Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-064 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide emergency financial assistance to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the University under the Higher Education Emergency Relief Fund (HEERF I) Program. The federal Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the federal American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Each of the University?s campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (DOE) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements of the HEERF program there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The DOE specified that the Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The University?s campuses are required to submit the annual report directly to the DOE. During Fiscal Year 2022, each University campus was required to complete and post 8 reports (four Student Aid and four Institutional) to their website. During Fiscal Year 2022, the University?s three campuses in total expended approximately $60 million in HEERF grant funds: $27 million was expended by the Boulder campus, $10.5 million was expended by the Colorado Springs campus, and $22.5 million was expended by the Denver campus. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over and complied with the HEERF grant reporting requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls over the HEERF grant reporting requirements. In addition, we tested 11 of the 12 student reports and 3 of the 12 institutional reports posted by the University during Fiscal Year 2022 to determine whether the University campuses posted the required information on each campus? website accurately, and by the federal due dates. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? The DOE issued a notice on May 13, 2021, requiring institutions to publicly post their required HEERF reports on the institution?s website as soon as possible, but no later than 30 days after the publication of the notice, or 30 days after the date the DOE first obligated funds under HEERF I, II, or III to the institution for emergency financial assistance to students; whichever comes later. The institution is required to post the report no later than 10 days after the end of each calendar quarter, after the initial posting. ? Federal regulation [2 CFR 200.303] states that the System?s campuses, as federal grant recipients, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? What problem did the audit work identify? We identified 2 out of the 14 reports tested (14.3 percent) that did not meet the HEERF grant report posting requirements. Specifically, the University of Colorado, Colorado Springs Campus, did not post the required information for the HEERF Student Aid Portion on its website for two of four quarters of Fiscal Year 2022 timely. First, the University posted the quarter-ending September 30, 2021 report to its website on December 23, 2021, or 74 days after the deadline of October 10. Second, the University did not post the quarter-ending March 31, 2022 report, which was due April 10, 2022, until October 2022, after we notified them of the error; this was approximately 6 months late. We did not identify any issues with the accuracy of the reports, and we found that the other two campuses in the University of Colorado System posted the required information on their respective websites as required by federal regulations. Why did this problem occur? The University?s Colorado Springs campus did not have adequate internal controls in place to ensure it complied with the HEERF grant reporting requirements. Specifically, the Colorado Springs Campus did not have appropriate policies and procedures in place for identifying and researching changes in HEERF reporting requirements. The federal government updated and provided a new form for HEERF reporting in September 2021 that included a section for institutional information but inadvertently excluded student information from the form. Because the form no longer required the student information, the Colorado Springs campus staff inaccurately assumed that the student information was no longer required to be reported. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in the DOE Certification and Agreement that is signed and agreed to by the University. By failing to report required information in accordance with federal regulations, the University failed to comply with the requirements of the HEERF program and potentially risks repercussions from the DOE as specified in the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-064 The University of Colorado?s Colorado Springs campus should strengthen its internal controls over and ensure that it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by establishing policies and procedures for identifying and researching changes in HEERF reporting requirements and posting reports to the campus website as required by federal regulations. Response University of Colorado Agree Implementation Date: Implemented Management agrees. After the notification of the missing HEERF report in December 2021, the UCCS Controller proposed a ?cross-check? process to ensure all future reporting is in compliance and reported in a timely manner. This process is used for both the quarterly and annual reporting process. In the quarterly reporting process, the UCCS Controller completes the institutional report and emails the report to the UCCS Financial Aid office Senior Executive Director for verification of the amounts and the data submitted. The Senior Executive Director then enters the student aid portion?s information and provides this to the UCCS Controller for verification of the data. Once verified, the report is uploaded to the UCCS website and a confirmation email is sent to the UCCS Controller as well as the heerfreporting@ed.gov for verification of completion of the website posting. This process has been duplicated with the annual reporting process. Before the annual report is submitted a review will be done to verify the report figures match the CU financials for the calendar year.
Finding 2022-062 Higher Education Emergency Relief Fund Student Aid Finding The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to higher education institutions, including the University, under the HEERF program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA) was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. Since March 11, 2021, the University has been awarded $45.6 million in HEERF grant funds through the American Rescue Plan (ARP), otherwise known as HEERF III. Of this award, the University was provided both 1) Student Aid monies, along with 2) Institutional Aid monies. Student Aid monies must be used to provide financial aid grants to students (including students exclusively enrolled in distance education), which may be used for ?any component of the student?s cost of attendance or for emergency costs that arise due to coronavirus, such as tuition, food, housing, healthcare (including mental health care), or childcare. Institutional Aid monies may be used to defray expenses associated with coronavirus (including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll) and to make additional financial grants to students. During Fiscal Year 2022, the University spent $21.0 million for the Student Aid portion and $20.2 million for the Institutional portion of HEERF III funds. For the Student Aid portion of the HEERF III funding, the University divided the funding into different groups. The University developed a written plan (that applied during Fiscal Year 2022) for each group and a control process for awarding the monies to students. One of the groups of funding was to be awarded to students with unpaid balances in their tuition or auxiliary accounts with past due balances incurred during the 2020-2021 or 2021-2022 academic years. A team of University employees (CARES Team) was tasked with identifying those students, then contacting those students and asking if they would like the University to apply the student?s HEERF award to pay down the student?s account balance or pay it to the student directly. Once the student informed the University of their election, then the University awarded and disbursed the funds. What was the purpose of our audit work and what was performed? The purpose of the audit work was to determine whether the University was in compliance with the HEERF program regulations for awarding and paying the Student Aid portion of the HEERF funding, and whether proper controls were in place over the program during Fiscal Year 2022. Our testing included conducting interviews with management and selecting a sample of 60 disbursements made to students during Fiscal Year 2022 to test controls and compliance. We performed testing on the 60 disbursements to determine whether awards and disbursements were made in accordance with the University?s documented plan. How were the results of the audit work measured? In accordance with HEERF III requirements, the University must prioritize student aid distributions to students with exceptional needs. In addition, the University must have a documented plan to distribute funds to students. Federal regulations [2 CFR 200.303] require any non-federal grant award recipient to establish and maintain effective internal control over the federal award that provides reasonable assurance that the grant award recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. Lastly, student aid application best practices discourage employees from awarding aid to family members. What problem did the audit work identify? Based on interviews with University management, the University identified that a University employee inappropriately provided $700 in HEERF Student Aid funding to the employee?s family member who was a student at the University but was not eligible to receive the funds. Specifically, the CARES Team selected students to receive these funds that met the following criteria: 1) Student was enrolled in the Fall of 2021 or Spring 2022, 2) student had past due balances incurred during the 2020-2021 or 2021-2022 academic years, 3) the student was in good academic standing, and 4) they were participating in a payment plan or in the College Completion Advising program. The student was not selected by the CARES Team as eligible to receive these funds. During our testing of additional 60 student disbursement transactions we found no other exceptions. Why did this problem occur? The University has not established proper segregation of duties to prevent University employees from awarding federal funding to a member of their family. Specifically, the employee had access rights within the University?s financial aid system that granted the employee the ability to both award and disburse federal funds without another employee reviewing or approving. In addition, the University did not have a written policy, as recommended by industry best practices, that prohibits employees from applying aid to family members? accounts. Why does this problem matter? Federal funds that are misapplied or used for unallowable purposes could be subject to repayment from the University to the federal granting agency. Without ensuring adequate segregation of duties within the University?s financial aid system for awarding and disbursing federal funds, the University increases the risk that fraud could occur. In the instance identified, the University recovered the funding from the student. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-062 Metropolitan State University of Denver (University) should improve its internal controls over federal Higher Education Emergency Relief Funds by instituting appropriate segregation of duties over the awarding of federal funds to students. This should include requiring that no one employee can both award then disburse aid to students and developing and implementing a formal written policy that prohibits University employees from awarding financial aid to their family members. Response Metropolitan State University Agree Implementation Date: June 2023 In January 2023, the Executive Director of Financial Aid and Scholarships implemented a code of conduct that addresses and prohibits University personnel from awarding financial aid to their family members or other persons considered conflicts of interest. The Office of Financial Aid and Scholarships will draft policy by June 30, 2023, to address the segregation of duties that prohibits awarding and disbursing federal, state, or institutional funding to students by one employee.
Finding 2022-063 Higher Education Emergency Relief Fund Reporting Compliance Finding The CARES Act was signed into law on March 27, 2020, and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the (HEERF Program. CRRSAA was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Since April 2020, the University has been awarded a total of $86.3 million in HEERF funding. From inception through June 30, 2022, the University spent $35.4 million for the HEERF program Student Aid Portion and $48.9 million for the HEERF program Institutional Portion. The University reports that it will spend the remaining amount of funding during Fiscal Year 2023. The University signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate the University?s acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The ED specified that Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The annual report is to be submitted directly to the federal ED. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University had adequate internal controls in place over and complied with HEERF Institutional and Student Aid Portion grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the University?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 5 of the 8 HEERF reports submitted by the University during Fiscal Year 2022 to determine whether the reports were posted on the University?s primary website or submitted directly to the ED by the federal due dates and complied with federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? For the Student Aid Portion, beginning on May 6, 2020, the ED required institutions to publicly post certain information on their website, including the number of awards distributed to students, the total amount awarded, and the methodologies used by the institution to determine which students receive awards, no later than 30 days after the award date, and to update that information every 45 days thereafter (by posting a new report). ? On August 31, 2020, the ED revised the reporting requirement by decreasing the frequency of reporting after the initial 30-day period from every 45 days thereafter to every calendar quarter. This revision from every 45 days to a calendar quarter was effective for the first calendar quarter report due by October 10, 2020, and covering the period from after the institution?s last report through the end of the calendar quarter on September 30, 2020. ? For the Institutional Portion, a federal form filled out by the institution must be posted on the institution?s website covering aggregate expenditure amounts for each calendar quarter (September 30, December 31, March 31, and June 30) and concluding after an institution has spent the institutional portion of their HEERF Funds. The institution must post their first report by October 30, 2020, the first quarter of 2021 report by July 20, 2021, and post all other reports no later than 10 days after the end of each calendar quarter (October 10, January 10, April 10, and July 10). ? Section 18004(e) of the CARES Act and Section 314(e) of the CRRSAA require an institution receiving funds under HEERF to submit a report to the Secretary of the ED at ?such time in such a manner as the Secretary may require?. ? Federal regulation [2 CFR 200.334] states that ?financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.? The instructions for the Quarterly HEERF Reporting Form notes, ?any changes or updates after the initial posting must be conspicuously noted after initial posting and the date of the change must be noted in the `Date of Report? line.? ? Federal regulation [2 CFR 200.303] states that the University, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The University signed a HEERF Certification and Agreement to accept the funding and acknowledge its responsibilities under the grant; therefore, the University was responsible under the Agreement to ensure that it complied with HEERF reporting and other requirements. What problems did the audit work identify? We determined that 2 out of 5 reports tested (40 percent) did not meet the HEERF grant report posting requirements. Specifically: ? The University did not post the HEERF CRRSAA Student quarterly report for the quarter ending September 30, 2021 on the University?s primary website, as required. ? The University published the HEERF ARP Student quarterly report for the quarter ending March 31, 2022 on May 26, 2022?46 days past the due date of April 10, 2022. No issues were noted on the accuracy of the financial information on this report. Why did these problems occur? The University did not implement adequate internal controls to ensure it complied with the HEERF grant reporting requirements. Specifically, the University did not have appropriate policies and procedures in place to ensure that staff submit the required reports within federally required timeframes. Why do these problems matter? Federal oversight agencies, including ED, depend on accurate reports to measure program results and states? compliance with federal requirements. By failing to report the HEERF spending information in accordance with federal regulations, the University failed to comply with the requirements of the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-063 Metropolitan State University of Denver (University) should strengthen its internal controls over reporting and ensure it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by developing and documenting policies and procedures for identifying and researching the specific reporting requirements and ensuring that staff post to the University?s website the required reports within federally required timeframes. In addition, the University should ensure that all the HEERF reports that are currently required to be posted are on the website. Response Metropolitan State University Agree Implementation Date: December 2022 In December 2022, the Office of Financial Aid strengthened its internal control over the reporting requirements for the Higher Education Emergency Relief Fund (HEERF), by adding the report due dates to the internal operational calendar. Additional level reviews were also added to the submission process before the required reports will be sent to the Department of Education and posted on the financial aid website.
Finding 2022-059 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF I) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund (Assistance Listing No. 84.425). The HEERF program contains two portions: the Student Aid portion (Assistance Listing No. 84.425E) and the Institutional portion, which is made up of the following: HEERF Institutional Aid Portion (Assistance Listing No. 84.425F), HEERF Minority Serving Institutions (Assistance Listing No. 84.425L), HEERF Strengthening Institutions Program (Assistance Listing No. 84.425M), Institutional Resilience and Expanded Postsecondary Opportunity (Assistance Listing No. 84.425P), and HEERF Supplemental Assistance to Institutions of Higher Education program (Assistance Listing No. 84.425S). Amounts provided to students through HEERF are considered to be ?Emergency Financial Aid Grants to Students? under the Program. Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent approximately $97.8 million for the HEERF program Student Aid portion which is used to award Emergency Financial Aid Grants to students and $113.9 million for the HEERF Institutional Portion, which is used to support the colleges. $117.3 of this amount was expended by the System during Fiscal Year 2022. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the ED to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The annual report is to be submitted directly to the ED. The ED has specified certain criteria that must be included in each report. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System had adequate internal controls in place over, and complied with, the HEERF Institutional and Student Aid grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the System?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 25 of the 117 HEERF reports submitted by the System?s campuses during Fiscal Year 2022 to determine whether the reports were posted on each campus? primary website (quarterly reports) or submitted to ED (annual reports) by the federal due dates. Furthermore, for the Student Aid Quarterly Report we requested from each Campus the underlying support for the reports, which consisted of student data detailing how much aid was awarded and the methods the campuses used to determine which students would receive Emergency Financial Aid Grants. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? On May 13, 2021, the ED published in the Federal Register a notice for student aid public reporting under CRRSAA and ARP, which requires that institutions publicly post certain information on their website. The following information must appear in a format and location that is easily accessible to the public: o An acknowledgement that the institution signed and returned to the ED the Certification and Agreement and the assurance that the institution has used the applicable amount of funds designated under the CRRSAA and ARP programs to provide Emergency Financial Aid Grants to Students. o The total amount of funds that the institution will receive or has received from the ED pursuant to the institution's Certification and Agreement for Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total amount of Emergency Financial Aid Grants distributed to students under the CRRSAA and ARP programs as of the date of submission (i.e., as of the initial report and every calendar quarter thereafter). o The estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total number of students who have received an Emergency Financial Aid Grant to students under the CRRSAA and ARP programs. o The method(s) used by the institution to determine which students receive Emergency Financial Aid Grants and how much they would receive under the CRRSAA and ARP programs. o Any instructions, directions, or guidance provided by the institution to students concerning the Emergency Financial Aid Grants. ? Federal Uniform Guidance [2 CFR 200.303] requires that recipients of federal awards have internal controls in place to ensure that federal reports are accurate and report complete information. Appropriate supporting documentation is evidence of such internal controls. What problems did the audit work identify? We identified issues with 5 of the 25 Fiscal Year 2022 reports we tested (20 percent). Specifically, Front Range Community College (FRCC), Pueblo Community College (PCC), and Lamar Community College (LCC) could not provide appropriate supporting documentation for one or more of the following data elements in five of the Student Aid Quarterly Reports: student data detailing (a) the total amount of Emergency Financial Aid Grants distributed to students, (b) the total number of students eligible to receive Emergency Financial Aid Grants and/or (c) the total number of students at the institution who have received an Emergency Financial Aid Grant. The specific issues we found the following: ? FRCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended September 30, 2021 as 20,684; based on our review, we determined the supported number was 20,782. ? FRCC reported the total number of students at the institution who have received an Emergency Financial Aid Grant for the quarter ended June 30, 2022 as 20,385 (student portion) and 3,207 (institutional portion); based on our review, we determined the supported numbers were 20,401 and 3,222, respectively. ? LCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended June 30, 2022 as 1,007; based on our review, we determined the supported number was 1,034. In addition, the amount disbursed directly to student emergency financial aid grants to date was reported as 961 and total for all HEERF funds was 1,124; based on our review, we determined the supported numbers were 988 and 1,151, respectively. ? PCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarters ending September 30, 2021 and December 31, 2021 as 3,191; based on our review, we determined this amount could not be supported and PCC did not provide a revised count. Why did these problems occur? FRCC, PCC, and LCC campuses did not have procedures in place to ensure that supporting documentation was maintained for its Student Aid Quarterly Reporting. Employee turnover in the FRCC Controller position and FRCC, PCC, and LCC Student Financial Aid Director positions further contributed to FRCC, PCC, and LCC?s inability to locate or recreate the supporting documentation. Why do these problems matter? It is important for FRCC, PCC, and LCC to ensure that they obtain and maintain appropriate documentation to support amounts reported to federal awarding agencies, especially when they are the basis for determining FRCC, PCC, and LCC?s compliance with specific federal program requirements. This issue could lead to inaccurate federal reporting and potential noncompliance, which could result in the federal government requiring FRCC, PCC, and LCC to return funds or a negative impact to the System?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-059 Front Range Community College, Lamar Community College, and Pueblo Community College campuses should strengthen their internal controls over federal reporting and ensure they comply with the Higher Education Emergency Relief Fund reporting requirements by reviewing reports for accuracy and developing procedures for ensuring the required maintenance of all related supporting documentation. Response Front Range Community College Agree Implementation Date: September 2022 Moving forward the Director of Financial Aid will engage the Restricted Funds Accountants in a quality assurance review of both dollars spent, type of fund, and student counts before it is submitted for final review and publishing by the Director of Resource Development and Senior Grant Administrator. The most recently submitted information for the quarterly report of September 30, 2022 will be sent to the Restricted Funds Accountants to validate that FRCC has been and will continue to be in compliance for quarterly HEERF reporting. Response Lamar Community College Agree Implementation Date: July 2022 The Financial Aid Director and the Controller will compile their reporting support on the shared drive they utilize for other routine purposes as well, to ensure clear documentation of the numbers reported. The original report containing errors was corrected, validated, and reposted. All past year?s reporting data was made available on the shared drive as of July 2022. Response Pueblo Community College Agree Implementation Date: October 2022 Each quarter Financial aid will obtain and compare Cognos and Banner disbursement reports for accuracy. Once the unduplicated student count is determined it will be sent to the Vice President of Student Success to validate and approve going forward. Financial aid will ensure staff maintain supporting documentation for any institutional expenditures information that was obtained from the fiscal office. Disbursement and expenditure data will be compiled for the Department of Education?s Quarterly Report by the submission deadline and will be submitted as PDF to webmaster for posting on PCC?s website and a copy emailed to a contact at the Department of Education and will archive the submission for future reference.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-064 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide emergency financial assistance to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the University under the Higher Education Emergency Relief Fund (HEERF I) Program. The federal Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the federal American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Each of the University?s campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (DOE) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements of the HEERF program there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The DOE specified that the Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The University?s campuses are required to submit the annual report directly to the DOE. During Fiscal Year 2022, each University campus was required to complete and post 8 reports (four Student Aid and four Institutional) to their website. During Fiscal Year 2022, the University?s three campuses in total expended approximately $60 million in HEERF grant funds: $27 million was expended by the Boulder campus, $10.5 million was expended by the Colorado Springs campus, and $22.5 million was expended by the Denver campus. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over and complied with the HEERF grant reporting requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls over the HEERF grant reporting requirements. In addition, we tested 11 of the 12 student reports and 3 of the 12 institutional reports posted by the University during Fiscal Year 2022 to determine whether the University campuses posted the required information on each campus? website accurately, and by the federal due dates. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? The DOE issued a notice on May 13, 2021, requiring institutions to publicly post their required HEERF reports on the institution?s website as soon as possible, but no later than 30 days after the publication of the notice, or 30 days after the date the DOE first obligated funds under HEERF I, II, or III to the institution for emergency financial assistance to students; whichever comes later. The institution is required to post the report no later than 10 days after the end of each calendar quarter, after the initial posting. ? Federal regulation [2 CFR 200.303] states that the System?s campuses, as federal grant recipients, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? What problem did the audit work identify? We identified 2 out of the 14 reports tested (14.3 percent) that did not meet the HEERF grant report posting requirements. Specifically, the University of Colorado, Colorado Springs Campus, did not post the required information for the HEERF Student Aid Portion on its website for two of four quarters of Fiscal Year 2022 timely. First, the University posted the quarter-ending September 30, 2021 report to its website on December 23, 2021, or 74 days after the deadline of October 10. Second, the University did not post the quarter-ending March 31, 2022 report, which was due April 10, 2022, until October 2022, after we notified them of the error; this was approximately 6 months late. We did not identify any issues with the accuracy of the reports, and we found that the other two campuses in the University of Colorado System posted the required information on their respective websites as required by federal regulations. Why did this problem occur? The University?s Colorado Springs campus did not have adequate internal controls in place to ensure it complied with the HEERF grant reporting requirements. Specifically, the Colorado Springs Campus did not have appropriate policies and procedures in place for identifying and researching changes in HEERF reporting requirements. The federal government updated and provided a new form for HEERF reporting in September 2021 that included a section for institutional information but inadvertently excluded student information from the form. Because the form no longer required the student information, the Colorado Springs campus staff inaccurately assumed that the student information was no longer required to be reported. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in the DOE Certification and Agreement that is signed and agreed to by the University. By failing to report required information in accordance with federal regulations, the University failed to comply with the requirements of the HEERF program and potentially risks repercussions from the DOE as specified in the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-064 The University of Colorado?s Colorado Springs campus should strengthen its internal controls over and ensure that it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by establishing policies and procedures for identifying and researching changes in HEERF reporting requirements and posting reports to the campus website as required by federal regulations. Response University of Colorado Agree Implementation Date: Implemented Management agrees. After the notification of the missing HEERF report in December 2021, the UCCS Controller proposed a ?cross-check? process to ensure all future reporting is in compliance and reported in a timely manner. This process is used for both the quarterly and annual reporting process. In the quarterly reporting process, the UCCS Controller completes the institutional report and emails the report to the UCCS Financial Aid office Senior Executive Director for verification of the amounts and the data submitted. The Senior Executive Director then enters the student aid portion?s information and provides this to the UCCS Controller for verification of the data. Once verified, the report is uploaded to the UCCS website and a confirmation email is sent to the UCCS Controller as well as the heerfreporting@ed.gov for verification of completion of the website posting. This process has been duplicated with the annual reporting process. Before the annual report is submitted a review will be done to verify the report figures match the CU financials for the calendar year.
Finding 2022-062 Higher Education Emergency Relief Fund Student Aid Finding The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to higher education institutions, including the University, under the HEERF program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA) was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. Since March 11, 2021, the University has been awarded $45.6 million in HEERF grant funds through the American Rescue Plan (ARP), otherwise known as HEERF III. Of this award, the University was provided both 1) Student Aid monies, along with 2) Institutional Aid monies. Student Aid monies must be used to provide financial aid grants to students (including students exclusively enrolled in distance education), which may be used for ?any component of the student?s cost of attendance or for emergency costs that arise due to coronavirus, such as tuition, food, housing, healthcare (including mental health care), or childcare. Institutional Aid monies may be used to defray expenses associated with coronavirus (including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll) and to make additional financial grants to students. During Fiscal Year 2022, the University spent $21.0 million for the Student Aid portion and $20.2 million for the Institutional portion of HEERF III funds. For the Student Aid portion of the HEERF III funding, the University divided the funding into different groups. The University developed a written plan (that applied during Fiscal Year 2022) for each group and a control process for awarding the monies to students. One of the groups of funding was to be awarded to students with unpaid balances in their tuition or auxiliary accounts with past due balances incurred during the 2020-2021 or 2021-2022 academic years. A team of University employees (CARES Team) was tasked with identifying those students, then contacting those students and asking if they would like the University to apply the student?s HEERF award to pay down the student?s account balance or pay it to the student directly. Once the student informed the University of their election, then the University awarded and disbursed the funds. What was the purpose of our audit work and what was performed? The purpose of the audit work was to determine whether the University was in compliance with the HEERF program regulations for awarding and paying the Student Aid portion of the HEERF funding, and whether proper controls were in place over the program during Fiscal Year 2022. Our testing included conducting interviews with management and selecting a sample of 60 disbursements made to students during Fiscal Year 2022 to test controls and compliance. We performed testing on the 60 disbursements to determine whether awards and disbursements were made in accordance with the University?s documented plan. How were the results of the audit work measured? In accordance with HEERF III requirements, the University must prioritize student aid distributions to students with exceptional needs. In addition, the University must have a documented plan to distribute funds to students. Federal regulations [2 CFR 200.303] require any non-federal grant award recipient to establish and maintain effective internal control over the federal award that provides reasonable assurance that the grant award recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. Lastly, student aid application best practices discourage employees from awarding aid to family members. What problem did the audit work identify? Based on interviews with University management, the University identified that a University employee inappropriately provided $700 in HEERF Student Aid funding to the employee?s family member who was a student at the University but was not eligible to receive the funds. Specifically, the CARES Team selected students to receive these funds that met the following criteria: 1) Student was enrolled in the Fall of 2021 or Spring 2022, 2) student had past due balances incurred during the 2020-2021 or 2021-2022 academic years, 3) the student was in good academic standing, and 4) they were participating in a payment plan or in the College Completion Advising program. The student was not selected by the CARES Team as eligible to receive these funds. During our testing of additional 60 student disbursement transactions we found no other exceptions. Why did this problem occur? The University has not established proper segregation of duties to prevent University employees from awarding federal funding to a member of their family. Specifically, the employee had access rights within the University?s financial aid system that granted the employee the ability to both award and disburse federal funds without another employee reviewing or approving. In addition, the University did not have a written policy, as recommended by industry best practices, that prohibits employees from applying aid to family members? accounts. Why does this problem matter? Federal funds that are misapplied or used for unallowable purposes could be subject to repayment from the University to the federal granting agency. Without ensuring adequate segregation of duties within the University?s financial aid system for awarding and disbursing federal funds, the University increases the risk that fraud could occur. In the instance identified, the University recovered the funding from the student. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-062 Metropolitan State University of Denver (University) should improve its internal controls over federal Higher Education Emergency Relief Funds by instituting appropriate segregation of duties over the awarding of federal funds to students. This should include requiring that no one employee can both award then disburse aid to students and developing and implementing a formal written policy that prohibits University employees from awarding financial aid to their family members. Response Metropolitan State University Agree Implementation Date: June 2023 In January 2023, the Executive Director of Financial Aid and Scholarships implemented a code of conduct that addresses and prohibits University personnel from awarding financial aid to their family members or other persons considered conflicts of interest. The Office of Financial Aid and Scholarships will draft policy by June 30, 2023, to address the segregation of duties that prohibits awarding and disbursing federal, state, or institutional funding to students by one employee.
Finding 2022-063 Higher Education Emergency Relief Fund Reporting Compliance Finding The CARES Act was signed into law on March 27, 2020, and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the (HEERF Program. CRRSAA was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Since April 2020, the University has been awarded a total of $86.3 million in HEERF funding. From inception through June 30, 2022, the University spent $35.4 million for the HEERF program Student Aid Portion and $48.9 million for the HEERF program Institutional Portion. The University reports that it will spend the remaining amount of funding during Fiscal Year 2023. The University signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate the University?s acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The ED specified that Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The annual report is to be submitted directly to the federal ED. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University had adequate internal controls in place over and complied with HEERF Institutional and Student Aid Portion grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the University?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 5 of the 8 HEERF reports submitted by the University during Fiscal Year 2022 to determine whether the reports were posted on the University?s primary website or submitted directly to the ED by the federal due dates and complied with federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? For the Student Aid Portion, beginning on May 6, 2020, the ED required institutions to publicly post certain information on their website, including the number of awards distributed to students, the total amount awarded, and the methodologies used by the institution to determine which students receive awards, no later than 30 days after the award date, and to update that information every 45 days thereafter (by posting a new report). ? On August 31, 2020, the ED revised the reporting requirement by decreasing the frequency of reporting after the initial 30-day period from every 45 days thereafter to every calendar quarter. This revision from every 45 days to a calendar quarter was effective for the first calendar quarter report due by October 10, 2020, and covering the period from after the institution?s last report through the end of the calendar quarter on September 30, 2020. ? For the Institutional Portion, a federal form filled out by the institution must be posted on the institution?s website covering aggregate expenditure amounts for each calendar quarter (September 30, December 31, March 31, and June 30) and concluding after an institution has spent the institutional portion of their HEERF Funds. The institution must post their first report by October 30, 2020, the first quarter of 2021 report by July 20, 2021, and post all other reports no later than 10 days after the end of each calendar quarter (October 10, January 10, April 10, and July 10). ? Section 18004(e) of the CARES Act and Section 314(e) of the CRRSAA require an institution receiving funds under HEERF to submit a report to the Secretary of the ED at ?such time in such a manner as the Secretary may require?. ? Federal regulation [2 CFR 200.334] states that ?financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.? The instructions for the Quarterly HEERF Reporting Form notes, ?any changes or updates after the initial posting must be conspicuously noted after initial posting and the date of the change must be noted in the `Date of Report? line.? ? Federal regulation [2 CFR 200.303] states that the University, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The University signed a HEERF Certification and Agreement to accept the funding and acknowledge its responsibilities under the grant; therefore, the University was responsible under the Agreement to ensure that it complied with HEERF reporting and other requirements. What problems did the audit work identify? We determined that 2 out of 5 reports tested (40 percent) did not meet the HEERF grant report posting requirements. Specifically: ? The University did not post the HEERF CRRSAA Student quarterly report for the quarter ending September 30, 2021 on the University?s primary website, as required. ? The University published the HEERF ARP Student quarterly report for the quarter ending March 31, 2022 on May 26, 2022?46 days past the due date of April 10, 2022. No issues were noted on the accuracy of the financial information on this report. Why did these problems occur? The University did not implement adequate internal controls to ensure it complied with the HEERF grant reporting requirements. Specifically, the University did not have appropriate policies and procedures in place to ensure that staff submit the required reports within federally required timeframes. Why do these problems matter? Federal oversight agencies, including ED, depend on accurate reports to measure program results and states? compliance with federal requirements. By failing to report the HEERF spending information in accordance with federal regulations, the University failed to comply with the requirements of the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-063 Metropolitan State University of Denver (University) should strengthen its internal controls over reporting and ensure it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by developing and documenting policies and procedures for identifying and researching the specific reporting requirements and ensuring that staff post to the University?s website the required reports within federally required timeframes. In addition, the University should ensure that all the HEERF reports that are currently required to be posted are on the website. Response Metropolitan State University Agree Implementation Date: December 2022 In December 2022, the Office of Financial Aid strengthened its internal control over the reporting requirements for the Higher Education Emergency Relief Fund (HEERF), by adding the report due dates to the internal operational calendar. Additional level reviews were also added to the submission process before the required reports will be sent to the Department of Education and posted on the financial aid website.
Finding 2022-059 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF I) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund (Assistance Listing No. 84.425). The HEERF program contains two portions: the Student Aid portion (Assistance Listing No. 84.425E) and the Institutional portion, which is made up of the following: HEERF Institutional Aid Portion (Assistance Listing No. 84.425F), HEERF Minority Serving Institutions (Assistance Listing No. 84.425L), HEERF Strengthening Institutions Program (Assistance Listing No. 84.425M), Institutional Resilience and Expanded Postsecondary Opportunity (Assistance Listing No. 84.425P), and HEERF Supplemental Assistance to Institutions of Higher Education program (Assistance Listing No. 84.425S). Amounts provided to students through HEERF are considered to be ?Emergency Financial Aid Grants to Students? under the Program. Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent approximately $97.8 million for the HEERF program Student Aid portion which is used to award Emergency Financial Aid Grants to students and $113.9 million for the HEERF Institutional Portion, which is used to support the colleges. $117.3 of this amount was expended by the System during Fiscal Year 2022. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the ED to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The annual report is to be submitted directly to the ED. The ED has specified certain criteria that must be included in each report. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System had adequate internal controls in place over, and complied with, the HEERF Institutional and Student Aid grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the System?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 25 of the 117 HEERF reports submitted by the System?s campuses during Fiscal Year 2022 to determine whether the reports were posted on each campus? primary website (quarterly reports) or submitted to ED (annual reports) by the federal due dates. Furthermore, for the Student Aid Quarterly Report we requested from each Campus the underlying support for the reports, which consisted of student data detailing how much aid was awarded and the methods the campuses used to determine which students would receive Emergency Financial Aid Grants. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? On May 13, 2021, the ED published in the Federal Register a notice for student aid public reporting under CRRSAA and ARP, which requires that institutions publicly post certain information on their website. The following information must appear in a format and location that is easily accessible to the public: o An acknowledgement that the institution signed and returned to the ED the Certification and Agreement and the assurance that the institution has used the applicable amount of funds designated under the CRRSAA and ARP programs to provide Emergency Financial Aid Grants to Students. o The total amount of funds that the institution will receive or has received from the ED pursuant to the institution's Certification and Agreement for Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total amount of Emergency Financial Aid Grants distributed to students under the CRRSAA and ARP programs as of the date of submission (i.e., as of the initial report and every calendar quarter thereafter). o The estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total number of students who have received an Emergency Financial Aid Grant to students under the CRRSAA and ARP programs. o The method(s) used by the institution to determine which students receive Emergency Financial Aid Grants and how much they would receive under the CRRSAA and ARP programs. o Any instructions, directions, or guidance provided by the institution to students concerning the Emergency Financial Aid Grants. ? Federal Uniform Guidance [2 CFR 200.303] requires that recipients of federal awards have internal controls in place to ensure that federal reports are accurate and report complete information. Appropriate supporting documentation is evidence of such internal controls. What problems did the audit work identify? We identified issues with 5 of the 25 Fiscal Year 2022 reports we tested (20 percent). Specifically, Front Range Community College (FRCC), Pueblo Community College (PCC), and Lamar Community College (LCC) could not provide appropriate supporting documentation for one or more of the following data elements in five of the Student Aid Quarterly Reports: student data detailing (a) the total amount of Emergency Financial Aid Grants distributed to students, (b) the total number of students eligible to receive Emergency Financial Aid Grants and/or (c) the total number of students at the institution who have received an Emergency Financial Aid Grant. The specific issues we found the following: ? FRCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended September 30, 2021 as 20,684; based on our review, we determined the supported number was 20,782. ? FRCC reported the total number of students at the institution who have received an Emergency Financial Aid Grant for the quarter ended June 30, 2022 as 20,385 (student portion) and 3,207 (institutional portion); based on our review, we determined the supported numbers were 20,401 and 3,222, respectively. ? LCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended June 30, 2022 as 1,007; based on our review, we determined the supported number was 1,034. In addition, the amount disbursed directly to student emergency financial aid grants to date was reported as 961 and total for all HEERF funds was 1,124; based on our review, we determined the supported numbers were 988 and 1,151, respectively. ? PCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarters ending September 30, 2021 and December 31, 2021 as 3,191; based on our review, we determined this amount could not be supported and PCC did not provide a revised count. Why did these problems occur? FRCC, PCC, and LCC campuses did not have procedures in place to ensure that supporting documentation was maintained for its Student Aid Quarterly Reporting. Employee turnover in the FRCC Controller position and FRCC, PCC, and LCC Student Financial Aid Director positions further contributed to FRCC, PCC, and LCC?s inability to locate or recreate the supporting documentation. Why do these problems matter? It is important for FRCC, PCC, and LCC to ensure that they obtain and maintain appropriate documentation to support amounts reported to federal awarding agencies, especially when they are the basis for determining FRCC, PCC, and LCC?s compliance with specific federal program requirements. This issue could lead to inaccurate federal reporting and potential noncompliance, which could result in the federal government requiring FRCC, PCC, and LCC to return funds or a negative impact to the System?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-059 Front Range Community College, Lamar Community College, and Pueblo Community College campuses should strengthen their internal controls over federal reporting and ensure they comply with the Higher Education Emergency Relief Fund reporting requirements by reviewing reports for accuracy and developing procedures for ensuring the required maintenance of all related supporting documentation. Response Front Range Community College Agree Implementation Date: September 2022 Moving forward the Director of Financial Aid will engage the Restricted Funds Accountants in a quality assurance review of both dollars spent, type of fund, and student counts before it is submitted for final review and publishing by the Director of Resource Development and Senior Grant Administrator. The most recently submitted information for the quarterly report of September 30, 2022 will be sent to the Restricted Funds Accountants to validate that FRCC has been and will continue to be in compliance for quarterly HEERF reporting. Response Lamar Community College Agree Implementation Date: July 2022 The Financial Aid Director and the Controller will compile their reporting support on the shared drive they utilize for other routine purposes as well, to ensure clear documentation of the numbers reported. The original report containing errors was corrected, validated, and reposted. All past year?s reporting data was made available on the shared drive as of July 2022. Response Pueblo Community College Agree Implementation Date: October 2022 Each quarter Financial aid will obtain and compare Cognos and Banner disbursement reports for accuracy. Once the unduplicated student count is determined it will be sent to the Vice President of Student Success to validate and approve going forward. Financial aid will ensure staff maintain supporting documentation for any institutional expenditures information that was obtained from the fiscal office. Disbursement and expenditure data will be compiled for the Department of Education?s Quarterly Report by the submission deadline and will be submitted as PDF to webmaster for posting on PCC?s website and a copy emailed to a contact at the Department of Education and will archive the submission for future reference.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-079 Minerals Leasing Act?Subrecipient Monitoring In 1920, the U.S. Congress passed the Minerals Leasing Act. This Act directs the federal Office of Natural Resources Revenue (ONRR) within the U.S. Department of the Interior to share 50 percent of mineral leasing revenue received by the ONRR with states that generate mineral lease revenue. Mineral lease revenue results from payments made to the federal government by companies that lease federal land for the right to extract minerals from that land. According to the Act, revenue is to be used by states as each individual state?s legislature directs, giving priority to those sections of the state that are socially or economically impacted by the extraction of minerals. For Colorado, ONRR distributes Program funds to Treasury, which subgrants?or passes through?Program funds to the Department of Local Affairs (DOLA), the Department of Natural Resources (DNR), the Department of Higher Education (DHE), and the Department of Education (DOE), as prescribed by Section 34-63-102, C.R.S. In turn, DOLA passes the majority of the Program funds it receives to local governments impacted by mineral leasing, such as cities and counties. These local governments are considered subrecipients of the Program, and may use Program monies for ??planning; construction and maintenance of public facilities; and provision of public services.? During Fiscal Year 2022, ONRR distributed approximately $124.9 million in Program revenue to Treasury. Treasury passed all of the Program funds to DOLA, DNR, DHE, and DOE. DOLA then passed approximately $49.2 million of the $52.2 million in Program funds it received to local government subrecipients. DOLA retained the remaining $3.0 million in Program funds to cover administrative costs. DNR, DOE, and DHE spent the Program funds at the state level and did not pass any of the funds through to subrecipients. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether Treasury had adequate internal controls in place over, and complied with, federal subrecipient monitoring and reporting requirements for the Program during Fiscal Year 2022. As part of our testing, we reviewed Treasury?s progress in implementing our Fiscal Year 2020 audit recommendation related to subrecipient monitoring and reporting requirements for the Program. During that audit, we recommended that Treasury strengthen its internal controls to ensure that it complies with federal requirements for subrecipient monitoring and reporting for the Program by developing an effective monitoring process to ensure that required federal award information is communicated to Program subrecipients, including the Assistance Listing Number, program name, federal awarding agency, name of the department awarding the Program monies, Treasury department contact information, and dollar amount. In addition, we recommended that Treasury implement procedures to accurately prepare and submit the Exhibit K1, Schedule of Federal Assistance, to the Office of the State Controller (OSC) for reporting federal assistance information each year and to ensure the Exhibit K1 accurately reflects Program expenditures. During our Fiscal Year 2022 audit, we inquired about Treasury?s monitoring procedures over its Program subrecipients, including its required communications. We also reviewed Treasury?s Exhibit K1 to verify the accuracy of the information reported to the OSC and to assess Treasury?s compliance with federal reporting requirements and the OSC?s instructions. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: Federal regulations [2 CFR 200.303] require that Treasury, as a federal grant recipient, establish and maintain effective internal controls over federal awards that provide reasonable assurance that awards are being managed in compliance with federal statutes, regulation, and the terms and conditions of the federal award. Federal regulations [2 CFR 200.332] further require that Treasury, as the primary recipient of the Program monies, ensure that every subaward it makes is clearly identified to the subrecipient as a subaward, and that Treasury provides specific information about the Program to the subrecipients, including, but not limited to, the following: ? Assistance Listing Number ? Name of the program, name of the federal awarding agency, and name of the department awarding the Program monies ? Contact information for Treasury ? Dollar amount made available to the subrecipient ? Reporting requirements The State and any local governments receiving federal funds are required to present a Schedule of Expenditures of Federal Awards (SEFA) in accordance with the requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Federal regulations [2 CFR 200.501(b)] specifically require that the SEFA include information on each federal award expended during the year, including the total amount provided to subrecipients from each federal award. Any non-federal entity that expends $750,000 or more in total federal awards during the entity?s fiscal year must undergo a Single Audit or program-specific audit for that year. Federal regulations [2 CFR 200.332(f)] further require that Treasury, as the primary recipient of the Program funds, ensure that any non-state subrecipients receiving federal funds from the State during a given fiscal year report the funds on their respective SEFAs and, if applicable, undergo a Single Audit. The Exhibit K1 is used to report federal expenditure information to the OSC to aid the OSC in preparing the State?s SEFA, which reports the total federal awards expended by the State during the fiscal year. The instructions state that the OSC relies on the accuracy of amounts and other information reported on the Exhibit in preparing the SEFA. What problem did the audit work identify? We found that Treasury did not fully implement our prior audit recommendation related to federal subrecipient monitoring for the Program during Fiscal Year 2022. Specifically, we found that Treasury did not communicate, or ensure that DOLA communicated, the required award information and applicable federal compliance requirements to all Program subrecipients in accordance with federal regulations. In response to our prior audit recommendation, Treasury reported that they met with DOLA staff in June 2022 to discuss an interagency agreement that would establish expectations for DOLA to communicate required federal award information and applicable federal compliance requirements for this Program to subrecipients. However, as of the end of the fiscal year, this interagency agreement was not signed or in place. Further, Treasury, as the primary recipient of the Program funds, did not ensure that it or DOLA communicated and followed up with any non-state subrecipients receiving federal funds from the State during Fiscal Year 2022 to ensure the subrecipients reported the funds on their respective SEFAs and, if applicable, underwent a Single Audit. We determined that Treasury implemented part of our prior audit recommendation related to the preparation of its Exhibit K1 in accordance with federal requirements. Specifically, Treasury received information from pass-through departments in order to properly determine whether Program funds ultimately flowed through to subrecipients and reported these funds as ?Expenditures -Passed Through to Subrecipient? on Treasury?s Exhibit K1. Why did this problem occur? Treasury did not have adequate internal controls in place during Fiscal Year 2022 to ensure that it complied with federal subrecipient monitoring requirements for the Program. Specifically, Treasury staff did not effectively communicate with DOLA staff about their responsibility for subrecipient reporting or have a monitoring process in place to ensure that either Treasury or DOLA staff communicated required federal award information and related federal reporting requirements to all subrecipients of Program funds, including a communication that any subrecipients receiving Program funds from the State during Fiscal Year 2022 are required to report the funds on their respective SEFAs and, if applicable, undergo a Single Audit. Why does this problem matter? By not communicating required information to subrecipients, Treasury failed to comply with federal subrecipient monitoring requirements for the Program. This communication is necessary to ensure that subrecipients are aware of the federal requirements for the funds, including the requirement that local governments properly report federal expenditures on their SEFAs. Treasury?s insufficient monitoring of Program subrecipients could result in future federal funding being reduced. In addition, if Treasury does not appropriately communicate SEFA reporting requirements to other state agencies and non-state subrecipients in the future, it could ultimately result in local governments not undergoing Single Audits, as required. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-079 The Department of the Treasury (Treasury) should strengthen its internal controls to ensure that it complies with federal requirements for subrecipient monitoring and reporting for the Minerals Leasing Act program (Program). This should include developing effective processes to ensure that required federal award information, including the Assistance Listing Number, federal program name, and dollar amount made available to the subrecipient, and the related federal requirements are communicated to Program subrecipients, and that the subrecipients report the funds on their respective annual Schedules of Expenditures of Federal Awards and, if applicable, undergo a Single Audit. Response Department of The Treasury Agree Implementation Date: June 30, 2023 The Department of the Treasury (Treasury) strengthened its internal controls with DOLA?s agreement to disseminate the necessary information to the subrecipients in compliance with federal requirements for subrecipient monitoring and reporting for the Minerals Leasing Act program (Program) at the earliest possible opportunity following receipt of the recommendation in the previous FYE?s report as the monitoring and reporting for the Program could only be performed following the annual distribution of such funds which took place subsequent to FYE 2022. The Department will formalize an Interagency Agreement with DOLA and any other relevant parties, incorporating additional corrective action before the stated date above (June 30, 2023).
The following finding and recommendation relating to an internal control deficiency classified as a Significant Deficiency was communicated to the Department of Local Affairs (Department) in the previous year and has not been remediated as of June 30, 2022 because the original implementation date provided by the Department was in a subsequent fiscal year. This complete finding and recommendation can be found within the original report and the complete recommendation can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table Finding 2021-066 Section 8 Housing Choice Vouchers and Mainstream Vouchers Programs?Internal Controls over the Waiting List The Department annually receives advance payments from the federal government for the Housing Voucher Programs (Program) to provide tenant-based subsidies for rent paid by low-income households. A housing subsidy is paid to the landlord directly by the Department on behalf of the Program?s participants. During Fiscal Year 2021, the Department incurred approximately $62.9 million in federal costs for the Housing Voucher Programs. Federal regulation [24 CFR 982.54] requires the Department to have an administrative plan to establish policies for carrying out the Program in a manner consistent with the U.S. Department of Housing and Urban Development (HUD) requirements and local goals and objectives. HUD requires the Division of Housing (DOH), a section within the Department, to place all families that apply for assistance on a waiting list. DOH must select families from the waiting list and maintain clear records of all information required to verify that the family is selected from the waiting list according to HUD requirements and Department policies as stated in the Department?s administrative plan [24 CFR 982.204(b) and 982.207(e)]. The DOH maintains the waiting list in an electronic database within its Public Housing Agencies (PHA) Software, called Emphasys Elite. DOH has established preferences for order of selection off of the waiting list, and gives priority or first preference (point system) to serving families that meet various criteria, including someone experiencing homelessness, a person with a disability, households that include victims of domestic violence, etc. The second preference for selecting from the waiting list is based on when DOH placed the individual on the waiting list, by date and time. HUD may also award the Department funding for a specified category of families on the waiting list (targeted funding [24 CFR 982.204(e)]). DOH must use this funding only to assist families within the specified category allowed by the targeted funding. DOH administers the following types of targeted funding: Veterans Affairs Supporting Housing (VASH), Non-Elderly Disabled, Family Unification Program, and Family Self-Sufficiency. DOH delegates some of its voucher administration responsibilities, such as application reviews and interviews with applicants, to agencies that provide housing services to applicants and participants of the Program. These agencies, or contractors, include public housing authorities, community mental health centers, community centered boards or their contract service agencies, independent living centers, the Veterans Affairs Medical Center (VAMC), homeless service providers, and others. DOH will enter into a contract with these agencies that outline each party?s responsibilities. Contractors employ housing coordinators who assist applicants and participants to complete the necessary Program documentation and understand regulations to help them acquire and maintain units that conform to Program regulations. DOH provides each contractor with vouchers to give eligible applicants. When a contractor has available vouchers, it will ask the DOH to select and issue the next name(s) from its waiting list. DOH then uses its electronic database to select individuals from the waiting list. In order for an applicant to receive the voucher, the applicant must first attend an interview with the contractor. At the interview, the contractor will determine whether the applicant is eligible based on requiring the applicant to complete a full application and provide proof of income sources, social security number, citizenship status, release of information forms, federal or state-issued picture ID, and birth certificate, as well as the contractor?s verification of those items. If it is determined at the interview that the applicant is not eligible, the voucher will be terminated in the Emphasys Elite system and the voucher can be used for the next applicant in line on the waiting list. HUD regulations require that all families have an equal opportunity to apply for and receive housing assistance [24 CFR 982.53]. DOH must also have policies regarding various aspects of organizing and managing the waiting list of applicant families. This includes opening the list to new applicants, closing the list to new applicants, notifying the public of waiting list openings and closings, updating waiting list information, and removing families that are no longer interested in or eligible for assistance from the list. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department had effective internal controls in place over, and complied with, federal requirements related to the Program?s waiting list during Fiscal Year 2021. We requested and obtained a report from the Department that showed all individuals that were added to the Program during Fiscal Year 2021. We selected and tested 40 of these individuals admitted to the Program during Fiscal Year 2021 to determine if they were selected from the waiting list in accordance with the Department?s applicant selection policies. We also requested and obtained another report from the Department that showed any individuals selected from the waiting list due to reaching the top position on the waiting list during Fiscal Year 2021, regardless of whether the individuals were added or not added to the Program. From this report, we selected and tested 40 different individuals to ascertain if they were admitted to the Program or provided the opportunity to be admitted to the Program in accordance with the Department?s applicant selection policies. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [24 CFR 5.410, 982.54(d), and 982.201 through 982.207] require the Department to have written policies in its administrative plan for selecting applicants from the waiting list and documentation must show that the Department follows these policies when selecting applicants for admission from the waiting list. Selection from the waiting list generally occurs when the Department notifies a family whose name reaches the top of the waiting list to come in to verify eligibility for admission to the Program. ? The Department?s administrative plan states that when a family wishes to receive assistance under the Program, the family must submit an application that provides DOH with the information needed to determine the family?s eligibility [HCV GB, pp. 4-11 ? 4-16, Notice PIH 2009-36]. ? Federal regulation [24 CFR 982.207] requires that DOH select applicant families from the waiting list first by preference and secondly by date and time of application. ? Federal regulations [24 CFR 982.554(a)] specify that when a family has been selected from the waiting list for an application interview, DOH and/or its contractor will notify the family and the family will be required to participate in the interview. The notice must inform the family of the date, time, and location of the scheduled application interview, who is required to attend the interview, and all documents that must be provided by the family at the interview. ? Federal regulations [24 CFR 982.201(f) and 982.204(c)] establish the rules for removing Program participants from the waiting list. If at any time an applicant family is on the waiting list and DOH determines that the family is not eligible for assistance, the family will be removed from the waiting list. Federal regulations further state the family may also remove itself from the waiting list at any time by requesting removal in writing. If a family is removed from the waiting list because DOH has determined the family is not eligible for assistance, a notice must be sent to the family?s address of record as well as to any alternate address provided on the initial application. The notice must state the reasons the family was removed from the waiting list and inform the family how to request an informal review regarding DOH?s decision. ? Uniform Guidance [2 CFR 200.303] requires that the Department, as a federal grant recipient, establish and maintain effective internal control over federal awards that provide reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office. Section 4, Paragraph OV4.08, states that documentation is required for the effective design, implementation, and operating effectiveness of an entity?s internal control system. What problems did the audit work identify? During our testing of 40 individuals admitted to the Program during Fiscal Year 2021, we found that the Department could not provide appropriate support for 5 of the 40 (12.5 percent) tenant files reviewed. Specifically: ? For five individuals, the Department could not provide documentation of the eligibility interview. ? For one of those five individuals, the Department also could not locate the individual?s application. During our testing of 40 individuals that the Department selected from the waiting list due to the individuals reaching the top of the waiting list during Fiscal Year 2021, we found certain issues with 8 of the 40 (20 percent) tenant files reviewed. Specifically: ? In five instances, individuals were selected from the waiting list out of turn; therefore, they were not at the top of the waiting list when selected, as required. ? In three instances, the Department could not provide the applications for the individuals. Why did these problems occur? The Department lacked internal controls over the Program?s waiting list. Specifically, the Department is not ensuring its contractors are maintaining supporting documentation within tenant files, including interview documentation and applications. Both the Department and its contractors experienced employee turnover in Fiscal Year 2021. Although the Department conducted monthly webinars for various training manuals, including the administrative plan, and made training materials available for future reference, new employees did not receive sufficient training to ensure the Department complied with Program requirements over the waiting list. In addition, the Department did not properly train the DOH employees on the policies and procedures for maintaining and selecting applicants from the waiting list, which ultimately led to applicants being incorrectly selected from the waiting list. Specifically, DOH did not properly update the waiting list for new applicants and addressing unused vouchers from prior selections, which caused individuals to be incorrectly selected from the waiting list. Why do these problems matter? By not maintaining the waiting list supporting documentation, including interview documentation and applications, the Department cannot ensure that all tenants are eligible or qualified to participate in the Program. The Department must ensure it maintains accurate and complete tenant files to demonstrate compliance with federal requirements. Additionally, by not training employees properly on the Department?s policies and procedures surrounding the waiting list, applicants are at risk of being improperly removed from the waiting list and not given the opportunity to receive funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-066 The Department of Local Affairs (Department) should strengthen its internal controls to ensure it complies with waiting list requirements for the federal Section 8 Housing Choice Vouchers and Mainstream Vouchers programs. Specifically, this should include the Department developing and providing a training plan for its contractors that covers all of the programs? requirements on an ongoing basis. In addition, the Department should ensure its new employees are trained and able to properly run the waiting list in accordance with the Department?s policies and procedures, which includes ensuring the waiting list is properly updated for new applicants and addressing unused vouchers prior to making waiting list selections. Response Department of Local Affairs Agree Implementation Date: February 2023 The Department of Local Affairs (Department) agrees with the recommendation. The Department will strengthen its internal controls through the development of an onboarding program that will include different modules that new employees and/or contractors must work through to receive certification. These modules will include all relevant steps associated with the waiting list process.
The following finding and recommendation relating to an internal control deficiency classified as a Significant Deficiency was communicated to the Department of Local Affairs (Department) in the previous year and has not been remediated as of June 30, 2022 because the original implementation date provided by the Department was in a subsequent fiscal year. This complete finding and recommendation can be found within the original report and the complete recommendation can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table Finding 2021-066 Section 8 Housing Choice Vouchers and Mainstream Vouchers Programs?Internal Controls over the Waiting List The Department annually receives advance payments from the federal government for the Housing Voucher Programs (Program) to provide tenant-based subsidies for rent paid by low-income households. A housing subsidy is paid to the landlord directly by the Department on behalf of the Program?s participants. During Fiscal Year 2021, the Department incurred approximately $62.9 million in federal costs for the Housing Voucher Programs. Federal regulation [24 CFR 982.54] requires the Department to have an administrative plan to establish policies for carrying out the Program in a manner consistent with the U.S. Department of Housing and Urban Development (HUD) requirements and local goals and objectives. HUD requires the Division of Housing (DOH), a section within the Department, to place all families that apply for assistance on a waiting list. DOH must select families from the waiting list and maintain clear records of all information required to verify that the family is selected from the waiting list according to HUD requirements and Department policies as stated in the Department?s administrative plan [24 CFR 982.204(b) and 982.207(e)]. The DOH maintains the waiting list in an electronic database within its Public Housing Agencies (PHA) Software, called Emphasys Elite. DOH has established preferences for order of selection off of the waiting list, and gives priority or first preference (point system) to serving families that meet various criteria, including someone experiencing homelessness, a person with a disability, households that include victims of domestic violence, etc. The second preference for selecting from the waiting list is based on when DOH placed the individual on the waiting list, by date and time. HUD may also award the Department funding for a specified category of families on the waiting list (targeted funding [24 CFR 982.204(e)]). DOH must use this funding only to assist families within the specified category allowed by the targeted funding. DOH administers the following types of targeted funding: Veterans Affairs Supporting Housing (VASH), Non-Elderly Disabled, Family Unification Program, and Family Self-Sufficiency. DOH delegates some of its voucher administration responsibilities, such as application reviews and interviews with applicants, to agencies that provide housing services to applicants and participants of the Program. These agencies, or contractors, include public housing authorities, community mental health centers, community centered boards or their contract service agencies, independent living centers, the Veterans Affairs Medical Center (VAMC), homeless service providers, and others. DOH will enter into a contract with these agencies that outline each party?s responsibilities. Contractors employ housing coordinators who assist applicants and participants to complete the necessary Program documentation and understand regulations to help them acquire and maintain units that conform to Program regulations. DOH provides each contractor with vouchers to give eligible applicants. When a contractor has available vouchers, it will ask the DOH to select and issue the next name(s) from its waiting list. DOH then uses its electronic database to select individuals from the waiting list. In order for an applicant to receive the voucher, the applicant must first attend an interview with the contractor. At the interview, the contractor will determine whether the applicant is eligible based on requiring the applicant to complete a full application and provide proof of income sources, social security number, citizenship status, release of information forms, federal or state-issued picture ID, and birth certificate, as well as the contractor?s verification of those items. If it is determined at the interview that the applicant is not eligible, the voucher will be terminated in the Emphasys Elite system and the voucher can be used for the next applicant in line on the waiting list. HUD regulations require that all families have an equal opportunity to apply for and receive housing assistance [24 CFR 982.53]. DOH must also have policies regarding various aspects of organizing and managing the waiting list of applicant families. This includes opening the list to new applicants, closing the list to new applicants, notifying the public of waiting list openings and closings, updating waiting list information, and removing families that are no longer interested in or eligible for assistance from the list. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department had effective internal controls in place over, and complied with, federal requirements related to the Program?s waiting list during Fiscal Year 2021. We requested and obtained a report from the Department that showed all individuals that were added to the Program during Fiscal Year 2021. We selected and tested 40 of these individuals admitted to the Program during Fiscal Year 2021 to determine if they were selected from the waiting list in accordance with the Department?s applicant selection policies. We also requested and obtained another report from the Department that showed any individuals selected from the waiting list due to reaching the top position on the waiting list during Fiscal Year 2021, regardless of whether the individuals were added or not added to the Program. From this report, we selected and tested 40 different individuals to ascertain if they were admitted to the Program or provided the opportunity to be admitted to the Program in accordance with the Department?s applicant selection policies. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [24 CFR 5.410, 982.54(d), and 982.201 through 982.207] require the Department to have written policies in its administrative plan for selecting applicants from the waiting list and documentation must show that the Department follows these policies when selecting applicants for admission from the waiting list. Selection from the waiting list generally occurs when the Department notifies a family whose name reaches the top of the waiting list to come in to verify eligibility for admission to the Program. ? The Department?s administrative plan states that when a family wishes to receive assistance under the Program, the family must submit an application that provides DOH with the information needed to determine the family?s eligibility [HCV GB, pp. 4-11 ? 4-16, Notice PIH 2009-36]. ? Federal regulation [24 CFR 982.207] requires that DOH select applicant families from the waiting list first by preference and secondly by date and time of application. ? Federal regulations [24 CFR 982.554(a)] specify that when a family has been selected from the waiting list for an application interview, DOH and/or its contractor will notify the family and the family will be required to participate in the interview. The notice must inform the family of the date, time, and location of the scheduled application interview, who is required to attend the interview, and all documents that must be provided by the family at the interview. ? Federal regulations [24 CFR 982.201(f) and 982.204(c)] establish the rules for removing Program participants from the waiting list. If at any time an applicant family is on the waiting list and DOH determines that the family is not eligible for assistance, the family will be removed from the waiting list. Federal regulations further state the family may also remove itself from the waiting list at any time by requesting removal in writing. If a family is removed from the waiting list because DOH has determined the family is not eligible for assistance, a notice must be sent to the family?s address of record as well as to any alternate address provided on the initial application. The notice must state the reasons the family was removed from the waiting list and inform the family how to request an informal review regarding DOH?s decision. ? Uniform Guidance [2 CFR 200.303] requires that the Department, as a federal grant recipient, establish and maintain effective internal control over federal awards that provide reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office. Section 4, Paragraph OV4.08, states that documentation is required for the effective design, implementation, and operating effectiveness of an entity?s internal control system. What problems did the audit work identify? During our testing of 40 individuals admitted to the Program during Fiscal Year 2021, we found that the Department could not provide appropriate support for 5 of the 40 (12.5 percent) tenant files reviewed. Specifically: ? For five individuals, the Department could not provide documentation of the eligibility interview. ? For one of those five individuals, the Department also could not locate the individual?s application. During our testing of 40 individuals that the Department selected from the waiting list due to the individuals reaching the top of the waiting list during Fiscal Year 2021, we found certain issues with 8 of the 40 (20 percent) tenant files reviewed. Specifically: ? In five instances, individuals were selected from the waiting list out of turn; therefore, they were not at the top of the waiting list when selected, as required. ? In three instances, the Department could not provide the applications for the individuals. Why did these problems occur? The Department lacked internal controls over the Program?s waiting list. Specifically, the Department is not ensuring its contractors are maintaining supporting documentation within tenant files, including interview documentation and applications. Both the Department and its contractors experienced employee turnover in Fiscal Year 2021. Although the Department conducted monthly webinars for various training manuals, including the administrative plan, and made training materials available for future reference, new employees did not receive sufficient training to ensure the Department complied with Program requirements over the waiting list. In addition, the Department did not properly train the DOH employees on the policies and procedures for maintaining and selecting applicants from the waiting list, which ultimately led to applicants being incorrectly selected from the waiting list. Specifically, DOH did not properly update the waiting list for new applicants and addressing unused vouchers from prior selections, which caused individuals to be incorrectly selected from the waiting list. Why do these problems matter? By not maintaining the waiting list supporting documentation, including interview documentation and applications, the Department cannot ensure that all tenants are eligible or qualified to participate in the Program. The Department must ensure it maintains accurate and complete tenant files to demonstrate compliance with federal requirements. Additionally, by not training employees properly on the Department?s policies and procedures surrounding the waiting list, applicants are at risk of being improperly removed from the waiting list and not given the opportunity to receive funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-066 The Department of Local Affairs (Department) should strengthen its internal controls to ensure it complies with waiting list requirements for the federal Section 8 Housing Choice Vouchers and Mainstream Vouchers programs. Specifically, this should include the Department developing and providing a training plan for its contractors that covers all of the programs? requirements on an ongoing basis. In addition, the Department should ensure its new employees are trained and able to properly run the waiting list in accordance with the Department?s policies and procedures, which includes ensuring the waiting list is properly updated for new applicants and addressing unused vouchers prior to making waiting list selections. Response Department of Local Affairs Agree Implementation Date: February 2023 The Department of Local Affairs (Department) agrees with the recommendation. The Department will strengthen its internal controls through the development of an onboarding program that will include different modules that new employees and/or contractors must work through to receive certification. These modules will include all relevant steps associated with the waiting list process.
The following finding and recommendation relating to an internal control deficiency classified as a Significant Deficiency was communicated to the Department of Local Affairs (Department) in the previous year and has not been remediated as of June 30, 2022 because the original implementation date provided by the Department was in a subsequent fiscal year. This complete finding and recommendation can be found within the original report and the complete recommendation can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table Finding 2021-066 Section 8 Housing Choice Vouchers and Mainstream Vouchers Programs?Internal Controls over the Waiting List The Department annually receives advance payments from the federal government for the Housing Voucher Programs (Program) to provide tenant-based subsidies for rent paid by low-income households. A housing subsidy is paid to the landlord directly by the Department on behalf of the Program?s participants. During Fiscal Year 2021, the Department incurred approximately $62.9 million in federal costs for the Housing Voucher Programs. Federal regulation [24 CFR 982.54] requires the Department to have an administrative plan to establish policies for carrying out the Program in a manner consistent with the U.S. Department of Housing and Urban Development (HUD) requirements and local goals and objectives. HUD requires the Division of Housing (DOH), a section within the Department, to place all families that apply for assistance on a waiting list. DOH must select families from the waiting list and maintain clear records of all information required to verify that the family is selected from the waiting list according to HUD requirements and Department policies as stated in the Department?s administrative plan [24 CFR 982.204(b) and 982.207(e)]. The DOH maintains the waiting list in an electronic database within its Public Housing Agencies (PHA) Software, called Emphasys Elite. DOH has established preferences for order of selection off of the waiting list, and gives priority or first preference (point system) to serving families that meet various criteria, including someone experiencing homelessness, a person with a disability, households that include victims of domestic violence, etc. The second preference for selecting from the waiting list is based on when DOH placed the individual on the waiting list, by date and time. HUD may also award the Department funding for a specified category of families on the waiting list (targeted funding [24 CFR 982.204(e)]). DOH must use this funding only to assist families within the specified category allowed by the targeted funding. DOH administers the following types of targeted funding: Veterans Affairs Supporting Housing (VASH), Non-Elderly Disabled, Family Unification Program, and Family Self-Sufficiency. DOH delegates some of its voucher administration responsibilities, such as application reviews and interviews with applicants, to agencies that provide housing services to applicants and participants of the Program. These agencies, or contractors, include public housing authorities, community mental health centers, community centered boards or their contract service agencies, independent living centers, the Veterans Affairs Medical Center (VAMC), homeless service providers, and others. DOH will enter into a contract with these agencies that outline each party?s responsibilities. Contractors employ housing coordinators who assist applicants and participants to complete the necessary Program documentation and understand regulations to help them acquire and maintain units that conform to Program regulations. DOH provides each contractor with vouchers to give eligible applicants. When a contractor has available vouchers, it will ask the DOH to select and issue the next name(s) from its waiting list. DOH then uses its electronic database to select individuals from the waiting list. In order for an applicant to receive the voucher, the applicant must first attend an interview with the contractor. At the interview, the contractor will determine whether the applicant is eligible based on requiring the applicant to complete a full application and provide proof of income sources, social security number, citizenship status, release of information forms, federal or state-issued picture ID, and birth certificate, as well as the contractor?s verification of those items. If it is determined at the interview that the applicant is not eligible, the voucher will be terminated in the Emphasys Elite system and the voucher can be used for the next applicant in line on the waiting list. HUD regulations require that all families have an equal opportunity to apply for and receive housing assistance [24 CFR 982.53]. DOH must also have policies regarding various aspects of organizing and managing the waiting list of applicant families. This includes opening the list to new applicants, closing the list to new applicants, notifying the public of waiting list openings and closings, updating waiting list information, and removing families that are no longer interested in or eligible for assistance from the list. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department had effective internal controls in place over, and complied with, federal requirements related to the Program?s waiting list during Fiscal Year 2021. We requested and obtained a report from the Department that showed all individuals that were added to the Program during Fiscal Year 2021. We selected and tested 40 of these individuals admitted to the Program during Fiscal Year 2021 to determine if they were selected from the waiting list in accordance with the Department?s applicant selection policies. We also requested and obtained another report from the Department that showed any individuals selected from the waiting list due to reaching the top position on the waiting list during Fiscal Year 2021, regardless of whether the individuals were added or not added to the Program. From this report, we selected and tested 40 different individuals to ascertain if they were admitted to the Program or provided the opportunity to be admitted to the Program in accordance with the Department?s applicant selection policies. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [24 CFR 5.410, 982.54(d), and 982.201 through 982.207] require the Department to have written policies in its administrative plan for selecting applicants from the waiting list and documentation must show that the Department follows these policies when selecting applicants for admission from the waiting list. Selection from the waiting list generally occurs when the Department notifies a family whose name reaches the top of the waiting list to come in to verify eligibility for admission to the Program. ? The Department?s administrative plan states that when a family wishes to receive assistance under the Program, the family must submit an application that provides DOH with the information needed to determine the family?s eligibility [HCV GB, pp. 4-11 ? 4-16, Notice PIH 2009-36]. ? Federal regulation [24 CFR 982.207] requires that DOH select applicant families from the waiting list first by preference and secondly by date and time of application. ? Federal regulations [24 CFR 982.554(a)] specify that when a family has been selected from the waiting list for an application interview, DOH and/or its contractor will notify the family and the family will be required to participate in the interview. The notice must inform the family of the date, time, and location of the scheduled application interview, who is required to attend the interview, and all documents that must be provided by the family at the interview. ? Federal regulations [24 CFR 982.201(f) and 982.204(c)] establish the rules for removing Program participants from the waiting list. If at any time an applicant family is on the waiting list and DOH determines that the family is not eligible for assistance, the family will be removed from the waiting list. Federal regulations further state the family may also remove itself from the waiting list at any time by requesting removal in writing. If a family is removed from the waiting list because DOH has determined the family is not eligible for assistance, a notice must be sent to the family?s address of record as well as to any alternate address provided on the initial application. The notice must state the reasons the family was removed from the waiting list and inform the family how to request an informal review regarding DOH?s decision. ? Uniform Guidance [2 CFR 200.303] requires that the Department, as a federal grant recipient, establish and maintain effective internal control over federal awards that provide reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office. Section 4, Paragraph OV4.08, states that documentation is required for the effective design, implementation, and operating effectiveness of an entity?s internal control system. What problems did the audit work identify? During our testing of 40 individuals admitted to the Program during Fiscal Year 2021, we found that the Department could not provide appropriate support for 5 of the 40 (12.5 percent) tenant files reviewed. Specifically: ? For five individuals, the Department could not provide documentation of the eligibility interview. ? For one of those five individuals, the Department also could not locate the individual?s application. During our testing of 40 individuals that the Department selected from the waiting list due to the individuals reaching the top of the waiting list during Fiscal Year 2021, we found certain issues with 8 of the 40 (20 percent) tenant files reviewed. Specifically: ? In five instances, individuals were selected from the waiting list out of turn; therefore, they were not at the top of the waiting list when selected, as required. ? In three instances, the Department could not provide the applications for the individuals. Why did these problems occur? The Department lacked internal controls over the Program?s waiting list. Specifically, the Department is not ensuring its contractors are maintaining supporting documentation within tenant files, including interview documentation and applications. Both the Department and its contractors experienced employee turnover in Fiscal Year 2021. Although the Department conducted monthly webinars for various training manuals, including the administrative plan, and made training materials available for future reference, new employees did not receive sufficient training to ensure the Department complied with Program requirements over the waiting list. In addition, the Department did not properly train the DOH employees on the policies and procedures for maintaining and selecting applicants from the waiting list, which ultimately led to applicants being incorrectly selected from the waiting list. Specifically, DOH did not properly update the waiting list for new applicants and addressing unused vouchers from prior selections, which caused individuals to be incorrectly selected from the waiting list. Why do these problems matter? By not maintaining the waiting list supporting documentation, including interview documentation and applications, the Department cannot ensure that all tenants are eligible or qualified to participate in the Program. The Department must ensure it maintains accurate and complete tenant files to demonstrate compliance with federal requirements. Additionally, by not training employees properly on the Department?s policies and procedures surrounding the waiting list, applicants are at risk of being improperly removed from the waiting list and not given the opportunity to receive funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-066 The Department of Local Affairs (Department) should strengthen its internal controls to ensure it complies with waiting list requirements for the federal Section 8 Housing Choice Vouchers and Mainstream Vouchers programs. Specifically, this should include the Department developing and providing a training plan for its contractors that covers all of the programs? requirements on an ongoing basis. In addition, the Department should ensure its new employees are trained and able to properly run the waiting list in accordance with the Department?s policies and procedures, which includes ensuring the waiting list is properly updated for new applicants and addressing unused vouchers prior to making waiting list selections. Response Department of Local Affairs Agree Implementation Date: February 2023 The Department of Local Affairs (Department) agrees with the recommendation. The Department will strengthen its internal controls through the development of an onboarding program that will include different modules that new employees and/or contractors must work through to receive certification. These modules will include all relevant steps associated with the waiting list process.
The following finding and recommendation relating to an internal control deficiency classified as a Significant Deficiency was communicated to the Department of Local Affairs (Department) in the previous year and has not been remediated as of June 30, 2022 because the original implementation date provided by the Department was in a subsequent fiscal year. This complete finding and recommendation can be found within the original report and the complete recommendation can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table Finding 2021-066 Section 8 Housing Choice Vouchers and Mainstream Vouchers Programs?Internal Controls over the Waiting List The Department annually receives advance payments from the federal government for the Housing Voucher Programs (Program) to provide tenant-based subsidies for rent paid by low-income households. A housing subsidy is paid to the landlord directly by the Department on behalf of the Program?s participants. During Fiscal Year 2021, the Department incurred approximately $62.9 million in federal costs for the Housing Voucher Programs. Federal regulation [24 CFR 982.54] requires the Department to have an administrative plan to establish policies for carrying out the Program in a manner consistent with the U.S. Department of Housing and Urban Development (HUD) requirements and local goals and objectives. HUD requires the Division of Housing (DOH), a section within the Department, to place all families that apply for assistance on a waiting list. DOH must select families from the waiting list and maintain clear records of all information required to verify that the family is selected from the waiting list according to HUD requirements and Department policies as stated in the Department?s administrative plan [24 CFR 982.204(b) and 982.207(e)]. The DOH maintains the waiting list in an electronic database within its Public Housing Agencies (PHA) Software, called Emphasys Elite. DOH has established preferences for order of selection off of the waiting list, and gives priority or first preference (point system) to serving families that meet various criteria, including someone experiencing homelessness, a person with a disability, households that include victims of domestic violence, etc. The second preference for selecting from the waiting list is based on when DOH placed the individual on the waiting list, by date and time. HUD may also award the Department funding for a specified category of families on the waiting list (targeted funding [24 CFR 982.204(e)]). DOH must use this funding only to assist families within the specified category allowed by the targeted funding. DOH administers the following types of targeted funding: Veterans Affairs Supporting Housing (VASH), Non-Elderly Disabled, Family Unification Program, and Family Self-Sufficiency. DOH delegates some of its voucher administration responsibilities, such as application reviews and interviews with applicants, to agencies that provide housing services to applicants and participants of the Program. These agencies, or contractors, include public housing authorities, community mental health centers, community centered boards or their contract service agencies, independent living centers, the Veterans Affairs Medical Center (VAMC), homeless service providers, and others. DOH will enter into a contract with these agencies that outline each party?s responsibilities. Contractors employ housing coordinators who assist applicants and participants to complete the necessary Program documentation and understand regulations to help them acquire and maintain units that conform to Program regulations. DOH provides each contractor with vouchers to give eligible applicants. When a contractor has available vouchers, it will ask the DOH to select and issue the next name(s) from its waiting list. DOH then uses its electronic database to select individuals from the waiting list. In order for an applicant to receive the voucher, the applicant must first attend an interview with the contractor. At the interview, the contractor will determine whether the applicant is eligible based on requiring the applicant to complete a full application and provide proof of income sources, social security number, citizenship status, release of information forms, federal or state-issued picture ID, and birth certificate, as well as the contractor?s verification of those items. If it is determined at the interview that the applicant is not eligible, the voucher will be terminated in the Emphasys Elite system and the voucher can be used for the next applicant in line on the waiting list. HUD regulations require that all families have an equal opportunity to apply for and receive housing assistance [24 CFR 982.53]. DOH must also have policies regarding various aspects of organizing and managing the waiting list of applicant families. This includes opening the list to new applicants, closing the list to new applicants, notifying the public of waiting list openings and closings, updating waiting list information, and removing families that are no longer interested in or eligible for assistance from the list. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department had effective internal controls in place over, and complied with, federal requirements related to the Program?s waiting list during Fiscal Year 2021. We requested and obtained a report from the Department that showed all individuals that were added to the Program during Fiscal Year 2021. We selected and tested 40 of these individuals admitted to the Program during Fiscal Year 2021 to determine if they were selected from the waiting list in accordance with the Department?s applicant selection policies. We also requested and obtained another report from the Department that showed any individuals selected from the waiting list due to reaching the top position on the waiting list during Fiscal Year 2021, regardless of whether the individuals were added or not added to the Program. From this report, we selected and tested 40 different individuals to ascertain if they were admitted to the Program or provided the opportunity to be admitted to the Program in accordance with the Department?s applicant selection policies. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [24 CFR 5.410, 982.54(d), and 982.201 through 982.207] require the Department to have written policies in its administrative plan for selecting applicants from the waiting list and documentation must show that the Department follows these policies when selecting applicants for admission from the waiting list. Selection from the waiting list generally occurs when the Department notifies a family whose name reaches the top of the waiting list to come in to verify eligibility for admission to the Program. ? The Department?s administrative plan states that when a family wishes to receive assistance under the Program, the family must submit an application that provides DOH with the information needed to determine the family?s eligibility [HCV GB, pp. 4-11 ? 4-16, Notice PIH 2009-36]. ? Federal regulation [24 CFR 982.207] requires that DOH select applicant families from the waiting list first by preference and secondly by date and time of application. ? Federal regulations [24 CFR 982.554(a)] specify that when a family has been selected from the waiting list for an application interview, DOH and/or its contractor will notify the family and the family will be required to participate in the interview. The notice must inform the family of the date, time, and location of the scheduled application interview, who is required to attend the interview, and all documents that must be provided by the family at the interview. ? Federal regulations [24 CFR 982.201(f) and 982.204(c)] establish the rules for removing Program participants from the waiting list. If at any time an applicant family is on the waiting list and DOH determines that the family is not eligible for assistance, the family will be removed from the waiting list. Federal regulations further state the family may also remove itself from the waiting list at any time by requesting removal in writing. If a family is removed from the waiting list because DOH has determined the family is not eligible for assistance, a notice must be sent to the family?s address of record as well as to any alternate address provided on the initial application. The notice must state the reasons the family was removed from the waiting list and inform the family how to request an informal review regarding DOH?s decision. ? Uniform Guidance [2 CFR 200.303] requires that the Department, as a federal grant recipient, establish and maintain effective internal control over federal awards that provide reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office. Section 4, Paragraph OV4.08, states that documentation is required for the effective design, implementation, and operating effectiveness of an entity?s internal control system. What problems did the audit work identify? During our testing of 40 individuals admitted to the Program during Fiscal Year 2021, we found that the Department could not provide appropriate support for 5 of the 40 (12.5 percent) tenant files reviewed. Specifically: ? For five individuals, the Department could not provide documentation of the eligibility interview. ? For one of those five individuals, the Department also could not locate the individual?s application. During our testing of 40 individuals that the Department selected from the waiting list due to the individuals reaching the top of the waiting list during Fiscal Year 2021, we found certain issues with 8 of the 40 (20 percent) tenant files reviewed. Specifically: ? In five instances, individuals were selected from the waiting list out of turn; therefore, they were not at the top of the waiting list when selected, as required. ? In three instances, the Department could not provide the applications for the individuals. Why did these problems occur? The Department lacked internal controls over the Program?s waiting list. Specifically, the Department is not ensuring its contractors are maintaining supporting documentation within tenant files, including interview documentation and applications. Both the Department and its contractors experienced employee turnover in Fiscal Year 2021. Although the Department conducted monthly webinars for various training manuals, including the administrative plan, and made training materials available for future reference, new employees did not receive sufficient training to ensure the Department complied with Program requirements over the waiting list. In addition, the Department did not properly train the DOH employees on the policies and procedures for maintaining and selecting applicants from the waiting list, which ultimately led to applicants being incorrectly selected from the waiting list. Specifically, DOH did not properly update the waiting list for new applicants and addressing unused vouchers from prior selections, which caused individuals to be incorrectly selected from the waiting list. Why do these problems matter? By not maintaining the waiting list supporting documentation, including interview documentation and applications, the Department cannot ensure that all tenants are eligible or qualified to participate in the Program. The Department must ensure it maintains accurate and complete tenant files to demonstrate compliance with federal requirements. Additionally, by not training employees properly on the Department?s policies and procedures surrounding the waiting list, applicants are at risk of being improperly removed from the waiting list and not given the opportunity to receive funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-066 The Department of Local Affairs (Department) should strengthen its internal controls to ensure it complies with waiting list requirements for the federal Section 8 Housing Choice Vouchers and Mainstream Vouchers programs. Specifically, this should include the Department developing and providing a training plan for its contractors that covers all of the programs? requirements on an ongoing basis. In addition, the Department should ensure its new employees are trained and able to properly run the waiting list in accordance with the Department?s policies and procedures, which includes ensuring the waiting list is properly updated for new applicants and addressing unused vouchers prior to making waiting list selections. Response Department of Local Affairs Agree Implementation Date: February 2023 The Department of Local Affairs (Department) agrees with the recommendation. The Department will strengthen its internal controls through the development of an onboarding program that will include different modules that new employees and/or contractors must work through to receive certification. These modules will include all relevant steps associated with the waiting list process.
The following finding and recommendation relating to an internal control deficiency classified as a Significant Deficiency was communicated to the Department of Local Affairs (Department) in the previous year and has not been remediated as of June 30, 2022 because the original implementation date provided by the Department was in a subsequent fiscal year. This complete finding and recommendation can be found within the original report and the complete recommendation can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table Finding 2021-066 Section 8 Housing Choice Vouchers and Mainstream Vouchers Programs?Internal Controls over the Waiting List The Department annually receives advance payments from the federal government for the Housing Voucher Programs (Program) to provide tenant-based subsidies for rent paid by low-income households. A housing subsidy is paid to the landlord directly by the Department on behalf of the Program?s participants. During Fiscal Year 2021, the Department incurred approximately $62.9 million in federal costs for the Housing Voucher Programs. Federal regulation [24 CFR 982.54] requires the Department to have an administrative plan to establish policies for carrying out the Program in a manner consistent with the U.S. Department of Housing and Urban Development (HUD) requirements and local goals and objectives. HUD requires the Division of Housing (DOH), a section within the Department, to place all families that apply for assistance on a waiting list. DOH must select families from the waiting list and maintain clear records of all information required to verify that the family is selected from the waiting list according to HUD requirements and Department policies as stated in the Department?s administrative plan [24 CFR 982.204(b) and 982.207(e)]. The DOH maintains the waiting list in an electronic database within its Public Housing Agencies (PHA) Software, called Emphasys Elite. DOH has established preferences for order of selection off of the waiting list, and gives priority or first preference (point system) to serving families that meet various criteria, including someone experiencing homelessness, a person with a disability, households that include victims of domestic violence, etc. The second preference for selecting from the waiting list is based on when DOH placed the individual on the waiting list, by date and time. HUD may also award the Department funding for a specified category of families on the waiting list (targeted funding [24 CFR 982.204(e)]). DOH must use this funding only to assist families within the specified category allowed by the targeted funding. DOH administers the following types of targeted funding: Veterans Affairs Supporting Housing (VASH), Non-Elderly Disabled, Family Unification Program, and Family Self-Sufficiency. DOH delegates some of its voucher administration responsibilities, such as application reviews and interviews with applicants, to agencies that provide housing services to applicants and participants of the Program. These agencies, or contractors, include public housing authorities, community mental health centers, community centered boards or their contract service agencies, independent living centers, the Veterans Affairs Medical Center (VAMC), homeless service providers, and others. DOH will enter into a contract with these agencies that outline each party?s responsibilities. Contractors employ housing coordinators who assist applicants and participants to complete the necessary Program documentation and understand regulations to help them acquire and maintain units that conform to Program regulations. DOH provides each contractor with vouchers to give eligible applicants. When a contractor has available vouchers, it will ask the DOH to select and issue the next name(s) from its waiting list. DOH then uses its electronic database to select individuals from the waiting list. In order for an applicant to receive the voucher, the applicant must first attend an interview with the contractor. At the interview, the contractor will determine whether the applicant is eligible based on requiring the applicant to complete a full application and provide proof of income sources, social security number, citizenship status, release of information forms, federal or state-issued picture ID, and birth certificate, as well as the contractor?s verification of those items. If it is determined at the interview that the applicant is not eligible, the voucher will be terminated in the Emphasys Elite system and the voucher can be used for the next applicant in line on the waiting list. HUD regulations require that all families have an equal opportunity to apply for and receive housing assistance [24 CFR 982.53]. DOH must also have policies regarding various aspects of organizing and managing the waiting list of applicant families. This includes opening the list to new applicants, closing the list to new applicants, notifying the public of waiting list openings and closings, updating waiting list information, and removing families that are no longer interested in or eligible for assistance from the list. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department had effective internal controls in place over, and complied with, federal requirements related to the Program?s waiting list during Fiscal Year 2021. We requested and obtained a report from the Department that showed all individuals that were added to the Program during Fiscal Year 2021. We selected and tested 40 of these individuals admitted to the Program during Fiscal Year 2021 to determine if they were selected from the waiting list in accordance with the Department?s applicant selection policies. We also requested and obtained another report from the Department that showed any individuals selected from the waiting list due to reaching the top position on the waiting list during Fiscal Year 2021, regardless of whether the individuals were added or not added to the Program. From this report, we selected and tested 40 different individuals to ascertain if they were admitted to the Program or provided the opportunity to be admitted to the Program in accordance with the Department?s applicant selection policies. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [24 CFR 5.410, 982.54(d), and 982.201 through 982.207] require the Department to have written policies in its administrative plan for selecting applicants from the waiting list and documentation must show that the Department follows these policies when selecting applicants for admission from the waiting list. Selection from the waiting list generally occurs when the Department notifies a family whose name reaches the top of the waiting list to come in to verify eligibility for admission to the Program. ? The Department?s administrative plan states that when a family wishes to receive assistance under the Program, the family must submit an application that provides DOH with the information needed to determine the family?s eligibility [HCV GB, pp. 4-11 ? 4-16, Notice PIH 2009-36]. ? Federal regulation [24 CFR 982.207] requires that DOH select applicant families from the waiting list first by preference and secondly by date and time of application. ? Federal regulations [24 CFR 982.554(a)] specify that when a family has been selected from the waiting list for an application interview, DOH and/or its contractor will notify the family and the family will be required to participate in the interview. The notice must inform the family of the date, time, and location of the scheduled application interview, who is required to attend the interview, and all documents that must be provided by the family at the interview. ? Federal regulations [24 CFR 982.201(f) and 982.204(c)] establish the rules for removing Program participants from the waiting list. If at any time an applicant family is on the waiting list and DOH determines that the family is not eligible for assistance, the family will be removed from the waiting list. Federal regulations further state the family may also remove itself from the waiting list at any time by requesting removal in writing. If a family is removed from the waiting list because DOH has determined the family is not eligible for assistance, a notice must be sent to the family?s address of record as well as to any alternate address provided on the initial application. The notice must state the reasons the family was removed from the waiting list and inform the family how to request an informal review regarding DOH?s decision. ? Uniform Guidance [2 CFR 200.303] requires that the Department, as a federal grant recipient, establish and maintain effective internal control over federal awards that provide reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office. Section 4, Paragraph OV4.08, states that documentation is required for the effective design, implementation, and operating effectiveness of an entity?s internal control system. What problems did the audit work identify? During our testing of 40 individuals admitted to the Program during Fiscal Year 2021, we found that the Department could not provide appropriate support for 5 of the 40 (12.5 percent) tenant files reviewed. Specifically: ? For five individuals, the Department could not provide documentation of the eligibility interview. ? For one of those five individuals, the Department also could not locate the individual?s application. During our testing of 40 individuals that the Department selected from the waiting list due to the individuals reaching the top of the waiting list during Fiscal Year 2021, we found certain issues with 8 of the 40 (20 percent) tenant files reviewed. Specifically: ? In five instances, individuals were selected from the waiting list out of turn; therefore, they were not at the top of the waiting list when selected, as required. ? In three instances, the Department could not provide the applications for the individuals. Why did these problems occur? The Department lacked internal controls over the Program?s waiting list. Specifically, the Department is not ensuring its contractors are maintaining supporting documentation within tenant files, including interview documentation and applications. Both the Department and its contractors experienced employee turnover in Fiscal Year 2021. Although the Department conducted monthly webinars for various training manuals, including the administrative plan, and made training materials available for future reference, new employees did not receive sufficient training to ensure the Department complied with Program requirements over the waiting list. In addition, the Department did not properly train the DOH employees on the policies and procedures for maintaining and selecting applicants from the waiting list, which ultimately led to applicants being incorrectly selected from the waiting list. Specifically, DOH did not properly update the waiting list for new applicants and addressing unused vouchers from prior selections, which caused individuals to be incorrectly selected from the waiting list. Why do these problems matter? By not maintaining the waiting list supporting documentation, including interview documentation and applications, the Department cannot ensure that all tenants are eligible or qualified to participate in the Program. The Department must ensure it maintains accurate and complete tenant files to demonstrate compliance with federal requirements. Additionally, by not training employees properly on the Department?s policies and procedures surrounding the waiting list, applicants are at risk of being improperly removed from the waiting list and not given the opportunity to receive funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-066 The Department of Local Affairs (Department) should strengthen its internal controls to ensure it complies with waiting list requirements for the federal Section 8 Housing Choice Vouchers and Mainstream Vouchers programs. Specifically, this should include the Department developing and providing a training plan for its contractors that covers all of the programs? requirements on an ongoing basis. In addition, the Department should ensure its new employees are trained and able to properly run the waiting list in accordance with the Department?s policies and procedures, which includes ensuring the waiting list is properly updated for new applicants and addressing unused vouchers prior to making waiting list selections. Response Department of Local Affairs Agree Implementation Date: February 2023 The Department of Local Affairs (Department) agrees with the recommendation. The Department will strengthen its internal controls through the development of an onboarding program that will include different modules that new employees and/or contractors must work through to receive certification. These modules will include all relevant steps associated with the waiting list process.
Finding 2022-074 Coronavirus Relief Funds?Property Owner Preservation Program The President of the United States issued the Proclamation on Declaring a National Emergency Concerning the Novel Coronavirus Disease (COVID-19) Outbreak on March 13, 2020 and Congress subsequently passed the Coronavirus Aid, Relief, and Economic Security (CARES) Act. The CARES Act provided emergency assistance in response to the COVID-19 pandemic and established the Coronavirus Relief Fund (CRF) program, which provided payments to state, local, and tribal governments navigating the impact of COVID-19. The State of Colorado received approximately $1.67 billion of CRF funds in April 2020, and the Governor issued Executive Order 2020-070 (Executive Order) in May 2020 to disburse the CRF funds to numerous state departments and agencies. In June 2020, the State passed House Bill 20-1410, concerning assistance for individuals facing a housing-related hardship due to the COVID-19 pandemic, and transferred approximately $19.7 million of CRF funds to the Housing Development Grant Fund to provide such assistance. This bill includes a provision for the Property Owners Preservation Program (Program), which was managed by the Department, to allow landlords and property owners to seek rental assistance on behalf of their tenants who experienced a financial need on or after March 1, 2020, due to the effects of the COVID-19 pandemic. In Fiscal Year 2021, the Department expended the $19.7 million of the CRF funds it received in April 2020, for the Property Owners Preservation Program (POPP). What was the purpose of our audit work and what work was performed? The purpose of the audit work was to follow up on our prior year audit recommendation, which recommended that the Department implement internal controls to ensure it complies with federal regulations for any new federal funds it receives, such as the CRF. The Department planned to implement this recommendation by June 2022. During the Fiscal Year 2022 audit, we inquired with the Department on the implementation status of this recommendation. We also obtained and reviewed the Department?s Exhibit K3, Schedule of Prior Year Audit Recommendation Status, which it was required to submit to the State Controller. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Under House Bill 20-1410, the Housing Development Grant Fund was appropriated $19,650,000 of funds from the CRF for the purpose of providing individuals and households who, on or after March 1, 2020, experienced financial need due to the COVID-19 pandemic or effects of the COVID-19 pandemic, with rental assistance. The House Bill also provided guidance on how to access additional housing services. The Department developed and issued a new application for the POPP to address the criteria for experiencing direct or indirect impacts of the COVID-19 pandemic. ? Federal regulations [2 CFR 200.303] require that the Department, as a federal grant recipient, ?establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.? Furthermore, in accordance with 2 CFR part 200, subpart E, the Department must determine that amounts paid with federal grant funds were necessary and reasonable for the performance of the federal award and are adequately documented. Therefore, the Department must maintain appropriate supporting documentation to verify costs were properly charged to the federal grants. ? The Office of the State Controller (OSC) requires each department that had a prior audit recommendation that was reported in the prior fiscal year?s Office of the State Auditor Statewide audit to complete an Exhibit K3 to report the Department?s determination of the status of their recommendation as of June 30. Possible status descriptions include ?Implemented,? ?Partially Implemented,? ?Not Implemented,? and ?No Longer Valid.? The Department must provide an explanation for each recommendation status. What problem did the audit work identify? We determined that the Department did not implement the prior year?s recommendation by its planned implementation date of June 2022. Specifically, during prior year audit work, we found that the Department could not provide appropriate underlying support for 4 of the 60 transactions (7 percent) we tested that were charged as CRF expenditures for the Program; as a result, we recommended that the Department strengthen its internal controls over federal grant spending, including that it develop and implement policies and procedures with a requirement that Department staff review and maintain records supporting its expenditures charged to federal programs. When we inquired of the Department about what steps it had taken to implement the recommendation, Department staff indicated that they did not implement the recommendation during Fiscal Year 2022. Why did this problem occur? The Department reported on its Exhibit K3 that it determined that the original implementation date of June 2022 that the Department provided as its planned implementation date for our Fiscal Year 2021 recommendation was unrealistic, given the Department?s staffing challenges. Specifically, the Department indicated that it was not able to allocate sufficient time to develop and implement the recommended policy and procedure guidance by the end of Fiscal Year 2022. Why does this problem matter? The Department?s lack of sufficient internal controls over the maintenance of complete and accurate records for the federal CRF monies could result in inadequate documentation to support its payments and ultimately, disallowed federal costs and potential sanctions. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-074 The Department of Local Affairs (Department) should implement internal controls to ensure it complies with federal regulations, specifically for activities allowed or unallowed and allowable costs/cost principles, for any new federal funds it receives, such as the Coronavirus Relief Fund. This should include developing and implementing policies and procedures that include a requirement that Department staff review and maintain records supporting the expenditures charged to the federal program. Response Department of Local Affairs Agree Implementation Date: September 2022 The Division of Housing within the Department of Local Affairs has implemented internal controls to ensure compliance with federal regulations for new federal funds, including the development of a standard procedure and the requirement that Department staff review and maintain records supporting the expenditures charged to new federal programs.
Finding 2022-074 Coronavirus Relief Funds?Property Owner Preservation Program The President of the United States issued the Proclamation on Declaring a National Emergency Concerning the Novel Coronavirus Disease (COVID-19) Outbreak on March 13, 2020 and Congress subsequently passed the Coronavirus Aid, Relief, and Economic Security (CARES) Act. The CARES Act provided emergency assistance in response to the COVID-19 pandemic and established the Coronavirus Relief Fund (CRF) program, which provided payments to state, local, and tribal governments navigating the impact of COVID-19. The State of Colorado received approximately $1.67 billion of CRF funds in April 2020, and the Governor issued Executive Order 2020-070 (Executive Order) in May 2020 to disburse the CRF funds to numerous state departments and agencies. In June 2020, the State passed House Bill 20-1410, concerning assistance for individuals facing a housing-related hardship due to the COVID-19 pandemic, and transferred approximately $19.7 million of CRF funds to the Housing Development Grant Fund to provide such assistance. This bill includes a provision for the Property Owners Preservation Program (Program), which was managed by the Department, to allow landlords and property owners to seek rental assistance on behalf of their tenants who experienced a financial need on or after March 1, 2020, due to the effects of the COVID-19 pandemic. In Fiscal Year 2021, the Department expended the $19.7 million of the CRF funds it received in April 2020, for the Property Owners Preservation Program (POPP). What was the purpose of our audit work and what work was performed? The purpose of the audit work was to follow up on our prior year audit recommendation, which recommended that the Department implement internal controls to ensure it complies with federal regulations for any new federal funds it receives, such as the CRF. The Department planned to implement this recommendation by June 2022. During the Fiscal Year 2022 audit, we inquired with the Department on the implementation status of this recommendation. We also obtained and reviewed the Department?s Exhibit K3, Schedule of Prior Year Audit Recommendation Status, which it was required to submit to the State Controller. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Under House Bill 20-1410, the Housing Development Grant Fund was appropriated $19,650,000 of funds from the CRF for the purpose of providing individuals and households who, on or after March 1, 2020, experienced financial need due to the COVID-19 pandemic or effects of the COVID-19 pandemic, with rental assistance. The House Bill also provided guidance on how to access additional housing services. The Department developed and issued a new application for the POPP to address the criteria for experiencing direct or indirect impacts of the COVID-19 pandemic. ? Federal regulations [2 CFR 200.303] require that the Department, as a federal grant recipient, ?establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.? Furthermore, in accordance with 2 CFR part 200, subpart E, the Department must determine that amounts paid with federal grant funds were necessary and reasonable for the performance of the federal award and are adequately documented. Therefore, the Department must maintain appropriate supporting documentation to verify costs were properly charged to the federal grants. ? The Office of the State Controller (OSC) requires each department that had a prior audit recommendation that was reported in the prior fiscal year?s Office of the State Auditor Statewide audit to complete an Exhibit K3 to report the Department?s determination of the status of their recommendation as of June 30. Possible status descriptions include ?Implemented,? ?Partially Implemented,? ?Not Implemented,? and ?No Longer Valid.? The Department must provide an explanation for each recommendation status. What problem did the audit work identify? We determined that the Department did not implement the prior year?s recommendation by its planned implementation date of June 2022. Specifically, during prior year audit work, we found that the Department could not provide appropriate underlying support for 4 of the 60 transactions (7 percent) we tested that were charged as CRF expenditures for the Program; as a result, we recommended that the Department strengthen its internal controls over federal grant spending, including that it develop and implement policies and procedures with a requirement that Department staff review and maintain records supporting its expenditures charged to federal programs. When we inquired of the Department about what steps it had taken to implement the recommendation, Department staff indicated that they did not implement the recommendation during Fiscal Year 2022. Why did this problem occur? The Department reported on its Exhibit K3 that it determined that the original implementation date of June 2022 that the Department provided as its planned implementation date for our Fiscal Year 2021 recommendation was unrealistic, given the Department?s staffing challenges. Specifically, the Department indicated that it was not able to allocate sufficient time to develop and implement the recommended policy and procedure guidance by the end of Fiscal Year 2022. Why does this problem matter? The Department?s lack of sufficient internal controls over the maintenance of complete and accurate records for the federal CRF monies could result in inadequate documentation to support its payments and ultimately, disallowed federal costs and potential sanctions. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-074 The Department of Local Affairs (Department) should implement internal controls to ensure it complies with federal regulations, specifically for activities allowed or unallowed and allowable costs/cost principles, for any new federal funds it receives, such as the Coronavirus Relief Fund. This should include developing and implementing policies and procedures that include a requirement that Department staff review and maintain records supporting the expenditures charged to the federal program. Response Department of Local Affairs Agree Implementation Date: September 2022 The Division of Housing within the Department of Local Affairs has implemented internal controls to ensure compliance with federal regulations for new federal funds, including the development of a standard procedure and the requirement that Department staff review and maintain records supporting the expenditures charged to new federal programs.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-059 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF I) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund (Assistance Listing No. 84.425). The HEERF program contains two portions: the Student Aid portion (Assistance Listing No. 84.425E) and the Institutional portion, which is made up of the following: HEERF Institutional Aid Portion (Assistance Listing No. 84.425F), HEERF Minority Serving Institutions (Assistance Listing No. 84.425L), HEERF Strengthening Institutions Program (Assistance Listing No. 84.425M), Institutional Resilience and Expanded Postsecondary Opportunity (Assistance Listing No. 84.425P), and HEERF Supplemental Assistance to Institutions of Higher Education program (Assistance Listing No. 84.425S). Amounts provided to students through HEERF are considered to be ?Emergency Financial Aid Grants to Students? under the Program. Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent approximately $97.8 million for the HEERF program Student Aid portion which is used to award Emergency Financial Aid Grants to students and $113.9 million for the HEERF Institutional Portion, which is used to support the colleges. $117.3 of this amount was expended by the System during Fiscal Year 2022. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the ED to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The annual report is to be submitted directly to the ED. The ED has specified certain criteria that must be included in each report. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System had adequate internal controls in place over, and complied with, the HEERF Institutional and Student Aid grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the System?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 25 of the 117 HEERF reports submitted by the System?s campuses during Fiscal Year 2022 to determine whether the reports were posted on each campus? primary website (quarterly reports) or submitted to ED (annual reports) by the federal due dates. Furthermore, for the Student Aid Quarterly Report we requested from each Campus the underlying support for the reports, which consisted of student data detailing how much aid was awarded and the methods the campuses used to determine which students would receive Emergency Financial Aid Grants. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? On May 13, 2021, the ED published in the Federal Register a notice for student aid public reporting under CRRSAA and ARP, which requires that institutions publicly post certain information on their website. The following information must appear in a format and location that is easily accessible to the public: o An acknowledgement that the institution signed and returned to the ED the Certification and Agreement and the assurance that the institution has used the applicable amount of funds designated under the CRRSAA and ARP programs to provide Emergency Financial Aid Grants to Students. o The total amount of funds that the institution will receive or has received from the ED pursuant to the institution's Certification and Agreement for Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total amount of Emergency Financial Aid Grants distributed to students under the CRRSAA and ARP programs as of the date of submission (i.e., as of the initial report and every calendar quarter thereafter). o The estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total number of students who have received an Emergency Financial Aid Grant to students under the CRRSAA and ARP programs. o The method(s) used by the institution to determine which students receive Emergency Financial Aid Grants and how much they would receive under the CRRSAA and ARP programs. o Any instructions, directions, or guidance provided by the institution to students concerning the Emergency Financial Aid Grants. ? Federal Uniform Guidance [2 CFR 200.303] requires that recipients of federal awards have internal controls in place to ensure that federal reports are accurate and report complete information. Appropriate supporting documentation is evidence of such internal controls. What problems did the audit work identify? We identified issues with 5 of the 25 Fiscal Year 2022 reports we tested (20 percent). Specifically, Front Range Community College (FRCC), Pueblo Community College (PCC), and Lamar Community College (LCC) could not provide appropriate supporting documentation for one or more of the following data elements in five of the Student Aid Quarterly Reports: student data detailing (a) the total amount of Emergency Financial Aid Grants distributed to students, (b) the total number of students eligible to receive Emergency Financial Aid Grants and/or (c) the total number of students at the institution who have received an Emergency Financial Aid Grant. The specific issues we found the following: ? FRCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended September 30, 2021 as 20,684; based on our review, we determined the supported number was 20,782. ? FRCC reported the total number of students at the institution who have received an Emergency Financial Aid Grant for the quarter ended June 30, 2022 as 20,385 (student portion) and 3,207 (institutional portion); based on our review, we determined the supported numbers were 20,401 and 3,222, respectively. ? LCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended June 30, 2022 as 1,007; based on our review, we determined the supported number was 1,034. In addition, the amount disbursed directly to student emergency financial aid grants to date was reported as 961 and total for all HEERF funds was 1,124; based on our review, we determined the supported numbers were 988 and 1,151, respectively. ? PCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarters ending September 30, 2021 and December 31, 2021 as 3,191; based on our review, we determined this amount could not be supported and PCC did not provide a revised count. Why did these problems occur? FRCC, PCC, and LCC campuses did not have procedures in place to ensure that supporting documentation was maintained for its Student Aid Quarterly Reporting. Employee turnover in the FRCC Controller position and FRCC, PCC, and LCC Student Financial Aid Director positions further contributed to FRCC, PCC, and LCC?s inability to locate or recreate the supporting documentation. Why do these problems matter? It is important for FRCC, PCC, and LCC to ensure that they obtain and maintain appropriate documentation to support amounts reported to federal awarding agencies, especially when they are the basis for determining FRCC, PCC, and LCC?s compliance with specific federal program requirements. This issue could lead to inaccurate federal reporting and potential noncompliance, which could result in the federal government requiring FRCC, PCC, and LCC to return funds or a negative impact to the System?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-059 Front Range Community College, Lamar Community College, and Pueblo Community College campuses should strengthen their internal controls over federal reporting and ensure they comply with the Higher Education Emergency Relief Fund reporting requirements by reviewing reports for accuracy and developing procedures for ensuring the required maintenance of all related supporting documentation. Response Front Range Community College Agree Implementation Date: September 2022 Moving forward the Director of Financial Aid will engage the Restricted Funds Accountants in a quality assurance review of both dollars spent, type of fund, and student counts before it is submitted for final review and publishing by the Director of Resource Development and Senior Grant Administrator. The most recently submitted information for the quarterly report of September 30, 2022 will be sent to the Restricted Funds Accountants to validate that FRCC has been and will continue to be in compliance for quarterly HEERF reporting. Response Lamar Community College Agree Implementation Date: July 2022 The Financial Aid Director and the Controller will compile their reporting support on the shared drive they utilize for other routine purposes as well, to ensure clear documentation of the numbers reported. The original report containing errors was corrected, validated, and reposted. All past year?s reporting data was made available on the shared drive as of July 2022. Response Pueblo Community College Agree Implementation Date: October 2022 Each quarter Financial aid will obtain and compare Cognos and Banner disbursement reports for accuracy. Once the unduplicated student count is determined it will be sent to the Vice President of Student Success to validate and approve going forward. Financial aid will ensure staff maintain supporting documentation for any institutional expenditures information that was obtained from the fiscal office. Disbursement and expenditure data will be compiled for the Department of Education?s Quarterly Report by the submission deadline and will be submitted as PDF to webmaster for posting on PCC?s website and a copy emailed to a contact at the Department of Education and will archive the submission for future reference.
Finding 2022-062 Higher Education Emergency Relief Fund Student Aid Finding The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to higher education institutions, including the University, under the HEERF program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA) was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. Since March 11, 2021, the University has been awarded $45.6 million in HEERF grant funds through the American Rescue Plan (ARP), otherwise known as HEERF III. Of this award, the University was provided both 1) Student Aid monies, along with 2) Institutional Aid monies. Student Aid monies must be used to provide financial aid grants to students (including students exclusively enrolled in distance education), which may be used for ?any component of the student?s cost of attendance or for emergency costs that arise due to coronavirus, such as tuition, food, housing, healthcare (including mental health care), or childcare. Institutional Aid monies may be used to defray expenses associated with coronavirus (including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll) and to make additional financial grants to students. During Fiscal Year 2022, the University spent $21.0 million for the Student Aid portion and $20.2 million for the Institutional portion of HEERF III funds. For the Student Aid portion of the HEERF III funding, the University divided the funding into different groups. The University developed a written plan (that applied during Fiscal Year 2022) for each group and a control process for awarding the monies to students. One of the groups of funding was to be awarded to students with unpaid balances in their tuition or auxiliary accounts with past due balances incurred during the 2020-2021 or 2021-2022 academic years. A team of University employees (CARES Team) was tasked with identifying those students, then contacting those students and asking if they would like the University to apply the student?s HEERF award to pay down the student?s account balance or pay it to the student directly. Once the student informed the University of their election, then the University awarded and disbursed the funds. What was the purpose of our audit work and what was performed? The purpose of the audit work was to determine whether the University was in compliance with the HEERF program regulations for awarding and paying the Student Aid portion of the HEERF funding, and whether proper controls were in place over the program during Fiscal Year 2022. Our testing included conducting interviews with management and selecting a sample of 60 disbursements made to students during Fiscal Year 2022 to test controls and compliance. We performed testing on the 60 disbursements to determine whether awards and disbursements were made in accordance with the University?s documented plan. How were the results of the audit work measured? In accordance with HEERF III requirements, the University must prioritize student aid distributions to students with exceptional needs. In addition, the University must have a documented plan to distribute funds to students. Federal regulations [2 CFR 200.303] require any non-federal grant award recipient to establish and maintain effective internal control over the federal award that provides reasonable assurance that the grant award recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. Lastly, student aid application best practices discourage employees from awarding aid to family members. What problem did the audit work identify? Based on interviews with University management, the University identified that a University employee inappropriately provided $700 in HEERF Student Aid funding to the employee?s family member who was a student at the University but was not eligible to receive the funds. Specifically, the CARES Team selected students to receive these funds that met the following criteria: 1) Student was enrolled in the Fall of 2021 or Spring 2022, 2) student had past due balances incurred during the 2020-2021 or 2021-2022 academic years, 3) the student was in good academic standing, and 4) they were participating in a payment plan or in the College Completion Advising program. The student was not selected by the CARES Team as eligible to receive these funds. During our testing of additional 60 student disbursement transactions we found no other exceptions. Why did this problem occur? The University has not established proper segregation of duties to prevent University employees from awarding federal funding to a member of their family. Specifically, the employee had access rights within the University?s financial aid system that granted the employee the ability to both award and disburse federal funds without another employee reviewing or approving. In addition, the University did not have a written policy, as recommended by industry best practices, that prohibits employees from applying aid to family members? accounts. Why does this problem matter? Federal funds that are misapplied or used for unallowable purposes could be subject to repayment from the University to the federal granting agency. Without ensuring adequate segregation of duties within the University?s financial aid system for awarding and disbursing federal funds, the University increases the risk that fraud could occur. In the instance identified, the University recovered the funding from the student. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-062 Metropolitan State University of Denver (University) should improve its internal controls over federal Higher Education Emergency Relief Funds by instituting appropriate segregation of duties over the awarding of federal funds to students. This should include requiring that no one employee can both award then disburse aid to students and developing and implementing a formal written policy that prohibits University employees from awarding financial aid to their family members. Response Metropolitan State University Agree Implementation Date: June 2023 In January 2023, the Executive Director of Financial Aid and Scholarships implemented a code of conduct that addresses and prohibits University personnel from awarding financial aid to their family members or other persons considered conflicts of interest. The Office of Financial Aid and Scholarships will draft policy by June 30, 2023, to address the segregation of duties that prohibits awarding and disbursing federal, state, or institutional funding to students by one employee.
Finding 2022-063 Higher Education Emergency Relief Fund Reporting Compliance Finding The CARES Act was signed into law on March 27, 2020, and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the (HEERF Program. CRRSAA was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Since April 2020, the University has been awarded a total of $86.3 million in HEERF funding. From inception through June 30, 2022, the University spent $35.4 million for the HEERF program Student Aid Portion and $48.9 million for the HEERF program Institutional Portion. The University reports that it will spend the remaining amount of funding during Fiscal Year 2023. The University signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate the University?s acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The ED specified that Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The annual report is to be submitted directly to the federal ED. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University had adequate internal controls in place over and complied with HEERF Institutional and Student Aid Portion grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the University?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 5 of the 8 HEERF reports submitted by the University during Fiscal Year 2022 to determine whether the reports were posted on the University?s primary website or submitted directly to the ED by the federal due dates and complied with federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? For the Student Aid Portion, beginning on May 6, 2020, the ED required institutions to publicly post certain information on their website, including the number of awards distributed to students, the total amount awarded, and the methodologies used by the institution to determine which students receive awards, no later than 30 days after the award date, and to update that information every 45 days thereafter (by posting a new report). ? On August 31, 2020, the ED revised the reporting requirement by decreasing the frequency of reporting after the initial 30-day period from every 45 days thereafter to every calendar quarter. This revision from every 45 days to a calendar quarter was effective for the first calendar quarter report due by October 10, 2020, and covering the period from after the institution?s last report through the end of the calendar quarter on September 30, 2020. ? For the Institutional Portion, a federal form filled out by the institution must be posted on the institution?s website covering aggregate expenditure amounts for each calendar quarter (September 30, December 31, March 31, and June 30) and concluding after an institution has spent the institutional portion of their HEERF Funds. The institution must post their first report by October 30, 2020, the first quarter of 2021 report by July 20, 2021, and post all other reports no later than 10 days after the end of each calendar quarter (October 10, January 10, April 10, and July 10). ? Section 18004(e) of the CARES Act and Section 314(e) of the CRRSAA require an institution receiving funds under HEERF to submit a report to the Secretary of the ED at ?such time in such a manner as the Secretary may require?. ? Federal regulation [2 CFR 200.334] states that ?financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.? The instructions for the Quarterly HEERF Reporting Form notes, ?any changes or updates after the initial posting must be conspicuously noted after initial posting and the date of the change must be noted in the `Date of Report? line.? ? Federal regulation [2 CFR 200.303] states that the University, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The University signed a HEERF Certification and Agreement to accept the funding and acknowledge its responsibilities under the grant; therefore, the University was responsible under the Agreement to ensure that it complied with HEERF reporting and other requirements. What problems did the audit work identify? We determined that 2 out of 5 reports tested (40 percent) did not meet the HEERF grant report posting requirements. Specifically: ? The University did not post the HEERF CRRSAA Student quarterly report for the quarter ending September 30, 2021 on the University?s primary website, as required. ? The University published the HEERF ARP Student quarterly report for the quarter ending March 31, 2022 on May 26, 2022?46 days past the due date of April 10, 2022. No issues were noted on the accuracy of the financial information on this report. Why did these problems occur? The University did not implement adequate internal controls to ensure it complied with the HEERF grant reporting requirements. Specifically, the University did not have appropriate policies and procedures in place to ensure that staff submit the required reports within federally required timeframes. Why do these problems matter? Federal oversight agencies, including ED, depend on accurate reports to measure program results and states? compliance with federal requirements. By failing to report the HEERF spending information in accordance with federal regulations, the University failed to comply with the requirements of the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-063 Metropolitan State University of Denver (University) should strengthen its internal controls over reporting and ensure it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by developing and documenting policies and procedures for identifying and researching the specific reporting requirements and ensuring that staff post to the University?s website the required reports within federally required timeframes. In addition, the University should ensure that all the HEERF reports that are currently required to be posted are on the website. Response Metropolitan State University Agree Implementation Date: December 2022 In December 2022, the Office of Financial Aid strengthened its internal control over the reporting requirements for the Higher Education Emergency Relief Fund (HEERF), by adding the report due dates to the internal operational calendar. Additional level reviews were also added to the submission process before the required reports will be sent to the Department of Education and posted on the financial aid website.
Finding 2022-064 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide emergency financial assistance to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the University under the Higher Education Emergency Relief Fund (HEERF I) Program. The federal Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the federal American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Each of the University?s campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (DOE) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements of the HEERF program there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The DOE specified that the Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The University?s campuses are required to submit the annual report directly to the DOE. During Fiscal Year 2022, each University campus was required to complete and post 8 reports (four Student Aid and four Institutional) to their website. During Fiscal Year 2022, the University?s three campuses in total expended approximately $60 million in HEERF grant funds: $27 million was expended by the Boulder campus, $10.5 million was expended by the Colorado Springs campus, and $22.5 million was expended by the Denver campus. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over and complied with the HEERF grant reporting requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls over the HEERF grant reporting requirements. In addition, we tested 11 of the 12 student reports and 3 of the 12 institutional reports posted by the University during Fiscal Year 2022 to determine whether the University campuses posted the required information on each campus? website accurately, and by the federal due dates. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? The DOE issued a notice on May 13, 2021, requiring institutions to publicly post their required HEERF reports on the institution?s website as soon as possible, but no later than 30 days after the publication of the notice, or 30 days after the date the DOE first obligated funds under HEERF I, II, or III to the institution for emergency financial assistance to students; whichever comes later. The institution is required to post the report no later than 10 days after the end of each calendar quarter, after the initial posting. ? Federal regulation [2 CFR 200.303] states that the System?s campuses, as federal grant recipients, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? What problem did the audit work identify? We identified 2 out of the 14 reports tested (14.3 percent) that did not meet the HEERF grant report posting requirements. Specifically, the University of Colorado, Colorado Springs Campus, did not post the required information for the HEERF Student Aid Portion on its website for two of four quarters of Fiscal Year 2022 timely. First, the University posted the quarter-ending September 30, 2021 report to its website on December 23, 2021, or 74 days after the deadline of October 10. Second, the University did not post the quarter-ending March 31, 2022 report, which was due April 10, 2022, until October 2022, after we notified them of the error; this was approximately 6 months late. We did not identify any issues with the accuracy of the reports, and we found that the other two campuses in the University of Colorado System posted the required information on their respective websites as required by federal regulations. Why did this problem occur? The University?s Colorado Springs campus did not have adequate internal controls in place to ensure it complied with the HEERF grant reporting requirements. Specifically, the Colorado Springs Campus did not have appropriate policies and procedures in place for identifying and researching changes in HEERF reporting requirements. The federal government updated and provided a new form for HEERF reporting in September 2021 that included a section for institutional information but inadvertently excluded student information from the form. Because the form no longer required the student information, the Colorado Springs campus staff inaccurately assumed that the student information was no longer required to be reported. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in the DOE Certification and Agreement that is signed and agreed to by the University. By failing to report required information in accordance with federal regulations, the University failed to comply with the requirements of the HEERF program and potentially risks repercussions from the DOE as specified in the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-064 The University of Colorado?s Colorado Springs campus should strengthen its internal controls over and ensure that it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by establishing policies and procedures for identifying and researching changes in HEERF reporting requirements and posting reports to the campus website as required by federal regulations. Response University of Colorado Agree Implementation Date: Implemented Management agrees. After the notification of the missing HEERF report in December 2021, the UCCS Controller proposed a ?cross-check? process to ensure all future reporting is in compliance and reported in a timely manner. This process is used for both the quarterly and annual reporting process. In the quarterly reporting process, the UCCS Controller completes the institutional report and emails the report to the UCCS Financial Aid office Senior Executive Director for verification of the amounts and the data submitted. The Senior Executive Director then enters the student aid portion?s information and provides this to the UCCS Controller for verification of the data. Once verified, the report is uploaded to the UCCS website and a confirmation email is sent to the UCCS Controller as well as the heerfreporting@ed.gov for verification of completion of the website posting. This process has been duplicated with the annual reporting process. Before the annual report is submitted a review will be done to verify the report figures match the CU financials for the calendar year.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Finding 2022-074 Coronavirus Relief Funds?Property Owner Preservation Program The President of the United States issued the Proclamation on Declaring a National Emergency Concerning the Novel Coronavirus Disease (COVID-19) Outbreak on March 13, 2020 and Congress subsequently passed the Coronavirus Aid, Relief, and Economic Security (CARES) Act. The CARES Act provided emergency assistance in response to the COVID-19 pandemic and established the Coronavirus Relief Fund (CRF) program, which provided payments to state, local, and tribal governments navigating the impact of COVID-19. The State of Colorado received approximately $1.67 billion of CRF funds in April 2020, and the Governor issued Executive Order 2020-070 (Executive Order) in May 2020 to disburse the CRF funds to numerous state departments and agencies. In June 2020, the State passed House Bill 20-1410, concerning assistance for individuals facing a housing-related hardship due to the COVID-19 pandemic, and transferred approximately $19.7 million of CRF funds to the Housing Development Grant Fund to provide such assistance. This bill includes a provision for the Property Owners Preservation Program (Program), which was managed by the Department, to allow landlords and property owners to seek rental assistance on behalf of their tenants who experienced a financial need on or after March 1, 2020, due to the effects of the COVID-19 pandemic. In Fiscal Year 2021, the Department expended the $19.7 million of the CRF funds it received in April 2020, for the Property Owners Preservation Program (POPP). What was the purpose of our audit work and what work was performed? The purpose of the audit work was to follow up on our prior year audit recommendation, which recommended that the Department implement internal controls to ensure it complies with federal regulations for any new federal funds it receives, such as the CRF. The Department planned to implement this recommendation by June 2022. During the Fiscal Year 2022 audit, we inquired with the Department on the implementation status of this recommendation. We also obtained and reviewed the Department?s Exhibit K3, Schedule of Prior Year Audit Recommendation Status, which it was required to submit to the State Controller. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Under House Bill 20-1410, the Housing Development Grant Fund was appropriated $19,650,000 of funds from the CRF for the purpose of providing individuals and households who, on or after March 1, 2020, experienced financial need due to the COVID-19 pandemic or effects of the COVID-19 pandemic, with rental assistance. The House Bill also provided guidance on how to access additional housing services. The Department developed and issued a new application for the POPP to address the criteria for experiencing direct or indirect impacts of the COVID-19 pandemic. ? Federal regulations [2 CFR 200.303] require that the Department, as a federal grant recipient, ?establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.? Furthermore, in accordance with 2 CFR part 200, subpart E, the Department must determine that amounts paid with federal grant funds were necessary and reasonable for the performance of the federal award and are adequately documented. Therefore, the Department must maintain appropriate supporting documentation to verify costs were properly charged to the federal grants. ? The Office of the State Controller (OSC) requires each department that had a prior audit recommendation that was reported in the prior fiscal year?s Office of the State Auditor Statewide audit to complete an Exhibit K3 to report the Department?s determination of the status of their recommendation as of June 30. Possible status descriptions include ?Implemented,? ?Partially Implemented,? ?Not Implemented,? and ?No Longer Valid.? The Department must provide an explanation for each recommendation status. What problem did the audit work identify? We determined that the Department did not implement the prior year?s recommendation by its planned implementation date of June 2022. Specifically, during prior year audit work, we found that the Department could not provide appropriate underlying support for 4 of the 60 transactions (7 percent) we tested that were charged as CRF expenditures for the Program; as a result, we recommended that the Department strengthen its internal controls over federal grant spending, including that it develop and implement policies and procedures with a requirement that Department staff review and maintain records supporting its expenditures charged to federal programs. When we inquired of the Department about what steps it had taken to implement the recommendation, Department staff indicated that they did not implement the recommendation during Fiscal Year 2022. Why did this problem occur? The Department reported on its Exhibit K3 that it determined that the original implementation date of June 2022 that the Department provided as its planned implementation date for our Fiscal Year 2021 recommendation was unrealistic, given the Department?s staffing challenges. Specifically, the Department indicated that it was not able to allocate sufficient time to develop and implement the recommended policy and procedure guidance by the end of Fiscal Year 2022. Why does this problem matter? The Department?s lack of sufficient internal controls over the maintenance of complete and accurate records for the federal CRF monies could result in inadequate documentation to support its payments and ultimately, disallowed federal costs and potential sanctions. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-074 The Department of Local Affairs (Department) should implement internal controls to ensure it complies with federal regulations, specifically for activities allowed or unallowed and allowable costs/cost principles, for any new federal funds it receives, such as the Coronavirus Relief Fund. This should include developing and implementing policies and procedures that include a requirement that Department staff review and maintain records supporting the expenditures charged to the federal program. Response Department of Local Affairs Agree Implementation Date: September 2022 The Division of Housing within the Department of Local Affairs has implemented internal controls to ensure compliance with federal regulations for new federal funds, including the development of a standard procedure and the requirement that Department staff review and maintain records supporting the expenditures charged to new federal programs.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Finding 2022-059 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF I) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund (Assistance Listing No. 84.425). The HEERF program contains two portions: the Student Aid portion (Assistance Listing No. 84.425E) and the Institutional portion, which is made up of the following: HEERF Institutional Aid Portion (Assistance Listing No. 84.425F), HEERF Minority Serving Institutions (Assistance Listing No. 84.425L), HEERF Strengthening Institutions Program (Assistance Listing No. 84.425M), Institutional Resilience and Expanded Postsecondary Opportunity (Assistance Listing No. 84.425P), and HEERF Supplemental Assistance to Institutions of Higher Education program (Assistance Listing No. 84.425S). Amounts provided to students through HEERF are considered to be ?Emergency Financial Aid Grants to Students? under the Program. Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent approximately $97.8 million for the HEERF program Student Aid portion which is used to award Emergency Financial Aid Grants to students and $113.9 million for the HEERF Institutional Portion, which is used to support the colleges. $117.3 of this amount was expended by the System during Fiscal Year 2022. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the ED to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The annual report is to be submitted directly to the ED. The ED has specified certain criteria that must be included in each report. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System had adequate internal controls in place over, and complied with, the HEERF Institutional and Student Aid grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the System?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 25 of the 117 HEERF reports submitted by the System?s campuses during Fiscal Year 2022 to determine whether the reports were posted on each campus? primary website (quarterly reports) or submitted to ED (annual reports) by the federal due dates. Furthermore, for the Student Aid Quarterly Report we requested from each Campus the underlying support for the reports, which consisted of student data detailing how much aid was awarded and the methods the campuses used to determine which students would receive Emergency Financial Aid Grants. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? On May 13, 2021, the ED published in the Federal Register a notice for student aid public reporting under CRRSAA and ARP, which requires that institutions publicly post certain information on their website. The following information must appear in a format and location that is easily accessible to the public: o An acknowledgement that the institution signed and returned to the ED the Certification and Agreement and the assurance that the institution has used the applicable amount of funds designated under the CRRSAA and ARP programs to provide Emergency Financial Aid Grants to Students. o The total amount of funds that the institution will receive or has received from the ED pursuant to the institution's Certification and Agreement for Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total amount of Emergency Financial Aid Grants distributed to students under the CRRSAA and ARP programs as of the date of submission (i.e., as of the initial report and every calendar quarter thereafter). o The estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total number of students who have received an Emergency Financial Aid Grant to students under the CRRSAA and ARP programs. o The method(s) used by the institution to determine which students receive Emergency Financial Aid Grants and how much they would receive under the CRRSAA and ARP programs. o Any instructions, directions, or guidance provided by the institution to students concerning the Emergency Financial Aid Grants. ? Federal Uniform Guidance [2 CFR 200.303] requires that recipients of federal awards have internal controls in place to ensure that federal reports are accurate and report complete information. Appropriate supporting documentation is evidence of such internal controls. What problems did the audit work identify? We identified issues with 5 of the 25 Fiscal Year 2022 reports we tested (20 percent). Specifically, Front Range Community College (FRCC), Pueblo Community College (PCC), and Lamar Community College (LCC) could not provide appropriate supporting documentation for one or more of the following data elements in five of the Student Aid Quarterly Reports: student data detailing (a) the total amount of Emergency Financial Aid Grants distributed to students, (b) the total number of students eligible to receive Emergency Financial Aid Grants and/or (c) the total number of students at the institution who have received an Emergency Financial Aid Grant. The specific issues we found the following: ? FRCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended September 30, 2021 as 20,684; based on our review, we determined the supported number was 20,782. ? FRCC reported the total number of students at the institution who have received an Emergency Financial Aid Grant for the quarter ended June 30, 2022 as 20,385 (student portion) and 3,207 (institutional portion); based on our review, we determined the supported numbers were 20,401 and 3,222, respectively. ? LCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended June 30, 2022 as 1,007; based on our review, we determined the supported number was 1,034. In addition, the amount disbursed directly to student emergency financial aid grants to date was reported as 961 and total for all HEERF funds was 1,124; based on our review, we determined the supported numbers were 988 and 1,151, respectively. ? PCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarters ending September 30, 2021 and December 31, 2021 as 3,191; based on our review, we determined this amount could not be supported and PCC did not provide a revised count. Why did these problems occur? FRCC, PCC, and LCC campuses did not have procedures in place to ensure that supporting documentation was maintained for its Student Aid Quarterly Reporting. Employee turnover in the FRCC Controller position and FRCC, PCC, and LCC Student Financial Aid Director positions further contributed to FRCC, PCC, and LCC?s inability to locate or recreate the supporting documentation. Why do these problems matter? It is important for FRCC, PCC, and LCC to ensure that they obtain and maintain appropriate documentation to support amounts reported to federal awarding agencies, especially when they are the basis for determining FRCC, PCC, and LCC?s compliance with specific federal program requirements. This issue could lead to inaccurate federal reporting and potential noncompliance, which could result in the federal government requiring FRCC, PCC, and LCC to return funds or a negative impact to the System?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-059 Front Range Community College, Lamar Community College, and Pueblo Community College campuses should strengthen their internal controls over federal reporting and ensure they comply with the Higher Education Emergency Relief Fund reporting requirements by reviewing reports for accuracy and developing procedures for ensuring the required maintenance of all related supporting documentation. Response Front Range Community College Agree Implementation Date: September 2022 Moving forward the Director of Financial Aid will engage the Restricted Funds Accountants in a quality assurance review of both dollars spent, type of fund, and student counts before it is submitted for final review and publishing by the Director of Resource Development and Senior Grant Administrator. The most recently submitted information for the quarterly report of September 30, 2022 will be sent to the Restricted Funds Accountants to validate that FRCC has been and will continue to be in compliance for quarterly HEERF reporting. Response Lamar Community College Agree Implementation Date: July 2022 The Financial Aid Director and the Controller will compile their reporting support on the shared drive they utilize for other routine purposes as well, to ensure clear documentation of the numbers reported. The original report containing errors was corrected, validated, and reposted. All past year?s reporting data was made available on the shared drive as of July 2022. Response Pueblo Community College Agree Implementation Date: October 2022 Each quarter Financial aid will obtain and compare Cognos and Banner disbursement reports for accuracy. Once the unduplicated student count is determined it will be sent to the Vice President of Student Success to validate and approve going forward. Financial aid will ensure staff maintain supporting documentation for any institutional expenditures information that was obtained from the fiscal office. Disbursement and expenditure data will be compiled for the Department of Education?s Quarterly Report by the submission deadline and will be submitted as PDF to webmaster for posting on PCC?s website and a copy emailed to a contact at the Department of Education and will archive the submission for future reference.
Finding 2022-064 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide emergency financial assistance to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the University under the Higher Education Emergency Relief Fund (HEERF I) Program. The federal Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the federal American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Each of the University?s campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (DOE) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements of the HEERF program there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The DOE specified that the Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The University?s campuses are required to submit the annual report directly to the DOE. During Fiscal Year 2022, each University campus was required to complete and post 8 reports (four Student Aid and four Institutional) to their website. During Fiscal Year 2022, the University?s three campuses in total expended approximately $60 million in HEERF grant funds: $27 million was expended by the Boulder campus, $10.5 million was expended by the Colorado Springs campus, and $22.5 million was expended by the Denver campus. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over and complied with the HEERF grant reporting requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls over the HEERF grant reporting requirements. In addition, we tested 11 of the 12 student reports and 3 of the 12 institutional reports posted by the University during Fiscal Year 2022 to determine whether the University campuses posted the required information on each campus? website accurately, and by the federal due dates. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? The DOE issued a notice on May 13, 2021, requiring institutions to publicly post their required HEERF reports on the institution?s website as soon as possible, but no later than 30 days after the publication of the notice, or 30 days after the date the DOE first obligated funds under HEERF I, II, or III to the institution for emergency financial assistance to students; whichever comes later. The institution is required to post the report no later than 10 days after the end of each calendar quarter, after the initial posting. ? Federal regulation [2 CFR 200.303] states that the System?s campuses, as federal grant recipients, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? What problem did the audit work identify? We identified 2 out of the 14 reports tested (14.3 percent) that did not meet the HEERF grant report posting requirements. Specifically, the University of Colorado, Colorado Springs Campus, did not post the required information for the HEERF Student Aid Portion on its website for two of four quarters of Fiscal Year 2022 timely. First, the University posted the quarter-ending September 30, 2021 report to its website on December 23, 2021, or 74 days after the deadline of October 10. Second, the University did not post the quarter-ending March 31, 2022 report, which was due April 10, 2022, until October 2022, after we notified them of the error; this was approximately 6 months late. We did not identify any issues with the accuracy of the reports, and we found that the other two campuses in the University of Colorado System posted the required information on their respective websites as required by federal regulations. Why did this problem occur? The University?s Colorado Springs campus did not have adequate internal controls in place to ensure it complied with the HEERF grant reporting requirements. Specifically, the Colorado Springs Campus did not have appropriate policies and procedures in place for identifying and researching changes in HEERF reporting requirements. The federal government updated and provided a new form for HEERF reporting in September 2021 that included a section for institutional information but inadvertently excluded student information from the form. Because the form no longer required the student information, the Colorado Springs campus staff inaccurately assumed that the student information was no longer required to be reported. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in the DOE Certification and Agreement that is signed and agreed to by the University. By failing to report required information in accordance with federal regulations, the University failed to comply with the requirements of the HEERF program and potentially risks repercussions from the DOE as specified in the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-064 The University of Colorado?s Colorado Springs campus should strengthen its internal controls over and ensure that it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by establishing policies and procedures for identifying and researching changes in HEERF reporting requirements and posting reports to the campus website as required by federal regulations. Response University of Colorado Agree Implementation Date: Implemented Management agrees. After the notification of the missing HEERF report in December 2021, the UCCS Controller proposed a ?cross-check? process to ensure all future reporting is in compliance and reported in a timely manner. This process is used for both the quarterly and annual reporting process. In the quarterly reporting process, the UCCS Controller completes the institutional report and emails the report to the UCCS Financial Aid office Senior Executive Director for verification of the amounts and the data submitted. The Senior Executive Director then enters the student aid portion?s information and provides this to the UCCS Controller for verification of the data. Once verified, the report is uploaded to the UCCS website and a confirmation email is sent to the UCCS Controller as well as the heerfreporting@ed.gov for verification of completion of the website posting. This process has been duplicated with the annual reporting process. Before the annual report is submitted a review will be done to verify the report figures match the CU financials for the calendar year.
Finding 2022-063 Higher Education Emergency Relief Fund Reporting Compliance Finding The CARES Act was signed into law on March 27, 2020, and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the (HEERF Program. CRRSAA was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Since April 2020, the University has been awarded a total of $86.3 million in HEERF funding. From inception through June 30, 2022, the University spent $35.4 million for the HEERF program Student Aid Portion and $48.9 million for the HEERF program Institutional Portion. The University reports that it will spend the remaining amount of funding during Fiscal Year 2023. The University signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate the University?s acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The ED specified that Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The annual report is to be submitted directly to the federal ED. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University had adequate internal controls in place over and complied with HEERF Institutional and Student Aid Portion grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the University?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 5 of the 8 HEERF reports submitted by the University during Fiscal Year 2022 to determine whether the reports were posted on the University?s primary website or submitted directly to the ED by the federal due dates and complied with federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? For the Student Aid Portion, beginning on May 6, 2020, the ED required institutions to publicly post certain information on their website, including the number of awards distributed to students, the total amount awarded, and the methodologies used by the institution to determine which students receive awards, no later than 30 days after the award date, and to update that information every 45 days thereafter (by posting a new report). ? On August 31, 2020, the ED revised the reporting requirement by decreasing the frequency of reporting after the initial 30-day period from every 45 days thereafter to every calendar quarter. This revision from every 45 days to a calendar quarter was effective for the first calendar quarter report due by October 10, 2020, and covering the period from after the institution?s last report through the end of the calendar quarter on September 30, 2020. ? For the Institutional Portion, a federal form filled out by the institution must be posted on the institution?s website covering aggregate expenditure amounts for each calendar quarter (September 30, December 31, March 31, and June 30) and concluding after an institution has spent the institutional portion of their HEERF Funds. The institution must post their first report by October 30, 2020, the first quarter of 2021 report by July 20, 2021, and post all other reports no later than 10 days after the end of each calendar quarter (October 10, January 10, April 10, and July 10). ? Section 18004(e) of the CARES Act and Section 314(e) of the CRRSAA require an institution receiving funds under HEERF to submit a report to the Secretary of the ED at ?such time in such a manner as the Secretary may require?. ? Federal regulation [2 CFR 200.334] states that ?financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.? The instructions for the Quarterly HEERF Reporting Form notes, ?any changes or updates after the initial posting must be conspicuously noted after initial posting and the date of the change must be noted in the `Date of Report? line.? ? Federal regulation [2 CFR 200.303] states that the University, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The University signed a HEERF Certification and Agreement to accept the funding and acknowledge its responsibilities under the grant; therefore, the University was responsible under the Agreement to ensure that it complied with HEERF reporting and other requirements. What problems did the audit work identify? We determined that 2 out of 5 reports tested (40 percent) did not meet the HEERF grant report posting requirements. Specifically: ? The University did not post the HEERF CRRSAA Student quarterly report for the quarter ending September 30, 2021 on the University?s primary website, as required. ? The University published the HEERF ARP Student quarterly report for the quarter ending March 31, 2022 on May 26, 2022?46 days past the due date of April 10, 2022. No issues were noted on the accuracy of the financial information on this report. Why did these problems occur? The University did not implement adequate internal controls to ensure it complied with the HEERF grant reporting requirements. Specifically, the University did not have appropriate policies and procedures in place to ensure that staff submit the required reports within federally required timeframes. Why do these problems matter? Federal oversight agencies, including ED, depend on accurate reports to measure program results and states? compliance with federal requirements. By failing to report the HEERF spending information in accordance with federal regulations, the University failed to comply with the requirements of the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-063 Metropolitan State University of Denver (University) should strengthen its internal controls over reporting and ensure it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by developing and documenting policies and procedures for identifying and researching the specific reporting requirements and ensuring that staff post to the University?s website the required reports within federally required timeframes. In addition, the University should ensure that all the HEERF reports that are currently required to be posted are on the website. Response Metropolitan State University Agree Implementation Date: December 2022 In December 2022, the Office of Financial Aid strengthened its internal control over the reporting requirements for the Higher Education Emergency Relief Fund (HEERF), by adding the report due dates to the internal operational calendar. Additional level reviews were also added to the submission process before the required reports will be sent to the Department of Education and posted on the financial aid website.
Finding 2022-062 Higher Education Emergency Relief Fund Student Aid Finding The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to higher education institutions, including the University, under the HEERF program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA) was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. Since March 11, 2021, the University has been awarded $45.6 million in HEERF grant funds through the American Rescue Plan (ARP), otherwise known as HEERF III. Of this award, the University was provided both 1) Student Aid monies, along with 2) Institutional Aid monies. Student Aid monies must be used to provide financial aid grants to students (including students exclusively enrolled in distance education), which may be used for ?any component of the student?s cost of attendance or for emergency costs that arise due to coronavirus, such as tuition, food, housing, healthcare (including mental health care), or childcare. Institutional Aid monies may be used to defray expenses associated with coronavirus (including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll) and to make additional financial grants to students. During Fiscal Year 2022, the University spent $21.0 million for the Student Aid portion and $20.2 million for the Institutional portion of HEERF III funds. For the Student Aid portion of the HEERF III funding, the University divided the funding into different groups. The University developed a written plan (that applied during Fiscal Year 2022) for each group and a control process for awarding the monies to students. One of the groups of funding was to be awarded to students with unpaid balances in their tuition or auxiliary accounts with past due balances incurred during the 2020-2021 or 2021-2022 academic years. A team of University employees (CARES Team) was tasked with identifying those students, then contacting those students and asking if they would like the University to apply the student?s HEERF award to pay down the student?s account balance or pay it to the student directly. Once the student informed the University of their election, then the University awarded and disbursed the funds. What was the purpose of our audit work and what was performed? The purpose of the audit work was to determine whether the University was in compliance with the HEERF program regulations for awarding and paying the Student Aid portion of the HEERF funding, and whether proper controls were in place over the program during Fiscal Year 2022. Our testing included conducting interviews with management and selecting a sample of 60 disbursements made to students during Fiscal Year 2022 to test controls and compliance. We performed testing on the 60 disbursements to determine whether awards and disbursements were made in accordance with the University?s documented plan. How were the results of the audit work measured? In accordance with HEERF III requirements, the University must prioritize student aid distributions to students with exceptional needs. In addition, the University must have a documented plan to distribute funds to students. Federal regulations [2 CFR 200.303] require any non-federal grant award recipient to establish and maintain effective internal control over the federal award that provides reasonable assurance that the grant award recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. Lastly, student aid application best practices discourage employees from awarding aid to family members. What problem did the audit work identify? Based on interviews with University management, the University identified that a University employee inappropriately provided $700 in HEERF Student Aid funding to the employee?s family member who was a student at the University but was not eligible to receive the funds. Specifically, the CARES Team selected students to receive these funds that met the following criteria: 1) Student was enrolled in the Fall of 2021 or Spring 2022, 2) student had past due balances incurred during the 2020-2021 or 2021-2022 academic years, 3) the student was in good academic standing, and 4) they were participating in a payment plan or in the College Completion Advising program. The student was not selected by the CARES Team as eligible to receive these funds. During our testing of additional 60 student disbursement transactions we found no other exceptions. Why did this problem occur? The University has not established proper segregation of duties to prevent University employees from awarding federal funding to a member of their family. Specifically, the employee had access rights within the University?s financial aid system that granted the employee the ability to both award and disburse federal funds without another employee reviewing or approving. In addition, the University did not have a written policy, as recommended by industry best practices, that prohibits employees from applying aid to family members? accounts. Why does this problem matter? Federal funds that are misapplied or used for unallowable purposes could be subject to repayment from the University to the federal granting agency. Without ensuring adequate segregation of duties within the University?s financial aid system for awarding and disbursing federal funds, the University increases the risk that fraud could occur. In the instance identified, the University recovered the funding from the student. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-062 Metropolitan State University of Denver (University) should improve its internal controls over federal Higher Education Emergency Relief Funds by instituting appropriate segregation of duties over the awarding of federal funds to students. This should include requiring that no one employee can both award then disburse aid to students and developing and implementing a formal written policy that prohibits University employees from awarding financial aid to their family members. Response Metropolitan State University Agree Implementation Date: June 2023 In January 2023, the Executive Director of Financial Aid and Scholarships implemented a code of conduct that addresses and prohibits University personnel from awarding financial aid to their family members or other persons considered conflicts of interest. The Office of Financial Aid and Scholarships will draft policy by June 30, 2023, to address the segregation of duties that prohibits awarding and disbursing federal, state, or institutional funding to students by one employee.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-064 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide emergency financial assistance to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the University under the Higher Education Emergency Relief Fund (HEERF I) Program. The federal Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the federal American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Each of the University?s campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (DOE) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements of the HEERF program there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The DOE specified that the Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The University?s campuses are required to submit the annual report directly to the DOE. During Fiscal Year 2022, each University campus was required to complete and post 8 reports (four Student Aid and four Institutional) to their website. During Fiscal Year 2022, the University?s three campuses in total expended approximately $60 million in HEERF grant funds: $27 million was expended by the Boulder campus, $10.5 million was expended by the Colorado Springs campus, and $22.5 million was expended by the Denver campus. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over and complied with the HEERF grant reporting requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls over the HEERF grant reporting requirements. In addition, we tested 11 of the 12 student reports and 3 of the 12 institutional reports posted by the University during Fiscal Year 2022 to determine whether the University campuses posted the required information on each campus? website accurately, and by the federal due dates. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? The DOE issued a notice on May 13, 2021, requiring institutions to publicly post their required HEERF reports on the institution?s website as soon as possible, but no later than 30 days after the publication of the notice, or 30 days after the date the DOE first obligated funds under HEERF I, II, or III to the institution for emergency financial assistance to students; whichever comes later. The institution is required to post the report no later than 10 days after the end of each calendar quarter, after the initial posting. ? Federal regulation [2 CFR 200.303] states that the System?s campuses, as federal grant recipients, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? What problem did the audit work identify? We identified 2 out of the 14 reports tested (14.3 percent) that did not meet the HEERF grant report posting requirements. Specifically, the University of Colorado, Colorado Springs Campus, did not post the required information for the HEERF Student Aid Portion on its website for two of four quarters of Fiscal Year 2022 timely. First, the University posted the quarter-ending September 30, 2021 report to its website on December 23, 2021, or 74 days after the deadline of October 10. Second, the University did not post the quarter-ending March 31, 2022 report, which was due April 10, 2022, until October 2022, after we notified them of the error; this was approximately 6 months late. We did not identify any issues with the accuracy of the reports, and we found that the other two campuses in the University of Colorado System posted the required information on their respective websites as required by federal regulations. Why did this problem occur? The University?s Colorado Springs campus did not have adequate internal controls in place to ensure it complied with the HEERF grant reporting requirements. Specifically, the Colorado Springs Campus did not have appropriate policies and procedures in place for identifying and researching changes in HEERF reporting requirements. The federal government updated and provided a new form for HEERF reporting in September 2021 that included a section for institutional information but inadvertently excluded student information from the form. Because the form no longer required the student information, the Colorado Springs campus staff inaccurately assumed that the student information was no longer required to be reported. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in the DOE Certification and Agreement that is signed and agreed to by the University. By failing to report required information in accordance with federal regulations, the University failed to comply with the requirements of the HEERF program and potentially risks repercussions from the DOE as specified in the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-064 The University of Colorado?s Colorado Springs campus should strengthen its internal controls over and ensure that it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by establishing policies and procedures for identifying and researching changes in HEERF reporting requirements and posting reports to the campus website as required by federal regulations. Response University of Colorado Agree Implementation Date: Implemented Management agrees. After the notification of the missing HEERF report in December 2021, the UCCS Controller proposed a ?cross-check? process to ensure all future reporting is in compliance and reported in a timely manner. This process is used for both the quarterly and annual reporting process. In the quarterly reporting process, the UCCS Controller completes the institutional report and emails the report to the UCCS Financial Aid office Senior Executive Director for verification of the amounts and the data submitted. The Senior Executive Director then enters the student aid portion?s information and provides this to the UCCS Controller for verification of the data. Once verified, the report is uploaded to the UCCS website and a confirmation email is sent to the UCCS Controller as well as the heerfreporting@ed.gov for verification of completion of the website posting. This process has been duplicated with the annual reporting process. Before the annual report is submitted a review will be done to verify the report figures match the CU financials for the calendar year.
Finding 2022-062 Higher Education Emergency Relief Fund Student Aid Finding The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to higher education institutions, including the University, under the HEERF program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA) was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. Since March 11, 2021, the University has been awarded $45.6 million in HEERF grant funds through the American Rescue Plan (ARP), otherwise known as HEERF III. Of this award, the University was provided both 1) Student Aid monies, along with 2) Institutional Aid monies. Student Aid monies must be used to provide financial aid grants to students (including students exclusively enrolled in distance education), which may be used for ?any component of the student?s cost of attendance or for emergency costs that arise due to coronavirus, such as tuition, food, housing, healthcare (including mental health care), or childcare. Institutional Aid monies may be used to defray expenses associated with coronavirus (including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll) and to make additional financial grants to students. During Fiscal Year 2022, the University spent $21.0 million for the Student Aid portion and $20.2 million for the Institutional portion of HEERF III funds. For the Student Aid portion of the HEERF III funding, the University divided the funding into different groups. The University developed a written plan (that applied during Fiscal Year 2022) for each group and a control process for awarding the monies to students. One of the groups of funding was to be awarded to students with unpaid balances in their tuition or auxiliary accounts with past due balances incurred during the 2020-2021 or 2021-2022 academic years. A team of University employees (CARES Team) was tasked with identifying those students, then contacting those students and asking if they would like the University to apply the student?s HEERF award to pay down the student?s account balance or pay it to the student directly. Once the student informed the University of their election, then the University awarded and disbursed the funds. What was the purpose of our audit work and what was performed? The purpose of the audit work was to determine whether the University was in compliance with the HEERF program regulations for awarding and paying the Student Aid portion of the HEERF funding, and whether proper controls were in place over the program during Fiscal Year 2022. Our testing included conducting interviews with management and selecting a sample of 60 disbursements made to students during Fiscal Year 2022 to test controls and compliance. We performed testing on the 60 disbursements to determine whether awards and disbursements were made in accordance with the University?s documented plan. How were the results of the audit work measured? In accordance with HEERF III requirements, the University must prioritize student aid distributions to students with exceptional needs. In addition, the University must have a documented plan to distribute funds to students. Federal regulations [2 CFR 200.303] require any non-federal grant award recipient to establish and maintain effective internal control over the federal award that provides reasonable assurance that the grant award recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. Lastly, student aid application best practices discourage employees from awarding aid to family members. What problem did the audit work identify? Based on interviews with University management, the University identified that a University employee inappropriately provided $700 in HEERF Student Aid funding to the employee?s family member who was a student at the University but was not eligible to receive the funds. Specifically, the CARES Team selected students to receive these funds that met the following criteria: 1) Student was enrolled in the Fall of 2021 or Spring 2022, 2) student had past due balances incurred during the 2020-2021 or 2021-2022 academic years, 3) the student was in good academic standing, and 4) they were participating in a payment plan or in the College Completion Advising program. The student was not selected by the CARES Team as eligible to receive these funds. During our testing of additional 60 student disbursement transactions we found no other exceptions. Why did this problem occur? The University has not established proper segregation of duties to prevent University employees from awarding federal funding to a member of their family. Specifically, the employee had access rights within the University?s financial aid system that granted the employee the ability to both award and disburse federal funds without another employee reviewing or approving. In addition, the University did not have a written policy, as recommended by industry best practices, that prohibits employees from applying aid to family members? accounts. Why does this problem matter? Federal funds that are misapplied or used for unallowable purposes could be subject to repayment from the University to the federal granting agency. Without ensuring adequate segregation of duties within the University?s financial aid system for awarding and disbursing federal funds, the University increases the risk that fraud could occur. In the instance identified, the University recovered the funding from the student. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-062 Metropolitan State University of Denver (University) should improve its internal controls over federal Higher Education Emergency Relief Funds by instituting appropriate segregation of duties over the awarding of federal funds to students. This should include requiring that no one employee can both award then disburse aid to students and developing and implementing a formal written policy that prohibits University employees from awarding financial aid to their family members. Response Metropolitan State University Agree Implementation Date: June 2023 In January 2023, the Executive Director of Financial Aid and Scholarships implemented a code of conduct that addresses and prohibits University personnel from awarding financial aid to their family members or other persons considered conflicts of interest. The Office of Financial Aid and Scholarships will draft policy by June 30, 2023, to address the segregation of duties that prohibits awarding and disbursing federal, state, or institutional funding to students by one employee.
Finding 2022-063 Higher Education Emergency Relief Fund Reporting Compliance Finding The CARES Act was signed into law on March 27, 2020, and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the (HEERF Program. CRRSAA was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Since April 2020, the University has been awarded a total of $86.3 million in HEERF funding. From inception through June 30, 2022, the University spent $35.4 million for the HEERF program Student Aid Portion and $48.9 million for the HEERF program Institutional Portion. The University reports that it will spend the remaining amount of funding during Fiscal Year 2023. The University signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate the University?s acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The ED specified that Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The annual report is to be submitted directly to the federal ED. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University had adequate internal controls in place over and complied with HEERF Institutional and Student Aid Portion grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the University?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 5 of the 8 HEERF reports submitted by the University during Fiscal Year 2022 to determine whether the reports were posted on the University?s primary website or submitted directly to the ED by the federal due dates and complied with federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? For the Student Aid Portion, beginning on May 6, 2020, the ED required institutions to publicly post certain information on their website, including the number of awards distributed to students, the total amount awarded, and the methodologies used by the institution to determine which students receive awards, no later than 30 days after the award date, and to update that information every 45 days thereafter (by posting a new report). ? On August 31, 2020, the ED revised the reporting requirement by decreasing the frequency of reporting after the initial 30-day period from every 45 days thereafter to every calendar quarter. This revision from every 45 days to a calendar quarter was effective for the first calendar quarter report due by October 10, 2020, and covering the period from after the institution?s last report through the end of the calendar quarter on September 30, 2020. ? For the Institutional Portion, a federal form filled out by the institution must be posted on the institution?s website covering aggregate expenditure amounts for each calendar quarter (September 30, December 31, March 31, and June 30) and concluding after an institution has spent the institutional portion of their HEERF Funds. The institution must post their first report by October 30, 2020, the first quarter of 2021 report by July 20, 2021, and post all other reports no later than 10 days after the end of each calendar quarter (October 10, January 10, April 10, and July 10). ? Section 18004(e) of the CARES Act and Section 314(e) of the CRRSAA require an institution receiving funds under HEERF to submit a report to the Secretary of the ED at ?such time in such a manner as the Secretary may require?. ? Federal regulation [2 CFR 200.334] states that ?financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.? The instructions for the Quarterly HEERF Reporting Form notes, ?any changes or updates after the initial posting must be conspicuously noted after initial posting and the date of the change must be noted in the `Date of Report? line.? ? Federal regulation [2 CFR 200.303] states that the University, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The University signed a HEERF Certification and Agreement to accept the funding and acknowledge its responsibilities under the grant; therefore, the University was responsible under the Agreement to ensure that it complied with HEERF reporting and other requirements. What problems did the audit work identify? We determined that 2 out of 5 reports tested (40 percent) did not meet the HEERF grant report posting requirements. Specifically: ? The University did not post the HEERF CRRSAA Student quarterly report for the quarter ending September 30, 2021 on the University?s primary website, as required. ? The University published the HEERF ARP Student quarterly report for the quarter ending March 31, 2022 on May 26, 2022?46 days past the due date of April 10, 2022. No issues were noted on the accuracy of the financial information on this report. Why did these problems occur? The University did not implement adequate internal controls to ensure it complied with the HEERF grant reporting requirements. Specifically, the University did not have appropriate policies and procedures in place to ensure that staff submit the required reports within federally required timeframes. Why do these problems matter? Federal oversight agencies, including ED, depend on accurate reports to measure program results and states? compliance with federal requirements. By failing to report the HEERF spending information in accordance with federal regulations, the University failed to comply with the requirements of the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-063 Metropolitan State University of Denver (University) should strengthen its internal controls over reporting and ensure it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by developing and documenting policies and procedures for identifying and researching the specific reporting requirements and ensuring that staff post to the University?s website the required reports within federally required timeframes. In addition, the University should ensure that all the HEERF reports that are currently required to be posted are on the website. Response Metropolitan State University Agree Implementation Date: December 2022 In December 2022, the Office of Financial Aid strengthened its internal control over the reporting requirements for the Higher Education Emergency Relief Fund (HEERF), by adding the report due dates to the internal operational calendar. Additional level reviews were also added to the submission process before the required reports will be sent to the Department of Education and posted on the financial aid website.
Finding 2022-059 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF I) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund (Assistance Listing No. 84.425). The HEERF program contains two portions: the Student Aid portion (Assistance Listing No. 84.425E) and the Institutional portion, which is made up of the following: HEERF Institutional Aid Portion (Assistance Listing No. 84.425F), HEERF Minority Serving Institutions (Assistance Listing No. 84.425L), HEERF Strengthening Institutions Program (Assistance Listing No. 84.425M), Institutional Resilience and Expanded Postsecondary Opportunity (Assistance Listing No. 84.425P), and HEERF Supplemental Assistance to Institutions of Higher Education program (Assistance Listing No. 84.425S). Amounts provided to students through HEERF are considered to be ?Emergency Financial Aid Grants to Students? under the Program. Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent approximately $97.8 million for the HEERF program Student Aid portion which is used to award Emergency Financial Aid Grants to students and $113.9 million for the HEERF Institutional Portion, which is used to support the colleges. $117.3 of this amount was expended by the System during Fiscal Year 2022. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the ED to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The annual report is to be submitted directly to the ED. The ED has specified certain criteria that must be included in each report. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System had adequate internal controls in place over, and complied with, the HEERF Institutional and Student Aid grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the System?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 25 of the 117 HEERF reports submitted by the System?s campuses during Fiscal Year 2022 to determine whether the reports were posted on each campus? primary website (quarterly reports) or submitted to ED (annual reports) by the federal due dates. Furthermore, for the Student Aid Quarterly Report we requested from each Campus the underlying support for the reports, which consisted of student data detailing how much aid was awarded and the methods the campuses used to determine which students would receive Emergency Financial Aid Grants. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? On May 13, 2021, the ED published in the Federal Register a notice for student aid public reporting under CRRSAA and ARP, which requires that institutions publicly post certain information on their website. The following information must appear in a format and location that is easily accessible to the public: o An acknowledgement that the institution signed and returned to the ED the Certification and Agreement and the assurance that the institution has used the applicable amount of funds designated under the CRRSAA and ARP programs to provide Emergency Financial Aid Grants to Students. o The total amount of funds that the institution will receive or has received from the ED pursuant to the institution's Certification and Agreement for Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total amount of Emergency Financial Aid Grants distributed to students under the CRRSAA and ARP programs as of the date of submission (i.e., as of the initial report and every calendar quarter thereafter). o The estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total number of students who have received an Emergency Financial Aid Grant to students under the CRRSAA and ARP programs. o The method(s) used by the institution to determine which students receive Emergency Financial Aid Grants and how much they would receive under the CRRSAA and ARP programs. o Any instructions, directions, or guidance provided by the institution to students concerning the Emergency Financial Aid Grants. ? Federal Uniform Guidance [2 CFR 200.303] requires that recipients of federal awards have internal controls in place to ensure that federal reports are accurate and report complete information. Appropriate supporting documentation is evidence of such internal controls. What problems did the audit work identify? We identified issues with 5 of the 25 Fiscal Year 2022 reports we tested (20 percent). Specifically, Front Range Community College (FRCC), Pueblo Community College (PCC), and Lamar Community College (LCC) could not provide appropriate supporting documentation for one or more of the following data elements in five of the Student Aid Quarterly Reports: student data detailing (a) the total amount of Emergency Financial Aid Grants distributed to students, (b) the total number of students eligible to receive Emergency Financial Aid Grants and/or (c) the total number of students at the institution who have received an Emergency Financial Aid Grant. The specific issues we found the following: ? FRCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended September 30, 2021 as 20,684; based on our review, we determined the supported number was 20,782. ? FRCC reported the total number of students at the institution who have received an Emergency Financial Aid Grant for the quarter ended June 30, 2022 as 20,385 (student portion) and 3,207 (institutional portion); based on our review, we determined the supported numbers were 20,401 and 3,222, respectively. ? LCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended June 30, 2022 as 1,007; based on our review, we determined the supported number was 1,034. In addition, the amount disbursed directly to student emergency financial aid grants to date was reported as 961 and total for all HEERF funds was 1,124; based on our review, we determined the supported numbers were 988 and 1,151, respectively. ? PCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarters ending September 30, 2021 and December 31, 2021 as 3,191; based on our review, we determined this amount could not be supported and PCC did not provide a revised count. Why did these problems occur? FRCC, PCC, and LCC campuses did not have procedures in place to ensure that supporting documentation was maintained for its Student Aid Quarterly Reporting. Employee turnover in the FRCC Controller position and FRCC, PCC, and LCC Student Financial Aid Director positions further contributed to FRCC, PCC, and LCC?s inability to locate or recreate the supporting documentation. Why do these problems matter? It is important for FRCC, PCC, and LCC to ensure that they obtain and maintain appropriate documentation to support amounts reported to federal awarding agencies, especially when they are the basis for determining FRCC, PCC, and LCC?s compliance with specific federal program requirements. This issue could lead to inaccurate federal reporting and potential noncompliance, which could result in the federal government requiring FRCC, PCC, and LCC to return funds or a negative impact to the System?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-059 Front Range Community College, Lamar Community College, and Pueblo Community College campuses should strengthen their internal controls over federal reporting and ensure they comply with the Higher Education Emergency Relief Fund reporting requirements by reviewing reports for accuracy and developing procedures for ensuring the required maintenance of all related supporting documentation. Response Front Range Community College Agree Implementation Date: September 2022 Moving forward the Director of Financial Aid will engage the Restricted Funds Accountants in a quality assurance review of both dollars spent, type of fund, and student counts before it is submitted for final review and publishing by the Director of Resource Development and Senior Grant Administrator. The most recently submitted information for the quarterly report of September 30, 2022 will be sent to the Restricted Funds Accountants to validate that FRCC has been and will continue to be in compliance for quarterly HEERF reporting. Response Lamar Community College Agree Implementation Date: July 2022 The Financial Aid Director and the Controller will compile their reporting support on the shared drive they utilize for other routine purposes as well, to ensure clear documentation of the numbers reported. The original report containing errors was corrected, validated, and reposted. All past year?s reporting data was made available on the shared drive as of July 2022. Response Pueblo Community College Agree Implementation Date: October 2022 Each quarter Financial aid will obtain and compare Cognos and Banner disbursement reports for accuracy. Once the unduplicated student count is determined it will be sent to the Vice President of Student Success to validate and approve going forward. Financial aid will ensure staff maintain supporting documentation for any institutional expenditures information that was obtained from the fiscal office. Disbursement and expenditure data will be compiled for the Department of Education?s Quarterly Report by the submission deadline and will be submitted as PDF to webmaster for posting on PCC?s website and a copy emailed to a contact at the Department of Education and will archive the submission for future reference.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-074 Coronavirus Relief Funds?Property Owner Preservation Program The President of the United States issued the Proclamation on Declaring a National Emergency Concerning the Novel Coronavirus Disease (COVID-19) Outbreak on March 13, 2020 and Congress subsequently passed the Coronavirus Aid, Relief, and Economic Security (CARES) Act. The CARES Act provided emergency assistance in response to the COVID-19 pandemic and established the Coronavirus Relief Fund (CRF) program, which provided payments to state, local, and tribal governments navigating the impact of COVID-19. The State of Colorado received approximately $1.67 billion of CRF funds in April 2020, and the Governor issued Executive Order 2020-070 (Executive Order) in May 2020 to disburse the CRF funds to numerous state departments and agencies. In June 2020, the State passed House Bill 20-1410, concerning assistance for individuals facing a housing-related hardship due to the COVID-19 pandemic, and transferred approximately $19.7 million of CRF funds to the Housing Development Grant Fund to provide such assistance. This bill includes a provision for the Property Owners Preservation Program (Program), which was managed by the Department, to allow landlords and property owners to seek rental assistance on behalf of their tenants who experienced a financial need on or after March 1, 2020, due to the effects of the COVID-19 pandemic. In Fiscal Year 2021, the Department expended the $19.7 million of the CRF funds it received in April 2020, for the Property Owners Preservation Program (POPP). What was the purpose of our audit work and what work was performed? The purpose of the audit work was to follow up on our prior year audit recommendation, which recommended that the Department implement internal controls to ensure it complies with federal regulations for any new federal funds it receives, such as the CRF. The Department planned to implement this recommendation by June 2022. During the Fiscal Year 2022 audit, we inquired with the Department on the implementation status of this recommendation. We also obtained and reviewed the Department?s Exhibit K3, Schedule of Prior Year Audit Recommendation Status, which it was required to submit to the State Controller. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Under House Bill 20-1410, the Housing Development Grant Fund was appropriated $19,650,000 of funds from the CRF for the purpose of providing individuals and households who, on or after March 1, 2020, experienced financial need due to the COVID-19 pandemic or effects of the COVID-19 pandemic, with rental assistance. The House Bill also provided guidance on how to access additional housing services. The Department developed and issued a new application for the POPP to address the criteria for experiencing direct or indirect impacts of the COVID-19 pandemic. ? Federal regulations [2 CFR 200.303] require that the Department, as a federal grant recipient, ?establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.? Furthermore, in accordance with 2 CFR part 200, subpart E, the Department must determine that amounts paid with federal grant funds were necessary and reasonable for the performance of the federal award and are adequately documented. Therefore, the Department must maintain appropriate supporting documentation to verify costs were properly charged to the federal grants. ? The Office of the State Controller (OSC) requires each department that had a prior audit recommendation that was reported in the prior fiscal year?s Office of the State Auditor Statewide audit to complete an Exhibit K3 to report the Department?s determination of the status of their recommendation as of June 30. Possible status descriptions include ?Implemented,? ?Partially Implemented,? ?Not Implemented,? and ?No Longer Valid.? The Department must provide an explanation for each recommendation status. What problem did the audit work identify? We determined that the Department did not implement the prior year?s recommendation by its planned implementation date of June 2022. Specifically, during prior year audit work, we found that the Department could not provide appropriate underlying support for 4 of the 60 transactions (7 percent) we tested that were charged as CRF expenditures for the Program; as a result, we recommended that the Department strengthen its internal controls over federal grant spending, including that it develop and implement policies and procedures with a requirement that Department staff review and maintain records supporting its expenditures charged to federal programs. When we inquired of the Department about what steps it had taken to implement the recommendation, Department staff indicated that they did not implement the recommendation during Fiscal Year 2022. Why did this problem occur? The Department reported on its Exhibit K3 that it determined that the original implementation date of June 2022 that the Department provided as its planned implementation date for our Fiscal Year 2021 recommendation was unrealistic, given the Department?s staffing challenges. Specifically, the Department indicated that it was not able to allocate sufficient time to develop and implement the recommended policy and procedure guidance by the end of Fiscal Year 2022. Why does this problem matter? The Department?s lack of sufficient internal controls over the maintenance of complete and accurate records for the federal CRF monies could result in inadequate documentation to support its payments and ultimately, disallowed federal costs and potential sanctions. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-074 The Department of Local Affairs (Department) should implement internal controls to ensure it complies with federal regulations, specifically for activities allowed or unallowed and allowable costs/cost principles, for any new federal funds it receives, such as the Coronavirus Relief Fund. This should include developing and implementing policies and procedures that include a requirement that Department staff review and maintain records supporting the expenditures charged to the federal program. Response Department of Local Affairs Agree Implementation Date: September 2022 The Division of Housing within the Department of Local Affairs has implemented internal controls to ensure compliance with federal regulations for new federal funds, including the development of a standard procedure and the requirement that Department staff review and maintain records supporting the expenditures charged to new federal programs.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-059 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF I) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund (Assistance Listing No. 84.425). The HEERF program contains two portions: the Student Aid portion (Assistance Listing No. 84.425E) and the Institutional portion, which is made up of the following: HEERF Institutional Aid Portion (Assistance Listing No. 84.425F), HEERF Minority Serving Institutions (Assistance Listing No. 84.425L), HEERF Strengthening Institutions Program (Assistance Listing No. 84.425M), Institutional Resilience and Expanded Postsecondary Opportunity (Assistance Listing No. 84.425P), and HEERF Supplemental Assistance to Institutions of Higher Education program (Assistance Listing No. 84.425S). Amounts provided to students through HEERF are considered to be ?Emergency Financial Aid Grants to Students? under the Program. Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent approximately $97.8 million for the HEERF program Student Aid portion which is used to award Emergency Financial Aid Grants to students and $113.9 million for the HEERF Institutional Portion, which is used to support the colleges. $117.3 of this amount was expended by the System during Fiscal Year 2022. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the ED to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The annual report is to be submitted directly to the ED. The ED has specified certain criteria that must be included in each report. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System had adequate internal controls in place over, and complied with, the HEERF Institutional and Student Aid grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the System?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 25 of the 117 HEERF reports submitted by the System?s campuses during Fiscal Year 2022 to determine whether the reports were posted on each campus? primary website (quarterly reports) or submitted to ED (annual reports) by the federal due dates. Furthermore, for the Student Aid Quarterly Report we requested from each Campus the underlying support for the reports, which consisted of student data detailing how much aid was awarded and the methods the campuses used to determine which students would receive Emergency Financial Aid Grants. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? On May 13, 2021, the ED published in the Federal Register a notice for student aid public reporting under CRRSAA and ARP, which requires that institutions publicly post certain information on their website. The following information must appear in a format and location that is easily accessible to the public: o An acknowledgement that the institution signed and returned to the ED the Certification and Agreement and the assurance that the institution has used the applicable amount of funds designated under the CRRSAA and ARP programs to provide Emergency Financial Aid Grants to Students. o The total amount of funds that the institution will receive or has received from the ED pursuant to the institution's Certification and Agreement for Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total amount of Emergency Financial Aid Grants distributed to students under the CRRSAA and ARP programs as of the date of submission (i.e., as of the initial report and every calendar quarter thereafter). o The estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total number of students who have received an Emergency Financial Aid Grant to students under the CRRSAA and ARP programs. o The method(s) used by the institution to determine which students receive Emergency Financial Aid Grants and how much they would receive under the CRRSAA and ARP programs. o Any instructions, directions, or guidance provided by the institution to students concerning the Emergency Financial Aid Grants. ? Federal Uniform Guidance [2 CFR 200.303] requires that recipients of federal awards have internal controls in place to ensure that federal reports are accurate and report complete information. Appropriate supporting documentation is evidence of such internal controls. What problems did the audit work identify? We identified issues with 5 of the 25 Fiscal Year 2022 reports we tested (20 percent). Specifically, Front Range Community College (FRCC), Pueblo Community College (PCC), and Lamar Community College (LCC) could not provide appropriate supporting documentation for one or more of the following data elements in five of the Student Aid Quarterly Reports: student data detailing (a) the total amount of Emergency Financial Aid Grants distributed to students, (b) the total number of students eligible to receive Emergency Financial Aid Grants and/or (c) the total number of students at the institution who have received an Emergency Financial Aid Grant. The specific issues we found the following: ? FRCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended September 30, 2021 as 20,684; based on our review, we determined the supported number was 20,782. ? FRCC reported the total number of students at the institution who have received an Emergency Financial Aid Grant for the quarter ended June 30, 2022 as 20,385 (student portion) and 3,207 (institutional portion); based on our review, we determined the supported numbers were 20,401 and 3,222, respectively. ? LCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended June 30, 2022 as 1,007; based on our review, we determined the supported number was 1,034. In addition, the amount disbursed directly to student emergency financial aid grants to date was reported as 961 and total for all HEERF funds was 1,124; based on our review, we determined the supported numbers were 988 and 1,151, respectively. ? PCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarters ending September 30, 2021 and December 31, 2021 as 3,191; based on our review, we determined this amount could not be supported and PCC did not provide a revised count. Why did these problems occur? FRCC, PCC, and LCC campuses did not have procedures in place to ensure that supporting documentation was maintained for its Student Aid Quarterly Reporting. Employee turnover in the FRCC Controller position and FRCC, PCC, and LCC Student Financial Aid Director positions further contributed to FRCC, PCC, and LCC?s inability to locate or recreate the supporting documentation. Why do these problems matter? It is important for FRCC, PCC, and LCC to ensure that they obtain and maintain appropriate documentation to support amounts reported to federal awarding agencies, especially when they are the basis for determining FRCC, PCC, and LCC?s compliance with specific federal program requirements. This issue could lead to inaccurate federal reporting and potential noncompliance, which could result in the federal government requiring FRCC, PCC, and LCC to return funds or a negative impact to the System?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-059 Front Range Community College, Lamar Community College, and Pueblo Community College campuses should strengthen their internal controls over federal reporting and ensure they comply with the Higher Education Emergency Relief Fund reporting requirements by reviewing reports for accuracy and developing procedures for ensuring the required maintenance of all related supporting documentation. Response Front Range Community College Agree Implementation Date: September 2022 Moving forward the Director of Financial Aid will engage the Restricted Funds Accountants in a quality assurance review of both dollars spent, type of fund, and student counts before it is submitted for final review and publishing by the Director of Resource Development and Senior Grant Administrator. The most recently submitted information for the quarterly report of September 30, 2022 will be sent to the Restricted Funds Accountants to validate that FRCC has been and will continue to be in compliance for quarterly HEERF reporting. Response Lamar Community College Agree Implementation Date: July 2022 The Financial Aid Director and the Controller will compile their reporting support on the shared drive they utilize for other routine purposes as well, to ensure clear documentation of the numbers reported. The original report containing errors was corrected, validated, and reposted. All past year?s reporting data was made available on the shared drive as of July 2022. Response Pueblo Community College Agree Implementation Date: October 2022 Each quarter Financial aid will obtain and compare Cognos and Banner disbursement reports for accuracy. Once the unduplicated student count is determined it will be sent to the Vice President of Student Success to validate and approve going forward. Financial aid will ensure staff maintain supporting documentation for any institutional expenditures information that was obtained from the fiscal office. Disbursement and expenditure data will be compiled for the Department of Education?s Quarterly Report by the submission deadline and will be submitted as PDF to webmaster for posting on PCC?s website and a copy emailed to a contact at the Department of Education and will archive the submission for future reference.
Finding 2022-062 Higher Education Emergency Relief Fund Student Aid Finding The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to higher education institutions, including the University, under the HEERF program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA) was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. Since March 11, 2021, the University has been awarded $45.6 million in HEERF grant funds through the American Rescue Plan (ARP), otherwise known as HEERF III. Of this award, the University was provided both 1) Student Aid monies, along with 2) Institutional Aid monies. Student Aid monies must be used to provide financial aid grants to students (including students exclusively enrolled in distance education), which may be used for ?any component of the student?s cost of attendance or for emergency costs that arise due to coronavirus, such as tuition, food, housing, healthcare (including mental health care), or childcare. Institutional Aid monies may be used to defray expenses associated with coronavirus (including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll) and to make additional financial grants to students. During Fiscal Year 2022, the University spent $21.0 million for the Student Aid portion and $20.2 million for the Institutional portion of HEERF III funds. For the Student Aid portion of the HEERF III funding, the University divided the funding into different groups. The University developed a written plan (that applied during Fiscal Year 2022) for each group and a control process for awarding the monies to students. One of the groups of funding was to be awarded to students with unpaid balances in their tuition or auxiliary accounts with past due balances incurred during the 2020-2021 or 2021-2022 academic years. A team of University employees (CARES Team) was tasked with identifying those students, then contacting those students and asking if they would like the University to apply the student?s HEERF award to pay down the student?s account balance or pay it to the student directly. Once the student informed the University of their election, then the University awarded and disbursed the funds. What was the purpose of our audit work and what was performed? The purpose of the audit work was to determine whether the University was in compliance with the HEERF program regulations for awarding and paying the Student Aid portion of the HEERF funding, and whether proper controls were in place over the program during Fiscal Year 2022. Our testing included conducting interviews with management and selecting a sample of 60 disbursements made to students during Fiscal Year 2022 to test controls and compliance. We performed testing on the 60 disbursements to determine whether awards and disbursements were made in accordance with the University?s documented plan. How were the results of the audit work measured? In accordance with HEERF III requirements, the University must prioritize student aid distributions to students with exceptional needs. In addition, the University must have a documented plan to distribute funds to students. Federal regulations [2 CFR 200.303] require any non-federal grant award recipient to establish and maintain effective internal control over the federal award that provides reasonable assurance that the grant award recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. Lastly, student aid application best practices discourage employees from awarding aid to family members. What problem did the audit work identify? Based on interviews with University management, the University identified that a University employee inappropriately provided $700 in HEERF Student Aid funding to the employee?s family member who was a student at the University but was not eligible to receive the funds. Specifically, the CARES Team selected students to receive these funds that met the following criteria: 1) Student was enrolled in the Fall of 2021 or Spring 2022, 2) student had past due balances incurred during the 2020-2021 or 2021-2022 academic years, 3) the student was in good academic standing, and 4) they were participating in a payment plan or in the College Completion Advising program. The student was not selected by the CARES Team as eligible to receive these funds. During our testing of additional 60 student disbursement transactions we found no other exceptions. Why did this problem occur? The University has not established proper segregation of duties to prevent University employees from awarding federal funding to a member of their family. Specifically, the employee had access rights within the University?s financial aid system that granted the employee the ability to both award and disburse federal funds without another employee reviewing or approving. In addition, the University did not have a written policy, as recommended by industry best practices, that prohibits employees from applying aid to family members? accounts. Why does this problem matter? Federal funds that are misapplied or used for unallowable purposes could be subject to repayment from the University to the federal granting agency. Without ensuring adequate segregation of duties within the University?s financial aid system for awarding and disbursing federal funds, the University increases the risk that fraud could occur. In the instance identified, the University recovered the funding from the student. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-062 Metropolitan State University of Denver (University) should improve its internal controls over federal Higher Education Emergency Relief Funds by instituting appropriate segregation of duties over the awarding of federal funds to students. This should include requiring that no one employee can both award then disburse aid to students and developing and implementing a formal written policy that prohibits University employees from awarding financial aid to their family members. Response Metropolitan State University Agree Implementation Date: June 2023 In January 2023, the Executive Director of Financial Aid and Scholarships implemented a code of conduct that addresses and prohibits University personnel from awarding financial aid to their family members or other persons considered conflicts of interest. The Office of Financial Aid and Scholarships will draft policy by June 30, 2023, to address the segregation of duties that prohibits awarding and disbursing federal, state, or institutional funding to students by one employee.
Finding 2022-063 Higher Education Emergency Relief Fund Reporting Compliance Finding The CARES Act was signed into law on March 27, 2020, and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the (HEERF Program. CRRSAA was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Since April 2020, the University has been awarded a total of $86.3 million in HEERF funding. From inception through June 30, 2022, the University spent $35.4 million for the HEERF program Student Aid Portion and $48.9 million for the HEERF program Institutional Portion. The University reports that it will spend the remaining amount of funding during Fiscal Year 2023. The University signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate the University?s acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The ED specified that Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The annual report is to be submitted directly to the federal ED. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University had adequate internal controls in place over and complied with HEERF Institutional and Student Aid Portion grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the University?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 5 of the 8 HEERF reports submitted by the University during Fiscal Year 2022 to determine whether the reports were posted on the University?s primary website or submitted directly to the ED by the federal due dates and complied with federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? For the Student Aid Portion, beginning on May 6, 2020, the ED required institutions to publicly post certain information on their website, including the number of awards distributed to students, the total amount awarded, and the methodologies used by the institution to determine which students receive awards, no later than 30 days after the award date, and to update that information every 45 days thereafter (by posting a new report). ? On August 31, 2020, the ED revised the reporting requirement by decreasing the frequency of reporting after the initial 30-day period from every 45 days thereafter to every calendar quarter. This revision from every 45 days to a calendar quarter was effective for the first calendar quarter report due by October 10, 2020, and covering the period from after the institution?s last report through the end of the calendar quarter on September 30, 2020. ? For the Institutional Portion, a federal form filled out by the institution must be posted on the institution?s website covering aggregate expenditure amounts for each calendar quarter (September 30, December 31, March 31, and June 30) and concluding after an institution has spent the institutional portion of their HEERF Funds. The institution must post their first report by October 30, 2020, the first quarter of 2021 report by July 20, 2021, and post all other reports no later than 10 days after the end of each calendar quarter (October 10, January 10, April 10, and July 10). ? Section 18004(e) of the CARES Act and Section 314(e) of the CRRSAA require an institution receiving funds under HEERF to submit a report to the Secretary of the ED at ?such time in such a manner as the Secretary may require?. ? Federal regulation [2 CFR 200.334] states that ?financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.? The instructions for the Quarterly HEERF Reporting Form notes, ?any changes or updates after the initial posting must be conspicuously noted after initial posting and the date of the change must be noted in the `Date of Report? line.? ? Federal regulation [2 CFR 200.303] states that the University, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The University signed a HEERF Certification and Agreement to accept the funding and acknowledge its responsibilities under the grant; therefore, the University was responsible under the Agreement to ensure that it complied with HEERF reporting and other requirements. What problems did the audit work identify? We determined that 2 out of 5 reports tested (40 percent) did not meet the HEERF grant report posting requirements. Specifically: ? The University did not post the HEERF CRRSAA Student quarterly report for the quarter ending September 30, 2021 on the University?s primary website, as required. ? The University published the HEERF ARP Student quarterly report for the quarter ending March 31, 2022 on May 26, 2022?46 days past the due date of April 10, 2022. No issues were noted on the accuracy of the financial information on this report. Why did these problems occur? The University did not implement adequate internal controls to ensure it complied with the HEERF grant reporting requirements. Specifically, the University did not have appropriate policies and procedures in place to ensure that staff submit the required reports within federally required timeframes. Why do these problems matter? Federal oversight agencies, including ED, depend on accurate reports to measure program results and states? compliance with federal requirements. By failing to report the HEERF spending information in accordance with federal regulations, the University failed to comply with the requirements of the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-063 Metropolitan State University of Denver (University) should strengthen its internal controls over reporting and ensure it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by developing and documenting policies and procedures for identifying and researching the specific reporting requirements and ensuring that staff post to the University?s website the required reports within federally required timeframes. In addition, the University should ensure that all the HEERF reports that are currently required to be posted are on the website. Response Metropolitan State University Agree Implementation Date: December 2022 In December 2022, the Office of Financial Aid strengthened its internal control over the reporting requirements for the Higher Education Emergency Relief Fund (HEERF), by adding the report due dates to the internal operational calendar. Additional level reviews were also added to the submission process before the required reports will be sent to the Department of Education and posted on the financial aid website.
Finding 2022-064 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide emergency financial assistance to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the University under the Higher Education Emergency Relief Fund (HEERF I) Program. The federal Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the federal American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Each of the University?s campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (DOE) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements of the HEERF program there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The DOE specified that the Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The University?s campuses are required to submit the annual report directly to the DOE. During Fiscal Year 2022, each University campus was required to complete and post 8 reports (four Student Aid and four Institutional) to their website. During Fiscal Year 2022, the University?s three campuses in total expended approximately $60 million in HEERF grant funds: $27 million was expended by the Boulder campus, $10.5 million was expended by the Colorado Springs campus, and $22.5 million was expended by the Denver campus. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over and complied with the HEERF grant reporting requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls over the HEERF grant reporting requirements. In addition, we tested 11 of the 12 student reports and 3 of the 12 institutional reports posted by the University during Fiscal Year 2022 to determine whether the University campuses posted the required information on each campus? website accurately, and by the federal due dates. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? The DOE issued a notice on May 13, 2021, requiring institutions to publicly post their required HEERF reports on the institution?s website as soon as possible, but no later than 30 days after the publication of the notice, or 30 days after the date the DOE first obligated funds under HEERF I, II, or III to the institution for emergency financial assistance to students; whichever comes later. The institution is required to post the report no later than 10 days after the end of each calendar quarter, after the initial posting. ? Federal regulation [2 CFR 200.303] states that the System?s campuses, as federal grant recipients, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? What problem did the audit work identify? We identified 2 out of the 14 reports tested (14.3 percent) that did not meet the HEERF grant report posting requirements. Specifically, the University of Colorado, Colorado Springs Campus, did not post the required information for the HEERF Student Aid Portion on its website for two of four quarters of Fiscal Year 2022 timely. First, the University posted the quarter-ending September 30, 2021 report to its website on December 23, 2021, or 74 days after the deadline of October 10. Second, the University did not post the quarter-ending March 31, 2022 report, which was due April 10, 2022, until October 2022, after we notified them of the error; this was approximately 6 months late. We did not identify any issues with the accuracy of the reports, and we found that the other two campuses in the University of Colorado System posted the required information on their respective websites as required by federal regulations. Why did this problem occur? The University?s Colorado Springs campus did not have adequate internal controls in place to ensure it complied with the HEERF grant reporting requirements. Specifically, the Colorado Springs Campus did not have appropriate policies and procedures in place for identifying and researching changes in HEERF reporting requirements. The federal government updated and provided a new form for HEERF reporting in September 2021 that included a section for institutional information but inadvertently excluded student information from the form. Because the form no longer required the student information, the Colorado Springs campus staff inaccurately assumed that the student information was no longer required to be reported. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in the DOE Certification and Agreement that is signed and agreed to by the University. By failing to report required information in accordance with federal regulations, the University failed to comply with the requirements of the HEERF program and potentially risks repercussions from the DOE as specified in the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-064 The University of Colorado?s Colorado Springs campus should strengthen its internal controls over and ensure that it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by establishing policies and procedures for identifying and researching changes in HEERF reporting requirements and posting reports to the campus website as required by federal regulations. Response University of Colorado Agree Implementation Date: Implemented Management agrees. After the notification of the missing HEERF report in December 2021, the UCCS Controller proposed a ?cross-check? process to ensure all future reporting is in compliance and reported in a timely manner. This process is used for both the quarterly and annual reporting process. In the quarterly reporting process, the UCCS Controller completes the institutional report and emails the report to the UCCS Financial Aid office Senior Executive Director for verification of the amounts and the data submitted. The Senior Executive Director then enters the student aid portion?s information and provides this to the UCCS Controller for verification of the data. Once verified, the report is uploaded to the UCCS website and a confirmation email is sent to the UCCS Controller as well as the heerfreporting@ed.gov for verification of completion of the website posting. This process has been duplicated with the annual reporting process. Before the annual report is submitted a review will be done to verify the report figures match the CU financials for the calendar year.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-064 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide emergency financial assistance to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the University under the Higher Education Emergency Relief Fund (HEERF I) Program. The federal Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the federal American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Each of the University?s campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (DOE) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements of the HEERF program there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The DOE specified that the Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The University?s campuses are required to submit the annual report directly to the DOE. During Fiscal Year 2022, each University campus was required to complete and post 8 reports (four Student Aid and four Institutional) to their website. During Fiscal Year 2022, the University?s three campuses in total expended approximately $60 million in HEERF grant funds: $27 million was expended by the Boulder campus, $10.5 million was expended by the Colorado Springs campus, and $22.5 million was expended by the Denver campus. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over and complied with the HEERF grant reporting requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls over the HEERF grant reporting requirements. In addition, we tested 11 of the 12 student reports and 3 of the 12 institutional reports posted by the University during Fiscal Year 2022 to determine whether the University campuses posted the required information on each campus? website accurately, and by the federal due dates. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? The DOE issued a notice on May 13, 2021, requiring institutions to publicly post their required HEERF reports on the institution?s website as soon as possible, but no later than 30 days after the publication of the notice, or 30 days after the date the DOE first obligated funds under HEERF I, II, or III to the institution for emergency financial assistance to students; whichever comes later. The institution is required to post the report no later than 10 days after the end of each calendar quarter, after the initial posting. ? Federal regulation [2 CFR 200.303] states that the System?s campuses, as federal grant recipients, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? What problem did the audit work identify? We identified 2 out of the 14 reports tested (14.3 percent) that did not meet the HEERF grant report posting requirements. Specifically, the University of Colorado, Colorado Springs Campus, did not post the required information for the HEERF Student Aid Portion on its website for two of four quarters of Fiscal Year 2022 timely. First, the University posted the quarter-ending September 30, 2021 report to its website on December 23, 2021, or 74 days after the deadline of October 10. Second, the University did not post the quarter-ending March 31, 2022 report, which was due April 10, 2022, until October 2022, after we notified them of the error; this was approximately 6 months late. We did not identify any issues with the accuracy of the reports, and we found that the other two campuses in the University of Colorado System posted the required information on their respective websites as required by federal regulations. Why did this problem occur? The University?s Colorado Springs campus did not have adequate internal controls in place to ensure it complied with the HEERF grant reporting requirements. Specifically, the Colorado Springs Campus did not have appropriate policies and procedures in place for identifying and researching changes in HEERF reporting requirements. The federal government updated and provided a new form for HEERF reporting in September 2021 that included a section for institutional information but inadvertently excluded student information from the form. Because the form no longer required the student information, the Colorado Springs campus staff inaccurately assumed that the student information was no longer required to be reported. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in the DOE Certification and Agreement that is signed and agreed to by the University. By failing to report required information in accordance with federal regulations, the University failed to comply with the requirements of the HEERF program and potentially risks repercussions from the DOE as specified in the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-064 The University of Colorado?s Colorado Springs campus should strengthen its internal controls over and ensure that it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by establishing policies and procedures for identifying and researching changes in HEERF reporting requirements and posting reports to the campus website as required by federal regulations. Response University of Colorado Agree Implementation Date: Implemented Management agrees. After the notification of the missing HEERF report in December 2021, the UCCS Controller proposed a ?cross-check? process to ensure all future reporting is in compliance and reported in a timely manner. This process is used for both the quarterly and annual reporting process. In the quarterly reporting process, the UCCS Controller completes the institutional report and emails the report to the UCCS Financial Aid office Senior Executive Director for verification of the amounts and the data submitted. The Senior Executive Director then enters the student aid portion?s information and provides this to the UCCS Controller for verification of the data. Once verified, the report is uploaded to the UCCS website and a confirmation email is sent to the UCCS Controller as well as the heerfreporting@ed.gov for verification of completion of the website posting. This process has been duplicated with the annual reporting process. Before the annual report is submitted a review will be done to verify the report figures match the CU financials for the calendar year.
Finding 2022-062 Higher Education Emergency Relief Fund Student Aid Finding The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to higher education institutions, including the University, under the HEERF program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA) was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. Since March 11, 2021, the University has been awarded $45.6 million in HEERF grant funds through the American Rescue Plan (ARP), otherwise known as HEERF III. Of this award, the University was provided both 1) Student Aid monies, along with 2) Institutional Aid monies. Student Aid monies must be used to provide financial aid grants to students (including students exclusively enrolled in distance education), which may be used for ?any component of the student?s cost of attendance or for emergency costs that arise due to coronavirus, such as tuition, food, housing, healthcare (including mental health care), or childcare. Institutional Aid monies may be used to defray expenses associated with coronavirus (including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll) and to make additional financial grants to students. During Fiscal Year 2022, the University spent $21.0 million for the Student Aid portion and $20.2 million for the Institutional portion of HEERF III funds. For the Student Aid portion of the HEERF III funding, the University divided the funding into different groups. The University developed a written plan (that applied during Fiscal Year 2022) for each group and a control process for awarding the monies to students. One of the groups of funding was to be awarded to students with unpaid balances in their tuition or auxiliary accounts with past due balances incurred during the 2020-2021 or 2021-2022 academic years. A team of University employees (CARES Team) was tasked with identifying those students, then contacting those students and asking if they would like the University to apply the student?s HEERF award to pay down the student?s account balance or pay it to the student directly. Once the student informed the University of their election, then the University awarded and disbursed the funds. What was the purpose of our audit work and what was performed? The purpose of the audit work was to determine whether the University was in compliance with the HEERF program regulations for awarding and paying the Student Aid portion of the HEERF funding, and whether proper controls were in place over the program during Fiscal Year 2022. Our testing included conducting interviews with management and selecting a sample of 60 disbursements made to students during Fiscal Year 2022 to test controls and compliance. We performed testing on the 60 disbursements to determine whether awards and disbursements were made in accordance with the University?s documented plan. How were the results of the audit work measured? In accordance with HEERF III requirements, the University must prioritize student aid distributions to students with exceptional needs. In addition, the University must have a documented plan to distribute funds to students. Federal regulations [2 CFR 200.303] require any non-federal grant award recipient to establish and maintain effective internal control over the federal award that provides reasonable assurance that the grant award recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. Lastly, student aid application best practices discourage employees from awarding aid to family members. What problem did the audit work identify? Based on interviews with University management, the University identified that a University employee inappropriately provided $700 in HEERF Student Aid funding to the employee?s family member who was a student at the University but was not eligible to receive the funds. Specifically, the CARES Team selected students to receive these funds that met the following criteria: 1) Student was enrolled in the Fall of 2021 or Spring 2022, 2) student had past due balances incurred during the 2020-2021 or 2021-2022 academic years, 3) the student was in good academic standing, and 4) they were participating in a payment plan or in the College Completion Advising program. The student was not selected by the CARES Team as eligible to receive these funds. During our testing of additional 60 student disbursement transactions we found no other exceptions. Why did this problem occur? The University has not established proper segregation of duties to prevent University employees from awarding federal funding to a member of their family. Specifically, the employee had access rights within the University?s financial aid system that granted the employee the ability to both award and disburse federal funds without another employee reviewing or approving. In addition, the University did not have a written policy, as recommended by industry best practices, that prohibits employees from applying aid to family members? accounts. Why does this problem matter? Federal funds that are misapplied or used for unallowable purposes could be subject to repayment from the University to the federal granting agency. Without ensuring adequate segregation of duties within the University?s financial aid system for awarding and disbursing federal funds, the University increases the risk that fraud could occur. In the instance identified, the University recovered the funding from the student. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-062 Metropolitan State University of Denver (University) should improve its internal controls over federal Higher Education Emergency Relief Funds by instituting appropriate segregation of duties over the awarding of federal funds to students. This should include requiring that no one employee can both award then disburse aid to students and developing and implementing a formal written policy that prohibits University employees from awarding financial aid to their family members. Response Metropolitan State University Agree Implementation Date: June 2023 In January 2023, the Executive Director of Financial Aid and Scholarships implemented a code of conduct that addresses and prohibits University personnel from awarding financial aid to their family members or other persons considered conflicts of interest. The Office of Financial Aid and Scholarships will draft policy by June 30, 2023, to address the segregation of duties that prohibits awarding and disbursing federal, state, or institutional funding to students by one employee.
Finding 2022-063 Higher Education Emergency Relief Fund Reporting Compliance Finding The CARES Act was signed into law on March 27, 2020, and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the (HEERF Program. CRRSAA was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Since April 2020, the University has been awarded a total of $86.3 million in HEERF funding. From inception through June 30, 2022, the University spent $35.4 million for the HEERF program Student Aid Portion and $48.9 million for the HEERF program Institutional Portion. The University reports that it will spend the remaining amount of funding during Fiscal Year 2023. The University signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate the University?s acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The ED specified that Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The annual report is to be submitted directly to the federal ED. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University had adequate internal controls in place over and complied with HEERF Institutional and Student Aid Portion grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the University?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 5 of the 8 HEERF reports submitted by the University during Fiscal Year 2022 to determine whether the reports were posted on the University?s primary website or submitted directly to the ED by the federal due dates and complied with federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? For the Student Aid Portion, beginning on May 6, 2020, the ED required institutions to publicly post certain information on their website, including the number of awards distributed to students, the total amount awarded, and the methodologies used by the institution to determine which students receive awards, no later than 30 days after the award date, and to update that information every 45 days thereafter (by posting a new report). ? On August 31, 2020, the ED revised the reporting requirement by decreasing the frequency of reporting after the initial 30-day period from every 45 days thereafter to every calendar quarter. This revision from every 45 days to a calendar quarter was effective for the first calendar quarter report due by October 10, 2020, and covering the period from after the institution?s last report through the end of the calendar quarter on September 30, 2020. ? For the Institutional Portion, a federal form filled out by the institution must be posted on the institution?s website covering aggregate expenditure amounts for each calendar quarter (September 30, December 31, March 31, and June 30) and concluding after an institution has spent the institutional portion of their HEERF Funds. The institution must post their first report by October 30, 2020, the first quarter of 2021 report by July 20, 2021, and post all other reports no later than 10 days after the end of each calendar quarter (October 10, January 10, April 10, and July 10). ? Section 18004(e) of the CARES Act and Section 314(e) of the CRRSAA require an institution receiving funds under HEERF to submit a report to the Secretary of the ED at ?such time in such a manner as the Secretary may require?. ? Federal regulation [2 CFR 200.334] states that ?financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.? The instructions for the Quarterly HEERF Reporting Form notes, ?any changes or updates after the initial posting must be conspicuously noted after initial posting and the date of the change must be noted in the `Date of Report? line.? ? Federal regulation [2 CFR 200.303] states that the University, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The University signed a HEERF Certification and Agreement to accept the funding and acknowledge its responsibilities under the grant; therefore, the University was responsible under the Agreement to ensure that it complied with HEERF reporting and other requirements. What problems did the audit work identify? We determined that 2 out of 5 reports tested (40 percent) did not meet the HEERF grant report posting requirements. Specifically: ? The University did not post the HEERF CRRSAA Student quarterly report for the quarter ending September 30, 2021 on the University?s primary website, as required. ? The University published the HEERF ARP Student quarterly report for the quarter ending March 31, 2022 on May 26, 2022?46 days past the due date of April 10, 2022. No issues were noted on the accuracy of the financial information on this report. Why did these problems occur? The University did not implement adequate internal controls to ensure it complied with the HEERF grant reporting requirements. Specifically, the University did not have appropriate policies and procedures in place to ensure that staff submit the required reports within federally required timeframes. Why do these problems matter? Federal oversight agencies, including ED, depend on accurate reports to measure program results and states? compliance with federal requirements. By failing to report the HEERF spending information in accordance with federal regulations, the University failed to comply with the requirements of the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-063 Metropolitan State University of Denver (University) should strengthen its internal controls over reporting and ensure it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by developing and documenting policies and procedures for identifying and researching the specific reporting requirements and ensuring that staff post to the University?s website the required reports within federally required timeframes. In addition, the University should ensure that all the HEERF reports that are currently required to be posted are on the website. Response Metropolitan State University Agree Implementation Date: December 2022 In December 2022, the Office of Financial Aid strengthened its internal control over the reporting requirements for the Higher Education Emergency Relief Fund (HEERF), by adding the report due dates to the internal operational calendar. Additional level reviews were also added to the submission process before the required reports will be sent to the Department of Education and posted on the financial aid website.
Finding 2022-059 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF I) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund (Assistance Listing No. 84.425). The HEERF program contains two portions: the Student Aid portion (Assistance Listing No. 84.425E) and the Institutional portion, which is made up of the following: HEERF Institutional Aid Portion (Assistance Listing No. 84.425F), HEERF Minority Serving Institutions (Assistance Listing No. 84.425L), HEERF Strengthening Institutions Program (Assistance Listing No. 84.425M), Institutional Resilience and Expanded Postsecondary Opportunity (Assistance Listing No. 84.425P), and HEERF Supplemental Assistance to Institutions of Higher Education program (Assistance Listing No. 84.425S). Amounts provided to students through HEERF are considered to be ?Emergency Financial Aid Grants to Students? under the Program. Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent approximately $97.8 million for the HEERF program Student Aid portion which is used to award Emergency Financial Aid Grants to students and $113.9 million for the HEERF Institutional Portion, which is used to support the colleges. $117.3 of this amount was expended by the System during Fiscal Year 2022. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the ED to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The annual report is to be submitted directly to the ED. The ED has specified certain criteria that must be included in each report. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System had adequate internal controls in place over, and complied with, the HEERF Institutional and Student Aid grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the System?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 25 of the 117 HEERF reports submitted by the System?s campuses during Fiscal Year 2022 to determine whether the reports were posted on each campus? primary website (quarterly reports) or submitted to ED (annual reports) by the federal due dates. Furthermore, for the Student Aid Quarterly Report we requested from each Campus the underlying support for the reports, which consisted of student data detailing how much aid was awarded and the methods the campuses used to determine which students would receive Emergency Financial Aid Grants. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? On May 13, 2021, the ED published in the Federal Register a notice for student aid public reporting under CRRSAA and ARP, which requires that institutions publicly post certain information on their website. The following information must appear in a format and location that is easily accessible to the public: o An acknowledgement that the institution signed and returned to the ED the Certification and Agreement and the assurance that the institution has used the applicable amount of funds designated under the CRRSAA and ARP programs to provide Emergency Financial Aid Grants to Students. o The total amount of funds that the institution will receive or has received from the ED pursuant to the institution's Certification and Agreement for Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total amount of Emergency Financial Aid Grants distributed to students under the CRRSAA and ARP programs as of the date of submission (i.e., as of the initial report and every calendar quarter thereafter). o The estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total number of students who have received an Emergency Financial Aid Grant to students under the CRRSAA and ARP programs. o The method(s) used by the institution to determine which students receive Emergency Financial Aid Grants and how much they would receive under the CRRSAA and ARP programs. o Any instructions, directions, or guidance provided by the institution to students concerning the Emergency Financial Aid Grants. ? Federal Uniform Guidance [2 CFR 200.303] requires that recipients of federal awards have internal controls in place to ensure that federal reports are accurate and report complete information. Appropriate supporting documentation is evidence of such internal controls. What problems did the audit work identify? We identified issues with 5 of the 25 Fiscal Year 2022 reports we tested (20 percent). Specifically, Front Range Community College (FRCC), Pueblo Community College (PCC), and Lamar Community College (LCC) could not provide appropriate supporting documentation for one or more of the following data elements in five of the Student Aid Quarterly Reports: student data detailing (a) the total amount of Emergency Financial Aid Grants distributed to students, (b) the total number of students eligible to receive Emergency Financial Aid Grants and/or (c) the total number of students at the institution who have received an Emergency Financial Aid Grant. The specific issues we found the following: ? FRCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended September 30, 2021 as 20,684; based on our review, we determined the supported number was 20,782. ? FRCC reported the total number of students at the institution who have received an Emergency Financial Aid Grant for the quarter ended June 30, 2022 as 20,385 (student portion) and 3,207 (institutional portion); based on our review, we determined the supported numbers were 20,401 and 3,222, respectively. ? LCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended June 30, 2022 as 1,007; based on our review, we determined the supported number was 1,034. In addition, the amount disbursed directly to student emergency financial aid grants to date was reported as 961 and total for all HEERF funds was 1,124; based on our review, we determined the supported numbers were 988 and 1,151, respectively. ? PCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarters ending September 30, 2021 and December 31, 2021 as 3,191; based on our review, we determined this amount could not be supported and PCC did not provide a revised count. Why did these problems occur? FRCC, PCC, and LCC campuses did not have procedures in place to ensure that supporting documentation was maintained for its Student Aid Quarterly Reporting. Employee turnover in the FRCC Controller position and FRCC, PCC, and LCC Student Financial Aid Director positions further contributed to FRCC, PCC, and LCC?s inability to locate or recreate the supporting documentation. Why do these problems matter? It is important for FRCC, PCC, and LCC to ensure that they obtain and maintain appropriate documentation to support amounts reported to federal awarding agencies, especially when they are the basis for determining FRCC, PCC, and LCC?s compliance with specific federal program requirements. This issue could lead to inaccurate federal reporting and potential noncompliance, which could result in the federal government requiring FRCC, PCC, and LCC to return funds or a negative impact to the System?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-059 Front Range Community College, Lamar Community College, and Pueblo Community College campuses should strengthen their internal controls over federal reporting and ensure they comply with the Higher Education Emergency Relief Fund reporting requirements by reviewing reports for accuracy and developing procedures for ensuring the required maintenance of all related supporting documentation. Response Front Range Community College Agree Implementation Date: September 2022 Moving forward the Director of Financial Aid will engage the Restricted Funds Accountants in a quality assurance review of both dollars spent, type of fund, and student counts before it is submitted for final review and publishing by the Director of Resource Development and Senior Grant Administrator. The most recently submitted information for the quarterly report of September 30, 2022 will be sent to the Restricted Funds Accountants to validate that FRCC has been and will continue to be in compliance for quarterly HEERF reporting. Response Lamar Community College Agree Implementation Date: July 2022 The Financial Aid Director and the Controller will compile their reporting support on the shared drive they utilize for other routine purposes as well, to ensure clear documentation of the numbers reported. The original report containing errors was corrected, validated, and reposted. All past year?s reporting data was made available on the shared drive as of July 2022. Response Pueblo Community College Agree Implementation Date: October 2022 Each quarter Financial aid will obtain and compare Cognos and Banner disbursement reports for accuracy. Once the unduplicated student count is determined it will be sent to the Vice President of Student Success to validate and approve going forward. Financial aid will ensure staff maintain supporting documentation for any institutional expenditures information that was obtained from the fiscal office. Disbursement and expenditure data will be compiled for the Department of Education?s Quarterly Report by the submission deadline and will be submitted as PDF to webmaster for posting on PCC?s website and a copy emailed to a contact at the Department of Education and will archive the submission for future reference.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Finding 2022-072 MyUI+ and Connecting Colorado?Information Security Government Auditing Standards allow for information that is considered sensitive in nature, such as detailed information related to information technology system security, to be issued through a separate ?classified or limited use? report because of the potential damage that could be caused by the misuse of this information. We consider the specific technical details of this finding, along with the response, to be sensitive in nature and not appropriate for public disclosure. Therefore, the details of the following finding and response have been provided to the Department in a separate, confidential memorandum. The Department administers the federal Unemployment Insurance and Employment Service Cluster programs, and the Department relies on IT systems to aid with determining applicants? eligibility for the programs and to provide information necessary to meet federal reporting requirements. For these two programs, the associated systems are MyUI+ and Connecting Colorado. The Department is the business owner and works with the Governor?s Office of Information Technology (OIT) and two different external IT service providers. High level descriptions of the two systems are as follows: ? MyUI+ ? The Department?s system for UI eligibility determinations and calculation of UI payments to eligible recipients. According to Department staff, starting in Fiscal Year 2023, MyUI+ will also provide data necessary for federal reporting to the U.S. Department of Labor for the UI program that was previously generated by the Colorado Labor and Employment Accounting Resource system. ? Connecting Colorado ? The Department?s workforce case management, labor exchange, and federal reporting system that supports the Employment Service Cluster program. The system provides services for job seekers and businesses, as well as provides all required federal reporting to the U.S. Department of Labor, for the Employment Service Cluster programs. In order for the Department to achieve its objectives and respond to risks, including those related to the federal programs it administers, management should establish a strong framework of internal controls that also address information system controls. Specifically, information system controls typically start with management documenting IT policies that address IT general control responsibilities and procedures that document the more granular details on how to implement Department policies. These IT general control policies and procedures should include those policies and procedures that are specific to information security. Once policies and procedures have been formalized and communicated to staff responsible, specific internal control activities can be implemented and operationalized. What was the purpose of our audit work and what work was performed? The purpose of our Fiscal Year 2022 audit work was to determine whether the Department, OIT, and the Department?s two external IT service providers for MyUI+ and Connecting Colorado had policies and procedures related to information security, designed and implemented for MyUI+ and Connecting Colorado. Our audit work was performed through interviews conducted of Department and OIT staff. What problems did the audit work identify and how were the results of the audit work measured? During Fiscal Year 2022, we identified information security problems with the MyUI+ and Connecting Colorado systems. We have grouped these problems first by those common to the two systems and then those unique to each system. MyUI+ and Connecting Colorado Common Problems ? Policies and procedures were lacking. Department management had not established its expectations through the development and implementation of formalized policies and procedures related to information security general controls for MyUI+ and Connecting Colorado. o Standards for Internal Control in the Federal Government (Green Book) published by the U.S. Government Accountability Office (GAO) states in Paragraph 3.09, Documentation of Internal Control System, and 12.02, Documentation of Responsibilities through Policies, that management should develop and maintain documentation of its internal control system and document in policies the internal control responsibilities of the organization. Paragraph 11.06 and 11.07, Design Appropriate Types of Control Activities, states that management should design appropriate types of control activities in the entity?s information system, including information system general controls that facilitate the proper operation of the entity?s systems. o Colorado Information Security Policies (Security Policies or CISP) that are developed, published, and required to be followed by the Department and its external IT service providers state within the Policy and the General Responsibilities sections, specifically 8.3.1 and 8.3.2 for Business Owners or the Department, that all agencies, except for the institutions of higher education and the general assembly, as the business owner, must implement governance principles, which would include IT policies and procedures, for promoting data quality and integrity for its systems, as the business owner, and is responsible for following and adhering to all identified business owner requirements, as stated within the Security Policies. ? Vendor oversight was lacking. The Department had not ensured its IT service providers complied with Security Policies. o Security Policies state that IT service providers?defined as OIT and/or external service providers?must follow the Security Policy requirements, among certain other requirements, as communicated to the Department within the confidential finding. o Section C.iii. (Legal Authority ? Contractor Signatory, Information Technology Specific) of the Department?s contract with the Connecting Colorado IT service provider states: ??the contractor warrants that it will at all times comply with all Security Policies.? o Exhibit C, Section 1.C.vi. (Information Technology Provisions, Protection of System Data) of the Department?s contract with the MyUI+ IT service provider states: ??the contractor shall comply with all rules, policies, procedures, and standards issued by the Governor?s Office of Information Technology.? o The Green Book states in Paragraph OV4.01, Service Organizations, that management retains responsibility for the performance of processes assigned to service organizations. MyUI+ and Connecting Colorado Unique Problems We also found other problems with access management, unique to each MyUI+ and Connecting Colorado, that lacked compliance with Security Policies, OIT Cyber Policies, and the IRS?s, Publication 1075, Tax Information Security Guidelines for Federal, State, and Local Agencies, November 2021 Revision, and were communicated through the confidential finding. Why did these problems occur? Overall, the Department did not have sufficient IT governance and information security internal controls in place, including policies and procedures, to ensure that Department staff and its IT service providers complied with various data security compliance requirements set forth by OIT and the IRS, as well as those internal control principles established within the Green Book?s internal control framework. We discuss other specific causes for the problems we identified below: MyUI+ and Connecting Colorado ? Policies and procedures were lacking (MyUI+). Department staff stated that they followed and complied with the October 2021 dated Security Policies for the entire fiscal year, as these were more stringent than the March 2022 dated Security Policies. However, the Department did not provide documentation of a formal adoption of the October 2021 dated Security Policies. Staff also stated it maintains informal procedures of how to perform certain access management processes, but no standard operating procedures were in place. ? Policies and procedures were lacking (Connecting Colorado). Department staff had released a program guidance letter that addressed data security and access, but staff acknowledged that these program guidance letters are a guide and not official policy statements. In addition, the program guidance letter provided by Department staff was directed to the workforce centers that are located across the state that provide employment services to eligible beneficiaries and, therefore, did not provide any data security or access policies and procedures for state staff. ? Vendor oversight was lacking. We determined the Department did not have a vendor management process in place to hold its IT service providers accountable for contract provisions that required the IT service providers to comply with Security Policies, as demonstrated by the noncompliance issues we identified. In addition, and based on the March 2022 Security Policies, the Department has not determined whether contract amendments may be necessary with its two external IT service providers. ? Other Access Management Non-Compliance: o Department staff indicated that in one instance of non-compliance identified, a more efficient process was to not comply with the requirement. o Department staff stated that the certain access management non-compliance area was set up as it was during the COVID-19 pandemic to help prevent backlogs and issues for users during that time and was not subsequently changed. o Department staff did not update its rules for Connecting Colorado account management non-compliance area to reflect Security Policy changes. Specifically, we noted that OIT introduced the specific account management requirements in its Security Policies in February 2015, and those requirements remained constant through the March 2022 version; however, Department staff did not have a process in place to ensure periodic reviews of OIT?s Security Policies occurred and Department rules for the workforce centers appropriately aligned with any Security Policy changes. In addition, Department staff did not have a process in place to ensure its external IT service providers were complying with contract provisions to comply with Security Policy requirements. o Department staff stated they have not found cause to mandate IT service provider actions that are deemed privately owned business methodologies. However, and as noted above, the Department?s contract states that the external IT service provider must comply with OIT?s Security Policies that require specific security safeguards to be implemented by all IT service providers, including the Connecting Colorado external IT service provider. Why do these problems matter? The lack of established IT policies and procedures make it difficult for Department management to measure and hold staff accountable to management?s expectations, as well as ensuring risks are addressed and overall objectives and missions are fulfilled. In turn, without policies and procedures, staff may not perform processes and controls in a consistent manner. In addition, without holding vendors accountable and ensuring that strong security measures are designed, implemented, and operating effectively, the risk of unauthorized access increases and ultimately impacts data reliability of the data stored and processed within MyUI+ and Connecting Colorado. Lastly, without having a strong internal control framework in place, management cannot ensure that state and federal funds are being used appropriately, which may impact the Department?s compliance with federal grant requirements and/or the accuracy of the Department?s federal and financial reporting. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-072 The Department of Labor and Employment (Department) should improve its overall Information Technology (IT) governance and information security IT general controls, and work with its IT service providers, as applicable, for the MyUI+ and Connecting Colorado information systems by: A. Formalizing and communicating to Department staff and the Department?s IT service providers? IT policies that comply with the Business Owner requirements listed within the Governor?s Office of Information Technology?s (OIT) March 2022 Colorado Information Security Policies (Security Policies). As an option, the Department could formally adopt the October 2021 Security Policies, identify any gaps between the October 2021 and March 2022 versions, and then formalize and communicate policies that address the identified gaps. B. Formalizing and communicating IT procedures to provide guidance to Department staff and the Department?s IT service providers performing IT general control activities that further address the IT policies formalized in recommendation Part A. The formalization and communication should include an organizationally defined, periodic review process of OIT?s Security Policies to ensure the Department?s IT policies, procedures, and rules are updated accordingly to align with the most current version of the Security Policies. C. Formalizing a vendor management process that ensures the Department?s IT service providers are held accountable to contract provisions requiring compliance with Colorado Information Security Policies and IT policies and procedures formalized in recommendation Parts A and B. This should include a review of the Department?s current external IT service providers? contracts and a determination of whether amendments to those contracts are necessary, based on the formalization of recommendation Parts A and B. D. Implementing recommendation Part D as noted in the confidential finding. E. Implementing recommendation Part E as noted in the confidential finding. Response Department of Labor and Employment A. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. B. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. C. Agree Implementation Date: December 2023 CDLE agrees with the recommendation and as part of A and B recommendations of this document, the Department will include a requirement from vendors to affirm they have reviewed and will comply with OIT security policies for all new contracts. Furthermore, as the Department becomes aware of changes to OIT Security Policies through its annual review process, these will be communicated to the vendors, and they will be required to reaffirm their compliance with any applicable changes. We will work with our current vendors for MyUI+ and Connecting Colorado to address the compliance issues noted in the audit and ensure they are compliant with OIT Security Policies and IT policies developed in part A and B of this recommendation. If non-compliance is determined to be unavoidable, the Department will file for a security exception with OIT. D. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part D as noted in the confidential finding. E. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part E as noted in the confidential finding.
Finding 2022-071 Federal Funding Accountability and Transparency Act The Department is responsible for administering two programs as part of the Employment Service Cluster: Employment Service/Wagner Peyser Funded Activities (Wagner) [ALN 17.207], and Jobs for Veterans State Grant (JSVG) [ALN 17.801]. The main overall purpose of these programs is to improve the functioning of the nation's labor markets by bringing together individuals who are seeking employment and employers who are seeking workers. The Wagner program provides a variety of services to job seekers, including career services and job search assistances; in addition, employers can access the program to post job orders and obtain qualified applicants. The JSVG provides federal funding through a formula grant to State Workforce Agencies (SWAs), including the Department, to hire dedicated staff to provide individualized career and training-related service to veterans and eligible individuals with significant barriers to employment, and to assist employers in filling their workforce needs with job-seeking veterans. The Department administers the programs and also passes Employment Service Cluster funds through to Colorado counties so they can help provide these services to individuals. The Department is required to comply with the Federal Funding Accountability and Transparency Act of 2006 (Transparency Act or FFATA) for both programs within the Employment Service Cluster. The Transparency Act was created to empower Americans with the ability to hold the government accountable for each spending decision and, as a result, to reduce wasteful spending by the government. The Transparency Act requires the federal government to make certain information on federal awards available to the public. In accordance with the Transparency Act, the Department is required to report information about subgrants, or subawards, given to other governments or to nonprofit organizations, also referred to as subrecipients. Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the Department, to an entity to carry out part of a Federal grant award received by the pass-through entity. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? In Fiscal Year 2022, the Department made 11 subawards to 10 Colorado counties (subrecipients) for the Employment Service Cluster, $11.2 million in subawards to 10 counties for Wagner, and $45,116 in subawards to one county for JVSG, totaling $11.3 million. The Department is required to submit FFATA information through the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Once the Department submits a report to FSRS, the public can view information from the report, including the subrecipient?s name, subaward identification number, subaward obligation/action date, subaward amount, federal awarding agency and subagency, the Department?s name, and the Department?s grant award identification number. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the Department had adequate internal controls over and complied with FFATA reporting requirements for the Employment Service Cluster programs during Fiscal Year 2022. As part of our audit work, we requested the Department?s policies and procedures over FFATA reporting, the FFATA reports submitted by the Department in Fiscal Year 2022, and a list of all subawards made by the Department during Fiscal Year 2022. How were the results of the audit work measured? In accordance with federal regulations [2 CFR 170.330.l(a)], the Department is required to report subawards of $30,000 or more to FSRS by the end of the month following the month in which the award was made. For example, the Department would have to submit a FFATA report to FSRS in May 2022 if an award or supplemental award equal to or greater than $30,000 was made in April 2022. What problem did the audit work identify? Based on our audit work, we determined that the Department did not comply with FFATA reporting requirements for the Employment Cluster and did not report any subawards in FSRS for Fiscal Year 2022. Specifically, we determined that the Department did not report $11.21 million in subawards to 10 subrecipients (the counties) for Wagner, and $45,116 in subawards to one county for JVSG. The following tables summarize the results of our testing and groups each exception within the following categories: subaward not reported, report not timely, subaward amount incorrect, and subaward missing key elements. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Why did this problem occur? The Department was not aware of the FFATA reporting requirement because it did not review the federal grant agreements to determine that the requirement was applicable for the program. Why does this problem matter? By failing to properly report subawards to FSRS, the Department is out of compliance with federal reporting requirements and risks federal sanctions. In addition, it fails to meet the federal intent of transparency for federal program spending. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-071 The Department of Labor and Employment should implement appropriate internal controls and related processes, such as detailed reviews of federal grant agreements, over the Employment Service Cluster to ensure that it is aware of, and in compliance with all federal reporting requirements, including requirements under the Federal Funding Accountability and Transparency Act of 2006. Response Department of Labor and Employment Agree Implementation Date: February 2023 By the implementation date, the Department of Labor and Employment (CDLE) will complete a review of grant agreements for reporting requirements, including the Federal Funding Accountability and Transparency Act of 2006. By the implementation date, the CDLE will develop and implement appropriate controls and processes to come into compliance with the reporting requirements and submit FFATA reports for the 10 entities identified in the audit.
Finding 2022-072 MyUI+ and Connecting Colorado?Information Security Government Auditing Standards allow for information that is considered sensitive in nature, such as detailed information related to information technology system security, to be issued through a separate ?classified or limited use? report because of the potential damage that could be caused by the misuse of this information. We consider the specific technical details of this finding, along with the response, to be sensitive in nature and not appropriate for public disclosure. Therefore, the details of the following finding and response have been provided to the Department in a separate, confidential memorandum. The Department administers the federal Unemployment Insurance and Employment Service Cluster programs, and the Department relies on IT systems to aid with determining applicants? eligibility for the programs and to provide information necessary to meet federal reporting requirements. For these two programs, the associated systems are MyUI+ and Connecting Colorado. The Department is the business owner and works with the Governor?s Office of Information Technology (OIT) and two different external IT service providers. High level descriptions of the two systems are as follows: ? MyUI+ ? The Department?s system for UI eligibility determinations and calculation of UI payments to eligible recipients. According to Department staff, starting in Fiscal Year 2023, MyUI+ will also provide data necessary for federal reporting to the U.S. Department of Labor for the UI program that was previously generated by the Colorado Labor and Employment Accounting Resource system. ? Connecting Colorado ? The Department?s workforce case management, labor exchange, and federal reporting system that supports the Employment Service Cluster program. The system provides services for job seekers and businesses, as well as provides all required federal reporting to the U.S. Department of Labor, for the Employment Service Cluster programs. In order for the Department to achieve its objectives and respond to risks, including those related to the federal programs it administers, management should establish a strong framework of internal controls that also address information system controls. Specifically, information system controls typically start with management documenting IT policies that address IT general control responsibilities and procedures that document the more granular details on how to implement Department policies. These IT general control policies and procedures should include those policies and procedures that are specific to information security. Once policies and procedures have been formalized and communicated to staff responsible, specific internal control activities can be implemented and operationalized. What was the purpose of our audit work and what work was performed? The purpose of our Fiscal Year 2022 audit work was to determine whether the Department, OIT, and the Department?s two external IT service providers for MyUI+ and Connecting Colorado had policies and procedures related to information security, designed and implemented for MyUI+ and Connecting Colorado. Our audit work was performed through interviews conducted of Department and OIT staff. What problems did the audit work identify and how were the results of the audit work measured? During Fiscal Year 2022, we identified information security problems with the MyUI+ and Connecting Colorado systems. We have grouped these problems first by those common to the two systems and then those unique to each system. MyUI+ and Connecting Colorado Common Problems ? Policies and procedures were lacking. Department management had not established its expectations through the development and implementation of formalized policies and procedures related to information security general controls for MyUI+ and Connecting Colorado. o Standards for Internal Control in the Federal Government (Green Book) published by the U.S. Government Accountability Office (GAO) states in Paragraph 3.09, Documentation of Internal Control System, and 12.02, Documentation of Responsibilities through Policies, that management should develop and maintain documentation of its internal control system and document in policies the internal control responsibilities of the organization. Paragraph 11.06 and 11.07, Design Appropriate Types of Control Activities, states that management should design appropriate types of control activities in the entity?s information system, including information system general controls that facilitate the proper operation of the entity?s systems. o Colorado Information Security Policies (Security Policies or CISP) that are developed, published, and required to be followed by the Department and its external IT service providers state within the Policy and the General Responsibilities sections, specifically 8.3.1 and 8.3.2 for Business Owners or the Department, that all agencies, except for the institutions of higher education and the general assembly, as the business owner, must implement governance principles, which would include IT policies and procedures, for promoting data quality and integrity for its systems, as the business owner, and is responsible for following and adhering to all identified business owner requirements, as stated within the Security Policies. ? Vendor oversight was lacking. The Department had not ensured its IT service providers complied with Security Policies. o Security Policies state that IT service providers?defined as OIT and/or external service providers?must follow the Security Policy requirements, among certain other requirements, as communicated to the Department within the confidential finding. o Section C.iii. (Legal Authority ? Contractor Signatory, Information Technology Specific) of the Department?s contract with the Connecting Colorado IT service provider states: ??the contractor warrants that it will at all times comply with all Security Policies.? o Exhibit C, Section 1.C.vi. (Information Technology Provisions, Protection of System Data) of the Department?s contract with the MyUI+ IT service provider states: ??the contractor shall comply with all rules, policies, procedures, and standards issued by the Governor?s Office of Information Technology.? o The Green Book states in Paragraph OV4.01, Service Organizations, that management retains responsibility for the performance of processes assigned to service organizations. MyUI+ and Connecting Colorado Unique Problems We also found other problems with access management, unique to each MyUI+ and Connecting Colorado, that lacked compliance with Security Policies, OIT Cyber Policies, and the IRS?s, Publication 1075, Tax Information Security Guidelines for Federal, State, and Local Agencies, November 2021 Revision, and were communicated through the confidential finding. Why did these problems occur? Overall, the Department did not have sufficient IT governance and information security internal controls in place, including policies and procedures, to ensure that Department staff and its IT service providers complied with various data security compliance requirements set forth by OIT and the IRS, as well as those internal control principles established within the Green Book?s internal control framework. We discuss other specific causes for the problems we identified below: MyUI+ and Connecting Colorado ? Policies and procedures were lacking (MyUI+). Department staff stated that they followed and complied with the October 2021 dated Security Policies for the entire fiscal year, as these were more stringent than the March 2022 dated Security Policies. However, the Department did not provide documentation of a formal adoption of the October 2021 dated Security Policies. Staff also stated it maintains informal procedures of how to perform certain access management processes, but no standard operating procedures were in place. ? Policies and procedures were lacking (Connecting Colorado). Department staff had released a program guidance letter that addressed data security and access, but staff acknowledged that these program guidance letters are a guide and not official policy statements. In addition, the program guidance letter provided by Department staff was directed to the workforce centers that are located across the state that provide employment services to eligible beneficiaries and, therefore, did not provide any data security or access policies and procedures for state staff. ? Vendor oversight was lacking. We determined the Department did not have a vendor management process in place to hold its IT service providers accountable for contract provisions that required the IT service providers to comply with Security Policies, as demonstrated by the noncompliance issues we identified. In addition, and based on the March 2022 Security Policies, the Department has not determined whether contract amendments may be necessary with its two external IT service providers. ? Other Access Management Non-Compliance: o Department staff indicated that in one instance of non-compliance identified, a more efficient process was to not comply with the requirement. o Department staff stated that the certain access management non-compliance area was set up as it was during the COVID-19 pandemic to help prevent backlogs and issues for users during that time and was not subsequently changed. o Department staff did not update its rules for Connecting Colorado account management non-compliance area to reflect Security Policy changes. Specifically, we noted that OIT introduced the specific account management requirements in its Security Policies in February 2015, and those requirements remained constant through the March 2022 version; however, Department staff did not have a process in place to ensure periodic reviews of OIT?s Security Policies occurred and Department rules for the workforce centers appropriately aligned with any Security Policy changes. In addition, Department staff did not have a process in place to ensure its external IT service providers were complying with contract provisions to comply with Security Policy requirements. o Department staff stated they have not found cause to mandate IT service provider actions that are deemed privately owned business methodologies. However, and as noted above, the Department?s contract states that the external IT service provider must comply with OIT?s Security Policies that require specific security safeguards to be implemented by all IT service providers, including the Connecting Colorado external IT service provider. Why do these problems matter? The lack of established IT policies and procedures make it difficult for Department management to measure and hold staff accountable to management?s expectations, as well as ensuring risks are addressed and overall objectives and missions are fulfilled. In turn, without policies and procedures, staff may not perform processes and controls in a consistent manner. In addition, without holding vendors accountable and ensuring that strong security measures are designed, implemented, and operating effectively, the risk of unauthorized access increases and ultimately impacts data reliability of the data stored and processed within MyUI+ and Connecting Colorado. Lastly, without having a strong internal control framework in place, management cannot ensure that state and federal funds are being used appropriately, which may impact the Department?s compliance with federal grant requirements and/or the accuracy of the Department?s federal and financial reporting. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-072 The Department of Labor and Employment (Department) should improve its overall Information Technology (IT) governance and information security IT general controls, and work with its IT service providers, as applicable, for the MyUI+ and Connecting Colorado information systems by: A. Formalizing and communicating to Department staff and the Department?s IT service providers? IT policies that comply with the Business Owner requirements listed within the Governor?s Office of Information Technology?s (OIT) March 2022 Colorado Information Security Policies (Security Policies). As an option, the Department could formally adopt the October 2021 Security Policies, identify any gaps between the October 2021 and March 2022 versions, and then formalize and communicate policies that address the identified gaps. B. Formalizing and communicating IT procedures to provide guidance to Department staff and the Department?s IT service providers performing IT general control activities that further address the IT policies formalized in recommendation Part A. The formalization and communication should include an organizationally defined, periodic review process of OIT?s Security Policies to ensure the Department?s IT policies, procedures, and rules are updated accordingly to align with the most current version of the Security Policies. C. Formalizing a vendor management process that ensures the Department?s IT service providers are held accountable to contract provisions requiring compliance with Colorado Information Security Policies and IT policies and procedures formalized in recommendation Parts A and B. This should include a review of the Department?s current external IT service providers? contracts and a determination of whether amendments to those contracts are necessary, based on the formalization of recommendation Parts A and B. D. Implementing recommendation Part D as noted in the confidential finding. E. Implementing recommendation Part E as noted in the confidential finding. Response Department of Labor and Employment A. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. B. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. C. Agree Implementation Date: December 2023 CDLE agrees with the recommendation and as part of A and B recommendations of this document, the Department will include a requirement from vendors to affirm they have reviewed and will comply with OIT security policies for all new contracts. Furthermore, as the Department becomes aware of changes to OIT Security Policies through its annual review process, these will be communicated to the vendors, and they will be required to reaffirm their compliance with any applicable changes. We will work with our current vendors for MyUI+ and Connecting Colorado to address the compliance issues noted in the audit and ensure they are compliant with OIT Security Policies and IT policies developed in part A and B of this recommendation. If non-compliance is determined to be unavoidable, the Department will file for a security exception with OIT. D. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part D as noted in the confidential finding. E. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part E as noted in the confidential finding.
Finding 2022-071 Federal Funding Accountability and Transparency Act The Department is responsible for administering two programs as part of the Employment Service Cluster: Employment Service/Wagner Peyser Funded Activities (Wagner) [ALN 17.207], and Jobs for Veterans State Grant (JSVG) [ALN 17.801]. The main overall purpose of these programs is to improve the functioning of the nation's labor markets by bringing together individuals who are seeking employment and employers who are seeking workers. The Wagner program provides a variety of services to job seekers, including career services and job search assistances; in addition, employers can access the program to post job orders and obtain qualified applicants. The JSVG provides federal funding through a formula grant to State Workforce Agencies (SWAs), including the Department, to hire dedicated staff to provide individualized career and training-related service to veterans and eligible individuals with significant barriers to employment, and to assist employers in filling their workforce needs with job-seeking veterans. The Department administers the programs and also passes Employment Service Cluster funds through to Colorado counties so they can help provide these services to individuals. The Department is required to comply with the Federal Funding Accountability and Transparency Act of 2006 (Transparency Act or FFATA) for both programs within the Employment Service Cluster. The Transparency Act was created to empower Americans with the ability to hold the government accountable for each spending decision and, as a result, to reduce wasteful spending by the government. The Transparency Act requires the federal government to make certain information on federal awards available to the public. In accordance with the Transparency Act, the Department is required to report information about subgrants, or subawards, given to other governments or to nonprofit organizations, also referred to as subrecipients. Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the Department, to an entity to carry out part of a Federal grant award received by the pass-through entity. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? In Fiscal Year 2022, the Department made 11 subawards to 10 Colorado counties (subrecipients) for the Employment Service Cluster, $11.2 million in subawards to 10 counties for Wagner, and $45,116 in subawards to one county for JVSG, totaling $11.3 million. The Department is required to submit FFATA information through the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Once the Department submits a report to FSRS, the public can view information from the report, including the subrecipient?s name, subaward identification number, subaward obligation/action date, subaward amount, federal awarding agency and subagency, the Department?s name, and the Department?s grant award identification number. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the Department had adequate internal controls over and complied with FFATA reporting requirements for the Employment Service Cluster programs during Fiscal Year 2022. As part of our audit work, we requested the Department?s policies and procedures over FFATA reporting, the FFATA reports submitted by the Department in Fiscal Year 2022, and a list of all subawards made by the Department during Fiscal Year 2022. How were the results of the audit work measured? In accordance with federal regulations [2 CFR 170.330.l(a)], the Department is required to report subawards of $30,000 or more to FSRS by the end of the month following the month in which the award was made. For example, the Department would have to submit a FFATA report to FSRS in May 2022 if an award or supplemental award equal to or greater than $30,000 was made in April 2022. What problem did the audit work identify? Based on our audit work, we determined that the Department did not comply with FFATA reporting requirements for the Employment Cluster and did not report any subawards in FSRS for Fiscal Year 2022. Specifically, we determined that the Department did not report $11.21 million in subawards to 10 subrecipients (the counties) for Wagner, and $45,116 in subawards to one county for JVSG. The following tables summarize the results of our testing and groups each exception within the following categories: subaward not reported, report not timely, subaward amount incorrect, and subaward missing key elements. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Why did this problem occur? The Department was not aware of the FFATA reporting requirement because it did not review the federal grant agreements to determine that the requirement was applicable for the program. Why does this problem matter? By failing to properly report subawards to FSRS, the Department is out of compliance with federal reporting requirements and risks federal sanctions. In addition, it fails to meet the federal intent of transparency for federal program spending. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-071 The Department of Labor and Employment should implement appropriate internal controls and related processes, such as detailed reviews of federal grant agreements, over the Employment Service Cluster to ensure that it is aware of, and in compliance with all federal reporting requirements, including requirements under the Federal Funding Accountability and Transparency Act of 2006. Response Department of Labor and Employment Agree Implementation Date: February 2023 By the implementation date, the Department of Labor and Employment (CDLE) will complete a review of grant agreements for reporting requirements, including the Federal Funding Accountability and Transparency Act of 2006. By the implementation date, the CDLE will develop and implement appropriate controls and processes to come into compliance with the reporting requirements and submit FFATA reports for the 10 entities identified in the audit.
Finding 2022-072 MyUI+ and Connecting Colorado?Information Security Government Auditing Standards allow for information that is considered sensitive in nature, such as detailed information related to information technology system security, to be issued through a separate ?classified or limited use? report because of the potential damage that could be caused by the misuse of this information. We consider the specific technical details of this finding, along with the response, to be sensitive in nature and not appropriate for public disclosure. Therefore, the details of the following finding and response have been provided to the Department in a separate, confidential memorandum. The Department administers the federal Unemployment Insurance and Employment Service Cluster programs, and the Department relies on IT systems to aid with determining applicants? eligibility for the programs and to provide information necessary to meet federal reporting requirements. For these two programs, the associated systems are MyUI+ and Connecting Colorado. The Department is the business owner and works with the Governor?s Office of Information Technology (OIT) and two different external IT service providers. High level descriptions of the two systems are as follows: ? MyUI+ ? The Department?s system for UI eligibility determinations and calculation of UI payments to eligible recipients. According to Department staff, starting in Fiscal Year 2023, MyUI+ will also provide data necessary for federal reporting to the U.S. Department of Labor for the UI program that was previously generated by the Colorado Labor and Employment Accounting Resource system. ? Connecting Colorado ? The Department?s workforce case management, labor exchange, and federal reporting system that supports the Employment Service Cluster program. The system provides services for job seekers and businesses, as well as provides all required federal reporting to the U.S. Department of Labor, for the Employment Service Cluster programs. In order for the Department to achieve its objectives and respond to risks, including those related to the federal programs it administers, management should establish a strong framework of internal controls that also address information system controls. Specifically, information system controls typically start with management documenting IT policies that address IT general control responsibilities and procedures that document the more granular details on how to implement Department policies. These IT general control policies and procedures should include those policies and procedures that are specific to information security. Once policies and procedures have been formalized and communicated to staff responsible, specific internal control activities can be implemented and operationalized. What was the purpose of our audit work and what work was performed? The purpose of our Fiscal Year 2022 audit work was to determine whether the Department, OIT, and the Department?s two external IT service providers for MyUI+ and Connecting Colorado had policies and procedures related to information security, designed and implemented for MyUI+ and Connecting Colorado. Our audit work was performed through interviews conducted of Department and OIT staff. What problems did the audit work identify and how were the results of the audit work measured? During Fiscal Year 2022, we identified information security problems with the MyUI+ and Connecting Colorado systems. We have grouped these problems first by those common to the two systems and then those unique to each system. MyUI+ and Connecting Colorado Common Problems ? Policies and procedures were lacking. Department management had not established its expectations through the development and implementation of formalized policies and procedures related to information security general controls for MyUI+ and Connecting Colorado. o Standards for Internal Control in the Federal Government (Green Book) published by the U.S. Government Accountability Office (GAO) states in Paragraph 3.09, Documentation of Internal Control System, and 12.02, Documentation of Responsibilities through Policies, that management should develop and maintain documentation of its internal control system and document in policies the internal control responsibilities of the organization. Paragraph 11.06 and 11.07, Design Appropriate Types of Control Activities, states that management should design appropriate types of control activities in the entity?s information system, including information system general controls that facilitate the proper operation of the entity?s systems. o Colorado Information Security Policies (Security Policies or CISP) that are developed, published, and required to be followed by the Department and its external IT service providers state within the Policy and the General Responsibilities sections, specifically 8.3.1 and 8.3.2 for Business Owners or the Department, that all agencies, except for the institutions of higher education and the general assembly, as the business owner, must implement governance principles, which would include IT policies and procedures, for promoting data quality and integrity for its systems, as the business owner, and is responsible for following and adhering to all identified business owner requirements, as stated within the Security Policies. ? Vendor oversight was lacking. The Department had not ensured its IT service providers complied with Security Policies. o Security Policies state that IT service providers?defined as OIT and/or external service providers?must follow the Security Policy requirements, among certain other requirements, as communicated to the Department within the confidential finding. o Section C.iii. (Legal Authority ? Contractor Signatory, Information Technology Specific) of the Department?s contract with the Connecting Colorado IT service provider states: ??the contractor warrants that it will at all times comply with all Security Policies.? o Exhibit C, Section 1.C.vi. (Information Technology Provisions, Protection of System Data) of the Department?s contract with the MyUI+ IT service provider states: ??the contractor shall comply with all rules, policies, procedures, and standards issued by the Governor?s Office of Information Technology.? o The Green Book states in Paragraph OV4.01, Service Organizations, that management retains responsibility for the performance of processes assigned to service organizations. MyUI+ and Connecting Colorado Unique Problems We also found other problems with access management, unique to each MyUI+ and Connecting Colorado, that lacked compliance with Security Policies, OIT Cyber Policies, and the IRS?s, Publication 1075, Tax Information Security Guidelines for Federal, State, and Local Agencies, November 2021 Revision, and were communicated through the confidential finding. Why did these problems occur? Overall, the Department did not have sufficient IT governance and information security internal controls in place, including policies and procedures, to ensure that Department staff and its IT service providers complied with various data security compliance requirements set forth by OIT and the IRS, as well as those internal control principles established within the Green Book?s internal control framework. We discuss other specific causes for the problems we identified below: MyUI+ and Connecting Colorado ? Policies and procedures were lacking (MyUI+). Department staff stated that they followed and complied with the October 2021 dated Security Policies for the entire fiscal year, as these were more stringent than the March 2022 dated Security Policies. However, the Department did not provide documentation of a formal adoption of the October 2021 dated Security Policies. Staff also stated it maintains informal procedures of how to perform certain access management processes, but no standard operating procedures were in place. ? Policies and procedures were lacking (Connecting Colorado). Department staff had released a program guidance letter that addressed data security and access, but staff acknowledged that these program guidance letters are a guide and not official policy statements. In addition, the program guidance letter provided by Department staff was directed to the workforce centers that are located across the state that provide employment services to eligible beneficiaries and, therefore, did not provide any data security or access policies and procedures for state staff. ? Vendor oversight was lacking. We determined the Department did not have a vendor management process in place to hold its IT service providers accountable for contract provisions that required the IT service providers to comply with Security Policies, as demonstrated by the noncompliance issues we identified. In addition, and based on the March 2022 Security Policies, the Department has not determined whether contract amendments may be necessary with its two external IT service providers. ? Other Access Management Non-Compliance: o Department staff indicated that in one instance of non-compliance identified, a more efficient process was to not comply with the requirement. o Department staff stated that the certain access management non-compliance area was set up as it was during the COVID-19 pandemic to help prevent backlogs and issues for users during that time and was not subsequently changed. o Department staff did not update its rules for Connecting Colorado account management non-compliance area to reflect Security Policy changes. Specifically, we noted that OIT introduced the specific account management requirements in its Security Policies in February 2015, and those requirements remained constant through the March 2022 version; however, Department staff did not have a process in place to ensure periodic reviews of OIT?s Security Policies occurred and Department rules for the workforce centers appropriately aligned with any Security Policy changes. In addition, Department staff did not have a process in place to ensure its external IT service providers were complying with contract provisions to comply with Security Policy requirements. o Department staff stated they have not found cause to mandate IT service provider actions that are deemed privately owned business methodologies. However, and as noted above, the Department?s contract states that the external IT service provider must comply with OIT?s Security Policies that require specific security safeguards to be implemented by all IT service providers, including the Connecting Colorado external IT service provider. Why do these problems matter? The lack of established IT policies and procedures make it difficult for Department management to measure and hold staff accountable to management?s expectations, as well as ensuring risks are addressed and overall objectives and missions are fulfilled. In turn, without policies and procedures, staff may not perform processes and controls in a consistent manner. In addition, without holding vendors accountable and ensuring that strong security measures are designed, implemented, and operating effectively, the risk of unauthorized access increases and ultimately impacts data reliability of the data stored and processed within MyUI+ and Connecting Colorado. Lastly, without having a strong internal control framework in place, management cannot ensure that state and federal funds are being used appropriately, which may impact the Department?s compliance with federal grant requirements and/or the accuracy of the Department?s federal and financial reporting. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-072 The Department of Labor and Employment (Department) should improve its overall Information Technology (IT) governance and information security IT general controls, and work with its IT service providers, as applicable, for the MyUI+ and Connecting Colorado information systems by: A. Formalizing and communicating to Department staff and the Department?s IT service providers? IT policies that comply with the Business Owner requirements listed within the Governor?s Office of Information Technology?s (OIT) March 2022 Colorado Information Security Policies (Security Policies). As an option, the Department could formally adopt the October 2021 Security Policies, identify any gaps between the October 2021 and March 2022 versions, and then formalize and communicate policies that address the identified gaps. B. Formalizing and communicating IT procedures to provide guidance to Department staff and the Department?s IT service providers performing IT general control activities that further address the IT policies formalized in recommendation Part A. The formalization and communication should include an organizationally defined, periodic review process of OIT?s Security Policies to ensure the Department?s IT policies, procedures, and rules are updated accordingly to align with the most current version of the Security Policies. C. Formalizing a vendor management process that ensures the Department?s IT service providers are held accountable to contract provisions requiring compliance with Colorado Information Security Policies and IT policies and procedures formalized in recommendation Parts A and B. This should include a review of the Department?s current external IT service providers? contracts and a determination of whether amendments to those contracts are necessary, based on the formalization of recommendation Parts A and B. D. Implementing recommendation Part D as noted in the confidential finding. E. Implementing recommendation Part E as noted in the confidential finding. Response Department of Labor and Employment A. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. B. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. C. Agree Implementation Date: December 2023 CDLE agrees with the recommendation and as part of A and B recommendations of this document, the Department will include a requirement from vendors to affirm they have reviewed and will comply with OIT security policies for all new contracts. Furthermore, as the Department becomes aware of changes to OIT Security Policies through its annual review process, these will be communicated to the vendors, and they will be required to reaffirm their compliance with any applicable changes. We will work with our current vendors for MyUI+ and Connecting Colorado to address the compliance issues noted in the audit and ensure they are compliant with OIT Security Policies and IT policies developed in part A and B of this recommendation. If non-compliance is determined to be unavoidable, the Department will file for a security exception with OIT. D. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part D as noted in the confidential finding. E. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part E as noted in the confidential finding.
Finding 2022-071 Federal Funding Accountability and Transparency Act The Department is responsible for administering two programs as part of the Employment Service Cluster: Employment Service/Wagner Peyser Funded Activities (Wagner) [ALN 17.207], and Jobs for Veterans State Grant (JSVG) [ALN 17.801]. The main overall purpose of these programs is to improve the functioning of the nation's labor markets by bringing together individuals who are seeking employment and employers who are seeking workers. The Wagner program provides a variety of services to job seekers, including career services and job search assistances; in addition, employers can access the program to post job orders and obtain qualified applicants. The JSVG provides federal funding through a formula grant to State Workforce Agencies (SWAs), including the Department, to hire dedicated staff to provide individualized career and training-related service to veterans and eligible individuals with significant barriers to employment, and to assist employers in filling their workforce needs with job-seeking veterans. The Department administers the programs and also passes Employment Service Cluster funds through to Colorado counties so they can help provide these services to individuals. The Department is required to comply with the Federal Funding Accountability and Transparency Act of 2006 (Transparency Act or FFATA) for both programs within the Employment Service Cluster. The Transparency Act was created to empower Americans with the ability to hold the government accountable for each spending decision and, as a result, to reduce wasteful spending by the government. The Transparency Act requires the federal government to make certain information on federal awards available to the public. In accordance with the Transparency Act, the Department is required to report information about subgrants, or subawards, given to other governments or to nonprofit organizations, also referred to as subrecipients. Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the Department, to an entity to carry out part of a Federal grant award received by the pass-through entity. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? In Fiscal Year 2022, the Department made 11 subawards to 10 Colorado counties (subrecipients) for the Employment Service Cluster, $11.2 million in subawards to 10 counties for Wagner, and $45,116 in subawards to one county for JVSG, totaling $11.3 million. The Department is required to submit FFATA information through the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Once the Department submits a report to FSRS, the public can view information from the report, including the subrecipient?s name, subaward identification number, subaward obligation/action date, subaward amount, federal awarding agency and subagency, the Department?s name, and the Department?s grant award identification number. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the Department had adequate internal controls over and complied with FFATA reporting requirements for the Employment Service Cluster programs during Fiscal Year 2022. As part of our audit work, we requested the Department?s policies and procedures over FFATA reporting, the FFATA reports submitted by the Department in Fiscal Year 2022, and a list of all subawards made by the Department during Fiscal Year 2022. How were the results of the audit work measured? In accordance with federal regulations [2 CFR 170.330.l(a)], the Department is required to report subawards of $30,000 or more to FSRS by the end of the month following the month in which the award was made. For example, the Department would have to submit a FFATA report to FSRS in May 2022 if an award or supplemental award equal to or greater than $30,000 was made in April 2022. What problem did the audit work identify? Based on our audit work, we determined that the Department did not comply with FFATA reporting requirements for the Employment Cluster and did not report any subawards in FSRS for Fiscal Year 2022. Specifically, we determined that the Department did not report $11.21 million in subawards to 10 subrecipients (the counties) for Wagner, and $45,116 in subawards to one county for JVSG. The following tables summarize the results of our testing and groups each exception within the following categories: subaward not reported, report not timely, subaward amount incorrect, and subaward missing key elements. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Why did this problem occur? The Department was not aware of the FFATA reporting requirement because it did not review the federal grant agreements to determine that the requirement was applicable for the program. Why does this problem matter? By failing to properly report subawards to FSRS, the Department is out of compliance with federal reporting requirements and risks federal sanctions. In addition, it fails to meet the federal intent of transparency for federal program spending. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-071 The Department of Labor and Employment should implement appropriate internal controls and related processes, such as detailed reviews of federal grant agreements, over the Employment Service Cluster to ensure that it is aware of, and in compliance with all federal reporting requirements, including requirements under the Federal Funding Accountability and Transparency Act of 2006. Response Department of Labor and Employment Agree Implementation Date: February 2023 By the implementation date, the Department of Labor and Employment (CDLE) will complete a review of grant agreements for reporting requirements, including the Federal Funding Accountability and Transparency Act of 2006. By the implementation date, the CDLE will develop and implement appropriate controls and processes to come into compliance with the reporting requirements and submit FFATA reports for the 10 entities identified in the audit.
Finding 2022-072 MyUI+ and Connecting Colorado?Information Security Government Auditing Standards allow for information that is considered sensitive in nature, such as detailed information related to information technology system security, to be issued through a separate ?classified or limited use? report because of the potential damage that could be caused by the misuse of this information. We consider the specific technical details of this finding, along with the response, to be sensitive in nature and not appropriate for public disclosure. Therefore, the details of the following finding and response have been provided to the Department in a separate, confidential memorandum. The Department administers the federal Unemployment Insurance and Employment Service Cluster programs, and the Department relies on IT systems to aid with determining applicants? eligibility for the programs and to provide information necessary to meet federal reporting requirements. For these two programs, the associated systems are MyUI+ and Connecting Colorado. The Department is the business owner and works with the Governor?s Office of Information Technology (OIT) and two different external IT service providers. High level descriptions of the two systems are as follows: ? MyUI+ ? The Department?s system for UI eligibility determinations and calculation of UI payments to eligible recipients. According to Department staff, starting in Fiscal Year 2023, MyUI+ will also provide data necessary for federal reporting to the U.S. Department of Labor for the UI program that was previously generated by the Colorado Labor and Employment Accounting Resource system. ? Connecting Colorado ? The Department?s workforce case management, labor exchange, and federal reporting system that supports the Employment Service Cluster program. The system provides services for job seekers and businesses, as well as provides all required federal reporting to the U.S. Department of Labor, for the Employment Service Cluster programs. In order for the Department to achieve its objectives and respond to risks, including those related to the federal programs it administers, management should establish a strong framework of internal controls that also address information system controls. Specifically, information system controls typically start with management documenting IT policies that address IT general control responsibilities and procedures that document the more granular details on how to implement Department policies. These IT general control policies and procedures should include those policies and procedures that are specific to information security. Once policies and procedures have been formalized and communicated to staff responsible, specific internal control activities can be implemented and operationalized. What was the purpose of our audit work and what work was performed? The purpose of our Fiscal Year 2022 audit work was to determine whether the Department, OIT, and the Department?s two external IT service providers for MyUI+ and Connecting Colorado had policies and procedures related to information security, designed and implemented for MyUI+ and Connecting Colorado. Our audit work was performed through interviews conducted of Department and OIT staff. What problems did the audit work identify and how were the results of the audit work measured? During Fiscal Year 2022, we identified information security problems with the MyUI+ and Connecting Colorado systems. We have grouped these problems first by those common to the two systems and then those unique to each system. MyUI+ and Connecting Colorado Common Problems ? Policies and procedures were lacking. Department management had not established its expectations through the development and implementation of formalized policies and procedures related to information security general controls for MyUI+ and Connecting Colorado. o Standards for Internal Control in the Federal Government (Green Book) published by the U.S. Government Accountability Office (GAO) states in Paragraph 3.09, Documentation of Internal Control System, and 12.02, Documentation of Responsibilities through Policies, that management should develop and maintain documentation of its internal control system and document in policies the internal control responsibilities of the organization. Paragraph 11.06 and 11.07, Design Appropriate Types of Control Activities, states that management should design appropriate types of control activities in the entity?s information system, including information system general controls that facilitate the proper operation of the entity?s systems. o Colorado Information Security Policies (Security Policies or CISP) that are developed, published, and required to be followed by the Department and its external IT service providers state within the Policy and the General Responsibilities sections, specifically 8.3.1 and 8.3.2 for Business Owners or the Department, that all agencies, except for the institutions of higher education and the general assembly, as the business owner, must implement governance principles, which would include IT policies and procedures, for promoting data quality and integrity for its systems, as the business owner, and is responsible for following and adhering to all identified business owner requirements, as stated within the Security Policies. ? Vendor oversight was lacking. The Department had not ensured its IT service providers complied with Security Policies. o Security Policies state that IT service providers?defined as OIT and/or external service providers?must follow the Security Policy requirements, among certain other requirements, as communicated to the Department within the confidential finding. o Section C.iii. (Legal Authority ? Contractor Signatory, Information Technology Specific) of the Department?s contract with the Connecting Colorado IT service provider states: ??the contractor warrants that it will at all times comply with all Security Policies.? o Exhibit C, Section 1.C.vi. (Information Technology Provisions, Protection of System Data) of the Department?s contract with the MyUI+ IT service provider states: ??the contractor shall comply with all rules, policies, procedures, and standards issued by the Governor?s Office of Information Technology.? o The Green Book states in Paragraph OV4.01, Service Organizations, that management retains responsibility for the performance of processes assigned to service organizations. MyUI+ and Connecting Colorado Unique Problems We also found other problems with access management, unique to each MyUI+ and Connecting Colorado, that lacked compliance with Security Policies, OIT Cyber Policies, and the IRS?s, Publication 1075, Tax Information Security Guidelines for Federal, State, and Local Agencies, November 2021 Revision, and were communicated through the confidential finding. Why did these problems occur? Overall, the Department did not have sufficient IT governance and information security internal controls in place, including policies and procedures, to ensure that Department staff and its IT service providers complied with various data security compliance requirements set forth by OIT and the IRS, as well as those internal control principles established within the Green Book?s internal control framework. We discuss other specific causes for the problems we identified below: MyUI+ and Connecting Colorado ? Policies and procedures were lacking (MyUI+). Department staff stated that they followed and complied with the October 2021 dated Security Policies for the entire fiscal year, as these were more stringent than the March 2022 dated Security Policies. However, the Department did not provide documentation of a formal adoption of the October 2021 dated Security Policies. Staff also stated it maintains informal procedures of how to perform certain access management processes, but no standard operating procedures were in place. ? Policies and procedures were lacking (Connecting Colorado). Department staff had released a program guidance letter that addressed data security and access, but staff acknowledged that these program guidance letters are a guide and not official policy statements. In addition, the program guidance letter provided by Department staff was directed to the workforce centers that are located across the state that provide employment services to eligible beneficiaries and, therefore, did not provide any data security or access policies and procedures for state staff. ? Vendor oversight was lacking. We determined the Department did not have a vendor management process in place to hold its IT service providers accountable for contract provisions that required the IT service providers to comply with Security Policies, as demonstrated by the noncompliance issues we identified. In addition, and based on the March 2022 Security Policies, the Department has not determined whether contract amendments may be necessary with its two external IT service providers. ? Other Access Management Non-Compliance: o Department staff indicated that in one instance of non-compliance identified, a more efficient process was to not comply with the requirement. o Department staff stated that the certain access management non-compliance area was set up as it was during the COVID-19 pandemic to help prevent backlogs and issues for users during that time and was not subsequently changed. o Department staff did not update its rules for Connecting Colorado account management non-compliance area to reflect Security Policy changes. Specifically, we noted that OIT introduced the specific account management requirements in its Security Policies in February 2015, and those requirements remained constant through the March 2022 version; however, Department staff did not have a process in place to ensure periodic reviews of OIT?s Security Policies occurred and Department rules for the workforce centers appropriately aligned with any Security Policy changes. In addition, Department staff did not have a process in place to ensure its external IT service providers were complying with contract provisions to comply with Security Policy requirements. o Department staff stated they have not found cause to mandate IT service provider actions that are deemed privately owned business methodologies. However, and as noted above, the Department?s contract states that the external IT service provider must comply with OIT?s Security Policies that require specific security safeguards to be implemented by all IT service providers, including the Connecting Colorado external IT service provider. Why do these problems matter? The lack of established IT policies and procedures make it difficult for Department management to measure and hold staff accountable to management?s expectations, as well as ensuring risks are addressed and overall objectives and missions are fulfilled. In turn, without policies and procedures, staff may not perform processes and controls in a consistent manner. In addition, without holding vendors accountable and ensuring that strong security measures are designed, implemented, and operating effectively, the risk of unauthorized access increases and ultimately impacts data reliability of the data stored and processed within MyUI+ and Connecting Colorado. Lastly, without having a strong internal control framework in place, management cannot ensure that state and federal funds are being used appropriately, which may impact the Department?s compliance with federal grant requirements and/or the accuracy of the Department?s federal and financial reporting. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-072 The Department of Labor and Employment (Department) should improve its overall Information Technology (IT) governance and information security IT general controls, and work with its IT service providers, as applicable, for the MyUI+ and Connecting Colorado information systems by: A. Formalizing and communicating to Department staff and the Department?s IT service providers? IT policies that comply with the Business Owner requirements listed within the Governor?s Office of Information Technology?s (OIT) March 2022 Colorado Information Security Policies (Security Policies). As an option, the Department could formally adopt the October 2021 Security Policies, identify any gaps between the October 2021 and March 2022 versions, and then formalize and communicate policies that address the identified gaps. B. Formalizing and communicating IT procedures to provide guidance to Department staff and the Department?s IT service providers performing IT general control activities that further address the IT policies formalized in recommendation Part A. The formalization and communication should include an organizationally defined, periodic review process of OIT?s Security Policies to ensure the Department?s IT policies, procedures, and rules are updated accordingly to align with the most current version of the Security Policies. C. Formalizing a vendor management process that ensures the Department?s IT service providers are held accountable to contract provisions requiring compliance with Colorado Information Security Policies and IT policies and procedures formalized in recommendation Parts A and B. This should include a review of the Department?s current external IT service providers? contracts and a determination of whether amendments to those contracts are necessary, based on the formalization of recommendation Parts A and B. D. Implementing recommendation Part D as noted in the confidential finding. E. Implementing recommendation Part E as noted in the confidential finding. Response Department of Labor and Employment A. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. B. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. C. Agree Implementation Date: December 2023 CDLE agrees with the recommendation and as part of A and B recommendations of this document, the Department will include a requirement from vendors to affirm they have reviewed and will comply with OIT security policies for all new contracts. Furthermore, as the Department becomes aware of changes to OIT Security Policies through its annual review process, these will be communicated to the vendors, and they will be required to reaffirm their compliance with any applicable changes. We will work with our current vendors for MyUI+ and Connecting Colorado to address the compliance issues noted in the audit and ensure they are compliant with OIT Security Policies and IT policies developed in part A and B of this recommendation. If non-compliance is determined to be unavoidable, the Department will file for a security exception with OIT. D. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part D as noted in the confidential finding. E. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part E as noted in the confidential finding.
Finding 2022-071 Federal Funding Accountability and Transparency Act The Department is responsible for administering two programs as part of the Employment Service Cluster: Employment Service/Wagner Peyser Funded Activities (Wagner) [ALN 17.207], and Jobs for Veterans State Grant (JSVG) [ALN 17.801]. The main overall purpose of these programs is to improve the functioning of the nation's labor markets by bringing together individuals who are seeking employment and employers who are seeking workers. The Wagner program provides a variety of services to job seekers, including career services and job search assistances; in addition, employers can access the program to post job orders and obtain qualified applicants. The JSVG provides federal funding through a formula grant to State Workforce Agencies (SWAs), including the Department, to hire dedicated staff to provide individualized career and training-related service to veterans and eligible individuals with significant barriers to employment, and to assist employers in filling their workforce needs with job-seeking veterans. The Department administers the programs and also passes Employment Service Cluster funds through to Colorado counties so they can help provide these services to individuals. The Department is required to comply with the Federal Funding Accountability and Transparency Act of 2006 (Transparency Act or FFATA) for both programs within the Employment Service Cluster. The Transparency Act was created to empower Americans with the ability to hold the government accountable for each spending decision and, as a result, to reduce wasteful spending by the government. The Transparency Act requires the federal government to make certain information on federal awards available to the public. In accordance with the Transparency Act, the Department is required to report information about subgrants, or subawards, given to other governments or to nonprofit organizations, also referred to as subrecipients. Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the Department, to an entity to carry out part of a Federal grant award received by the pass-through entity. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? In Fiscal Year 2022, the Department made 11 subawards to 10 Colorado counties (subrecipients) for the Employment Service Cluster, $11.2 million in subawards to 10 counties for Wagner, and $45,116 in subawards to one county for JVSG, totaling $11.3 million. The Department is required to submit FFATA information through the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Once the Department submits a report to FSRS, the public can view information from the report, including the subrecipient?s name, subaward identification number, subaward obligation/action date, subaward amount, federal awarding agency and subagency, the Department?s name, and the Department?s grant award identification number. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the Department had adequate internal controls over and complied with FFATA reporting requirements for the Employment Service Cluster programs during Fiscal Year 2022. As part of our audit work, we requested the Department?s policies and procedures over FFATA reporting, the FFATA reports submitted by the Department in Fiscal Year 2022, and a list of all subawards made by the Department during Fiscal Year 2022. How were the results of the audit work measured? In accordance with federal regulations [2 CFR 170.330.l(a)], the Department is required to report subawards of $30,000 or more to FSRS by the end of the month following the month in which the award was made. For example, the Department would have to submit a FFATA report to FSRS in May 2022 if an award or supplemental award equal to or greater than $30,000 was made in April 2022. What problem did the audit work identify? Based on our audit work, we determined that the Department did not comply with FFATA reporting requirements for the Employment Cluster and did not report any subawards in FSRS for Fiscal Year 2022. Specifically, we determined that the Department did not report $11.21 million in subawards to 10 subrecipients (the counties) for Wagner, and $45,116 in subawards to one county for JVSG. The following tables summarize the results of our testing and groups each exception within the following categories: subaward not reported, report not timely, subaward amount incorrect, and subaward missing key elements. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Why did this problem occur? The Department was not aware of the FFATA reporting requirement because it did not review the federal grant agreements to determine that the requirement was applicable for the program. Why does this problem matter? By failing to properly report subawards to FSRS, the Department is out of compliance with federal reporting requirements and risks federal sanctions. In addition, it fails to meet the federal intent of transparency for federal program spending. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-071 The Department of Labor and Employment should implement appropriate internal controls and related processes, such as detailed reviews of federal grant agreements, over the Employment Service Cluster to ensure that it is aware of, and in compliance with all federal reporting requirements, including requirements under the Federal Funding Accountability and Transparency Act of 2006. Response Department of Labor and Employment Agree Implementation Date: February 2023 By the implementation date, the Department of Labor and Employment (CDLE) will complete a review of grant agreements for reporting requirements, including the Federal Funding Accountability and Transparency Act of 2006. By the implementation date, the CDLE will develop and implement appropriate controls and processes to come into compliance with the reporting requirements and submit FFATA reports for the 10 entities identified in the audit.
Finding 2022-070 Unemployment Insurance Program Integrity Fraud Holds The Department?s UI Division is responsible for the administration and monitoring of Colorado?s UI programs, including the collection of unemployment premiums from employers, the payment of UI benefits to claimants, and the performance of audits and investigations of premiums and benefits to ensure they are properly paid. Employer-paid premiums are the primary source of funding for UI benefits. When an individual applies for UI benefits, they are called a claimant, and the application is called a claim. Each claimant creates an account in MyUI+, the Department?s unemployment benefit system, in order to apply for unemployment benefits. The Department reviews, or adjudicates, claims to ensure that claimants are eligible and entitled to receive UI benefits. As part of the adjudication process, wage checks for claimants are compared to employer reported wages submitted to the Department on a quarterly basis and the Department sends a notification to all employers that the claimant worked for within the last 18 months to determine the validity and reason for the claimant leaving the workplace. In addition, Department staff indicate that, on a weekly basis, they perform reviews to identify potential issues with a claimant?s ability and availability to work, and to determine whether the claimant is accurately reporting earned income. If information provided by an interested party, such as a former employer, relating to the reason for leaving the workforce does not agree to the claimant information, the Department follows up on the information and issues eligibility determinations, as appropriate. In Fiscal Year 2022, the Department paid $1.1 billion in UI benefits. The Department has processes and systems to detect and prevent identity theft related to UI benefits. For example, when the Department identifies a claim with characteristics that are indicators of fraud, it places a fraud hold (also known as a program integrity hold) on the claimant?s UI claim, which holds the claim for investigation and which prevents any future benefit payments to the claimant until the fraud hold is removed and eligibility is determined. For each fraud hold, the Department has to determine if the identity of the individual filing the claim matches the personally identifiable information used on the claim. Once that is verified, the Department then must verify that the individual did not make any false statements in order to establish program eligibility. The steps that the Department takes to resolve a fraud hold differ depending on the characteristics of the claim that caused the Department to question its legitimacy. If Department staff determine that the fraud hold was not legitimate, the Department clears the hold in MyUI+ and then proceeds with determining if the individual is eligible to receive UI benefits. The Department uses an automated system, called ID.me, as part of its identity verification process. ID.me is a federally-certified identity provider that assists the Department in verifying claimants? identity. In some instances, MyUI+ will clear the fraud hold if the claimant passes ID.me and the claim does not need further investigation. In other cases, the Department performs an investigation to determine if the fraud hold is legitimate, or if the hold was placed in error. According to the information in MyUI+, the Department cleared 54,047 fraud holds during Fiscal Year 2022 ? 44,936 were cleared through the ID.me process, and 9,111 were cleared by the Department. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department had adequate internal controls in place over fraud holds during Fiscal Year 2022, including whether only appropriate, authorized individuals cleared the fraud hold from MyUI+, and if the Department had adequate segregation of duties between staff investigating a fraud hold, and staff releasing the hold in MyUI+. As part of our audit work, we requested the Department?s policies and procedures for their investigation process and documentation used to support the Department?s investigations that resulted in clearing a fraud hold, and inquired how the Department determined who is authorized to release fraud holds from MyUI+. The Department?s documentation included case reports for the investigations and log notes from Salesforce, the Department?s software that is primarily used as a workflow management tool and documentation repository for UI claims requiring an investigation. We selected a sample of 60 of the 9,111 fraud holds that were cleared by the Department during Fiscal Year 2022 to determine if the Department performed an investigation prior to releasing the fraud hold in MyUI+. In addition, as part of our testing of the sample, we determined that 20 different Department staff cleared the 60 fraud holds in MyUI+; we performed testing to determine if those staff were authorized to clear the holds in MyUI+. How were the results of the audit work measured? We measured the results of our audit against the following: Section 7511, Part V, of the Employment Security Manual (ESM) requires state UI laws to include provisions for such methods of administration as are, within reason, calculated (1) to detect benefits paid through error by the state UI agency or through willful misrepresentation or error by the claimant or others, (2) to deter claimants from obtaining benefits through willful misrepresentation, and (3) to recover benefits overpaid under certain circumstances. These required functions are accomplished through designated staff responsible for promoting and maintaining the integrity of the UI program through prevention, detection, investigations, establishment, and recovery of overpayments. Designated staff also prepare cases for prosecution. The Department?s UI Investigation Procedures state that if Department staff determine that a fraud hold that they are investigating can be released in MyUI+, Department staff should write an event log note in Salesforce. Information security is the practice of protecting information by mitigating information risk. ISO 27001 Standard for Information Security Management Systems is the international standard for information security, and its best practice approach helps organizations manage their information security by addressing people, processes, and technology. User-access management has the following objectives: ? Ensure authorized user access ? Prevent unauthorized access to information systems Expanding on the objectives from ISO 27001, a broad set of business-level objectives for user-access management can be defined as follows: ? Allow only authorized users to have access to information and resources ? Restrict access to the least privileges required by these authorized users to fulfill their business role The federal Social Security Act [Section 303(a)(1), SSA], contains a merit-based system requirement for the UI program. Specifically, this section requires that, as a condition of receiving federal UI administrative grants, states must have laws that include ?provision for such methods of administration? that includes a merit system. A merit system is defined as the process of promoting and hiring government employees based on their ability to perform a job, rather than on their political connections. As part of this requirement, any position which involves the determination of whether or not a UI claimant will be paid, or which involves determining an employer's liability for contributions, must be ?merit staffed.? According to federal regulations [5 CFR 900.603, Standards For a Merit System of Personnel Administration], ?The quality of public service can be improved by the development of systems of personnel administration consistent with such merit principles as - (a) Recruiting, selecting, and advancing employees on the basis of their relative ability, knowledge, and skills, including open consideration of qualified applicants for initial appointment. (b) Providing equitable and adequate compensation. (c) Training employees, as needed, to assure high quality performance. (d) Retaining employees on the basis of the adequacy of their performance, correcting inadequate performance, and separating employees whose inadequate performance cannot be corrected?? The U. S. Department of Labor Unemployment Insurance Program Letter (UIPL) No. 12-01, states that only those employees considered as merit-staff can determine whether to pay or deny payment to a claim. Additionally, UIPL No. 12-01 Change 2 states that, ?Determinations of overpayments or fraud must be made by merit-staffed employees.? The Department?s SPP 1053 Code of Conduct, Ethics and Values Policy, Attachment A: Unemployment Insurance Ethics Policy states that employees are not permitted to do the following: ? Investigate or attempt to investigate suspected fraud unless it is within their assigned duties. ? Backdate a claim, transfer claim status retroactively (UI to UCFE, UCX to TRA, etc.), alter information provided by a claimant or employer, or change or defer a UI document due date without valid documentation or approval of the appropriate branch chief or UI Director. According to federal regulation [45 CFR 75.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office. Under Paragraph 10.01 of the Green Book, the Department should design control activities to achieve objectives and respond to risks. Segregation of duties contribute to the design, implementation, and operating effectiveness of control activities. Under Paragraph 10.03 of the Green Book, the Department should divide or segregate key duties and responsibilities among different people to reduce the risk of error, misuse, or fraud. This includes separating the responsibilities for authorizing transactions, processing and recording them, reviewing the transactions, and handling any related assets so that no one individual controls all key aspects of a transaction or event. What problems did the audit work identify? The Department did not comply with federal regulations or its own policies and procedures related to the clearing of fraud holds during Fiscal Year 2022. Specifically, we identified issues with 32 of the 60 (53 percent) fraud holds we tested, as follows: ? The Department cleared 12 of the 60 fraud holds tested (20 percent) without performing an investigation or providing evidence of the reasoning used to clear the hold. Specifically, when we asked for investigation documentation for the 12 fraud holds, the Department indicated these were cleared without an investigation, and there were no related log notes in Salesforce, as required. ? For 20 of the 48 cases in our sample (42 percent) for which the Department did conduct an investigation, it did not segregate the duty of investigating the fraud hold and clearing the fraud hold from MyUI+. Specifically, in these cases, only one person conducted the investigation, concluded on the investigation, and cleared the fraud hold in MyUI+. ? One of the 20 Department staff who cleared a portion (5 percent) of the 60 fraud holds we sampled was not authorized to clear fraud holds from MyUI+ because the individual was not considered to be merit-staffed. Further, this unauthorized individual cleared 11 of 12 fraud holds we identified above that did not have an investigation, as required. We also found that this individual cleared an additional 55 fraud holds outside of our sample during Fiscal Year 2022. Why did these problems occur? The Department did not have sufficient internal controls in place, including appropriate policies and procedures, to ensure it enforced compliance with federal and Department-level requirements regarding the clearing of UI fraud holds during Fiscal Year 2022, as follows: ? The Department did not ensure that all fraud hold claims cleared in MyUI+ had a related log note in Salesforce that explained the rationale for clearing the hold, or that there was an investigation performed over the fraud hold prior to it being cleared in MyUI+. Specifically, in 11 of the 12 instances, the Department?s controls failed to prevent non-merit staff from using their MyUI+ access inappropriately, and in the other instance, Department controls failed to ensure the UI claim was reviewed by the UI section that reviews fraud holds rather than the UI section that resolves non-fraud UI claims. The Department provided full, rather than read-only access to the non-merit, Executive Director?s Office?s staff member noted in our finding. UI management indicated that they gave the individual full access to MyUI+ during the height of the pandemic with the assumption that the individual would use such access in a read-only manner solely to review claim information for inquiries coming through the Executive Director's Office. According to UI Division leadership, after they identified that the individual had full access during Fiscal Year 2022, they changed the individual?s access to read-only in January 2022. ? The Department lacked policies regarding management override of controls related to the clearing of fraud holds, in order to prevent or appropriately manage those responsibilities. UI staff indicated that in some cases, the non-merit, Executive Director?s Office?s staff member noted in our finding would reach out to other staff within the UI Division to help escalate the MyUI+ fraud hold clearing process. In some of these instances, because of the position of the individual within the Executive Director?s Office, UI staff circumvented the normal escalation process and aided the individual with clearing the fraud hold. ? The Department?s current policies and procedures do not require segregation of duties between those staff who investigate a fraud hold, and those staff who remove the fraud hold in MyUI+. Why do these problems matter? Improper segregation of duties, including the separation of responsibilities for both investigating and clearing potential fraud holds, leaves the UI program vulnerable to fraudulent activity. Specifically, fraud risk increases if there is no segregation between the investigation and the actual clearing of the fraud hold from MyUI+ and, as a result, the same staff could inappropriately clear holds and initiate UI payments. Further, a lack of strong checks and balances within the UI program could erode the integrity of the program at large, ultimately negatively impacting public trust. Strong internal controls related to UI fraud are especially important given the large amount of funds that are paid by the Department for UI claims each year and the significant amount of fraudulent claims that are paid by the Department. For example, the Department recorded an estimated receivable for amounts due back to the Department of $45 million for fraudulently-obtained UI claims at June 30, 2022. Without strengthening its controls over UI claims and fraud holds, there is a risk that a significant amount of UI funds could continue to be paid out each year for fraudulently obtained UI claims. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-070 The Department of Labor and Employment (Department) should strengthen its internal controls over Unemployment Insurance (UI) program integrity holds by: A. Ensuring all fraud holds are properly investigated and documented with a log note in Salesforce that explains the rationale for releasing the claim, prior to releasing the claim in MyUI+. B. Adequately reviewing claims for a fraud indicator to ensure the hold is sent to the appropriate UI section for resolution. C. Ensuring Department staff are given the appropriate access in MyUI+ to prevent individuals from clearing fraud holds inappropriately and periodically monitoring access to ensure access levels remain appropriate. D. Instituting policies and procedures over management override of internal controls related to UI claims and providing staff training on those policies and procedures. This should include ensuring that UI staff are aware of the importance of following all procedures related to fraud holds and that any inappropriate requests or pressures are communicated through the appropriate channels. E. Updating its current policies and procedures to require segregation of duties between the investigation of a fraud hold and the release of a fraud hold in MyUI+ to ensure more than one person is involved in the fraud hold process from beginning to end. Response Department of Labor and Employment A. Agree Implementation Date: July 2024 The Department agrees with this finding. The Department is moving all adjudication and investigation of program integrity holds into the MyUI+ system, so there will be one system of record. The Department will ensure that all program integrity holds have all documentation through adjudication and investigation, including log notes. The Department anticipates this to be fully implemented by July 2024. B. Agree Implementation Date: July 2024 The Department agrees with this finding. The department has modified processes to ensure all holds are only routed to the appropriate team to be adjudicated. In addition the Department is working to have all claims identified as fraud delivered in a workflow process in MyUI+ rather than the various processes in place now. Further the department is working with our MyUI+ system experts to implement new technology to strengthen and streamline the fraud indicator escalation process and systems within MyUI+. In working with our MyUI+ system experts, the Department anticipates this to be fully implemented by July 2024. C. Agree Implementation Date: July 2024 The Department agrees with this finding. The Department will continue strengthening security in this area and internal procedures to periodically monitor the potential for internal fraud activities. Additionally, the Department will periodically monitor and review My UI+ access levels for appropriateness. In consultation with our MyUI+ systems experts, the Department anticipates this finding to be fully implemented by July 2024. D. Agree Implementation Date: July 2023 The Department agrees with this finding. The Department will reinforce and strengthen the ethics policies in yearly communication to staff and tighten escalation policies to ensure pressures and inappropriate requests are handled in accordance with guidelines. The Department anticipates this will be completed by July 2023. E. Disagree When a PI hold is identified as being highly suspicious for criminally fraudulent activity, it is routed to a specialized unit for review, thereby leaving the standard adjudication process. This is handled by passing the review to the UI Investigations and/or Criminal Enforcement (ICE) unit. The investigator performs their investigation and if no actual fraudulent activity is found they will release the hold. The UI Division also performs several quality control reviews of claims and claim decisions via Benefits Payment Control (BPC), Benefits Accuracy Measurements (BAM), Benefits Timeliness and Quality (BTQ), and internal Quality Assurance (QA) reviews. Claims are reviewed for such criteria as adequate support documentation, benefit payment accuracy, timely processing, and correct claim decision determination on all program integrity holds. The Green Book states in Section 10.14, ? If segregation of duties is not practical within an operational process because of limited personnel or other factors, management designs alternative control activities to address the risk of fraud, waste, or abuse in the operational process.? CDLE believes the reviews represent adequate and sufficient compensating controls for the need for segregation of duties on fraud holds. Changing the current process would hinder our ability to deliver UI benefit services timely to our customers and would put us in jeopardy of fulfilling our federal and state payment timeliness requirements. Auditor?s Addendum Segregating the duties between investigating and releasing a fraud hold in MyUI+ reduces the risk of an employee inappropriately and potentially fraudulently clearing the hold without conducting a proper investigation. The issues identified in our audit indicate that the Department?s current compensating controls did not identify that a current employee released fraud holds without a proper investigation. The Department should consider updating its procedures and processes to segregate these duties to reduce the risk of this occurring in the future.
The following finding and recommendation relating to an internal control deficiency classified as a Significant Deficiency was communicated to the Department of Labor and Employment (Department) in the previous year and has not been remediated as of June 30, 2022 because the original implementation date provided by the Department was in a subsequent fiscal year. This complete finding and recommendation can be found within the original report and the complete recommendation can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table Finding 2021-063 Unemployment Insurance?Federal Reporting The Department?s Accounting Section is responsible for completing the following two federal financial reports for the UI program and ensuring the reports are accurate, complete, and submitted to the federal government by the required deadline. The Accounting Section uses bank statements and reports from the Colorado Operations Resource Engine (CORE), the State?s accounting system, to create a workbook with the information and uses that workbook to complete the reports. ? ETA 9130, Financial Status Report, UI Programs. This is a quarterly report used to report the Department?s UI program and administrative expenditures. Financial data is required to be reported cumulatively from grant inception through the end of the reporting period. ? ETA 2112, UI Financial Transaction Summary. This is a monthly report that is a summary of the UI program?s transactions, which account for all funds received in, passed through, or paid out of the state employment fund during the applicable month. The UI division is responsible for completing the following federal report for the UI program and ensuring the report is accurate, complete, and submitted to the federal government by the required timeline. The UI division uses data pulled from MyUI+, the UI claims and benefits system, to generate two reports to fill out the ETA 191 report, described as follows. ? ETA 191, Financial Status of UCFE/UCX. This is a quarterly report on the State?s unemployment compensation expenditures paid by the Department to former federal employees (UCFE) and ex-service members (UCX) who have filed with the Department for unemployment benefits, and total amount of benefits paid to claimants of specific federal agencies. The federal government uses this report to request reimbursement of UCFE and UCX benefit payments from federal and military agencies. The federal government reimburses the Department for these benefit payments. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the Department had adequate internal controls in place over and complied with federal reporting requirements for the UI program during Fiscal Year 2021. As part of our audit work, we gained an understanding of the Department?s procedures that were in place to prepare the federal reports. In addition, we reviewed four ETA 2112 reports and two ETA 191 reports submitted to the federal government for Fiscal Year 2021 to ensure they were accurate, complete, and submitted by the required deadline. We also requested the Department?s policies and procedures for completing the reports, as well as the Department?s supporting documentation for the reports. How were the results of the audit work measured? We measured the results of our audit against the following: In accordance with Uniform Guidance [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and terms and conditions of the federal award. In accordance with the OSC?s policy Internal Control System, state agencies shall use the Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office, as its framework for its system of internal control. Green Book, Paragraph OV4.08, Documentation Requirements, states that documentation is required for the effective design, implementation, and operating effectiveness of an entity?s internal control system. Green Book Paragraph 12.02, Documentation of Responsibilities through Policies, specifically indicates that management should document in their policies the internal control responsibilities of the organization. The U.S. Department of Labor Unemployment Insurance Handbook 401 (Handbook) states that the ETA 2112 is due the first day of the second month following the month that the data in the report represents. In addition, the Handbook states that the ETA 191 is due by the 25th of the month following the close of the quarter. What problems did the audit work identify? We identified issues with 2 of the 4 (50 percent) ETA 2112 reports we tested, and 1 of the 2 (50 percent) ETA 191 reports we tested. Specifically, we identified the following: ETA 2112. We identified four issues with the September 2020 report, as follows: ? The Department could not provide support for $50.6 million reported as federal tax withholding on the report. ? The Department could not provide documentation related to the FPUC deposits and disbursements reported on the report. Specifically, the Department reported FPUC deposits as $27.0 million and FPUC Disbursements as $28.4 million. Because the Department could not provide documentation, we could not determine the correct amounts that should have been reported. ? The Department overstated the deposit amount for the intra-account transfer line by $240.2 million. Specifically, the Department reported that the amount deposited during the month for the intra-account transfers was $378.1 million, but the supporting documentation we reviewed showed the deposits totaled $137.9 million. ? The Department submitted the report on November 5, 2020, or 3 days after the deadline of November 2, 2020. In the February 2021 report, we identified that the Department understated reimbursement benefits from nonprofits by $540,000, reimbursements from local governments by $1.1 million; and reimbursements from state government by $204,700. Finally, based on discussion with the Department, it does not protect the formulas in its ETA 2112 workbooks it uses to prepare the reports in order to prevent intentional or inadvertent changes to calculations. ETA 191. We identified two issues with the ETA 191 report for the quarter ended March 2021 report. First, the Department failed to appropriately correct a federal Department of Labor-identified error from the previous quarter for expenditures for military agencies. Specifically, the Department incorrectly adjusted the $1,089,761, by $2,100, which was an under correction of the error of $2,120. Second, the Department submitted the report on May 14, 2021, nearly a month after the April 16, 2021, deadline. Why did these problems occur? The Department did not have sufficient internal controls in place to ensure that the federal reports and associated documentation were accurate and complete during Fiscal Year 2021. Specifically, the Department does not have formal, documented policies for completing the reports or a requirement that the workbooks are protected. Although the Department has a procedure document that provides instructions on how to complete the federal reports, the procedures do not include a requirement for a supervisory review of these reports prior to submitting them to the federal government. Some of the errors we identified were due to the wrong information being input into the reports, which a review could have caught and corrected prior to the Department submitting the report to the federal government. Why do these problems matter? Strong internal controls over federal reporting, including formal, documented policies, protection of formulas in the workbooks used to prepare the reports to prevent intentional or inadvertent changes to calculations, and adequate supervisory review, are necessary to ensure that the Department is in compliance with federal reporting requirements. Errors in the federal reports could cause the users of these reports to rely on incorrect information. This could have a negative impact on the Department?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-063 The Department of Labor and Employment should strengthen its internal controls over federal reporting by developing, formally documenting, and implementing policies for completing its federal reports for the Unemployment Insurance program. These policies should require the workbooks used to prepare the reports to be protected and that a supervisory review occurs prior to submitting the reports to the federal government. Response Department of Labor and Employment Agree Implementation Date: March 2023 CDLE will continue to develop, formally document, and implement policies for completing its federal reports for the Unemployment Insurance program. These policies will require the workbooks used to prepare the reports to be protected, for the data to be substantiated, and will require supervisory review on a monthly basis prior to submitting the reports to the federal government.
Finding 2022-072 MyUI+ and Connecting Colorado?Information Security Government Auditing Standards allow for information that is considered sensitive in nature, such as detailed information related to information technology system security, to be issued through a separate ?classified or limited use? report because of the potential damage that could be caused by the misuse of this information. We consider the specific technical details of this finding, along with the response, to be sensitive in nature and not appropriate for public disclosure. Therefore, the details of the following finding and response have been provided to the Department in a separate, confidential memorandum. The Department administers the federal Unemployment Insurance and Employment Service Cluster programs, and the Department relies on IT systems to aid with determining applicants? eligibility for the programs and to provide information necessary to meet federal reporting requirements. For these two programs, the associated systems are MyUI+ and Connecting Colorado. The Department is the business owner and works with the Governor?s Office of Information Technology (OIT) and two different external IT service providers. High level descriptions of the two systems are as follows: ? MyUI+ ? The Department?s system for UI eligibility determinations and calculation of UI payments to eligible recipients. According to Department staff, starting in Fiscal Year 2023, MyUI+ will also provide data necessary for federal reporting to the U.S. Department of Labor for the UI program that was previously generated by the Colorado Labor and Employment Accounting Resource system. ? Connecting Colorado ? The Department?s workforce case management, labor exchange, and federal reporting system that supports the Employment Service Cluster program. The system provides services for job seekers and businesses, as well as provides all required federal reporting to the U.S. Department of Labor, for the Employment Service Cluster programs. In order for the Department to achieve its objectives and respond to risks, including those related to the federal programs it administers, management should establish a strong framework of internal controls that also address information system controls. Specifically, information system controls typically start with management documenting IT policies that address IT general control responsibilities and procedures that document the more granular details on how to implement Department policies. These IT general control policies and procedures should include those policies and procedures that are specific to information security. Once policies and procedures have been formalized and communicated to staff responsible, specific internal control activities can be implemented and operationalized. What was the purpose of our audit work and what work was performed? The purpose of our Fiscal Year 2022 audit work was to determine whether the Department, OIT, and the Department?s two external IT service providers for MyUI+ and Connecting Colorado had policies and procedures related to information security, designed and implemented for MyUI+ and Connecting Colorado. Our audit work was performed through interviews conducted of Department and OIT staff. What problems did the audit work identify and how were the results of the audit work measured? During Fiscal Year 2022, we identified information security problems with the MyUI+ and Connecting Colorado systems. We have grouped these problems first by those common to the two systems and then those unique to each system. MyUI+ and Connecting Colorado Common Problems ? Policies and procedures were lacking. Department management had not established its expectations through the development and implementation of formalized policies and procedures related to information security general controls for MyUI+ and Connecting Colorado. o Standards for Internal Control in the Federal Government (Green Book) published by the U.S. Government Accountability Office (GAO) states in Paragraph 3.09, Documentation of Internal Control System, and 12.02, Documentation of Responsibilities through Policies, that management should develop and maintain documentation of its internal control system and document in policies the internal control responsibilities of the organization. Paragraph 11.06 and 11.07, Design Appropriate Types of Control Activities, states that management should design appropriate types of control activities in the entity?s information system, including information system general controls that facilitate the proper operation of the entity?s systems. o Colorado Information Security Policies (Security Policies or CISP) that are developed, published, and required to be followed by the Department and its external IT service providers state within the Policy and the General Responsibilities sections, specifically 8.3.1 and 8.3.2 for Business Owners or the Department, that all agencies, except for the institutions of higher education and the general assembly, as the business owner, must implement governance principles, which would include IT policies and procedures, for promoting data quality and integrity for its systems, as the business owner, and is responsible for following and adhering to all identified business owner requirements, as stated within the Security Policies. ? Vendor oversight was lacking. The Department had not ensured its IT service providers complied with Security Policies. o Security Policies state that IT service providers?defined as OIT and/or external service providers?must follow the Security Policy requirements, among certain other requirements, as communicated to the Department within the confidential finding. o Section C.iii. (Legal Authority ? Contractor Signatory, Information Technology Specific) of the Department?s contract with the Connecting Colorado IT service provider states: ??the contractor warrants that it will at all times comply with all Security Policies.? o Exhibit C, Section 1.C.vi. (Information Technology Provisions, Protection of System Data) of the Department?s contract with the MyUI+ IT service provider states: ??the contractor shall comply with all rules, policies, procedures, and standards issued by the Governor?s Office of Information Technology.? o The Green Book states in Paragraph OV4.01, Service Organizations, that management retains responsibility for the performance of processes assigned to service organizations. MyUI+ and Connecting Colorado Unique Problems We also found other problems with access management, unique to each MyUI+ and Connecting Colorado, that lacked compliance with Security Policies, OIT Cyber Policies, and the IRS?s, Publication 1075, Tax Information Security Guidelines for Federal, State, and Local Agencies, November 2021 Revision, and were communicated through the confidential finding. Why did these problems occur? Overall, the Department did not have sufficient IT governance and information security internal controls in place, including policies and procedures, to ensure that Department staff and its IT service providers complied with various data security compliance requirements set forth by OIT and the IRS, as well as those internal control principles established within the Green Book?s internal control framework. We discuss other specific causes for the problems we identified below: MyUI+ and Connecting Colorado ? Policies and procedures were lacking (MyUI+). Department staff stated that they followed and complied with the October 2021 dated Security Policies for the entire fiscal year, as these were more stringent than the March 2022 dated Security Policies. However, the Department did not provide documentation of a formal adoption of the October 2021 dated Security Policies. Staff also stated it maintains informal procedures of how to perform certain access management processes, but no standard operating procedures were in place. ? Policies and procedures were lacking (Connecting Colorado). Department staff had released a program guidance letter that addressed data security and access, but staff acknowledged that these program guidance letters are a guide and not official policy statements. In addition, the program guidance letter provided by Department staff was directed to the workforce centers that are located across the state that provide employment services to eligible beneficiaries and, therefore, did not provide any data security or access policies and procedures for state staff. ? Vendor oversight was lacking. We determined the Department did not have a vendor management process in place to hold its IT service providers accountable for contract provisions that required the IT service providers to comply with Security Policies, as demonstrated by the noncompliance issues we identified. In addition, and based on the March 2022 Security Policies, the Department has not determined whether contract amendments may be necessary with its two external IT service providers. ? Other Access Management Non-Compliance: o Department staff indicated that in one instance of non-compliance identified, a more efficient process was to not comply with the requirement. o Department staff stated that the certain access management non-compliance area was set up as it was during the COVID-19 pandemic to help prevent backlogs and issues for users during that time and was not subsequently changed. o Department staff did not update its rules for Connecting Colorado account management non-compliance area to reflect Security Policy changes. Specifically, we noted that OIT introduced the specific account management requirements in its Security Policies in February 2015, and those requirements remained constant through the March 2022 version; however, Department staff did not have a process in place to ensure periodic reviews of OIT?s Security Policies occurred and Department rules for the workforce centers appropriately aligned with any Security Policy changes. In addition, Department staff did not have a process in place to ensure its external IT service providers were complying with contract provisions to comply with Security Policy requirements. o Department staff stated they have not found cause to mandate IT service provider actions that are deemed privately owned business methodologies. However, and as noted above, the Department?s contract states that the external IT service provider must comply with OIT?s Security Policies that require specific security safeguards to be implemented by all IT service providers, including the Connecting Colorado external IT service provider. Why do these problems matter? The lack of established IT policies and procedures make it difficult for Department management to measure and hold staff accountable to management?s expectations, as well as ensuring risks are addressed and overall objectives and missions are fulfilled. In turn, without policies and procedures, staff may not perform processes and controls in a consistent manner. In addition, without holding vendors accountable and ensuring that strong security measures are designed, implemented, and operating effectively, the risk of unauthorized access increases and ultimately impacts data reliability of the data stored and processed within MyUI+ and Connecting Colorado. Lastly, without having a strong internal control framework in place, management cannot ensure that state and federal funds are being used appropriately, which may impact the Department?s compliance with federal grant requirements and/or the accuracy of the Department?s federal and financial reporting. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-072 The Department of Labor and Employment (Department) should improve its overall Information Technology (IT) governance and information security IT general controls, and work with its IT service providers, as applicable, for the MyUI+ and Connecting Colorado information systems by: A. Formalizing and communicating to Department staff and the Department?s IT service providers? IT policies that comply with the Business Owner requirements listed within the Governor?s Office of Information Technology?s (OIT) March 2022 Colorado Information Security Policies (Security Policies). As an option, the Department could formally adopt the October 2021 Security Policies, identify any gaps between the October 2021 and March 2022 versions, and then formalize and communicate policies that address the identified gaps. B. Formalizing and communicating IT procedures to provide guidance to Department staff and the Department?s IT service providers performing IT general control activities that further address the IT policies formalized in recommendation Part A. The formalization and communication should include an organizationally defined, periodic review process of OIT?s Security Policies to ensure the Department?s IT policies, procedures, and rules are updated accordingly to align with the most current version of the Security Policies. C. Formalizing a vendor management process that ensures the Department?s IT service providers are held accountable to contract provisions requiring compliance with Colorado Information Security Policies and IT policies and procedures formalized in recommendation Parts A and B. This should include a review of the Department?s current external IT service providers? contracts and a determination of whether amendments to those contracts are necessary, based on the formalization of recommendation Parts A and B. D. Implementing recommendation Part D as noted in the confidential finding. E. Implementing recommendation Part E as noted in the confidential finding. Response Department of Labor and Employment A. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. B. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. C. Agree Implementation Date: December 2023 CDLE agrees with the recommendation and as part of A and B recommendations of this document, the Department will include a requirement from vendors to affirm they have reviewed and will comply with OIT security policies for all new contracts. Furthermore, as the Department becomes aware of changes to OIT Security Policies through its annual review process, these will be communicated to the vendors, and they will be required to reaffirm their compliance with any applicable changes. We will work with our current vendors for MyUI+ and Connecting Colorado to address the compliance issues noted in the audit and ensure they are compliant with OIT Security Policies and IT policies developed in part A and B of this recommendation. If non-compliance is determined to be unavoidable, the Department will file for a security exception with OIT. D. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part D as noted in the confidential finding. E. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part E as noted in the confidential finding.
Finding 2022-070 Unemployment Insurance Program Integrity Fraud Holds The Department?s UI Division is responsible for the administration and monitoring of Colorado?s UI programs, including the collection of unemployment premiums from employers, the payment of UI benefits to claimants, and the performance of audits and investigations of premiums and benefits to ensure they are properly paid. Employer-paid premiums are the primary source of funding for UI benefits. When an individual applies for UI benefits, they are called a claimant, and the application is called a claim. Each claimant creates an account in MyUI+, the Department?s unemployment benefit system, in order to apply for unemployment benefits. The Department reviews, or adjudicates, claims to ensure that claimants are eligible and entitled to receive UI benefits. As part of the adjudication process, wage checks for claimants are compared to employer reported wages submitted to the Department on a quarterly basis and the Department sends a notification to all employers that the claimant worked for within the last 18 months to determine the validity and reason for the claimant leaving the workplace. In addition, Department staff indicate that, on a weekly basis, they perform reviews to identify potential issues with a claimant?s ability and availability to work, and to determine whether the claimant is accurately reporting earned income. If information provided by an interested party, such as a former employer, relating to the reason for leaving the workforce does not agree to the claimant information, the Department follows up on the information and issues eligibility determinations, as appropriate. In Fiscal Year 2022, the Department paid $1.1 billion in UI benefits. The Department has processes and systems to detect and prevent identity theft related to UI benefits. For example, when the Department identifies a claim with characteristics that are indicators of fraud, it places a fraud hold (also known as a program integrity hold) on the claimant?s UI claim, which holds the claim for investigation and which prevents any future benefit payments to the claimant until the fraud hold is removed and eligibility is determined. For each fraud hold, the Department has to determine if the identity of the individual filing the claim matches the personally identifiable information used on the claim. Once that is verified, the Department then must verify that the individual did not make any false statements in order to establish program eligibility. The steps that the Department takes to resolve a fraud hold differ depending on the characteristics of the claim that caused the Department to question its legitimacy. If Department staff determine that the fraud hold was not legitimate, the Department clears the hold in MyUI+ and then proceeds with determining if the individual is eligible to receive UI benefits. The Department uses an automated system, called ID.me, as part of its identity verification process. ID.me is a federally-certified identity provider that assists the Department in verifying claimants? identity. In some instances, MyUI+ will clear the fraud hold if the claimant passes ID.me and the claim does not need further investigation. In other cases, the Department performs an investigation to determine if the fraud hold is legitimate, or if the hold was placed in error. According to the information in MyUI+, the Department cleared 54,047 fraud holds during Fiscal Year 2022 ? 44,936 were cleared through the ID.me process, and 9,111 were cleared by the Department. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department had adequate internal controls in place over fraud holds during Fiscal Year 2022, including whether only appropriate, authorized individuals cleared the fraud hold from MyUI+, and if the Department had adequate segregation of duties between staff investigating a fraud hold, and staff releasing the hold in MyUI+. As part of our audit work, we requested the Department?s policies and procedures for their investigation process and documentation used to support the Department?s investigations that resulted in clearing a fraud hold, and inquired how the Department determined who is authorized to release fraud holds from MyUI+. The Department?s documentation included case reports for the investigations and log notes from Salesforce, the Department?s software that is primarily used as a workflow management tool and documentation repository for UI claims requiring an investigation. We selected a sample of 60 of the 9,111 fraud holds that were cleared by the Department during Fiscal Year 2022 to determine if the Department performed an investigation prior to releasing the fraud hold in MyUI+. In addition, as part of our testing of the sample, we determined that 20 different Department staff cleared the 60 fraud holds in MyUI+; we performed testing to determine if those staff were authorized to clear the holds in MyUI+. How were the results of the audit work measured? We measured the results of our audit against the following: Section 7511, Part V, of the Employment Security Manual (ESM) requires state UI laws to include provisions for such methods of administration as are, within reason, calculated (1) to detect benefits paid through error by the state UI agency or through willful misrepresentation or error by the claimant or others, (2) to deter claimants from obtaining benefits through willful misrepresentation, and (3) to recover benefits overpaid under certain circumstances. These required functions are accomplished through designated staff responsible for promoting and maintaining the integrity of the UI program through prevention, detection, investigations, establishment, and recovery of overpayments. Designated staff also prepare cases for prosecution. The Department?s UI Investigation Procedures state that if Department staff determine that a fraud hold that they are investigating can be released in MyUI+, Department staff should write an event log note in Salesforce. Information security is the practice of protecting information by mitigating information risk. ISO 27001 Standard for Information Security Management Systems is the international standard for information security, and its best practice approach helps organizations manage their information security by addressing people, processes, and technology. User-access management has the following objectives: ? Ensure authorized user access ? Prevent unauthorized access to information systems Expanding on the objectives from ISO 27001, a broad set of business-level objectives for user-access management can be defined as follows: ? Allow only authorized users to have access to information and resources ? Restrict access to the least privileges required by these authorized users to fulfill their business role The federal Social Security Act [Section 303(a)(1), SSA], contains a merit-based system requirement for the UI program. Specifically, this section requires that, as a condition of receiving federal UI administrative grants, states must have laws that include ?provision for such methods of administration? that includes a merit system. A merit system is defined as the process of promoting and hiring government employees based on their ability to perform a job, rather than on their political connections. As part of this requirement, any position which involves the determination of whether or not a UI claimant will be paid, or which involves determining an employer's liability for contributions, must be ?merit staffed.? According to federal regulations [5 CFR 900.603, Standards For a Merit System of Personnel Administration], ?The quality of public service can be improved by the development of systems of personnel administration consistent with such merit principles as - (a) Recruiting, selecting, and advancing employees on the basis of their relative ability, knowledge, and skills, including open consideration of qualified applicants for initial appointment. (b) Providing equitable and adequate compensation. (c) Training employees, as needed, to assure high quality performance. (d) Retaining employees on the basis of the adequacy of their performance, correcting inadequate performance, and separating employees whose inadequate performance cannot be corrected?? The U. S. Department of Labor Unemployment Insurance Program Letter (UIPL) No. 12-01, states that only those employees considered as merit-staff can determine whether to pay or deny payment to a claim. Additionally, UIPL No. 12-01 Change 2 states that, ?Determinations of overpayments or fraud must be made by merit-staffed employees.? The Department?s SPP 1053 Code of Conduct, Ethics and Values Policy, Attachment A: Unemployment Insurance Ethics Policy states that employees are not permitted to do the following: ? Investigate or attempt to investigate suspected fraud unless it is within their assigned duties. ? Backdate a claim, transfer claim status retroactively (UI to UCFE, UCX to TRA, etc.), alter information provided by a claimant or employer, or change or defer a UI document due date without valid documentation or approval of the appropriate branch chief or UI Director. According to federal regulation [45 CFR 75.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office. Under Paragraph 10.01 of the Green Book, the Department should design control activities to achieve objectives and respond to risks. Segregation of duties contribute to the design, implementation, and operating effectiveness of control activities. Under Paragraph 10.03 of the Green Book, the Department should divide or segregate key duties and responsibilities among different people to reduce the risk of error, misuse, or fraud. This includes separating the responsibilities for authorizing transactions, processing and recording them, reviewing the transactions, and handling any related assets so that no one individual controls all key aspects of a transaction or event. What problems did the audit work identify? The Department did not comply with federal regulations or its own policies and procedures related to the clearing of fraud holds during Fiscal Year 2022. Specifically, we identified issues with 32 of the 60 (53 percent) fraud holds we tested, as follows: ? The Department cleared 12 of the 60 fraud holds tested (20 percent) without performing an investigation or providing evidence of the reasoning used to clear the hold. Specifically, when we asked for investigation documentation for the 12 fraud holds, the Department indicated these were cleared without an investigation, and there were no related log notes in Salesforce, as required. ? For 20 of the 48 cases in our sample (42 percent) for which the Department did conduct an investigation, it did not segregate the duty of investigating the fraud hold and clearing the fraud hold from MyUI+. Specifically, in these cases, only one person conducted the investigation, concluded on the investigation, and cleared the fraud hold in MyUI+. ? One of the 20 Department staff who cleared a portion (5 percent) of the 60 fraud holds we sampled was not authorized to clear fraud holds from MyUI+ because the individual was not considered to be merit-staffed. Further, this unauthorized individual cleared 11 of 12 fraud holds we identified above that did not have an investigation, as required. We also found that this individual cleared an additional 55 fraud holds outside of our sample during Fiscal Year 2022. Why did these problems occur? The Department did not have sufficient internal controls in place, including appropriate policies and procedures, to ensure it enforced compliance with federal and Department-level requirements regarding the clearing of UI fraud holds during Fiscal Year 2022, as follows: ? The Department did not ensure that all fraud hold claims cleared in MyUI+ had a related log note in Salesforce that explained the rationale for clearing the hold, or that there was an investigation performed over the fraud hold prior to it being cleared in MyUI+. Specifically, in 11 of the 12 instances, the Department?s controls failed to prevent non-merit staff from using their MyUI+ access inappropriately, and in the other instance, Department controls failed to ensure the UI claim was reviewed by the UI section that reviews fraud holds rather than the UI section that resolves non-fraud UI claims. The Department provided full, rather than read-only access to the non-merit, Executive Director?s Office?s staff member noted in our finding. UI management indicated that they gave the individual full access to MyUI+ during the height of the pandemic with the assumption that the individual would use such access in a read-only manner solely to review claim information for inquiries coming through the Executive Director's Office. According to UI Division leadership, after they identified that the individual had full access during Fiscal Year 2022, they changed the individual?s access to read-only in January 2022. ? The Department lacked policies regarding management override of controls related to the clearing of fraud holds, in order to prevent or appropriately manage those responsibilities. UI staff indicated that in some cases, the non-merit, Executive Director?s Office?s staff member noted in our finding would reach out to other staff within the UI Division to help escalate the MyUI+ fraud hold clearing process. In some of these instances, because of the position of the individual within the Executive Director?s Office, UI staff circumvented the normal escalation process and aided the individual with clearing the fraud hold. ? The Department?s current policies and procedures do not require segregation of duties between those staff who investigate a fraud hold, and those staff who remove the fraud hold in MyUI+. Why do these problems matter? Improper segregation of duties, including the separation of responsibilities for both investigating and clearing potential fraud holds, leaves the UI program vulnerable to fraudulent activity. Specifically, fraud risk increases if there is no segregation between the investigation and the actual clearing of the fraud hold from MyUI+ and, as a result, the same staff could inappropriately clear holds and initiate UI payments. Further, a lack of strong checks and balances within the UI program could erode the integrity of the program at large, ultimately negatively impacting public trust. Strong internal controls related to UI fraud are especially important given the large amount of funds that are paid by the Department for UI claims each year and the significant amount of fraudulent claims that are paid by the Department. For example, the Department recorded an estimated receivable for amounts due back to the Department of $45 million for fraudulently-obtained UI claims at June 30, 2022. Without strengthening its controls over UI claims and fraud holds, there is a risk that a significant amount of UI funds could continue to be paid out each year for fraudulently obtained UI claims. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-070 The Department of Labor and Employment (Department) should strengthen its internal controls over Unemployment Insurance (UI) program integrity holds by: A. Ensuring all fraud holds are properly investigated and documented with a log note in Salesforce that explains the rationale for releasing the claim, prior to releasing the claim in MyUI+. B. Adequately reviewing claims for a fraud indicator to ensure the hold is sent to the appropriate UI section for resolution. C. Ensuring Department staff are given the appropriate access in MyUI+ to prevent individuals from clearing fraud holds inappropriately and periodically monitoring access to ensure access levels remain appropriate. D. Instituting policies and procedures over management override of internal controls related to UI claims and providing staff training on those policies and procedures. This should include ensuring that UI staff are aware of the importance of following all procedures related to fraud holds and that any inappropriate requests or pressures are communicated through the appropriate channels. E. Updating its current policies and procedures to require segregation of duties between the investigation of a fraud hold and the release of a fraud hold in MyUI+ to ensure more than one person is involved in the fraud hold process from beginning to end. Response Department of Labor and Employment A. Agree Implementation Date: July 2024 The Department agrees with this finding. The Department is moving all adjudication and investigation of program integrity holds into the MyUI+ system, so there will be one system of record. The Department will ensure that all program integrity holds have all documentation through adjudication and investigation, including log notes. The Department anticipates this to be fully implemented by July 2024. B. Agree Implementation Date: July 2024 The Department agrees with this finding. The department has modified processes to ensure all holds are only routed to the appropriate team to be adjudicated. In addition the Department is working to have all claims identified as fraud delivered in a workflow process in MyUI+ rather than the various processes in place now. Further the department is working with our MyUI+ system experts to implement new technology to strengthen and streamline the fraud indicator escalation process and systems within MyUI+. In working with our MyUI+ system experts, the Department anticipates this to be fully implemented by July 2024. C. Agree Implementation Date: July 2024 The Department agrees with this finding. The Department will continue strengthening security in this area and internal procedures to periodically monitor the potential for internal fraud activities. Additionally, the Department will periodically monitor and review My UI+ access levels for appropriateness. In consultation with our MyUI+ systems experts, the Department anticipates this finding to be fully implemented by July 2024. D. Agree Implementation Date: July 2023 The Department agrees with this finding. The Department will reinforce and strengthen the ethics policies in yearly communication to staff and tighten escalation policies to ensure pressures and inappropriate requests are handled in accordance with guidelines. The Department anticipates this will be completed by July 2023. E. Disagree When a PI hold is identified as being highly suspicious for criminally fraudulent activity, it is routed to a specialized unit for review, thereby leaving the standard adjudication process. This is handled by passing the review to the UI Investigations and/or Criminal Enforcement (ICE) unit. The investigator performs their investigation and if no actual fraudulent activity is found they will release the hold. The UI Division also performs several quality control reviews of claims and claim decisions via Benefits Payment Control (BPC), Benefits Accuracy Measurements (BAM), Benefits Timeliness and Quality (BTQ), and internal Quality Assurance (QA) reviews. Claims are reviewed for such criteria as adequate support documentation, benefit payment accuracy, timely processing, and correct claim decision determination on all program integrity holds. The Green Book states in Section 10.14, ? If segregation of duties is not practical within an operational process because of limited personnel or other factors, management designs alternative control activities to address the risk of fraud, waste, or abuse in the operational process.? CDLE believes the reviews represent adequate and sufficient compensating controls for the need for segregation of duties on fraud holds. Changing the current process would hinder our ability to deliver UI benefit services timely to our customers and would put us in jeopardy of fulfilling our federal and state payment timeliness requirements. Auditor?s Addendum Segregating the duties between investigating and releasing a fraud hold in MyUI+ reduces the risk of an employee inappropriately and potentially fraudulently clearing the hold without conducting a proper investigation. The issues identified in our audit indicate that the Department?s current compensating controls did not identify that a current employee released fraud holds without a proper investigation. The Department should consider updating its procedures and processes to segregate these duties to reduce the risk of this occurring in the future.
The following finding and recommendation relating to an internal control deficiency classified as a Significant Deficiency was communicated to the Department of Labor and Employment (Department) in the previous year and has not been remediated as of June 30, 2022 because the original implementation date provided by the Department was in a subsequent fiscal year. This complete finding and recommendation can be found within the original report and the complete recommendation can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table Finding 2021-063 Unemployment Insurance?Federal Reporting The Department?s Accounting Section is responsible for completing the following two federal financial reports for the UI program and ensuring the reports are accurate, complete, and submitted to the federal government by the required deadline. The Accounting Section uses bank statements and reports from the Colorado Operations Resource Engine (CORE), the State?s accounting system, to create a workbook with the information and uses that workbook to complete the reports. ? ETA 9130, Financial Status Report, UI Programs. This is a quarterly report used to report the Department?s UI program and administrative expenditures. Financial data is required to be reported cumulatively from grant inception through the end of the reporting period. ? ETA 2112, UI Financial Transaction Summary. This is a monthly report that is a summary of the UI program?s transactions, which account for all funds received in, passed through, or paid out of the state employment fund during the applicable month. The UI division is responsible for completing the following federal report for the UI program and ensuring the report is accurate, complete, and submitted to the federal government by the required timeline. The UI division uses data pulled from MyUI+, the UI claims and benefits system, to generate two reports to fill out the ETA 191 report, described as follows. ? ETA 191, Financial Status of UCFE/UCX. This is a quarterly report on the State?s unemployment compensation expenditures paid by the Department to former federal employees (UCFE) and ex-service members (UCX) who have filed with the Department for unemployment benefits, and total amount of benefits paid to claimants of specific federal agencies. The federal government uses this report to request reimbursement of UCFE and UCX benefit payments from federal and military agencies. The federal government reimburses the Department for these benefit payments. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the Department had adequate internal controls in place over and complied with federal reporting requirements for the UI program during Fiscal Year 2021. As part of our audit work, we gained an understanding of the Department?s procedures that were in place to prepare the federal reports. In addition, we reviewed four ETA 2112 reports and two ETA 191 reports submitted to the federal government for Fiscal Year 2021 to ensure they were accurate, complete, and submitted by the required deadline. We also requested the Department?s policies and procedures for completing the reports, as well as the Department?s supporting documentation for the reports. How were the results of the audit work measured? We measured the results of our audit against the following: In accordance with Uniform Guidance [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and terms and conditions of the federal award. In accordance with the OSC?s policy Internal Control System, state agencies shall use the Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office, as its framework for its system of internal control. Green Book, Paragraph OV4.08, Documentation Requirements, states that documentation is required for the effective design, implementation, and operating effectiveness of an entity?s internal control system. Green Book Paragraph 12.02, Documentation of Responsibilities through Policies, specifically indicates that management should document in their policies the internal control responsibilities of the organization. The U.S. Department of Labor Unemployment Insurance Handbook 401 (Handbook) states that the ETA 2112 is due the first day of the second month following the month that the data in the report represents. In addition, the Handbook states that the ETA 191 is due by the 25th of the month following the close of the quarter. What problems did the audit work identify? We identified issues with 2 of the 4 (50 percent) ETA 2112 reports we tested, and 1 of the 2 (50 percent) ETA 191 reports we tested. Specifically, we identified the following: ETA 2112. We identified four issues with the September 2020 report, as follows: ? The Department could not provide support for $50.6 million reported as federal tax withholding on the report. ? The Department could not provide documentation related to the FPUC deposits and disbursements reported on the report. Specifically, the Department reported FPUC deposits as $27.0 million and FPUC Disbursements as $28.4 million. Because the Department could not provide documentation, we could not determine the correct amounts that should have been reported. ? The Department overstated the deposit amount for the intra-account transfer line by $240.2 million. Specifically, the Department reported that the amount deposited during the month for the intra-account transfers was $378.1 million, but the supporting documentation we reviewed showed the deposits totaled $137.9 million. ? The Department submitted the report on November 5, 2020, or 3 days after the deadline of November 2, 2020. In the February 2021 report, we identified that the Department understated reimbursement benefits from nonprofits by $540,000, reimbursements from local governments by $1.1 million; and reimbursements from state government by $204,700. Finally, based on discussion with the Department, it does not protect the formulas in its ETA 2112 workbooks it uses to prepare the reports in order to prevent intentional or inadvertent changes to calculations. ETA 191. We identified two issues with the ETA 191 report for the quarter ended March 2021 report. First, the Department failed to appropriately correct a federal Department of Labor-identified error from the previous quarter for expenditures for military agencies. Specifically, the Department incorrectly adjusted the $1,089,761, by $2,100, which was an under correction of the error of $2,120. Second, the Department submitted the report on May 14, 2021, nearly a month after the April 16, 2021, deadline. Why did these problems occur? The Department did not have sufficient internal controls in place to ensure that the federal reports and associated documentation were accurate and complete during Fiscal Year 2021. Specifically, the Department does not have formal, documented policies for completing the reports or a requirement that the workbooks are protected. Although the Department has a procedure document that provides instructions on how to complete the federal reports, the procedures do not include a requirement for a supervisory review of these reports prior to submitting them to the federal government. Some of the errors we identified were due to the wrong information being input into the reports, which a review could have caught and corrected prior to the Department submitting the report to the federal government. Why do these problems matter? Strong internal controls over federal reporting, including formal, documented policies, protection of formulas in the workbooks used to prepare the reports to prevent intentional or inadvertent changes to calculations, and adequate supervisory review, are necessary to ensure that the Department is in compliance with federal reporting requirements. Errors in the federal reports could cause the users of these reports to rely on incorrect information. This could have a negative impact on the Department?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-063 The Department of Labor and Employment should strengthen its internal controls over federal reporting by developing, formally documenting, and implementing policies for completing its federal reports for the Unemployment Insurance program. These policies should require the workbooks used to prepare the reports to be protected and that a supervisory review occurs prior to submitting the reports to the federal government. Response Department of Labor and Employment Agree Implementation Date: March 2023 CDLE will continue to develop, formally document, and implement policies for completing its federal reports for the Unemployment Insurance program. These policies will require the workbooks used to prepare the reports to be protected, for the data to be substantiated, and will require supervisory review on a monthly basis prior to submitting the reports to the federal government.
Finding 2022-072 MyUI+ and Connecting Colorado?Information Security Government Auditing Standards allow for information that is considered sensitive in nature, such as detailed information related to information technology system security, to be issued through a separate ?classified or limited use? report because of the potential damage that could be caused by the misuse of this information. We consider the specific technical details of this finding, along with the response, to be sensitive in nature and not appropriate for public disclosure. Therefore, the details of the following finding and response have been provided to the Department in a separate, confidential memorandum. The Department administers the federal Unemployment Insurance and Employment Service Cluster programs, and the Department relies on IT systems to aid with determining applicants? eligibility for the programs and to provide information necessary to meet federal reporting requirements. For these two programs, the associated systems are MyUI+ and Connecting Colorado. The Department is the business owner and works with the Governor?s Office of Information Technology (OIT) and two different external IT service providers. High level descriptions of the two systems are as follows: ? MyUI+ ? The Department?s system for UI eligibility determinations and calculation of UI payments to eligible recipients. According to Department staff, starting in Fiscal Year 2023, MyUI+ will also provide data necessary for federal reporting to the U.S. Department of Labor for the UI program that was previously generated by the Colorado Labor and Employment Accounting Resource system. ? Connecting Colorado ? The Department?s workforce case management, labor exchange, and federal reporting system that supports the Employment Service Cluster program. The system provides services for job seekers and businesses, as well as provides all required federal reporting to the U.S. Department of Labor, for the Employment Service Cluster programs. In order for the Department to achieve its objectives and respond to risks, including those related to the federal programs it administers, management should establish a strong framework of internal controls that also address information system controls. Specifically, information system controls typically start with management documenting IT policies that address IT general control responsibilities and procedures that document the more granular details on how to implement Department policies. These IT general control policies and procedures should include those policies and procedures that are specific to information security. Once policies and procedures have been formalized and communicated to staff responsible, specific internal control activities can be implemented and operationalized. What was the purpose of our audit work and what work was performed? The purpose of our Fiscal Year 2022 audit work was to determine whether the Department, OIT, and the Department?s two external IT service providers for MyUI+ and Connecting Colorado had policies and procedures related to information security, designed and implemented for MyUI+ and Connecting Colorado. Our audit work was performed through interviews conducted of Department and OIT staff. What problems did the audit work identify and how were the results of the audit work measured? During Fiscal Year 2022, we identified information security problems with the MyUI+ and Connecting Colorado systems. We have grouped these problems first by those common to the two systems and then those unique to each system. MyUI+ and Connecting Colorado Common Problems ? Policies and procedures were lacking. Department management had not established its expectations through the development and implementation of formalized policies and procedures related to information security general controls for MyUI+ and Connecting Colorado. o Standards for Internal Control in the Federal Government (Green Book) published by the U.S. Government Accountability Office (GAO) states in Paragraph 3.09, Documentation of Internal Control System, and 12.02, Documentation of Responsibilities through Policies, that management should develop and maintain documentation of its internal control system and document in policies the internal control responsibilities of the organization. Paragraph 11.06 and 11.07, Design Appropriate Types of Control Activities, states that management should design appropriate types of control activities in the entity?s information system, including information system general controls that facilitate the proper operation of the entity?s systems. o Colorado Information Security Policies (Security Policies or CISP) that are developed, published, and required to be followed by the Department and its external IT service providers state within the Policy and the General Responsibilities sections, specifically 8.3.1 and 8.3.2 for Business Owners or the Department, that all agencies, except for the institutions of higher education and the general assembly, as the business owner, must implement governance principles, which would include IT policies and procedures, for promoting data quality and integrity for its systems, as the business owner, and is responsible for following and adhering to all identified business owner requirements, as stated within the Security Policies. ? Vendor oversight was lacking. The Department had not ensured its IT service providers complied with Security Policies. o Security Policies state that IT service providers?defined as OIT and/or external service providers?must follow the Security Policy requirements, among certain other requirements, as communicated to the Department within the confidential finding. o Section C.iii. (Legal Authority ? Contractor Signatory, Information Technology Specific) of the Department?s contract with the Connecting Colorado IT service provider states: ??the contractor warrants that it will at all times comply with all Security Policies.? o Exhibit C, Section 1.C.vi. (Information Technology Provisions, Protection of System Data) of the Department?s contract with the MyUI+ IT service provider states: ??the contractor shall comply with all rules, policies, procedures, and standards issued by the Governor?s Office of Information Technology.? o The Green Book states in Paragraph OV4.01, Service Organizations, that management retains responsibility for the performance of processes assigned to service organizations. MyUI+ and Connecting Colorado Unique Problems We also found other problems with access management, unique to each MyUI+ and Connecting Colorado, that lacked compliance with Security Policies, OIT Cyber Policies, and the IRS?s, Publication 1075, Tax Information Security Guidelines for Federal, State, and Local Agencies, November 2021 Revision, and were communicated through the confidential finding. Why did these problems occur? Overall, the Department did not have sufficient IT governance and information security internal controls in place, including policies and procedures, to ensure that Department staff and its IT service providers complied with various data security compliance requirements set forth by OIT and the IRS, as well as those internal control principles established within the Green Book?s internal control framework. We discuss other specific causes for the problems we identified below: MyUI+ and Connecting Colorado ? Policies and procedures were lacking (MyUI+). Department staff stated that they followed and complied with the October 2021 dated Security Policies for the entire fiscal year, as these were more stringent than the March 2022 dated Security Policies. However, the Department did not provide documentation of a formal adoption of the October 2021 dated Security Policies. Staff also stated it maintains informal procedures of how to perform certain access management processes, but no standard operating procedures were in place. ? Policies and procedures were lacking (Connecting Colorado). Department staff had released a program guidance letter that addressed data security and access, but staff acknowledged that these program guidance letters are a guide and not official policy statements. In addition, the program guidance letter provided by Department staff was directed to the workforce centers that are located across the state that provide employment services to eligible beneficiaries and, therefore, did not provide any data security or access policies and procedures for state staff. ? Vendor oversight was lacking. We determined the Department did not have a vendor management process in place to hold its IT service providers accountable for contract provisions that required the IT service providers to comply with Security Policies, as demonstrated by the noncompliance issues we identified. In addition, and based on the March 2022 Security Policies, the Department has not determined whether contract amendments may be necessary with its two external IT service providers. ? Other Access Management Non-Compliance: o Department staff indicated that in one instance of non-compliance identified, a more efficient process was to not comply with the requirement. o Department staff stated that the certain access management non-compliance area was set up as it was during the COVID-19 pandemic to help prevent backlogs and issues for users during that time and was not subsequently changed. o Department staff did not update its rules for Connecting Colorado account management non-compliance area to reflect Security Policy changes. Specifically, we noted that OIT introduced the specific account management requirements in its Security Policies in February 2015, and those requirements remained constant through the March 2022 version; however, Department staff did not have a process in place to ensure periodic reviews of OIT?s Security Policies occurred and Department rules for the workforce centers appropriately aligned with any Security Policy changes. In addition, Department staff did not have a process in place to ensure its external IT service providers were complying with contract provisions to comply with Security Policy requirements. o Department staff stated they have not found cause to mandate IT service provider actions that are deemed privately owned business methodologies. However, and as noted above, the Department?s contract states that the external IT service provider must comply with OIT?s Security Policies that require specific security safeguards to be implemented by all IT service providers, including the Connecting Colorado external IT service provider. Why do these problems matter? The lack of established IT policies and procedures make it difficult for Department management to measure and hold staff accountable to management?s expectations, as well as ensuring risks are addressed and overall objectives and missions are fulfilled. In turn, without policies and procedures, staff may not perform processes and controls in a consistent manner. In addition, without holding vendors accountable and ensuring that strong security measures are designed, implemented, and operating effectively, the risk of unauthorized access increases and ultimately impacts data reliability of the data stored and processed within MyUI+ and Connecting Colorado. Lastly, without having a strong internal control framework in place, management cannot ensure that state and federal funds are being used appropriately, which may impact the Department?s compliance with federal grant requirements and/or the accuracy of the Department?s federal and financial reporting. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-072 The Department of Labor and Employment (Department) should improve its overall Information Technology (IT) governance and information security IT general controls, and work with its IT service providers, as applicable, for the MyUI+ and Connecting Colorado information systems by: A. Formalizing and communicating to Department staff and the Department?s IT service providers? IT policies that comply with the Business Owner requirements listed within the Governor?s Office of Information Technology?s (OIT) March 2022 Colorado Information Security Policies (Security Policies). As an option, the Department could formally adopt the October 2021 Security Policies, identify any gaps between the October 2021 and March 2022 versions, and then formalize and communicate policies that address the identified gaps. B. Formalizing and communicating IT procedures to provide guidance to Department staff and the Department?s IT service providers performing IT general control activities that further address the IT policies formalized in recommendation Part A. The formalization and communication should include an organizationally defined, periodic review process of OIT?s Security Policies to ensure the Department?s IT policies, procedures, and rules are updated accordingly to align with the most current version of the Security Policies. C. Formalizing a vendor management process that ensures the Department?s IT service providers are held accountable to contract provisions requiring compliance with Colorado Information Security Policies and IT policies and procedures formalized in recommendation Parts A and B. This should include a review of the Department?s current external IT service providers? contracts and a determination of whether amendments to those contracts are necessary, based on the formalization of recommendation Parts A and B. D. Implementing recommendation Part D as noted in the confidential finding. E. Implementing recommendation Part E as noted in the confidential finding. Response Department of Labor and Employment A. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. B. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. C. Agree Implementation Date: December 2023 CDLE agrees with the recommendation and as part of A and B recommendations of this document, the Department will include a requirement from vendors to affirm they have reviewed and will comply with OIT security policies for all new contracts. Furthermore, as the Department becomes aware of changes to OIT Security Policies through its annual review process, these will be communicated to the vendors, and they will be required to reaffirm their compliance with any applicable changes. We will work with our current vendors for MyUI+ and Connecting Colorado to address the compliance issues noted in the audit and ensure they are compliant with OIT Security Policies and IT policies developed in part A and B of this recommendation. If non-compliance is determined to be unavoidable, the Department will file for a security exception with OIT. D. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part D as noted in the confidential finding. E. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part E as noted in the confidential finding.
Finding 2022-070 Unemployment Insurance Program Integrity Fraud Holds The Department?s UI Division is responsible for the administration and monitoring of Colorado?s UI programs, including the collection of unemployment premiums from employers, the payment of UI benefits to claimants, and the performance of audits and investigations of premiums and benefits to ensure they are properly paid. Employer-paid premiums are the primary source of funding for UI benefits. When an individual applies for UI benefits, they are called a claimant, and the application is called a claim. Each claimant creates an account in MyUI+, the Department?s unemployment benefit system, in order to apply for unemployment benefits. The Department reviews, or adjudicates, claims to ensure that claimants are eligible and entitled to receive UI benefits. As part of the adjudication process, wage checks for claimants are compared to employer reported wages submitted to the Department on a quarterly basis and the Department sends a notification to all employers that the claimant worked for within the last 18 months to determine the validity and reason for the claimant leaving the workplace. In addition, Department staff indicate that, on a weekly basis, they perform reviews to identify potential issues with a claimant?s ability and availability to work, and to determine whether the claimant is accurately reporting earned income. If information provided by an interested party, such as a former employer, relating to the reason for leaving the workforce does not agree to the claimant information, the Department follows up on the information and issues eligibility determinations, as appropriate. In Fiscal Year 2022, the Department paid $1.1 billion in UI benefits. The Department has processes and systems to detect and prevent identity theft related to UI benefits. For example, when the Department identifies a claim with characteristics that are indicators of fraud, it places a fraud hold (also known as a program integrity hold) on the claimant?s UI claim, which holds the claim for investigation and which prevents any future benefit payments to the claimant until the fraud hold is removed and eligibility is determined. For each fraud hold, the Department has to determine if the identity of the individual filing the claim matches the personally identifiable information used on the claim. Once that is verified, the Department then must verify that the individual did not make any false statements in order to establish program eligibility. The steps that the Department takes to resolve a fraud hold differ depending on the characteristics of the claim that caused the Department to question its legitimacy. If Department staff determine that the fraud hold was not legitimate, the Department clears the hold in MyUI+ and then proceeds with determining if the individual is eligible to receive UI benefits. The Department uses an automated system, called ID.me, as part of its identity verification process. ID.me is a federally-certified identity provider that assists the Department in verifying claimants? identity. In some instances, MyUI+ will clear the fraud hold if the claimant passes ID.me and the claim does not need further investigation. In other cases, the Department performs an investigation to determine if the fraud hold is legitimate, or if the hold was placed in error. According to the information in MyUI+, the Department cleared 54,047 fraud holds during Fiscal Year 2022 ? 44,936 were cleared through the ID.me process, and 9,111 were cleared by the Department. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department had adequate internal controls in place over fraud holds during Fiscal Year 2022, including whether only appropriate, authorized individuals cleared the fraud hold from MyUI+, and if the Department had adequate segregation of duties between staff investigating a fraud hold, and staff releasing the hold in MyUI+. As part of our audit work, we requested the Department?s policies and procedures for their investigation process and documentation used to support the Department?s investigations that resulted in clearing a fraud hold, and inquired how the Department determined who is authorized to release fraud holds from MyUI+. The Department?s documentation included case reports for the investigations and log notes from Salesforce, the Department?s software that is primarily used as a workflow management tool and documentation repository for UI claims requiring an investigation. We selected a sample of 60 of the 9,111 fraud holds that were cleared by the Department during Fiscal Year 2022 to determine if the Department performed an investigation prior to releasing the fraud hold in MyUI+. In addition, as part of our testing of the sample, we determined that 20 different Department staff cleared the 60 fraud holds in MyUI+; we performed testing to determine if those staff were authorized to clear the holds in MyUI+. How were the results of the audit work measured? We measured the results of our audit against the following: Section 7511, Part V, of the Employment Security Manual (ESM) requires state UI laws to include provisions for such methods of administration as are, within reason, calculated (1) to detect benefits paid through error by the state UI agency or through willful misrepresentation or error by the claimant or others, (2) to deter claimants from obtaining benefits through willful misrepresentation, and (3) to recover benefits overpaid under certain circumstances. These required functions are accomplished through designated staff responsible for promoting and maintaining the integrity of the UI program through prevention, detection, investigations, establishment, and recovery of overpayments. Designated staff also prepare cases for prosecution. The Department?s UI Investigation Procedures state that if Department staff determine that a fraud hold that they are investigating can be released in MyUI+, Department staff should write an event log note in Salesforce. Information security is the practice of protecting information by mitigating information risk. ISO 27001 Standard for Information Security Management Systems is the international standard for information security, and its best practice approach helps organizations manage their information security by addressing people, processes, and technology. User-access management has the following objectives: ? Ensure authorized user access ? Prevent unauthorized access to information systems Expanding on the objectives from ISO 27001, a broad set of business-level objectives for user-access management can be defined as follows: ? Allow only authorized users to have access to information and resources ? Restrict access to the least privileges required by these authorized users to fulfill their business role The federal Social Security Act [Section 303(a)(1), SSA], contains a merit-based system requirement for the UI program. Specifically, this section requires that, as a condition of receiving federal UI administrative grants, states must have laws that include ?provision for such methods of administration? that includes a merit system. A merit system is defined as the process of promoting and hiring government employees based on their ability to perform a job, rather than on their political connections. As part of this requirement, any position which involves the determination of whether or not a UI claimant will be paid, or which involves determining an employer's liability for contributions, must be ?merit staffed.? According to federal regulations [5 CFR 900.603, Standards For a Merit System of Personnel Administration], ?The quality of public service can be improved by the development of systems of personnel administration consistent with such merit principles as - (a) Recruiting, selecting, and advancing employees on the basis of their relative ability, knowledge, and skills, including open consideration of qualified applicants for initial appointment. (b) Providing equitable and adequate compensation. (c) Training employees, as needed, to assure high quality performance. (d) Retaining employees on the basis of the adequacy of their performance, correcting inadequate performance, and separating employees whose inadequate performance cannot be corrected?? The U. S. Department of Labor Unemployment Insurance Program Letter (UIPL) No. 12-01, states that only those employees considered as merit-staff can determine whether to pay or deny payment to a claim. Additionally, UIPL No. 12-01 Change 2 states that, ?Determinations of overpayments or fraud must be made by merit-staffed employees.? The Department?s SPP 1053 Code of Conduct, Ethics and Values Policy, Attachment A: Unemployment Insurance Ethics Policy states that employees are not permitted to do the following: ? Investigate or attempt to investigate suspected fraud unless it is within their assigned duties. ? Backdate a claim, transfer claim status retroactively (UI to UCFE, UCX to TRA, etc.), alter information provided by a claimant or employer, or change or defer a UI document due date without valid documentation or approval of the appropriate branch chief or UI Director. According to federal regulation [45 CFR 75.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office. Under Paragraph 10.01 of the Green Book, the Department should design control activities to achieve objectives and respond to risks. Segregation of duties contribute to the design, implementation, and operating effectiveness of control activities. Under Paragraph 10.03 of the Green Book, the Department should divide or segregate key duties and responsibilities among different people to reduce the risk of error, misuse, or fraud. This includes separating the responsibilities for authorizing transactions, processing and recording them, reviewing the transactions, and handling any related assets so that no one individual controls all key aspects of a transaction or event. What problems did the audit work identify? The Department did not comply with federal regulations or its own policies and procedures related to the clearing of fraud holds during Fiscal Year 2022. Specifically, we identified issues with 32 of the 60 (53 percent) fraud holds we tested, as follows: ? The Department cleared 12 of the 60 fraud holds tested (20 percent) without performing an investigation or providing evidence of the reasoning used to clear the hold. Specifically, when we asked for investigation documentation for the 12 fraud holds, the Department indicated these were cleared without an investigation, and there were no related log notes in Salesforce, as required. ? For 20 of the 48 cases in our sample (42 percent) for which the Department did conduct an investigation, it did not segregate the duty of investigating the fraud hold and clearing the fraud hold from MyUI+. Specifically, in these cases, only one person conducted the investigation, concluded on the investigation, and cleared the fraud hold in MyUI+. ? One of the 20 Department staff who cleared a portion (5 percent) of the 60 fraud holds we sampled was not authorized to clear fraud holds from MyUI+ because the individual was not considered to be merit-staffed. Further, this unauthorized individual cleared 11 of 12 fraud holds we identified above that did not have an investigation, as required. We also found that this individual cleared an additional 55 fraud holds outside of our sample during Fiscal Year 2022. Why did these problems occur? The Department did not have sufficient internal controls in place, including appropriate policies and procedures, to ensure it enforced compliance with federal and Department-level requirements regarding the clearing of UI fraud holds during Fiscal Year 2022, as follows: ? The Department did not ensure that all fraud hold claims cleared in MyUI+ had a related log note in Salesforce that explained the rationale for clearing the hold, or that there was an investigation performed over the fraud hold prior to it being cleared in MyUI+. Specifically, in 11 of the 12 instances, the Department?s controls failed to prevent non-merit staff from using their MyUI+ access inappropriately, and in the other instance, Department controls failed to ensure the UI claim was reviewed by the UI section that reviews fraud holds rather than the UI section that resolves non-fraud UI claims. The Department provided full, rather than read-only access to the non-merit, Executive Director?s Office?s staff member noted in our finding. UI management indicated that they gave the individual full access to MyUI+ during the height of the pandemic with the assumption that the individual would use such access in a read-only manner solely to review claim information for inquiries coming through the Executive Director's Office. According to UI Division leadership, after they identified that the individual had full access during Fiscal Year 2022, they changed the individual?s access to read-only in January 2022. ? The Department lacked policies regarding management override of controls related to the clearing of fraud holds, in order to prevent or appropriately manage those responsibilities. UI staff indicated that in some cases, the non-merit, Executive Director?s Office?s staff member noted in our finding would reach out to other staff within the UI Division to help escalate the MyUI+ fraud hold clearing process. In some of these instances, because of the position of the individual within the Executive Director?s Office, UI staff circumvented the normal escalation process and aided the individual with clearing the fraud hold. ? The Department?s current policies and procedures do not require segregation of duties between those staff who investigate a fraud hold, and those staff who remove the fraud hold in MyUI+. Why do these problems matter? Improper segregation of duties, including the separation of responsibilities for both investigating and clearing potential fraud holds, leaves the UI program vulnerable to fraudulent activity. Specifically, fraud risk increases if there is no segregation between the investigation and the actual clearing of the fraud hold from MyUI+ and, as a result, the same staff could inappropriately clear holds and initiate UI payments. Further, a lack of strong checks and balances within the UI program could erode the integrity of the program at large, ultimately negatively impacting public trust. Strong internal controls related to UI fraud are especially important given the large amount of funds that are paid by the Department for UI claims each year and the significant amount of fraudulent claims that are paid by the Department. For example, the Department recorded an estimated receivable for amounts due back to the Department of $45 million for fraudulently-obtained UI claims at June 30, 2022. Without strengthening its controls over UI claims and fraud holds, there is a risk that a significant amount of UI funds could continue to be paid out each year for fraudulently obtained UI claims. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-070 The Department of Labor and Employment (Department) should strengthen its internal controls over Unemployment Insurance (UI) program integrity holds by: A. Ensuring all fraud holds are properly investigated and documented with a log note in Salesforce that explains the rationale for releasing the claim, prior to releasing the claim in MyUI+. B. Adequately reviewing claims for a fraud indicator to ensure the hold is sent to the appropriate UI section for resolution. C. Ensuring Department staff are given the appropriate access in MyUI+ to prevent individuals from clearing fraud holds inappropriately and periodically monitoring access to ensure access levels remain appropriate. D. Instituting policies and procedures over management override of internal controls related to UI claims and providing staff training on those policies and procedures. This should include ensuring that UI staff are aware of the importance of following all procedures related to fraud holds and that any inappropriate requests or pressures are communicated through the appropriate channels. E. Updating its current policies and procedures to require segregation of duties between the investigation of a fraud hold and the release of a fraud hold in MyUI+ to ensure more than one person is involved in the fraud hold process from beginning to end. Response Department of Labor and Employment A. Agree Implementation Date: July 2024 The Department agrees with this finding. The Department is moving all adjudication and investigation of program integrity holds into the MyUI+ system, so there will be one system of record. The Department will ensure that all program integrity holds have all documentation through adjudication and investigation, including log notes. The Department anticipates this to be fully implemented by July 2024. B. Agree Implementation Date: July 2024 The Department agrees with this finding. The department has modified processes to ensure all holds are only routed to the appropriate team to be adjudicated. In addition the Department is working to have all claims identified as fraud delivered in a workflow process in MyUI+ rather than the various processes in place now. Further the department is working with our MyUI+ system experts to implement new technology to strengthen and streamline the fraud indicator escalation process and systems within MyUI+. In working with our MyUI+ system experts, the Department anticipates this to be fully implemented by July 2024. C. Agree Implementation Date: July 2024 The Department agrees with this finding. The Department will continue strengthening security in this area and internal procedures to periodically monitor the potential for internal fraud activities. Additionally, the Department will periodically monitor and review My UI+ access levels for appropriateness. In consultation with our MyUI+ systems experts, the Department anticipates this finding to be fully implemented by July 2024. D. Agree Implementation Date: July 2023 The Department agrees with this finding. The Department will reinforce and strengthen the ethics policies in yearly communication to staff and tighten escalation policies to ensure pressures and inappropriate requests are handled in accordance with guidelines. The Department anticipates this will be completed by July 2023. E. Disagree When a PI hold is identified as being highly suspicious for criminally fraudulent activity, it is routed to a specialized unit for review, thereby leaving the standard adjudication process. This is handled by passing the review to the UI Investigations and/or Criminal Enforcement (ICE) unit. The investigator performs their investigation and if no actual fraudulent activity is found they will release the hold. The UI Division also performs several quality control reviews of claims and claim decisions via Benefits Payment Control (BPC), Benefits Accuracy Measurements (BAM), Benefits Timeliness and Quality (BTQ), and internal Quality Assurance (QA) reviews. Claims are reviewed for such criteria as adequate support documentation, benefit payment accuracy, timely processing, and correct claim decision determination on all program integrity holds. The Green Book states in Section 10.14, ? If segregation of duties is not practical within an operational process because of limited personnel or other factors, management designs alternative control activities to address the risk of fraud, waste, or abuse in the operational process.? CDLE believes the reviews represent adequate and sufficient compensating controls for the need for segregation of duties on fraud holds. Changing the current process would hinder our ability to deliver UI benefit services timely to our customers and would put us in jeopardy of fulfilling our federal and state payment timeliness requirements. Auditor?s Addendum Segregating the duties between investigating and releasing a fraud hold in MyUI+ reduces the risk of an employee inappropriately and potentially fraudulently clearing the hold without conducting a proper investigation. The issues identified in our audit indicate that the Department?s current compensating controls did not identify that a current employee released fraud holds without a proper investigation. The Department should consider updating its procedures and processes to segregate these duties to reduce the risk of this occurring in the future.
The following finding and recommendation relating to an internal control deficiency classified as a Significant Deficiency was communicated to the Department of Labor and Employment (Department) in the previous year and has not been remediated as of June 30, 2022 because the original implementation date provided by the Department was in a subsequent fiscal year. This complete finding and recommendation can be found within the original report and the complete recommendation can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table Finding 2021-063 Unemployment Insurance?Federal Reporting The Department?s Accounting Section is responsible for completing the following two federal financial reports for the UI program and ensuring the reports are accurate, complete, and submitted to the federal government by the required deadline. The Accounting Section uses bank statements and reports from the Colorado Operations Resource Engine (CORE), the State?s accounting system, to create a workbook with the information and uses that workbook to complete the reports. ? ETA 9130, Financial Status Report, UI Programs. This is a quarterly report used to report the Department?s UI program and administrative expenditures. Financial data is required to be reported cumulatively from grant inception through the end of the reporting period. ? ETA 2112, UI Financial Transaction Summary. This is a monthly report that is a summary of the UI program?s transactions, which account for all funds received in, passed through, or paid out of the state employment fund during the applicable month. The UI division is responsible for completing the following federal report for the UI program and ensuring the report is accurate, complete, and submitted to the federal government by the required timeline. The UI division uses data pulled from MyUI+, the UI claims and benefits system, to generate two reports to fill out the ETA 191 report, described as follows. ? ETA 191, Financial Status of UCFE/UCX. This is a quarterly report on the State?s unemployment compensation expenditures paid by the Department to former federal employees (UCFE) and ex-service members (UCX) who have filed with the Department for unemployment benefits, and total amount of benefits paid to claimants of specific federal agencies. The federal government uses this report to request reimbursement of UCFE and UCX benefit payments from federal and military agencies. The federal government reimburses the Department for these benefit payments. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the Department had adequate internal controls in place over and complied with federal reporting requirements for the UI program during Fiscal Year 2021. As part of our audit work, we gained an understanding of the Department?s procedures that were in place to prepare the federal reports. In addition, we reviewed four ETA 2112 reports and two ETA 191 reports submitted to the federal government for Fiscal Year 2021 to ensure they were accurate, complete, and submitted by the required deadline. We also requested the Department?s policies and procedures for completing the reports, as well as the Department?s supporting documentation for the reports. How were the results of the audit work measured? We measured the results of our audit against the following: In accordance with Uniform Guidance [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and terms and conditions of the federal award. In accordance with the OSC?s policy Internal Control System, state agencies shall use the Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office, as its framework for its system of internal control. Green Book, Paragraph OV4.08, Documentation Requirements, states that documentation is required for the effective design, implementation, and operating effectiveness of an entity?s internal control system. Green Book Paragraph 12.02, Documentation of Responsibilities through Policies, specifically indicates that management should document in their policies the internal control responsibilities of the organization. The U.S. Department of Labor Unemployment Insurance Handbook 401 (Handbook) states that the ETA 2112 is due the first day of the second month following the month that the data in the report represents. In addition, the Handbook states that the ETA 191 is due by the 25th of the month following the close of the quarter. What problems did the audit work identify? We identified issues with 2 of the 4 (50 percent) ETA 2112 reports we tested, and 1 of the 2 (50 percent) ETA 191 reports we tested. Specifically, we identified the following: ETA 2112. We identified four issues with the September 2020 report, as follows: ? The Department could not provide support for $50.6 million reported as federal tax withholding on the report. ? The Department could not provide documentation related to the FPUC deposits and disbursements reported on the report. Specifically, the Department reported FPUC deposits as $27.0 million and FPUC Disbursements as $28.4 million. Because the Department could not provide documentation, we could not determine the correct amounts that should have been reported. ? The Department overstated the deposit amount for the intra-account transfer line by $240.2 million. Specifically, the Department reported that the amount deposited during the month for the intra-account transfers was $378.1 million, but the supporting documentation we reviewed showed the deposits totaled $137.9 million. ? The Department submitted the report on November 5, 2020, or 3 days after the deadline of November 2, 2020. In the February 2021 report, we identified that the Department understated reimbursement benefits from nonprofits by $540,000, reimbursements from local governments by $1.1 million; and reimbursements from state government by $204,700. Finally, based on discussion with the Department, it does not protect the formulas in its ETA 2112 workbooks it uses to prepare the reports in order to prevent intentional or inadvertent changes to calculations. ETA 191. We identified two issues with the ETA 191 report for the quarter ended March 2021 report. First, the Department failed to appropriately correct a federal Department of Labor-identified error from the previous quarter for expenditures for military agencies. Specifically, the Department incorrectly adjusted the $1,089,761, by $2,100, which was an under correction of the error of $2,120. Second, the Department submitted the report on May 14, 2021, nearly a month after the April 16, 2021, deadline. Why did these problems occur? The Department did not have sufficient internal controls in place to ensure that the federal reports and associated documentation were accurate and complete during Fiscal Year 2021. Specifically, the Department does not have formal, documented policies for completing the reports or a requirement that the workbooks are protected. Although the Department has a procedure document that provides instructions on how to complete the federal reports, the procedures do not include a requirement for a supervisory review of these reports prior to submitting them to the federal government. Some of the errors we identified were due to the wrong information being input into the reports, which a review could have caught and corrected prior to the Department submitting the report to the federal government. Why do these problems matter? Strong internal controls over federal reporting, including formal, documented policies, protection of formulas in the workbooks used to prepare the reports to prevent intentional or inadvertent changes to calculations, and adequate supervisory review, are necessary to ensure that the Department is in compliance with federal reporting requirements. Errors in the federal reports could cause the users of these reports to rely on incorrect information. This could have a negative impact on the Department?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-063 The Department of Labor and Employment should strengthen its internal controls over federal reporting by developing, formally documenting, and implementing policies for completing its federal reports for the Unemployment Insurance program. These policies should require the workbooks used to prepare the reports to be protected and that a supervisory review occurs prior to submitting the reports to the federal government. Response Department of Labor and Employment Agree Implementation Date: March 2023 CDLE will continue to develop, formally document, and implement policies for completing its federal reports for the Unemployment Insurance program. These policies will require the workbooks used to prepare the reports to be protected, for the data to be substantiated, and will require supervisory review on a monthly basis prior to submitting the reports to the federal government.
Finding 2022-072 MyUI+ and Connecting Colorado?Information Security Government Auditing Standards allow for information that is considered sensitive in nature, such as detailed information related to information technology system security, to be issued through a separate ?classified or limited use? report because of the potential damage that could be caused by the misuse of this information. We consider the specific technical details of this finding, along with the response, to be sensitive in nature and not appropriate for public disclosure. Therefore, the details of the following finding and response have been provided to the Department in a separate, confidential memorandum. The Department administers the federal Unemployment Insurance and Employment Service Cluster programs, and the Department relies on IT systems to aid with determining applicants? eligibility for the programs and to provide information necessary to meet federal reporting requirements. For these two programs, the associated systems are MyUI+ and Connecting Colorado. The Department is the business owner and works with the Governor?s Office of Information Technology (OIT) and two different external IT service providers. High level descriptions of the two systems are as follows: ? MyUI+ ? The Department?s system for UI eligibility determinations and calculation of UI payments to eligible recipients. According to Department staff, starting in Fiscal Year 2023, MyUI+ will also provide data necessary for federal reporting to the U.S. Department of Labor for the UI program that was previously generated by the Colorado Labor and Employment Accounting Resource system. ? Connecting Colorado ? The Department?s workforce case management, labor exchange, and federal reporting system that supports the Employment Service Cluster program. The system provides services for job seekers and businesses, as well as provides all required federal reporting to the U.S. Department of Labor, for the Employment Service Cluster programs. In order for the Department to achieve its objectives and respond to risks, including those related to the federal programs it administers, management should establish a strong framework of internal controls that also address information system controls. Specifically, information system controls typically start with management documenting IT policies that address IT general control responsibilities and procedures that document the more granular details on how to implement Department policies. These IT general control policies and procedures should include those policies and procedures that are specific to information security. Once policies and procedures have been formalized and communicated to staff responsible, specific internal control activities can be implemented and operationalized. What was the purpose of our audit work and what work was performed? The purpose of our Fiscal Year 2022 audit work was to determine whether the Department, OIT, and the Department?s two external IT service providers for MyUI+ and Connecting Colorado had policies and procedures related to information security, designed and implemented for MyUI+ and Connecting Colorado. Our audit work was performed through interviews conducted of Department and OIT staff. What problems did the audit work identify and how were the results of the audit work measured? During Fiscal Year 2022, we identified information security problems with the MyUI+ and Connecting Colorado systems. We have grouped these problems first by those common to the two systems and then those unique to each system. MyUI+ and Connecting Colorado Common Problems ? Policies and procedures were lacking. Department management had not established its expectations through the development and implementation of formalized policies and procedures related to information security general controls for MyUI+ and Connecting Colorado. o Standards for Internal Control in the Federal Government (Green Book) published by the U.S. Government Accountability Office (GAO) states in Paragraph 3.09, Documentation of Internal Control System, and 12.02, Documentation of Responsibilities through Policies, that management should develop and maintain documentation of its internal control system and document in policies the internal control responsibilities of the organization. Paragraph 11.06 and 11.07, Design Appropriate Types of Control Activities, states that management should design appropriate types of control activities in the entity?s information system, including information system general controls that facilitate the proper operation of the entity?s systems. o Colorado Information Security Policies (Security Policies or CISP) that are developed, published, and required to be followed by the Department and its external IT service providers state within the Policy and the General Responsibilities sections, specifically 8.3.1 and 8.3.2 for Business Owners or the Department, that all agencies, except for the institutions of higher education and the general assembly, as the business owner, must implement governance principles, which would include IT policies and procedures, for promoting data quality and integrity for its systems, as the business owner, and is responsible for following and adhering to all identified business owner requirements, as stated within the Security Policies. ? Vendor oversight was lacking. The Department had not ensured its IT service providers complied with Security Policies. o Security Policies state that IT service providers?defined as OIT and/or external service providers?must follow the Security Policy requirements, among certain other requirements, as communicated to the Department within the confidential finding. o Section C.iii. (Legal Authority ? Contractor Signatory, Information Technology Specific) of the Department?s contract with the Connecting Colorado IT service provider states: ??the contractor warrants that it will at all times comply with all Security Policies.? o Exhibit C, Section 1.C.vi. (Information Technology Provisions, Protection of System Data) of the Department?s contract with the MyUI+ IT service provider states: ??the contractor shall comply with all rules, policies, procedures, and standards issued by the Governor?s Office of Information Technology.? o The Green Book states in Paragraph OV4.01, Service Organizations, that management retains responsibility for the performance of processes assigned to service organizations. MyUI+ and Connecting Colorado Unique Problems We also found other problems with access management, unique to each MyUI+ and Connecting Colorado, that lacked compliance with Security Policies, OIT Cyber Policies, and the IRS?s, Publication 1075, Tax Information Security Guidelines for Federal, State, and Local Agencies, November 2021 Revision, and were communicated through the confidential finding. Why did these problems occur? Overall, the Department did not have sufficient IT governance and information security internal controls in place, including policies and procedures, to ensure that Department staff and its IT service providers complied with various data security compliance requirements set forth by OIT and the IRS, as well as those internal control principles established within the Green Book?s internal control framework. We discuss other specific causes for the problems we identified below: MyUI+ and Connecting Colorado ? Policies and procedures were lacking (MyUI+). Department staff stated that they followed and complied with the October 2021 dated Security Policies for the entire fiscal year, as these were more stringent than the March 2022 dated Security Policies. However, the Department did not provide documentation of a formal adoption of the October 2021 dated Security Policies. Staff also stated it maintains informal procedures of how to perform certain access management processes, but no standard operating procedures were in place. ? Policies and procedures were lacking (Connecting Colorado). Department staff had released a program guidance letter that addressed data security and access, but staff acknowledged that these program guidance letters are a guide and not official policy statements. In addition, the program guidance letter provided by Department staff was directed to the workforce centers that are located across the state that provide employment services to eligible beneficiaries and, therefore, did not provide any data security or access policies and procedures for state staff. ? Vendor oversight was lacking. We determined the Department did not have a vendor management process in place to hold its IT service providers accountable for contract provisions that required the IT service providers to comply with Security Policies, as demonstrated by the noncompliance issues we identified. In addition, and based on the March 2022 Security Policies, the Department has not determined whether contract amendments may be necessary with its two external IT service providers. ? Other Access Management Non-Compliance: o Department staff indicated that in one instance of non-compliance identified, a more efficient process was to not comply with the requirement. o Department staff stated that the certain access management non-compliance area was set up as it was during the COVID-19 pandemic to help prevent backlogs and issues for users during that time and was not subsequently changed. o Department staff did not update its rules for Connecting Colorado account management non-compliance area to reflect Security Policy changes. Specifically, we noted that OIT introduced the specific account management requirements in its Security Policies in February 2015, and those requirements remained constant through the March 2022 version; however, Department staff did not have a process in place to ensure periodic reviews of OIT?s Security Policies occurred and Department rules for the workforce centers appropriately aligned with any Security Policy changes. In addition, Department staff did not have a process in place to ensure its external IT service providers were complying with contract provisions to comply with Security Policy requirements. o Department staff stated they have not found cause to mandate IT service provider actions that are deemed privately owned business methodologies. However, and as noted above, the Department?s contract states that the external IT service provider must comply with OIT?s Security Policies that require specific security safeguards to be implemented by all IT service providers, including the Connecting Colorado external IT service provider. Why do these problems matter? The lack of established IT policies and procedures make it difficult for Department management to measure and hold staff accountable to management?s expectations, as well as ensuring risks are addressed and overall objectives and missions are fulfilled. In turn, without policies and procedures, staff may not perform processes and controls in a consistent manner. In addition, without holding vendors accountable and ensuring that strong security measures are designed, implemented, and operating effectively, the risk of unauthorized access increases and ultimately impacts data reliability of the data stored and processed within MyUI+ and Connecting Colorado. Lastly, without having a strong internal control framework in place, management cannot ensure that state and federal funds are being used appropriately, which may impact the Department?s compliance with federal grant requirements and/or the accuracy of the Department?s federal and financial reporting. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-072 The Department of Labor and Employment (Department) should improve its overall Information Technology (IT) governance and information security IT general controls, and work with its IT service providers, as applicable, for the MyUI+ and Connecting Colorado information systems by: A. Formalizing and communicating to Department staff and the Department?s IT service providers? IT policies that comply with the Business Owner requirements listed within the Governor?s Office of Information Technology?s (OIT) March 2022 Colorado Information Security Policies (Security Policies). As an option, the Department could formally adopt the October 2021 Security Policies, identify any gaps between the October 2021 and March 2022 versions, and then formalize and communicate policies that address the identified gaps. B. Formalizing and communicating IT procedures to provide guidance to Department staff and the Department?s IT service providers performing IT general control activities that further address the IT policies formalized in recommendation Part A. The formalization and communication should include an organizationally defined, periodic review process of OIT?s Security Policies to ensure the Department?s IT policies, procedures, and rules are updated accordingly to align with the most current version of the Security Policies. C. Formalizing a vendor management process that ensures the Department?s IT service providers are held accountable to contract provisions requiring compliance with Colorado Information Security Policies and IT policies and procedures formalized in recommendation Parts A and B. This should include a review of the Department?s current external IT service providers? contracts and a determination of whether amendments to those contracts are necessary, based on the formalization of recommendation Parts A and B. D. Implementing recommendation Part D as noted in the confidential finding. E. Implementing recommendation Part E as noted in the confidential finding. Response Department of Labor and Employment A. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. B. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. C. Agree Implementation Date: December 2023 CDLE agrees with the recommendation and as part of A and B recommendations of this document, the Department will include a requirement from vendors to affirm they have reviewed and will comply with OIT security policies for all new contracts. Furthermore, as the Department becomes aware of changes to OIT Security Policies through its annual review process, these will be communicated to the vendors, and they will be required to reaffirm their compliance with any applicable changes. We will work with our current vendors for MyUI+ and Connecting Colorado to address the compliance issues noted in the audit and ensure they are compliant with OIT Security Policies and IT policies developed in part A and B of this recommendation. If non-compliance is determined to be unavoidable, the Department will file for a security exception with OIT. D. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part D as noted in the confidential finding. E. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part E as noted in the confidential finding.
Finding 2022-070 Unemployment Insurance Program Integrity Fraud Holds The Department?s UI Division is responsible for the administration and monitoring of Colorado?s UI programs, including the collection of unemployment premiums from employers, the payment of UI benefits to claimants, and the performance of audits and investigations of premiums and benefits to ensure they are properly paid. Employer-paid premiums are the primary source of funding for UI benefits. When an individual applies for UI benefits, they are called a claimant, and the application is called a claim. Each claimant creates an account in MyUI+, the Department?s unemployment benefit system, in order to apply for unemployment benefits. The Department reviews, or adjudicates, claims to ensure that claimants are eligible and entitled to receive UI benefits. As part of the adjudication process, wage checks for claimants are compared to employer reported wages submitted to the Department on a quarterly basis and the Department sends a notification to all employers that the claimant worked for within the last 18 months to determine the validity and reason for the claimant leaving the workplace. In addition, Department staff indicate that, on a weekly basis, they perform reviews to identify potential issues with a claimant?s ability and availability to work, and to determine whether the claimant is accurately reporting earned income. If information provided by an interested party, such as a former employer, relating to the reason for leaving the workforce does not agree to the claimant information, the Department follows up on the information and issues eligibility determinations, as appropriate. In Fiscal Year 2022, the Department paid $1.1 billion in UI benefits. The Department has processes and systems to detect and prevent identity theft related to UI benefits. For example, when the Department identifies a claim with characteristics that are indicators of fraud, it places a fraud hold (also known as a program integrity hold) on the claimant?s UI claim, which holds the claim for investigation and which prevents any future benefit payments to the claimant until the fraud hold is removed and eligibility is determined. For each fraud hold, the Department has to determine if the identity of the individual filing the claim matches the personally identifiable information used on the claim. Once that is verified, the Department then must verify that the individual did not make any false statements in order to establish program eligibility. The steps that the Department takes to resolve a fraud hold differ depending on the characteristics of the claim that caused the Department to question its legitimacy. If Department staff determine that the fraud hold was not legitimate, the Department clears the hold in MyUI+ and then proceeds with determining if the individual is eligible to receive UI benefits. The Department uses an automated system, called ID.me, as part of its identity verification process. ID.me is a federally-certified identity provider that assists the Department in verifying claimants? identity. In some instances, MyUI+ will clear the fraud hold if the claimant passes ID.me and the claim does not need further investigation. In other cases, the Department performs an investigation to determine if the fraud hold is legitimate, or if the hold was placed in error. According to the information in MyUI+, the Department cleared 54,047 fraud holds during Fiscal Year 2022 ? 44,936 were cleared through the ID.me process, and 9,111 were cleared by the Department. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department had adequate internal controls in place over fraud holds during Fiscal Year 2022, including whether only appropriate, authorized individuals cleared the fraud hold from MyUI+, and if the Department had adequate segregation of duties between staff investigating a fraud hold, and staff releasing the hold in MyUI+. As part of our audit work, we requested the Department?s policies and procedures for their investigation process and documentation used to support the Department?s investigations that resulted in clearing a fraud hold, and inquired how the Department determined who is authorized to release fraud holds from MyUI+. The Department?s documentation included case reports for the investigations and log notes from Salesforce, the Department?s software that is primarily used as a workflow management tool and documentation repository for UI claims requiring an investigation. We selected a sample of 60 of the 9,111 fraud holds that were cleared by the Department during Fiscal Year 2022 to determine if the Department performed an investigation prior to releasing the fraud hold in MyUI+. In addition, as part of our testing of the sample, we determined that 20 different Department staff cleared the 60 fraud holds in MyUI+; we performed testing to determine if those staff were authorized to clear the holds in MyUI+. How were the results of the audit work measured? We measured the results of our audit against the following: Section 7511, Part V, of the Employment Security Manual (ESM) requires state UI laws to include provisions for such methods of administration as are, within reason, calculated (1) to detect benefits paid through error by the state UI agency or through willful misrepresentation or error by the claimant or others, (2) to deter claimants from obtaining benefits through willful misrepresentation, and (3) to recover benefits overpaid under certain circumstances. These required functions are accomplished through designated staff responsible for promoting and maintaining the integrity of the UI program through prevention, detection, investigations, establishment, and recovery of overpayments. Designated staff also prepare cases for prosecution. The Department?s UI Investigation Procedures state that if Department staff determine that a fraud hold that they are investigating can be released in MyUI+, Department staff should write an event log note in Salesforce. Information security is the practice of protecting information by mitigating information risk. ISO 27001 Standard for Information Security Management Systems is the international standard for information security, and its best practice approach helps organizations manage their information security by addressing people, processes, and technology. User-access management has the following objectives: ? Ensure authorized user access ? Prevent unauthorized access to information systems Expanding on the objectives from ISO 27001, a broad set of business-level objectives for user-access management can be defined as follows: ? Allow only authorized users to have access to information and resources ? Restrict access to the least privileges required by these authorized users to fulfill their business role The federal Social Security Act [Section 303(a)(1), SSA], contains a merit-based system requirement for the UI program. Specifically, this section requires that, as a condition of receiving federal UI administrative grants, states must have laws that include ?provision for such methods of administration? that includes a merit system. A merit system is defined as the process of promoting and hiring government employees based on their ability to perform a job, rather than on their political connections. As part of this requirement, any position which involves the determination of whether or not a UI claimant will be paid, or which involves determining an employer's liability for contributions, must be ?merit staffed.? According to federal regulations [5 CFR 900.603, Standards For a Merit System of Personnel Administration], ?The quality of public service can be improved by the development of systems of personnel administration consistent with such merit principles as - (a) Recruiting, selecting, and advancing employees on the basis of their relative ability, knowledge, and skills, including open consideration of qualified applicants for initial appointment. (b) Providing equitable and adequate compensation. (c) Training employees, as needed, to assure high quality performance. (d) Retaining employees on the basis of the adequacy of their performance, correcting inadequate performance, and separating employees whose inadequate performance cannot be corrected?? The U. S. Department of Labor Unemployment Insurance Program Letter (UIPL) No. 12-01, states that only those employees considered as merit-staff can determine whether to pay or deny payment to a claim. Additionally, UIPL No. 12-01 Change 2 states that, ?Determinations of overpayments or fraud must be made by merit-staffed employees.? The Department?s SPP 1053 Code of Conduct, Ethics and Values Policy, Attachment A: Unemployment Insurance Ethics Policy states that employees are not permitted to do the following: ? Investigate or attempt to investigate suspected fraud unless it is within their assigned duties. ? Backdate a claim, transfer claim status retroactively (UI to UCFE, UCX to TRA, etc.), alter information provided by a claimant or employer, or change or defer a UI document due date without valid documentation or approval of the appropriate branch chief or UI Director. According to federal regulation [45 CFR 75.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office. Under Paragraph 10.01 of the Green Book, the Department should design control activities to achieve objectives and respond to risks. Segregation of duties contribute to the design, implementation, and operating effectiveness of control activities. Under Paragraph 10.03 of the Green Book, the Department should divide or segregate key duties and responsibilities among different people to reduce the risk of error, misuse, or fraud. This includes separating the responsibilities for authorizing transactions, processing and recording them, reviewing the transactions, and handling any related assets so that no one individual controls all key aspects of a transaction or event. What problems did the audit work identify? The Department did not comply with federal regulations or its own policies and procedures related to the clearing of fraud holds during Fiscal Year 2022. Specifically, we identified issues with 32 of the 60 (53 percent) fraud holds we tested, as follows: ? The Department cleared 12 of the 60 fraud holds tested (20 percent) without performing an investigation or providing evidence of the reasoning used to clear the hold. Specifically, when we asked for investigation documentation for the 12 fraud holds, the Department indicated these were cleared without an investigation, and there were no related log notes in Salesforce, as required. ? For 20 of the 48 cases in our sample (42 percent) for which the Department did conduct an investigation, it did not segregate the duty of investigating the fraud hold and clearing the fraud hold from MyUI+. Specifically, in these cases, only one person conducted the investigation, concluded on the investigation, and cleared the fraud hold in MyUI+. ? One of the 20 Department staff who cleared a portion (5 percent) of the 60 fraud holds we sampled was not authorized to clear fraud holds from MyUI+ because the individual was not considered to be merit-staffed. Further, this unauthorized individual cleared 11 of 12 fraud holds we identified above that did not have an investigation, as required. We also found that this individual cleared an additional 55 fraud holds outside of our sample during Fiscal Year 2022. Why did these problems occur? The Department did not have sufficient internal controls in place, including appropriate policies and procedures, to ensure it enforced compliance with federal and Department-level requirements regarding the clearing of UI fraud holds during Fiscal Year 2022, as follows: ? The Department did not ensure that all fraud hold claims cleared in MyUI+ had a related log note in Salesforce that explained the rationale for clearing the hold, or that there was an investigation performed over the fraud hold prior to it being cleared in MyUI+. Specifically, in 11 of the 12 instances, the Department?s controls failed to prevent non-merit staff from using their MyUI+ access inappropriately, and in the other instance, Department controls failed to ensure the UI claim was reviewed by the UI section that reviews fraud holds rather than the UI section that resolves non-fraud UI claims. The Department provided full, rather than read-only access to the non-merit, Executive Director?s Office?s staff member noted in our finding. UI management indicated that they gave the individual full access to MyUI+ during the height of the pandemic with the assumption that the individual would use such access in a read-only manner solely to review claim information for inquiries coming through the Executive Director's Office. According to UI Division leadership, after they identified that the individual had full access during Fiscal Year 2022, they changed the individual?s access to read-only in January 2022. ? The Department lacked policies regarding management override of controls related to the clearing of fraud holds, in order to prevent or appropriately manage those responsibilities. UI staff indicated that in some cases, the non-merit, Executive Director?s Office?s staff member noted in our finding would reach out to other staff within the UI Division to help escalate the MyUI+ fraud hold clearing process. In some of these instances, because of the position of the individual within the Executive Director?s Office, UI staff circumvented the normal escalation process and aided the individual with clearing the fraud hold. ? The Department?s current policies and procedures do not require segregation of duties between those staff who investigate a fraud hold, and those staff who remove the fraud hold in MyUI+. Why do these problems matter? Improper segregation of duties, including the separation of responsibilities for both investigating and clearing potential fraud holds, leaves the UI program vulnerable to fraudulent activity. Specifically, fraud risk increases if there is no segregation between the investigation and the actual clearing of the fraud hold from MyUI+ and, as a result, the same staff could inappropriately clear holds and initiate UI payments. Further, a lack of strong checks and balances within the UI program could erode the integrity of the program at large, ultimately negatively impacting public trust. Strong internal controls related to UI fraud are especially important given the large amount of funds that are paid by the Department for UI claims each year and the significant amount of fraudulent claims that are paid by the Department. For example, the Department recorded an estimated receivable for amounts due back to the Department of $45 million for fraudulently-obtained UI claims at June 30, 2022. Without strengthening its controls over UI claims and fraud holds, there is a risk that a significant amount of UI funds could continue to be paid out each year for fraudulently obtained UI claims. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-070 The Department of Labor and Employment (Department) should strengthen its internal controls over Unemployment Insurance (UI) program integrity holds by: A. Ensuring all fraud holds are properly investigated and documented with a log note in Salesforce that explains the rationale for releasing the claim, prior to releasing the claim in MyUI+. B. Adequately reviewing claims for a fraud indicator to ensure the hold is sent to the appropriate UI section for resolution. C. Ensuring Department staff are given the appropriate access in MyUI+ to prevent individuals from clearing fraud holds inappropriately and periodically monitoring access to ensure access levels remain appropriate. D. Instituting policies and procedures over management override of internal controls related to UI claims and providing staff training on those policies and procedures. This should include ensuring that UI staff are aware of the importance of following all procedures related to fraud holds and that any inappropriate requests or pressures are communicated through the appropriate channels. E. Updating its current policies and procedures to require segregation of duties between the investigation of a fraud hold and the release of a fraud hold in MyUI+ to ensure more than one person is involved in the fraud hold process from beginning to end. Response Department of Labor and Employment A. Agree Implementation Date: July 2024 The Department agrees with this finding. The Department is moving all adjudication and investigation of program integrity holds into the MyUI+ system, so there will be one system of record. The Department will ensure that all program integrity holds have all documentation through adjudication and investigation, including log notes. The Department anticipates this to be fully implemented by July 2024. B. Agree Implementation Date: July 2024 The Department agrees with this finding. The department has modified processes to ensure all holds are only routed to the appropriate team to be adjudicated. In addition the Department is working to have all claims identified as fraud delivered in a workflow process in MyUI+ rather than the various processes in place now. Further the department is working with our MyUI+ system experts to implement new technology to strengthen and streamline the fraud indicator escalation process and systems within MyUI+. In working with our MyUI+ system experts, the Department anticipates this to be fully implemented by July 2024. C. Agree Implementation Date: July 2024 The Department agrees with this finding. The Department will continue strengthening security in this area and internal procedures to periodically monitor the potential for internal fraud activities. Additionally, the Department will periodically monitor and review My UI+ access levels for appropriateness. In consultation with our MyUI+ systems experts, the Department anticipates this finding to be fully implemented by July 2024. D. Agree Implementation Date: July 2023 The Department agrees with this finding. The Department will reinforce and strengthen the ethics policies in yearly communication to staff and tighten escalation policies to ensure pressures and inappropriate requests are handled in accordance with guidelines. The Department anticipates this will be completed by July 2023. E. Disagree When a PI hold is identified as being highly suspicious for criminally fraudulent activity, it is routed to a specialized unit for review, thereby leaving the standard adjudication process. This is handled by passing the review to the UI Investigations and/or Criminal Enforcement (ICE) unit. The investigator performs their investigation and if no actual fraudulent activity is found they will release the hold. The UI Division also performs several quality control reviews of claims and claim decisions via Benefits Payment Control (BPC), Benefits Accuracy Measurements (BAM), Benefits Timeliness and Quality (BTQ), and internal Quality Assurance (QA) reviews. Claims are reviewed for such criteria as adequate support documentation, benefit payment accuracy, timely processing, and correct claim decision determination on all program integrity holds. The Green Book states in Section 10.14, ? If segregation of duties is not practical within an operational process because of limited personnel or other factors, management designs alternative control activities to address the risk of fraud, waste, or abuse in the operational process.? CDLE believes the reviews represent adequate and sufficient compensating controls for the need for segregation of duties on fraud holds. Changing the current process would hinder our ability to deliver UI benefit services timely to our customers and would put us in jeopardy of fulfilling our federal and state payment timeliness requirements. Auditor?s Addendum Segregating the duties between investigating and releasing a fraud hold in MyUI+ reduces the risk of an employee inappropriately and potentially fraudulently clearing the hold without conducting a proper investigation. The issues identified in our audit indicate that the Department?s current compensating controls did not identify that a current employee released fraud holds without a proper investigation. The Department should consider updating its procedures and processes to segregate these duties to reduce the risk of this occurring in the future.
The following finding and recommendation relating to an internal control deficiency classified as a Significant Deficiency was communicated to the Department of Labor and Employment (Department) in the previous year and has not been remediated as of June 30, 2022 because the original implementation date provided by the Department was in a subsequent fiscal year. This complete finding and recommendation can be found within the original report and the complete recommendation can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table Finding 2021-063 Unemployment Insurance?Federal Reporting The Department?s Accounting Section is responsible for completing the following two federal financial reports for the UI program and ensuring the reports are accurate, complete, and submitted to the federal government by the required deadline. The Accounting Section uses bank statements and reports from the Colorado Operations Resource Engine (CORE), the State?s accounting system, to create a workbook with the information and uses that workbook to complete the reports. ? ETA 9130, Financial Status Report, UI Programs. This is a quarterly report used to report the Department?s UI program and administrative expenditures. Financial data is required to be reported cumulatively from grant inception through the end of the reporting period. ? ETA 2112, UI Financial Transaction Summary. This is a monthly report that is a summary of the UI program?s transactions, which account for all funds received in, passed through, or paid out of the state employment fund during the applicable month. The UI division is responsible for completing the following federal report for the UI program and ensuring the report is accurate, complete, and submitted to the federal government by the required timeline. The UI division uses data pulled from MyUI+, the UI claims and benefits system, to generate two reports to fill out the ETA 191 report, described as follows. ? ETA 191, Financial Status of UCFE/UCX. This is a quarterly report on the State?s unemployment compensation expenditures paid by the Department to former federal employees (UCFE) and ex-service members (UCX) who have filed with the Department for unemployment benefits, and total amount of benefits paid to claimants of specific federal agencies. The federal government uses this report to request reimbursement of UCFE and UCX benefit payments from federal and military agencies. The federal government reimburses the Department for these benefit payments. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the Department had adequate internal controls in place over and complied with federal reporting requirements for the UI program during Fiscal Year 2021. As part of our audit work, we gained an understanding of the Department?s procedures that were in place to prepare the federal reports. In addition, we reviewed four ETA 2112 reports and two ETA 191 reports submitted to the federal government for Fiscal Year 2021 to ensure they were accurate, complete, and submitted by the required deadline. We also requested the Department?s policies and procedures for completing the reports, as well as the Department?s supporting documentation for the reports. How were the results of the audit work measured? We measured the results of our audit against the following: In accordance with Uniform Guidance [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and terms and conditions of the federal award. In accordance with the OSC?s policy Internal Control System, state agencies shall use the Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office, as its framework for its system of internal control. Green Book, Paragraph OV4.08, Documentation Requirements, states that documentation is required for the effective design, implementation, and operating effectiveness of an entity?s internal control system. Green Book Paragraph 12.02, Documentation of Responsibilities through Policies, specifically indicates that management should document in their policies the internal control responsibilities of the organization. The U.S. Department of Labor Unemployment Insurance Handbook 401 (Handbook) states that the ETA 2112 is due the first day of the second month following the month that the data in the report represents. In addition, the Handbook states that the ETA 191 is due by the 25th of the month following the close of the quarter. What problems did the audit work identify? We identified issues with 2 of the 4 (50 percent) ETA 2112 reports we tested, and 1 of the 2 (50 percent) ETA 191 reports we tested. Specifically, we identified the following: ETA 2112. We identified four issues with the September 2020 report, as follows: ? The Department could not provide support for $50.6 million reported as federal tax withholding on the report. ? The Department could not provide documentation related to the FPUC deposits and disbursements reported on the report. Specifically, the Department reported FPUC deposits as $27.0 million and FPUC Disbursements as $28.4 million. Because the Department could not provide documentation, we could not determine the correct amounts that should have been reported. ? The Department overstated the deposit amount for the intra-account transfer line by $240.2 million. Specifically, the Department reported that the amount deposited during the month for the intra-account transfers was $378.1 million, but the supporting documentation we reviewed showed the deposits totaled $137.9 million. ? The Department submitted the report on November 5, 2020, or 3 days after the deadline of November 2, 2020. In the February 2021 report, we identified that the Department understated reimbursement benefits from nonprofits by $540,000, reimbursements from local governments by $1.1 million; and reimbursements from state government by $204,700. Finally, based on discussion with the Department, it does not protect the formulas in its ETA 2112 workbooks it uses to prepare the reports in order to prevent intentional or inadvertent changes to calculations. ETA 191. We identified two issues with the ETA 191 report for the quarter ended March 2021 report. First, the Department failed to appropriately correct a federal Department of Labor-identified error from the previous quarter for expenditures for military agencies. Specifically, the Department incorrectly adjusted the $1,089,761, by $2,100, which was an under correction of the error of $2,120. Second, the Department submitted the report on May 14, 2021, nearly a month after the April 16, 2021, deadline. Why did these problems occur? The Department did not have sufficient internal controls in place to ensure that the federal reports and associated documentation were accurate and complete during Fiscal Year 2021. Specifically, the Department does not have formal, documented policies for completing the reports or a requirement that the workbooks are protected. Although the Department has a procedure document that provides instructions on how to complete the federal reports, the procedures do not include a requirement for a supervisory review of these reports prior to submitting them to the federal government. Some of the errors we identified were due to the wrong information being input into the reports, which a review could have caught and corrected prior to the Department submitting the report to the federal government. Why do these problems matter? Strong internal controls over federal reporting, including formal, documented policies, protection of formulas in the workbooks used to prepare the reports to prevent intentional or inadvertent changes to calculations, and adequate supervisory review, are necessary to ensure that the Department is in compliance with federal reporting requirements. Errors in the federal reports could cause the users of these reports to rely on incorrect information. This could have a negative impact on the Department?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-063 The Department of Labor and Employment should strengthen its internal controls over federal reporting by developing, formally documenting, and implementing policies for completing its federal reports for the Unemployment Insurance program. These policies should require the workbooks used to prepare the reports to be protected and that a supervisory review occurs prior to submitting the reports to the federal government. Response Department of Labor and Employment Agree Implementation Date: March 2023 CDLE will continue to develop, formally document, and implement policies for completing its federal reports for the Unemployment Insurance program. These policies will require the workbooks used to prepare the reports to be protected, for the data to be substantiated, and will require supervisory review on a monthly basis prior to submitting the reports to the federal government.
Finding 2022-072 MyUI+ and Connecting Colorado?Information Security Government Auditing Standards allow for information that is considered sensitive in nature, such as detailed information related to information technology system security, to be issued through a separate ?classified or limited use? report because of the potential damage that could be caused by the misuse of this information. We consider the specific technical details of this finding, along with the response, to be sensitive in nature and not appropriate for public disclosure. Therefore, the details of the following finding and response have been provided to the Department in a separate, confidential memorandum. The Department administers the federal Unemployment Insurance and Employment Service Cluster programs, and the Department relies on IT systems to aid with determining applicants? eligibility for the programs and to provide information necessary to meet federal reporting requirements. For these two programs, the associated systems are MyUI+ and Connecting Colorado. The Department is the business owner and works with the Governor?s Office of Information Technology (OIT) and two different external IT service providers. High level descriptions of the two systems are as follows: ? MyUI+ ? The Department?s system for UI eligibility determinations and calculation of UI payments to eligible recipients. According to Department staff, starting in Fiscal Year 2023, MyUI+ will also provide data necessary for federal reporting to the U.S. Department of Labor for the UI program that was previously generated by the Colorado Labor and Employment Accounting Resource system. ? Connecting Colorado ? The Department?s workforce case management, labor exchange, and federal reporting system that supports the Employment Service Cluster program. The system provides services for job seekers and businesses, as well as provides all required federal reporting to the U.S. Department of Labor, for the Employment Service Cluster programs. In order for the Department to achieve its objectives and respond to risks, including those related to the federal programs it administers, management should establish a strong framework of internal controls that also address information system controls. Specifically, information system controls typically start with management documenting IT policies that address IT general control responsibilities and procedures that document the more granular details on how to implement Department policies. These IT general control policies and procedures should include those policies and procedures that are specific to information security. Once policies and procedures have been formalized and communicated to staff responsible, specific internal control activities can be implemented and operationalized. What was the purpose of our audit work and what work was performed? The purpose of our Fiscal Year 2022 audit work was to determine whether the Department, OIT, and the Department?s two external IT service providers for MyUI+ and Connecting Colorado had policies and procedures related to information security, designed and implemented for MyUI+ and Connecting Colorado. Our audit work was performed through interviews conducted of Department and OIT staff. What problems did the audit work identify and how were the results of the audit work measured? During Fiscal Year 2022, we identified information security problems with the MyUI+ and Connecting Colorado systems. We have grouped these problems first by those common to the two systems and then those unique to each system. MyUI+ and Connecting Colorado Common Problems ? Policies and procedures were lacking. Department management had not established its expectations through the development and implementation of formalized policies and procedures related to information security general controls for MyUI+ and Connecting Colorado. o Standards for Internal Control in the Federal Government (Green Book) published by the U.S. Government Accountability Office (GAO) states in Paragraph 3.09, Documentation of Internal Control System, and 12.02, Documentation of Responsibilities through Policies, that management should develop and maintain documentation of its internal control system and document in policies the internal control responsibilities of the organization. Paragraph 11.06 and 11.07, Design Appropriate Types of Control Activities, states that management should design appropriate types of control activities in the entity?s information system, including information system general controls that facilitate the proper operation of the entity?s systems. o Colorado Information Security Policies (Security Policies or CISP) that are developed, published, and required to be followed by the Department and its external IT service providers state within the Policy and the General Responsibilities sections, specifically 8.3.1 and 8.3.2 for Business Owners or the Department, that all agencies, except for the institutions of higher education and the general assembly, as the business owner, must implement governance principles, which would include IT policies and procedures, for promoting data quality and integrity for its systems, as the business owner, and is responsible for following and adhering to all identified business owner requirements, as stated within the Security Policies. ? Vendor oversight was lacking. The Department had not ensured its IT service providers complied with Security Policies. o Security Policies state that IT service providers?defined as OIT and/or external service providers?must follow the Security Policy requirements, among certain other requirements, as communicated to the Department within the confidential finding. o Section C.iii. (Legal Authority ? Contractor Signatory, Information Technology Specific) of the Department?s contract with the Connecting Colorado IT service provider states: ??the contractor warrants that it will at all times comply with all Security Policies.? o Exhibit C, Section 1.C.vi. (Information Technology Provisions, Protection of System Data) of the Department?s contract with the MyUI+ IT service provider states: ??the contractor shall comply with all rules, policies, procedures, and standards issued by the Governor?s Office of Information Technology.? o The Green Book states in Paragraph OV4.01, Service Organizations, that management retains responsibility for the performance of processes assigned to service organizations. MyUI+ and Connecting Colorado Unique Problems We also found other problems with access management, unique to each MyUI+ and Connecting Colorado, that lacked compliance with Security Policies, OIT Cyber Policies, and the IRS?s, Publication 1075, Tax Information Security Guidelines for Federal, State, and Local Agencies, November 2021 Revision, and were communicated through the confidential finding. Why did these problems occur? Overall, the Department did not have sufficient IT governance and information security internal controls in place, including policies and procedures, to ensure that Department staff and its IT service providers complied with various data security compliance requirements set forth by OIT and the IRS, as well as those internal control principles established within the Green Book?s internal control framework. We discuss other specific causes for the problems we identified below: MyUI+ and Connecting Colorado ? Policies and procedures were lacking (MyUI+). Department staff stated that they followed and complied with the October 2021 dated Security Policies for the entire fiscal year, as these were more stringent than the March 2022 dated Security Policies. However, the Department did not provide documentation of a formal adoption of the October 2021 dated Security Policies. Staff also stated it maintains informal procedures of how to perform certain access management processes, but no standard operating procedures were in place. ? Policies and procedures were lacking (Connecting Colorado). Department staff had released a program guidance letter that addressed data security and access, but staff acknowledged that these program guidance letters are a guide and not official policy statements. In addition, the program guidance letter provided by Department staff was directed to the workforce centers that are located across the state that provide employment services to eligible beneficiaries and, therefore, did not provide any data security or access policies and procedures for state staff. ? Vendor oversight was lacking. We determined the Department did not have a vendor management process in place to hold its IT service providers accountable for contract provisions that required the IT service providers to comply with Security Policies, as demonstrated by the noncompliance issues we identified. In addition, and based on the March 2022 Security Policies, the Department has not determined whether contract amendments may be necessary with its two external IT service providers. ? Other Access Management Non-Compliance: o Department staff indicated that in one instance of non-compliance identified, a more efficient process was to not comply with the requirement. o Department staff stated that the certain access management non-compliance area was set up as it was during the COVID-19 pandemic to help prevent backlogs and issues for users during that time and was not subsequently changed. o Department staff did not update its rules for Connecting Colorado account management non-compliance area to reflect Security Policy changes. Specifically, we noted that OIT introduced the specific account management requirements in its Security Policies in February 2015, and those requirements remained constant through the March 2022 version; however, Department staff did not have a process in place to ensure periodic reviews of OIT?s Security Policies occurred and Department rules for the workforce centers appropriately aligned with any Security Policy changes. In addition, Department staff did not have a process in place to ensure its external IT service providers were complying with contract provisions to comply with Security Policy requirements. o Department staff stated they have not found cause to mandate IT service provider actions that are deemed privately owned business methodologies. However, and as noted above, the Department?s contract states that the external IT service provider must comply with OIT?s Security Policies that require specific security safeguards to be implemented by all IT service providers, including the Connecting Colorado external IT service provider. Why do these problems matter? The lack of established IT policies and procedures make it difficult for Department management to measure and hold staff accountable to management?s expectations, as well as ensuring risks are addressed and overall objectives and missions are fulfilled. In turn, without policies and procedures, staff may not perform processes and controls in a consistent manner. In addition, without holding vendors accountable and ensuring that strong security measures are designed, implemented, and operating effectively, the risk of unauthorized access increases and ultimately impacts data reliability of the data stored and processed within MyUI+ and Connecting Colorado. Lastly, without having a strong internal control framework in place, management cannot ensure that state and federal funds are being used appropriately, which may impact the Department?s compliance with federal grant requirements and/or the accuracy of the Department?s federal and financial reporting. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-072 The Department of Labor and Employment (Department) should improve its overall Information Technology (IT) governance and information security IT general controls, and work with its IT service providers, as applicable, for the MyUI+ and Connecting Colorado information systems by: A. Formalizing and communicating to Department staff and the Department?s IT service providers? IT policies that comply with the Business Owner requirements listed within the Governor?s Office of Information Technology?s (OIT) March 2022 Colorado Information Security Policies (Security Policies). As an option, the Department could formally adopt the October 2021 Security Policies, identify any gaps between the October 2021 and March 2022 versions, and then formalize and communicate policies that address the identified gaps. B. Formalizing and communicating IT procedures to provide guidance to Department staff and the Department?s IT service providers performing IT general control activities that further address the IT policies formalized in recommendation Part A. The formalization and communication should include an organizationally defined, periodic review process of OIT?s Security Policies to ensure the Department?s IT policies, procedures, and rules are updated accordingly to align with the most current version of the Security Policies. C. Formalizing a vendor management process that ensures the Department?s IT service providers are held accountable to contract provisions requiring compliance with Colorado Information Security Policies and IT policies and procedures formalized in recommendation Parts A and B. This should include a review of the Department?s current external IT service providers? contracts and a determination of whether amendments to those contracts are necessary, based on the formalization of recommendation Parts A and B. D. Implementing recommendation Part D as noted in the confidential finding. E. Implementing recommendation Part E as noted in the confidential finding. Response Department of Labor and Employment A. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. B. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. C. Agree Implementation Date: December 2023 CDLE agrees with the recommendation and as part of A and B recommendations of this document, the Department will include a requirement from vendors to affirm they have reviewed and will comply with OIT security policies for all new contracts. Furthermore, as the Department becomes aware of changes to OIT Security Policies through its annual review process, these will be communicated to the vendors, and they will be required to reaffirm their compliance with any applicable changes. We will work with our current vendors for MyUI+ and Connecting Colorado to address the compliance issues noted in the audit and ensure they are compliant with OIT Security Policies and IT policies developed in part A and B of this recommendation. If non-compliance is determined to be unavoidable, the Department will file for a security exception with OIT. D. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part D as noted in the confidential finding. E. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part E as noted in the confidential finding.
Finding 2022-070 Unemployment Insurance Program Integrity Fraud Holds The Department?s UI Division is responsible for the administration and monitoring of Colorado?s UI programs, including the collection of unemployment premiums from employers, the payment of UI benefits to claimants, and the performance of audits and investigations of premiums and benefits to ensure they are properly paid. Employer-paid premiums are the primary source of funding for UI benefits. When an individual applies for UI benefits, they are called a claimant, and the application is called a claim. Each claimant creates an account in MyUI+, the Department?s unemployment benefit system, in order to apply for unemployment benefits. The Department reviews, or adjudicates, claims to ensure that claimants are eligible and entitled to receive UI benefits. As part of the adjudication process, wage checks for claimants are compared to employer reported wages submitted to the Department on a quarterly basis and the Department sends a notification to all employers that the claimant worked for within the last 18 months to determine the validity and reason for the claimant leaving the workplace. In addition, Department staff indicate that, on a weekly basis, they perform reviews to identify potential issues with a claimant?s ability and availability to work, and to determine whether the claimant is accurately reporting earned income. If information provided by an interested party, such as a former employer, relating to the reason for leaving the workforce does not agree to the claimant information, the Department follows up on the information and issues eligibility determinations, as appropriate. In Fiscal Year 2022, the Department paid $1.1 billion in UI benefits. The Department has processes and systems to detect and prevent identity theft related to UI benefits. For example, when the Department identifies a claim with characteristics that are indicators of fraud, it places a fraud hold (also known as a program integrity hold) on the claimant?s UI claim, which holds the claim for investigation and which prevents any future benefit payments to the claimant until the fraud hold is removed and eligibility is determined. For each fraud hold, the Department has to determine if the identity of the individual filing the claim matches the personally identifiable information used on the claim. Once that is verified, the Department then must verify that the individual did not make any false statements in order to establish program eligibility. The steps that the Department takes to resolve a fraud hold differ depending on the characteristics of the claim that caused the Department to question its legitimacy. If Department staff determine that the fraud hold was not legitimate, the Department clears the hold in MyUI+ and then proceeds with determining if the individual is eligible to receive UI benefits. The Department uses an automated system, called ID.me, as part of its identity verification process. ID.me is a federally-certified identity provider that assists the Department in verifying claimants? identity. In some instances, MyUI+ will clear the fraud hold if the claimant passes ID.me and the claim does not need further investigation. In other cases, the Department performs an investigation to determine if the fraud hold is legitimate, or if the hold was placed in error. According to the information in MyUI+, the Department cleared 54,047 fraud holds during Fiscal Year 2022 ? 44,936 were cleared through the ID.me process, and 9,111 were cleared by the Department. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department had adequate internal controls in place over fraud holds during Fiscal Year 2022, including whether only appropriate, authorized individuals cleared the fraud hold from MyUI+, and if the Department had adequate segregation of duties between staff investigating a fraud hold, and staff releasing the hold in MyUI+. As part of our audit work, we requested the Department?s policies and procedures for their investigation process and documentation used to support the Department?s investigations that resulted in clearing a fraud hold, and inquired how the Department determined who is authorized to release fraud holds from MyUI+. The Department?s documentation included case reports for the investigations and log notes from Salesforce, the Department?s software that is primarily used as a workflow management tool and documentation repository for UI claims requiring an investigation. We selected a sample of 60 of the 9,111 fraud holds that were cleared by the Department during Fiscal Year 2022 to determine if the Department performed an investigation prior to releasing the fraud hold in MyUI+. In addition, as part of our testing of the sample, we determined that 20 different Department staff cleared the 60 fraud holds in MyUI+; we performed testing to determine if those staff were authorized to clear the holds in MyUI+. How were the results of the audit work measured? We measured the results of our audit against the following: Section 7511, Part V, of the Employment Security Manual (ESM) requires state UI laws to include provisions for such methods of administration as are, within reason, calculated (1) to detect benefits paid through error by the state UI agency or through willful misrepresentation or error by the claimant or others, (2) to deter claimants from obtaining benefits through willful misrepresentation, and (3) to recover benefits overpaid under certain circumstances. These required functions are accomplished through designated staff responsible for promoting and maintaining the integrity of the UI program through prevention, detection, investigations, establishment, and recovery of overpayments. Designated staff also prepare cases for prosecution. The Department?s UI Investigation Procedures state that if Department staff determine that a fraud hold that they are investigating can be released in MyUI+, Department staff should write an event log note in Salesforce. Information security is the practice of protecting information by mitigating information risk. ISO 27001 Standard for Information Security Management Systems is the international standard for information security, and its best practice approach helps organizations manage their information security by addressing people, processes, and technology. User-access management has the following objectives: ? Ensure authorized user access ? Prevent unauthorized access to information systems Expanding on the objectives from ISO 27001, a broad set of business-level objectives for user-access management can be defined as follows: ? Allow only authorized users to have access to information and resources ? Restrict access to the least privileges required by these authorized users to fulfill their business role The federal Social Security Act [Section 303(a)(1), SSA], contains a merit-based system requirement for the UI program. Specifically, this section requires that, as a condition of receiving federal UI administrative grants, states must have laws that include ?provision for such methods of administration? that includes a merit system. A merit system is defined as the process of promoting and hiring government employees based on their ability to perform a job, rather than on their political connections. As part of this requirement, any position which involves the determination of whether or not a UI claimant will be paid, or which involves determining an employer's liability for contributions, must be ?merit staffed.? According to federal regulations [5 CFR 900.603, Standards For a Merit System of Personnel Administration], ?The quality of public service can be improved by the development of systems of personnel administration consistent with such merit principles as - (a) Recruiting, selecting, and advancing employees on the basis of their relative ability, knowledge, and skills, including open consideration of qualified applicants for initial appointment. (b) Providing equitable and adequate compensation. (c) Training employees, as needed, to assure high quality performance. (d) Retaining employees on the basis of the adequacy of their performance, correcting inadequate performance, and separating employees whose inadequate performance cannot be corrected?? The U. S. Department of Labor Unemployment Insurance Program Letter (UIPL) No. 12-01, states that only those employees considered as merit-staff can determine whether to pay or deny payment to a claim. Additionally, UIPL No. 12-01 Change 2 states that, ?Determinations of overpayments or fraud must be made by merit-staffed employees.? The Department?s SPP 1053 Code of Conduct, Ethics and Values Policy, Attachment A: Unemployment Insurance Ethics Policy states that employees are not permitted to do the following: ? Investigate or attempt to investigate suspected fraud unless it is within their assigned duties. ? Backdate a claim, transfer claim status retroactively (UI to UCFE, UCX to TRA, etc.), alter information provided by a claimant or employer, or change or defer a UI document due date without valid documentation or approval of the appropriate branch chief or UI Director. According to federal regulation [45 CFR 75.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office. Under Paragraph 10.01 of the Green Book, the Department should design control activities to achieve objectives and respond to risks. Segregation of duties contribute to the design, implementation, and operating effectiveness of control activities. Under Paragraph 10.03 of the Green Book, the Department should divide or segregate key duties and responsibilities among different people to reduce the risk of error, misuse, or fraud. This includes separating the responsibilities for authorizing transactions, processing and recording them, reviewing the transactions, and handling any related assets so that no one individual controls all key aspects of a transaction or event. What problems did the audit work identify? The Department did not comply with federal regulations or its own policies and procedures related to the clearing of fraud holds during Fiscal Year 2022. Specifically, we identified issues with 32 of the 60 (53 percent) fraud holds we tested, as follows: ? The Department cleared 12 of the 60 fraud holds tested (20 percent) without performing an investigation or providing evidence of the reasoning used to clear the hold. Specifically, when we asked for investigation documentation for the 12 fraud holds, the Department indicated these were cleared without an investigation, and there were no related log notes in Salesforce, as required. ? For 20 of the 48 cases in our sample (42 percent) for which the Department did conduct an investigation, it did not segregate the duty of investigating the fraud hold and clearing the fraud hold from MyUI+. Specifically, in these cases, only one person conducted the investigation, concluded on the investigation, and cleared the fraud hold in MyUI+. ? One of the 20 Department staff who cleared a portion (5 percent) of the 60 fraud holds we sampled was not authorized to clear fraud holds from MyUI+ because the individual was not considered to be merit-staffed. Further, this unauthorized individual cleared 11 of 12 fraud holds we identified above that did not have an investigation, as required. We also found that this individual cleared an additional 55 fraud holds outside of our sample during Fiscal Year 2022. Why did these problems occur? The Department did not have sufficient internal controls in place, including appropriate policies and procedures, to ensure it enforced compliance with federal and Department-level requirements regarding the clearing of UI fraud holds during Fiscal Year 2022, as follows: ? The Department did not ensure that all fraud hold claims cleared in MyUI+ had a related log note in Salesforce that explained the rationale for clearing the hold, or that there was an investigation performed over the fraud hold prior to it being cleared in MyUI+. Specifically, in 11 of the 12 instances, the Department?s controls failed to prevent non-merit staff from using their MyUI+ access inappropriately, and in the other instance, Department controls failed to ensure the UI claim was reviewed by the UI section that reviews fraud holds rather than the UI section that resolves non-fraud UI claims. The Department provided full, rather than read-only access to the non-merit, Executive Director?s Office?s staff member noted in our finding. UI management indicated that they gave the individual full access to MyUI+ during the height of the pandemic with the assumption that the individual would use such access in a read-only manner solely to review claim information for inquiries coming through the Executive Director's Office. According to UI Division leadership, after they identified that the individual had full access during Fiscal Year 2022, they changed the individual?s access to read-only in January 2022. ? The Department lacked policies regarding management override of controls related to the clearing of fraud holds, in order to prevent or appropriately manage those responsibilities. UI staff indicated that in some cases, the non-merit, Executive Director?s Office?s staff member noted in our finding would reach out to other staff within the UI Division to help escalate the MyUI+ fraud hold clearing process. In some of these instances, because of the position of the individual within the Executive Director?s Office, UI staff circumvented the normal escalation process and aided the individual with clearing the fraud hold. ? The Department?s current policies and procedures do not require segregation of duties between those staff who investigate a fraud hold, and those staff who remove the fraud hold in MyUI+. Why do these problems matter? Improper segregation of duties, including the separation of responsibilities for both investigating and clearing potential fraud holds, leaves the UI program vulnerable to fraudulent activity. Specifically, fraud risk increases if there is no segregation between the investigation and the actual clearing of the fraud hold from MyUI+ and, as a result, the same staff could inappropriately clear holds and initiate UI payments. Further, a lack of strong checks and balances within the UI program could erode the integrity of the program at large, ultimately negatively impacting public trust. Strong internal controls related to UI fraud are especially important given the large amount of funds that are paid by the Department for UI claims each year and the significant amount of fraudulent claims that are paid by the Department. For example, the Department recorded an estimated receivable for amounts due back to the Department of $45 million for fraudulently-obtained UI claims at June 30, 2022. Without strengthening its controls over UI claims and fraud holds, there is a risk that a significant amount of UI funds could continue to be paid out each year for fraudulently obtained UI claims. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-070 The Department of Labor and Employment (Department) should strengthen its internal controls over Unemployment Insurance (UI) program integrity holds by: A. Ensuring all fraud holds are properly investigated and documented with a log note in Salesforce that explains the rationale for releasing the claim, prior to releasing the claim in MyUI+. B. Adequately reviewing claims for a fraud indicator to ensure the hold is sent to the appropriate UI section for resolution. C. Ensuring Department staff are given the appropriate access in MyUI+ to prevent individuals from clearing fraud holds inappropriately and periodically monitoring access to ensure access levels remain appropriate. D. Instituting policies and procedures over management override of internal controls related to UI claims and providing staff training on those policies and procedures. This should include ensuring that UI staff are aware of the importance of following all procedures related to fraud holds and that any inappropriate requests or pressures are communicated through the appropriate channels. E. Updating its current policies and procedures to require segregation of duties between the investigation of a fraud hold and the release of a fraud hold in MyUI+ to ensure more than one person is involved in the fraud hold process from beginning to end. Response Department of Labor and Employment A. Agree Implementation Date: July 2024 The Department agrees with this finding. The Department is moving all adjudication and investigation of program integrity holds into the MyUI+ system, so there will be one system of record. The Department will ensure that all program integrity holds have all documentation through adjudication and investigation, including log notes. The Department anticipates this to be fully implemented by July 2024. B. Agree Implementation Date: July 2024 The Department agrees with this finding. The department has modified processes to ensure all holds are only routed to the appropriate team to be adjudicated. In addition the Department is working to have all claims identified as fraud delivered in a workflow process in MyUI+ rather than the various processes in place now. Further the department is working with our MyUI+ system experts to implement new technology to strengthen and streamline the fraud indicator escalation process and systems within MyUI+. In working with our MyUI+ system experts, the Department anticipates this to be fully implemented by July 2024. C. Agree Implementation Date: July 2024 The Department agrees with this finding. The Department will continue strengthening security in this area and internal procedures to periodically monitor the potential for internal fraud activities. Additionally, the Department will periodically monitor and review My UI+ access levels for appropriateness. In consultation with our MyUI+ systems experts, the Department anticipates this finding to be fully implemented by July 2024. D. Agree Implementation Date: July 2023 The Department agrees with this finding. The Department will reinforce and strengthen the ethics policies in yearly communication to staff and tighten escalation policies to ensure pressures and inappropriate requests are handled in accordance with guidelines. The Department anticipates this will be completed by July 2023. E. Disagree When a PI hold is identified as being highly suspicious for criminally fraudulent activity, it is routed to a specialized unit for review, thereby leaving the standard adjudication process. This is handled by passing the review to the UI Investigations and/or Criminal Enforcement (ICE) unit. The investigator performs their investigation and if no actual fraudulent activity is found they will release the hold. The UI Division also performs several quality control reviews of claims and claim decisions via Benefits Payment Control (BPC), Benefits Accuracy Measurements (BAM), Benefits Timeliness and Quality (BTQ), and internal Quality Assurance (QA) reviews. Claims are reviewed for such criteria as adequate support documentation, benefit payment accuracy, timely processing, and correct claim decision determination on all program integrity holds. The Green Book states in Section 10.14, ? If segregation of duties is not practical within an operational process because of limited personnel or other factors, management designs alternative control activities to address the risk of fraud, waste, or abuse in the operational process.? CDLE believes the reviews represent adequate and sufficient compensating controls for the need for segregation of duties on fraud holds. Changing the current process would hinder our ability to deliver UI benefit services timely to our customers and would put us in jeopardy of fulfilling our federal and state payment timeliness requirements. Auditor?s Addendum Segregating the duties between investigating and releasing a fraud hold in MyUI+ reduces the risk of an employee inappropriately and potentially fraudulently clearing the hold without conducting a proper investigation. The issues identified in our audit indicate that the Department?s current compensating controls did not identify that a current employee released fraud holds without a proper investigation. The Department should consider updating its procedures and processes to segregate these duties to reduce the risk of this occurring in the future.
The following finding and recommendation relating to an internal control deficiency classified as a Significant Deficiency was communicated to the Department of Labor and Employment (Department) in the previous year and has not been remediated as of June 30, 2022 because the original implementation date provided by the Department was in a subsequent fiscal year. This complete finding and recommendation can be found within the original report and the complete recommendation can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table Finding 2021-063 Unemployment Insurance?Federal Reporting The Department?s Accounting Section is responsible for completing the following two federal financial reports for the UI program and ensuring the reports are accurate, complete, and submitted to the federal government by the required deadline. The Accounting Section uses bank statements and reports from the Colorado Operations Resource Engine (CORE), the State?s accounting system, to create a workbook with the information and uses that workbook to complete the reports. ? ETA 9130, Financial Status Report, UI Programs. This is a quarterly report used to report the Department?s UI program and administrative expenditures. Financial data is required to be reported cumulatively from grant inception through the end of the reporting period. ? ETA 2112, UI Financial Transaction Summary. This is a monthly report that is a summary of the UI program?s transactions, which account for all funds received in, passed through, or paid out of the state employment fund during the applicable month. The UI division is responsible for completing the following federal report for the UI program and ensuring the report is accurate, complete, and submitted to the federal government by the required timeline. The UI division uses data pulled from MyUI+, the UI claims and benefits system, to generate two reports to fill out the ETA 191 report, described as follows. ? ETA 191, Financial Status of UCFE/UCX. This is a quarterly report on the State?s unemployment compensation expenditures paid by the Department to former federal employees (UCFE) and ex-service members (UCX) who have filed with the Department for unemployment benefits, and total amount of benefits paid to claimants of specific federal agencies. The federal government uses this report to request reimbursement of UCFE and UCX benefit payments from federal and military agencies. The federal government reimburses the Department for these benefit payments. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the Department had adequate internal controls in place over and complied with federal reporting requirements for the UI program during Fiscal Year 2021. As part of our audit work, we gained an understanding of the Department?s procedures that were in place to prepare the federal reports. In addition, we reviewed four ETA 2112 reports and two ETA 191 reports submitted to the federal government for Fiscal Year 2021 to ensure they were accurate, complete, and submitted by the required deadline. We also requested the Department?s policies and procedures for completing the reports, as well as the Department?s supporting documentation for the reports. How were the results of the audit work measured? We measured the results of our audit against the following: In accordance with Uniform Guidance [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and terms and conditions of the federal award. In accordance with the OSC?s policy Internal Control System, state agencies shall use the Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office, as its framework for its system of internal control. Green Book, Paragraph OV4.08, Documentation Requirements, states that documentation is required for the effective design, implementation, and operating effectiveness of an entity?s internal control system. Green Book Paragraph 12.02, Documentation of Responsibilities through Policies, specifically indicates that management should document in their policies the internal control responsibilities of the organization. The U.S. Department of Labor Unemployment Insurance Handbook 401 (Handbook) states that the ETA 2112 is due the first day of the second month following the month that the data in the report represents. In addition, the Handbook states that the ETA 191 is due by the 25th of the month following the close of the quarter. What problems did the audit work identify? We identified issues with 2 of the 4 (50 percent) ETA 2112 reports we tested, and 1 of the 2 (50 percent) ETA 191 reports we tested. Specifically, we identified the following: ETA 2112. We identified four issues with the September 2020 report, as follows: ? The Department could not provide support for $50.6 million reported as federal tax withholding on the report. ? The Department could not provide documentation related to the FPUC deposits and disbursements reported on the report. Specifically, the Department reported FPUC deposits as $27.0 million and FPUC Disbursements as $28.4 million. Because the Department could not provide documentation, we could not determine the correct amounts that should have been reported. ? The Department overstated the deposit amount for the intra-account transfer line by $240.2 million. Specifically, the Department reported that the amount deposited during the month for the intra-account transfers was $378.1 million, but the supporting documentation we reviewed showed the deposits totaled $137.9 million. ? The Department submitted the report on November 5, 2020, or 3 days after the deadline of November 2, 2020. In the February 2021 report, we identified that the Department understated reimbursement benefits from nonprofits by $540,000, reimbursements from local governments by $1.1 million; and reimbursements from state government by $204,700. Finally, based on discussion with the Department, it does not protect the formulas in its ETA 2112 workbooks it uses to prepare the reports in order to prevent intentional or inadvertent changes to calculations. ETA 191. We identified two issues with the ETA 191 report for the quarter ended March 2021 report. First, the Department failed to appropriately correct a federal Department of Labor-identified error from the previous quarter for expenditures for military agencies. Specifically, the Department incorrectly adjusted the $1,089,761, by $2,100, which was an under correction of the error of $2,120. Second, the Department submitted the report on May 14, 2021, nearly a month after the April 16, 2021, deadline. Why did these problems occur? The Department did not have sufficient internal controls in place to ensure that the federal reports and associated documentation were accurate and complete during Fiscal Year 2021. Specifically, the Department does not have formal, documented policies for completing the reports or a requirement that the workbooks are protected. Although the Department has a procedure document that provides instructions on how to complete the federal reports, the procedures do not include a requirement for a supervisory review of these reports prior to submitting them to the federal government. Some of the errors we identified were due to the wrong information being input into the reports, which a review could have caught and corrected prior to the Department submitting the report to the federal government. Why do these problems matter? Strong internal controls over federal reporting, including formal, documented policies, protection of formulas in the workbooks used to prepare the reports to prevent intentional or inadvertent changes to calculations, and adequate supervisory review, are necessary to ensure that the Department is in compliance with federal reporting requirements. Errors in the federal reports could cause the users of these reports to rely on incorrect information. This could have a negative impact on the Department?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-063 The Department of Labor and Employment should strengthen its internal controls over federal reporting by developing, formally documenting, and implementing policies for completing its federal reports for the Unemployment Insurance program. These policies should require the workbooks used to prepare the reports to be protected and that a supervisory review occurs prior to submitting the reports to the federal government. Response Department of Labor and Employment Agree Implementation Date: March 2023 CDLE will continue to develop, formally document, and implement policies for completing its federal reports for the Unemployment Insurance program. These policies will require the workbooks used to prepare the reports to be protected, for the data to be substantiated, and will require supervisory review on a monthly basis prior to submitting the reports to the federal government.
Finding 2022-072 MyUI+ and Connecting Colorado?Information Security Government Auditing Standards allow for information that is considered sensitive in nature, such as detailed information related to information technology system security, to be issued through a separate ?classified or limited use? report because of the potential damage that could be caused by the misuse of this information. We consider the specific technical details of this finding, along with the response, to be sensitive in nature and not appropriate for public disclosure. Therefore, the details of the following finding and response have been provided to the Department in a separate, confidential memorandum. The Department administers the federal Unemployment Insurance and Employment Service Cluster programs, and the Department relies on IT systems to aid with determining applicants? eligibility for the programs and to provide information necessary to meet federal reporting requirements. For these two programs, the associated systems are MyUI+ and Connecting Colorado. The Department is the business owner and works with the Governor?s Office of Information Technology (OIT) and two different external IT service providers. High level descriptions of the two systems are as follows: ? MyUI+ ? The Department?s system for UI eligibility determinations and calculation of UI payments to eligible recipients. According to Department staff, starting in Fiscal Year 2023, MyUI+ will also provide data necessary for federal reporting to the U.S. Department of Labor for the UI program that was previously generated by the Colorado Labor and Employment Accounting Resource system. ? Connecting Colorado ? The Department?s workforce case management, labor exchange, and federal reporting system that supports the Employment Service Cluster program. The system provides services for job seekers and businesses, as well as provides all required federal reporting to the U.S. Department of Labor, for the Employment Service Cluster programs. In order for the Department to achieve its objectives and respond to risks, including those related to the federal programs it administers, management should establish a strong framework of internal controls that also address information system controls. Specifically, information system controls typically start with management documenting IT policies that address IT general control responsibilities and procedures that document the more granular details on how to implement Department policies. These IT general control policies and procedures should include those policies and procedures that are specific to information security. Once policies and procedures have been formalized and communicated to staff responsible, specific internal control activities can be implemented and operationalized. What was the purpose of our audit work and what work was performed? The purpose of our Fiscal Year 2022 audit work was to determine whether the Department, OIT, and the Department?s two external IT service providers for MyUI+ and Connecting Colorado had policies and procedures related to information security, designed and implemented for MyUI+ and Connecting Colorado. Our audit work was performed through interviews conducted of Department and OIT staff. What problems did the audit work identify and how were the results of the audit work measured? During Fiscal Year 2022, we identified information security problems with the MyUI+ and Connecting Colorado systems. We have grouped these problems first by those common to the two systems and then those unique to each system. MyUI+ and Connecting Colorado Common Problems ? Policies and procedures were lacking. Department management had not established its expectations through the development and implementation of formalized policies and procedures related to information security general controls for MyUI+ and Connecting Colorado. o Standards for Internal Control in the Federal Government (Green Book) published by the U.S. Government Accountability Office (GAO) states in Paragraph 3.09, Documentation of Internal Control System, and 12.02, Documentation of Responsibilities through Policies, that management should develop and maintain documentation of its internal control system and document in policies the internal control responsibilities of the organization. Paragraph 11.06 and 11.07, Design Appropriate Types of Control Activities, states that management should design appropriate types of control activities in the entity?s information system, including information system general controls that facilitate the proper operation of the entity?s systems. o Colorado Information Security Policies (Security Policies or CISP) that are developed, published, and required to be followed by the Department and its external IT service providers state within the Policy and the General Responsibilities sections, specifically 8.3.1 and 8.3.2 for Business Owners or the Department, that all agencies, except for the institutions of higher education and the general assembly, as the business owner, must implement governance principles, which would include IT policies and procedures, for promoting data quality and integrity for its systems, as the business owner, and is responsible for following and adhering to all identified business owner requirements, as stated within the Security Policies. ? Vendor oversight was lacking. The Department had not ensured its IT service providers complied with Security Policies. o Security Policies state that IT service providers?defined as OIT and/or external service providers?must follow the Security Policy requirements, among certain other requirements, as communicated to the Department within the confidential finding. o Section C.iii. (Legal Authority ? Contractor Signatory, Information Technology Specific) of the Department?s contract with the Connecting Colorado IT service provider states: ??the contractor warrants that it will at all times comply with all Security Policies.? o Exhibit C, Section 1.C.vi. (Information Technology Provisions, Protection of System Data) of the Department?s contract with the MyUI+ IT service provider states: ??the contractor shall comply with all rules, policies, procedures, and standards issued by the Governor?s Office of Information Technology.? o The Green Book states in Paragraph OV4.01, Service Organizations, that management retains responsibility for the performance of processes assigned to service organizations. MyUI+ and Connecting Colorado Unique Problems We also found other problems with access management, unique to each MyUI+ and Connecting Colorado, that lacked compliance with Security Policies, OIT Cyber Policies, and the IRS?s, Publication 1075, Tax Information Security Guidelines for Federal, State, and Local Agencies, November 2021 Revision, and were communicated through the confidential finding. Why did these problems occur? Overall, the Department did not have sufficient IT governance and information security internal controls in place, including policies and procedures, to ensure that Department staff and its IT service providers complied with various data security compliance requirements set forth by OIT and the IRS, as well as those internal control principles established within the Green Book?s internal control framework. We discuss other specific causes for the problems we identified below: MyUI+ and Connecting Colorado ? Policies and procedures were lacking (MyUI+). Department staff stated that they followed and complied with the October 2021 dated Security Policies for the entire fiscal year, as these were more stringent than the March 2022 dated Security Policies. However, the Department did not provide documentation of a formal adoption of the October 2021 dated Security Policies. Staff also stated it maintains informal procedures of how to perform certain access management processes, but no standard operating procedures were in place. ? Policies and procedures were lacking (Connecting Colorado). Department staff had released a program guidance letter that addressed data security and access, but staff acknowledged that these program guidance letters are a guide and not official policy statements. In addition, the program guidance letter provided by Department staff was directed to the workforce centers that are located across the state that provide employment services to eligible beneficiaries and, therefore, did not provide any data security or access policies and procedures for state staff. ? Vendor oversight was lacking. We determined the Department did not have a vendor management process in place to hold its IT service providers accountable for contract provisions that required the IT service providers to comply with Security Policies, as demonstrated by the noncompliance issues we identified. In addition, and based on the March 2022 Security Policies, the Department has not determined whether contract amendments may be necessary with its two external IT service providers. ? Other Access Management Non-Compliance: o Department staff indicated that in one instance of non-compliance identified, a more efficient process was to not comply with the requirement. o Department staff stated that the certain access management non-compliance area was set up as it was during the COVID-19 pandemic to help prevent backlogs and issues for users during that time and was not subsequently changed. o Department staff did not update its rules for Connecting Colorado account management non-compliance area to reflect Security Policy changes. Specifically, we noted that OIT introduced the specific account management requirements in its Security Policies in February 2015, and those requirements remained constant through the March 2022 version; however, Department staff did not have a process in place to ensure periodic reviews of OIT?s Security Policies occurred and Department rules for the workforce centers appropriately aligned with any Security Policy changes. In addition, Department staff did not have a process in place to ensure its external IT service providers were complying with contract provisions to comply with Security Policy requirements. o Department staff stated they have not found cause to mandate IT service provider actions that are deemed privately owned business methodologies. However, and as noted above, the Department?s contract states that the external IT service provider must comply with OIT?s Security Policies that require specific security safeguards to be implemented by all IT service providers, including the Connecting Colorado external IT service provider. Why do these problems matter? The lack of established IT policies and procedures make it difficult for Department management to measure and hold staff accountable to management?s expectations, as well as ensuring risks are addressed and overall objectives and missions are fulfilled. In turn, without policies and procedures, staff may not perform processes and controls in a consistent manner. In addition, without holding vendors accountable and ensuring that strong security measures are designed, implemented, and operating effectively, the risk of unauthorized access increases and ultimately impacts data reliability of the data stored and processed within MyUI+ and Connecting Colorado. Lastly, without having a strong internal control framework in place, management cannot ensure that state and federal funds are being used appropriately, which may impact the Department?s compliance with federal grant requirements and/or the accuracy of the Department?s federal and financial reporting. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-072 The Department of Labor and Employment (Department) should improve its overall Information Technology (IT) governance and information security IT general controls, and work with its IT service providers, as applicable, for the MyUI+ and Connecting Colorado information systems by: A. Formalizing and communicating to Department staff and the Department?s IT service providers? IT policies that comply with the Business Owner requirements listed within the Governor?s Office of Information Technology?s (OIT) March 2022 Colorado Information Security Policies (Security Policies). As an option, the Department could formally adopt the October 2021 Security Policies, identify any gaps between the October 2021 and March 2022 versions, and then formalize and communicate policies that address the identified gaps. B. Formalizing and communicating IT procedures to provide guidance to Department staff and the Department?s IT service providers performing IT general control activities that further address the IT policies formalized in recommendation Part A. The formalization and communication should include an organizationally defined, periodic review process of OIT?s Security Policies to ensure the Department?s IT policies, procedures, and rules are updated accordingly to align with the most current version of the Security Policies. C. Formalizing a vendor management process that ensures the Department?s IT service providers are held accountable to contract provisions requiring compliance with Colorado Information Security Policies and IT policies and procedures formalized in recommendation Parts A and B. This should include a review of the Department?s current external IT service providers? contracts and a determination of whether amendments to those contracts are necessary, based on the formalization of recommendation Parts A and B. D. Implementing recommendation Part D as noted in the confidential finding. E. Implementing recommendation Part E as noted in the confidential finding. Response Department of Labor and Employment A. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. B. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. C. Agree Implementation Date: December 2023 CDLE agrees with the recommendation and as part of A and B recommendations of this document, the Department will include a requirement from vendors to affirm they have reviewed and will comply with OIT security policies for all new contracts. Furthermore, as the Department becomes aware of changes to OIT Security Policies through its annual review process, these will be communicated to the vendors, and they will be required to reaffirm their compliance with any applicable changes. We will work with our current vendors for MyUI+ and Connecting Colorado to address the compliance issues noted in the audit and ensure they are compliant with OIT Security Policies and IT policies developed in part A and B of this recommendation. If non-compliance is determined to be unavoidable, the Department will file for a security exception with OIT. D. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part D as noted in the confidential finding. E. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part E as noted in the confidential finding.
Finding 2022-072 MyUI+ and Connecting Colorado?Information Security Government Auditing Standards allow for information that is considered sensitive in nature, such as detailed information related to information technology system security, to be issued through a separate ?classified or limited use? report because of the potential damage that could be caused by the misuse of this information. We consider the specific technical details of this finding, along with the response, to be sensitive in nature and not appropriate for public disclosure. Therefore, the details of the following finding and response have been provided to the Department in a separate, confidential memorandum. The Department administers the federal Unemployment Insurance and Employment Service Cluster programs, and the Department relies on IT systems to aid with determining applicants? eligibility for the programs and to provide information necessary to meet federal reporting requirements. For these two programs, the associated systems are MyUI+ and Connecting Colorado. The Department is the business owner and works with the Governor?s Office of Information Technology (OIT) and two different external IT service providers. High level descriptions of the two systems are as follows: ? MyUI+ ? The Department?s system for UI eligibility determinations and calculation of UI payments to eligible recipients. According to Department staff, starting in Fiscal Year 2023, MyUI+ will also provide data necessary for federal reporting to the U.S. Department of Labor for the UI program that was previously generated by the Colorado Labor and Employment Accounting Resource system. ? Connecting Colorado ? The Department?s workforce case management, labor exchange, and federal reporting system that supports the Employment Service Cluster program. The system provides services for job seekers and businesses, as well as provides all required federal reporting to the U.S. Department of Labor, for the Employment Service Cluster programs. In order for the Department to achieve its objectives and respond to risks, including those related to the federal programs it administers, management should establish a strong framework of internal controls that also address information system controls. Specifically, information system controls typically start with management documenting IT policies that address IT general control responsibilities and procedures that document the more granular details on how to implement Department policies. These IT general control policies and procedures should include those policies and procedures that are specific to information security. Once policies and procedures have been formalized and communicated to staff responsible, specific internal control activities can be implemented and operationalized. What was the purpose of our audit work and what work was performed? The purpose of our Fiscal Year 2022 audit work was to determine whether the Department, OIT, and the Department?s two external IT service providers for MyUI+ and Connecting Colorado had policies and procedures related to information security, designed and implemented for MyUI+ and Connecting Colorado. Our audit work was performed through interviews conducted of Department and OIT staff. What problems did the audit work identify and how were the results of the audit work measured? During Fiscal Year 2022, we identified information security problems with the MyUI+ and Connecting Colorado systems. We have grouped these problems first by those common to the two systems and then those unique to each system. MyUI+ and Connecting Colorado Common Problems ? Policies and procedures were lacking. Department management had not established its expectations through the development and implementation of formalized policies and procedures related to information security general controls for MyUI+ and Connecting Colorado. o Standards for Internal Control in the Federal Government (Green Book) published by the U.S. Government Accountability Office (GAO) states in Paragraph 3.09, Documentation of Internal Control System, and 12.02, Documentation of Responsibilities through Policies, that management should develop and maintain documentation of its internal control system and document in policies the internal control responsibilities of the organization. Paragraph 11.06 and 11.07, Design Appropriate Types of Control Activities, states that management should design appropriate types of control activities in the entity?s information system, including information system general controls that facilitate the proper operation of the entity?s systems. o Colorado Information Security Policies (Security Policies or CISP) that are developed, published, and required to be followed by the Department and its external IT service providers state within the Policy and the General Responsibilities sections, specifically 8.3.1 and 8.3.2 for Business Owners or the Department, that all agencies, except for the institutions of higher education and the general assembly, as the business owner, must implement governance principles, which would include IT policies and procedures, for promoting data quality and integrity for its systems, as the business owner, and is responsible for following and adhering to all identified business owner requirements, as stated within the Security Policies. ? Vendor oversight was lacking. The Department had not ensured its IT service providers complied with Security Policies. o Security Policies state that IT service providers?defined as OIT and/or external service providers?must follow the Security Policy requirements, among certain other requirements, as communicated to the Department within the confidential finding. o Section C.iii. (Legal Authority ? Contractor Signatory, Information Technology Specific) of the Department?s contract with the Connecting Colorado IT service provider states: ??the contractor warrants that it will at all times comply with all Security Policies.? o Exhibit C, Section 1.C.vi. (Information Technology Provisions, Protection of System Data) of the Department?s contract with the MyUI+ IT service provider states: ??the contractor shall comply with all rules, policies, procedures, and standards issued by the Governor?s Office of Information Technology.? o The Green Book states in Paragraph OV4.01, Service Organizations, that management retains responsibility for the performance of processes assigned to service organizations. MyUI+ and Connecting Colorado Unique Problems We also found other problems with access management, unique to each MyUI+ and Connecting Colorado, that lacked compliance with Security Policies, OIT Cyber Policies, and the IRS?s, Publication 1075, Tax Information Security Guidelines for Federal, State, and Local Agencies, November 2021 Revision, and were communicated through the confidential finding. Why did these problems occur? Overall, the Department did not have sufficient IT governance and information security internal controls in place, including policies and procedures, to ensure that Department staff and its IT service providers complied with various data security compliance requirements set forth by OIT and the IRS, as well as those internal control principles established within the Green Book?s internal control framework. We discuss other specific causes for the problems we identified below: MyUI+ and Connecting Colorado ? Policies and procedures were lacking (MyUI+). Department staff stated that they followed and complied with the October 2021 dated Security Policies for the entire fiscal year, as these were more stringent than the March 2022 dated Security Policies. However, the Department did not provide documentation of a formal adoption of the October 2021 dated Security Policies. Staff also stated it maintains informal procedures of how to perform certain access management processes, but no standard operating procedures were in place. ? Policies and procedures were lacking (Connecting Colorado). Department staff had released a program guidance letter that addressed data security and access, but staff acknowledged that these program guidance letters are a guide and not official policy statements. In addition, the program guidance letter provided by Department staff was directed to the workforce centers that are located across the state that provide employment services to eligible beneficiaries and, therefore, did not provide any data security or access policies and procedures for state staff. ? Vendor oversight was lacking. We determined the Department did not have a vendor management process in place to hold its IT service providers accountable for contract provisions that required the IT service providers to comply with Security Policies, as demonstrated by the noncompliance issues we identified. In addition, and based on the March 2022 Security Policies, the Department has not determined whether contract amendments may be necessary with its two external IT service providers. ? Other Access Management Non-Compliance: o Department staff indicated that in one instance of non-compliance identified, a more efficient process was to not comply with the requirement. o Department staff stated that the certain access management non-compliance area was set up as it was during the COVID-19 pandemic to help prevent backlogs and issues for users during that time and was not subsequently changed. o Department staff did not update its rules for Connecting Colorado account management non-compliance area to reflect Security Policy changes. Specifically, we noted that OIT introduced the specific account management requirements in its Security Policies in February 2015, and those requirements remained constant through the March 2022 version; however, Department staff did not have a process in place to ensure periodic reviews of OIT?s Security Policies occurred and Department rules for the workforce centers appropriately aligned with any Security Policy changes. In addition, Department staff did not have a process in place to ensure its external IT service providers were complying with contract provisions to comply with Security Policy requirements. o Department staff stated they have not found cause to mandate IT service provider actions that are deemed privately owned business methodologies. However, and as noted above, the Department?s contract states that the external IT service provider must comply with OIT?s Security Policies that require specific security safeguards to be implemented by all IT service providers, including the Connecting Colorado external IT service provider. Why do these problems matter? The lack of established IT policies and procedures make it difficult for Department management to measure and hold staff accountable to management?s expectations, as well as ensuring risks are addressed and overall objectives and missions are fulfilled. In turn, without policies and procedures, staff may not perform processes and controls in a consistent manner. In addition, without holding vendors accountable and ensuring that strong security measures are designed, implemented, and operating effectively, the risk of unauthorized access increases and ultimately impacts data reliability of the data stored and processed within MyUI+ and Connecting Colorado. Lastly, without having a strong internal control framework in place, management cannot ensure that state and federal funds are being used appropriately, which may impact the Department?s compliance with federal grant requirements and/or the accuracy of the Department?s federal and financial reporting. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-072 The Department of Labor and Employment (Department) should improve its overall Information Technology (IT) governance and information security IT general controls, and work with its IT service providers, as applicable, for the MyUI+ and Connecting Colorado information systems by: A. Formalizing and communicating to Department staff and the Department?s IT service providers? IT policies that comply with the Business Owner requirements listed within the Governor?s Office of Information Technology?s (OIT) March 2022 Colorado Information Security Policies (Security Policies). As an option, the Department could formally adopt the October 2021 Security Policies, identify any gaps between the October 2021 and March 2022 versions, and then formalize and communicate policies that address the identified gaps. B. Formalizing and communicating IT procedures to provide guidance to Department staff and the Department?s IT service providers performing IT general control activities that further address the IT policies formalized in recommendation Part A. The formalization and communication should include an organizationally defined, periodic review process of OIT?s Security Policies to ensure the Department?s IT policies, procedures, and rules are updated accordingly to align with the most current version of the Security Policies. C. Formalizing a vendor management process that ensures the Department?s IT service providers are held accountable to contract provisions requiring compliance with Colorado Information Security Policies and IT policies and procedures formalized in recommendation Parts A and B. This should include a review of the Department?s current external IT service providers? contracts and a determination of whether amendments to those contracts are necessary, based on the formalization of recommendation Parts A and B. D. Implementing recommendation Part D as noted in the confidential finding. E. Implementing recommendation Part E as noted in the confidential finding. Response Department of Labor and Employment A. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. B. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. C. Agree Implementation Date: December 2023 CDLE agrees with the recommendation and as part of A and B recommendations of this document, the Department will include a requirement from vendors to affirm they have reviewed and will comply with OIT security policies for all new contracts. Furthermore, as the Department becomes aware of changes to OIT Security Policies through its annual review process, these will be communicated to the vendors, and they will be required to reaffirm their compliance with any applicable changes. We will work with our current vendors for MyUI+ and Connecting Colorado to address the compliance issues noted in the audit and ensure they are compliant with OIT Security Policies and IT policies developed in part A and B of this recommendation. If non-compliance is determined to be unavoidable, the Department will file for a security exception with OIT. D. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part D as noted in the confidential finding. E. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part E as noted in the confidential finding.
Finding 2022-072 MyUI+ and Connecting Colorado?Information Security Government Auditing Standards allow for information that is considered sensitive in nature, such as detailed information related to information technology system security, to be issued through a separate ?classified or limited use? report because of the potential damage that could be caused by the misuse of this information. We consider the specific technical details of this finding, along with the response, to be sensitive in nature and not appropriate for public disclosure. Therefore, the details of the following finding and response have been provided to the Department in a separate, confidential memorandum. The Department administers the federal Unemployment Insurance and Employment Service Cluster programs, and the Department relies on IT systems to aid with determining applicants? eligibility for the programs and to provide information necessary to meet federal reporting requirements. For these two programs, the associated systems are MyUI+ and Connecting Colorado. The Department is the business owner and works with the Governor?s Office of Information Technology (OIT) and two different external IT service providers. High level descriptions of the two systems are as follows: ? MyUI+ ? The Department?s system for UI eligibility determinations and calculation of UI payments to eligible recipients. According to Department staff, starting in Fiscal Year 2023, MyUI+ will also provide data necessary for federal reporting to the U.S. Department of Labor for the UI program that was previously generated by the Colorado Labor and Employment Accounting Resource system. ? Connecting Colorado ? The Department?s workforce case management, labor exchange, and federal reporting system that supports the Employment Service Cluster program. The system provides services for job seekers and businesses, as well as provides all required federal reporting to the U.S. Department of Labor, for the Employment Service Cluster programs. In order for the Department to achieve its objectives and respond to risks, including those related to the federal programs it administers, management should establish a strong framework of internal controls that also address information system controls. Specifically, information system controls typically start with management documenting IT policies that address IT general control responsibilities and procedures that document the more granular details on how to implement Department policies. These IT general control policies and procedures should include those policies and procedures that are specific to information security. Once policies and procedures have been formalized and communicated to staff responsible, specific internal control activities can be implemented and operationalized. What was the purpose of our audit work and what work was performed? The purpose of our Fiscal Year 2022 audit work was to determine whether the Department, OIT, and the Department?s two external IT service providers for MyUI+ and Connecting Colorado had policies and procedures related to information security, designed and implemented for MyUI+ and Connecting Colorado. Our audit work was performed through interviews conducted of Department and OIT staff. What problems did the audit work identify and how were the results of the audit work measured? During Fiscal Year 2022, we identified information security problems with the MyUI+ and Connecting Colorado systems. We have grouped these problems first by those common to the two systems and then those unique to each system. MyUI+ and Connecting Colorado Common Problems ? Policies and procedures were lacking. Department management had not established its expectations through the development and implementation of formalized policies and procedures related to information security general controls for MyUI+ and Connecting Colorado. o Standards for Internal Control in the Federal Government (Green Book) published by the U.S. Government Accountability Office (GAO) states in Paragraph 3.09, Documentation of Internal Control System, and 12.02, Documentation of Responsibilities through Policies, that management should develop and maintain documentation of its internal control system and document in policies the internal control responsibilities of the organization. Paragraph 11.06 and 11.07, Design Appropriate Types of Control Activities, states that management should design appropriate types of control activities in the entity?s information system, including information system general controls that facilitate the proper operation of the entity?s systems. o Colorado Information Security Policies (Security Policies or CISP) that are developed, published, and required to be followed by the Department and its external IT service providers state within the Policy and the General Responsibilities sections, specifically 8.3.1 and 8.3.2 for Business Owners or the Department, that all agencies, except for the institutions of higher education and the general assembly, as the business owner, must implement governance principles, which would include IT policies and procedures, for promoting data quality and integrity for its systems, as the business owner, and is responsible for following and adhering to all identified business owner requirements, as stated within the Security Policies. ? Vendor oversight was lacking. The Department had not ensured its IT service providers complied with Security Policies. o Security Policies state that IT service providers?defined as OIT and/or external service providers?must follow the Security Policy requirements, among certain other requirements, as communicated to the Department within the confidential finding. o Section C.iii. (Legal Authority ? Contractor Signatory, Information Technology Specific) of the Department?s contract with the Connecting Colorado IT service provider states: ??the contractor warrants that it will at all times comply with all Security Policies.? o Exhibit C, Section 1.C.vi. (Information Technology Provisions, Protection of System Data) of the Department?s contract with the MyUI+ IT service provider states: ??the contractor shall comply with all rules, policies, procedures, and standards issued by the Governor?s Office of Information Technology.? o The Green Book states in Paragraph OV4.01, Service Organizations, that management retains responsibility for the performance of processes assigned to service organizations. MyUI+ and Connecting Colorado Unique Problems We also found other problems with access management, unique to each MyUI+ and Connecting Colorado, that lacked compliance with Security Policies, OIT Cyber Policies, and the IRS?s, Publication 1075, Tax Information Security Guidelines for Federal, State, and Local Agencies, November 2021 Revision, and were communicated through the confidential finding. Why did these problems occur? Overall, the Department did not have sufficient IT governance and information security internal controls in place, including policies and procedures, to ensure that Department staff and its IT service providers complied with various data security compliance requirements set forth by OIT and the IRS, as well as those internal control principles established within the Green Book?s internal control framework. We discuss other specific causes for the problems we identified below: MyUI+ and Connecting Colorado ? Policies and procedures were lacking (MyUI+). Department staff stated that they followed and complied with the October 2021 dated Security Policies for the entire fiscal year, as these were more stringent than the March 2022 dated Security Policies. However, the Department did not provide documentation of a formal adoption of the October 2021 dated Security Policies. Staff also stated it maintains informal procedures of how to perform certain access management processes, but no standard operating procedures were in place. ? Policies and procedures were lacking (Connecting Colorado). Department staff had released a program guidance letter that addressed data security and access, but staff acknowledged that these program guidance letters are a guide and not official policy statements. In addition, the program guidance letter provided by Department staff was directed to the workforce centers that are located across the state that provide employment services to eligible beneficiaries and, therefore, did not provide any data security or access policies and procedures for state staff. ? Vendor oversight was lacking. We determined the Department did not have a vendor management process in place to hold its IT service providers accountable for contract provisions that required the IT service providers to comply with Security Policies, as demonstrated by the noncompliance issues we identified. In addition, and based on the March 2022 Security Policies, the Department has not determined whether contract amendments may be necessary with its two external IT service providers. ? Other Access Management Non-Compliance: o Department staff indicated that in one instance of non-compliance identified, a more efficient process was to not comply with the requirement. o Department staff stated that the certain access management non-compliance area was set up as it was during the COVID-19 pandemic to help prevent backlogs and issues for users during that time and was not subsequently changed. o Department staff did not update its rules for Connecting Colorado account management non-compliance area to reflect Security Policy changes. Specifically, we noted that OIT introduced the specific account management requirements in its Security Policies in February 2015, and those requirements remained constant through the March 2022 version; however, Department staff did not have a process in place to ensure periodic reviews of OIT?s Security Policies occurred and Department rules for the workforce centers appropriately aligned with any Security Policy changes. In addition, Department staff did not have a process in place to ensure its external IT service providers were complying with contract provisions to comply with Security Policy requirements. o Department staff stated they have not found cause to mandate IT service provider actions that are deemed privately owned business methodologies. However, and as noted above, the Department?s contract states that the external IT service provider must comply with OIT?s Security Policies that require specific security safeguards to be implemented by all IT service providers, including the Connecting Colorado external IT service provider. Why do these problems matter? The lack of established IT policies and procedures make it difficult for Department management to measure and hold staff accountable to management?s expectations, as well as ensuring risks are addressed and overall objectives and missions are fulfilled. In turn, without policies and procedures, staff may not perform processes and controls in a consistent manner. In addition, without holding vendors accountable and ensuring that strong security measures are designed, implemented, and operating effectively, the risk of unauthorized access increases and ultimately impacts data reliability of the data stored and processed within MyUI+ and Connecting Colorado. Lastly, without having a strong internal control framework in place, management cannot ensure that state and federal funds are being used appropriately, which may impact the Department?s compliance with federal grant requirements and/or the accuracy of the Department?s federal and financial reporting. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-072 The Department of Labor and Employment (Department) should improve its overall Information Technology (IT) governance and information security IT general controls, and work with its IT service providers, as applicable, for the MyUI+ and Connecting Colorado information systems by: A. Formalizing and communicating to Department staff and the Department?s IT service providers? IT policies that comply with the Business Owner requirements listed within the Governor?s Office of Information Technology?s (OIT) March 2022 Colorado Information Security Policies (Security Policies). As an option, the Department could formally adopt the October 2021 Security Policies, identify any gaps between the October 2021 and March 2022 versions, and then formalize and communicate policies that address the identified gaps. B. Formalizing and communicating IT procedures to provide guidance to Department staff and the Department?s IT service providers performing IT general control activities that further address the IT policies formalized in recommendation Part A. The formalization and communication should include an organizationally defined, periodic review process of OIT?s Security Policies to ensure the Department?s IT policies, procedures, and rules are updated accordingly to align with the most current version of the Security Policies. C. Formalizing a vendor management process that ensures the Department?s IT service providers are held accountable to contract provisions requiring compliance with Colorado Information Security Policies and IT policies and procedures formalized in recommendation Parts A and B. This should include a review of the Department?s current external IT service providers? contracts and a determination of whether amendments to those contracts are necessary, based on the formalization of recommendation Parts A and B. D. Implementing recommendation Part D as noted in the confidential finding. E. Implementing recommendation Part E as noted in the confidential finding. Response Department of Labor and Employment A. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. B. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. C. Agree Implementation Date: December 2023 CDLE agrees with the recommendation and as part of A and B recommendations of this document, the Department will include a requirement from vendors to affirm they have reviewed and will comply with OIT security policies for all new contracts. Furthermore, as the Department becomes aware of changes to OIT Security Policies through its annual review process, these will be communicated to the vendors, and they will be required to reaffirm their compliance with any applicable changes. We will work with our current vendors for MyUI+ and Connecting Colorado to address the compliance issues noted in the audit and ensure they are compliant with OIT Security Policies and IT policies developed in part A and B of this recommendation. If non-compliance is determined to be unavoidable, the Department will file for a security exception with OIT. D. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part D as noted in the confidential finding. E. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part E as noted in the confidential finding.
Finding 2022-072 MyUI+ and Connecting Colorado?Information Security Government Auditing Standards allow for information that is considered sensitive in nature, such as detailed information related to information technology system security, to be issued through a separate ?classified or limited use? report because of the potential damage that could be caused by the misuse of this information. We consider the specific technical details of this finding, along with the response, to be sensitive in nature and not appropriate for public disclosure. Therefore, the details of the following finding and response have been provided to the Department in a separate, confidential memorandum. The Department administers the federal Unemployment Insurance and Employment Service Cluster programs, and the Department relies on IT systems to aid with determining applicants? eligibility for the programs and to provide information necessary to meet federal reporting requirements. For these two programs, the associated systems are MyUI+ and Connecting Colorado. The Department is the business owner and works with the Governor?s Office of Information Technology (OIT) and two different external IT service providers. High level descriptions of the two systems are as follows: ? MyUI+ ? The Department?s system for UI eligibility determinations and calculation of UI payments to eligible recipients. According to Department staff, starting in Fiscal Year 2023, MyUI+ will also provide data necessary for federal reporting to the U.S. Department of Labor for the UI program that was previously generated by the Colorado Labor and Employment Accounting Resource system. ? Connecting Colorado ? The Department?s workforce case management, labor exchange, and federal reporting system that supports the Employment Service Cluster program. The system provides services for job seekers and businesses, as well as provides all required federal reporting to the U.S. Department of Labor, for the Employment Service Cluster programs. In order for the Department to achieve its objectives and respond to risks, including those related to the federal programs it administers, management should establish a strong framework of internal controls that also address information system controls. Specifically, information system controls typically start with management documenting IT policies that address IT general control responsibilities and procedures that document the more granular details on how to implement Department policies. These IT general control policies and procedures should include those policies and procedures that are specific to information security. Once policies and procedures have been formalized and communicated to staff responsible, specific internal control activities can be implemented and operationalized. What was the purpose of our audit work and what work was performed? The purpose of our Fiscal Year 2022 audit work was to determine whether the Department, OIT, and the Department?s two external IT service providers for MyUI+ and Connecting Colorado had policies and procedures related to information security, designed and implemented for MyUI+ and Connecting Colorado. Our audit work was performed through interviews conducted of Department and OIT staff. What problems did the audit work identify and how were the results of the audit work measured? During Fiscal Year 2022, we identified information security problems with the MyUI+ and Connecting Colorado systems. We have grouped these problems first by those common to the two systems and then those unique to each system. MyUI+ and Connecting Colorado Common Problems ? Policies and procedures were lacking. Department management had not established its expectations through the development and implementation of formalized policies and procedures related to information security general controls for MyUI+ and Connecting Colorado. o Standards for Internal Control in the Federal Government (Green Book) published by the U.S. Government Accountability Office (GAO) states in Paragraph 3.09, Documentation of Internal Control System, and 12.02, Documentation of Responsibilities through Policies, that management should develop and maintain documentation of its internal control system and document in policies the internal control responsibilities of the organization. Paragraph 11.06 and 11.07, Design Appropriate Types of Control Activities, states that management should design appropriate types of control activities in the entity?s information system, including information system general controls that facilitate the proper operation of the entity?s systems. o Colorado Information Security Policies (Security Policies or CISP) that are developed, published, and required to be followed by the Department and its external IT service providers state within the Policy and the General Responsibilities sections, specifically 8.3.1 and 8.3.2 for Business Owners or the Department, that all agencies, except for the institutions of higher education and the general assembly, as the business owner, must implement governance principles, which would include IT policies and procedures, for promoting data quality and integrity for its systems, as the business owner, and is responsible for following and adhering to all identified business owner requirements, as stated within the Security Policies. ? Vendor oversight was lacking. The Department had not ensured its IT service providers complied with Security Policies. o Security Policies state that IT service providers?defined as OIT and/or external service providers?must follow the Security Policy requirements, among certain other requirements, as communicated to the Department within the confidential finding. o Section C.iii. (Legal Authority ? Contractor Signatory, Information Technology Specific) of the Department?s contract with the Connecting Colorado IT service provider states: ??the contractor warrants that it will at all times comply with all Security Policies.? o Exhibit C, Section 1.C.vi. (Information Technology Provisions, Protection of System Data) of the Department?s contract with the MyUI+ IT service provider states: ??the contractor shall comply with all rules, policies, procedures, and standards issued by the Governor?s Office of Information Technology.? o The Green Book states in Paragraph OV4.01, Service Organizations, that management retains responsibility for the performance of processes assigned to service organizations. MyUI+ and Connecting Colorado Unique Problems We also found other problems with access management, unique to each MyUI+ and Connecting Colorado, that lacked compliance with Security Policies, OIT Cyber Policies, and the IRS?s, Publication 1075, Tax Information Security Guidelines for Federal, State, and Local Agencies, November 2021 Revision, and were communicated through the confidential finding. Why did these problems occur? Overall, the Department did not have sufficient IT governance and information security internal controls in place, including policies and procedures, to ensure that Department staff and its IT service providers complied with various data security compliance requirements set forth by OIT and the IRS, as well as those internal control principles established within the Green Book?s internal control framework. We discuss other specific causes for the problems we identified below: MyUI+ and Connecting Colorado ? Policies and procedures were lacking (MyUI+). Department staff stated that they followed and complied with the October 2021 dated Security Policies for the entire fiscal year, as these were more stringent than the March 2022 dated Security Policies. However, the Department did not provide documentation of a formal adoption of the October 2021 dated Security Policies. Staff also stated it maintains informal procedures of how to perform certain access management processes, but no standard operating procedures were in place. ? Policies and procedures were lacking (Connecting Colorado). Department staff had released a program guidance letter that addressed data security and access, but staff acknowledged that these program guidance letters are a guide and not official policy statements. In addition, the program guidance letter provided by Department staff was directed to the workforce centers that are located across the state that provide employment services to eligible beneficiaries and, therefore, did not provide any data security or access policies and procedures for state staff. ? Vendor oversight was lacking. We determined the Department did not have a vendor management process in place to hold its IT service providers accountable for contract provisions that required the IT service providers to comply with Security Policies, as demonstrated by the noncompliance issues we identified. In addition, and based on the March 2022 Security Policies, the Department has not determined whether contract amendments may be necessary with its two external IT service providers. ? Other Access Management Non-Compliance: o Department staff indicated that in one instance of non-compliance identified, a more efficient process was to not comply with the requirement. o Department staff stated that the certain access management non-compliance area was set up as it was during the COVID-19 pandemic to help prevent backlogs and issues for users during that time and was not subsequently changed. o Department staff did not update its rules for Connecting Colorado account management non-compliance area to reflect Security Policy changes. Specifically, we noted that OIT introduced the specific account management requirements in its Security Policies in February 2015, and those requirements remained constant through the March 2022 version; however, Department staff did not have a process in place to ensure periodic reviews of OIT?s Security Policies occurred and Department rules for the workforce centers appropriately aligned with any Security Policy changes. In addition, Department staff did not have a process in place to ensure its external IT service providers were complying with contract provisions to comply with Security Policy requirements. o Department staff stated they have not found cause to mandate IT service provider actions that are deemed privately owned business methodologies. However, and as noted above, the Department?s contract states that the external IT service provider must comply with OIT?s Security Policies that require specific security safeguards to be implemented by all IT service providers, including the Connecting Colorado external IT service provider. Why do these problems matter? The lack of established IT policies and procedures make it difficult for Department management to measure and hold staff accountable to management?s expectations, as well as ensuring risks are addressed and overall objectives and missions are fulfilled. In turn, without policies and procedures, staff may not perform processes and controls in a consistent manner. In addition, without holding vendors accountable and ensuring that strong security measures are designed, implemented, and operating effectively, the risk of unauthorized access increases and ultimately impacts data reliability of the data stored and processed within MyUI+ and Connecting Colorado. Lastly, without having a strong internal control framework in place, management cannot ensure that state and federal funds are being used appropriately, which may impact the Department?s compliance with federal grant requirements and/or the accuracy of the Department?s federal and financial reporting. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-072 The Department of Labor and Employment (Department) should improve its overall Information Technology (IT) governance and information security IT general controls, and work with its IT service providers, as applicable, for the MyUI+ and Connecting Colorado information systems by: A. Formalizing and communicating to Department staff and the Department?s IT service providers? IT policies that comply with the Business Owner requirements listed within the Governor?s Office of Information Technology?s (OIT) March 2022 Colorado Information Security Policies (Security Policies). As an option, the Department could formally adopt the October 2021 Security Policies, identify any gaps between the October 2021 and March 2022 versions, and then formalize and communicate policies that address the identified gaps. B. Formalizing and communicating IT procedures to provide guidance to Department staff and the Department?s IT service providers performing IT general control activities that further address the IT policies formalized in recommendation Part A. The formalization and communication should include an organizationally defined, periodic review process of OIT?s Security Policies to ensure the Department?s IT policies, procedures, and rules are updated accordingly to align with the most current version of the Security Policies. C. Formalizing a vendor management process that ensures the Department?s IT service providers are held accountable to contract provisions requiring compliance with Colorado Information Security Policies and IT policies and procedures formalized in recommendation Parts A and B. This should include a review of the Department?s current external IT service providers? contracts and a determination of whether amendments to those contracts are necessary, based on the formalization of recommendation Parts A and B. D. Implementing recommendation Part D as noted in the confidential finding. E. Implementing recommendation Part E as noted in the confidential finding. Response Department of Labor and Employment A. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. B. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. C. Agree Implementation Date: December 2023 CDLE agrees with the recommendation and as part of A and B recommendations of this document, the Department will include a requirement from vendors to affirm they have reviewed and will comply with OIT security policies for all new contracts. Furthermore, as the Department becomes aware of changes to OIT Security Policies through its annual review process, these will be communicated to the vendors, and they will be required to reaffirm their compliance with any applicable changes. We will work with our current vendors for MyUI+ and Connecting Colorado to address the compliance issues noted in the audit and ensure they are compliant with OIT Security Policies and IT policies developed in part A and B of this recommendation. If non-compliance is determined to be unavoidable, the Department will file for a security exception with OIT. D. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part D as noted in the confidential finding. E. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part E as noted in the confidential finding.
Finding 2022-074 Coronavirus Relief Funds?Property Owner Preservation Program The President of the United States issued the Proclamation on Declaring a National Emergency Concerning the Novel Coronavirus Disease (COVID-19) Outbreak on March 13, 2020 and Congress subsequently passed the Coronavirus Aid, Relief, and Economic Security (CARES) Act. The CARES Act provided emergency assistance in response to the COVID-19 pandemic and established the Coronavirus Relief Fund (CRF) program, which provided payments to state, local, and tribal governments navigating the impact of COVID-19. The State of Colorado received approximately $1.67 billion of CRF funds in April 2020, and the Governor issued Executive Order 2020-070 (Executive Order) in May 2020 to disburse the CRF funds to numerous state departments and agencies. In June 2020, the State passed House Bill 20-1410, concerning assistance for individuals facing a housing-related hardship due to the COVID-19 pandemic, and transferred approximately $19.7 million of CRF funds to the Housing Development Grant Fund to provide such assistance. This bill includes a provision for the Property Owners Preservation Program (Program), which was managed by the Department, to allow landlords and property owners to seek rental assistance on behalf of their tenants who experienced a financial need on or after March 1, 2020, due to the effects of the COVID-19 pandemic. In Fiscal Year 2021, the Department expended the $19.7 million of the CRF funds it received in April 2020, for the Property Owners Preservation Program (POPP). What was the purpose of our audit work and what work was performed? The purpose of the audit work was to follow up on our prior year audit recommendation, which recommended that the Department implement internal controls to ensure it complies with federal regulations for any new federal funds it receives, such as the CRF. The Department planned to implement this recommendation by June 2022. During the Fiscal Year 2022 audit, we inquired with the Department on the implementation status of this recommendation. We also obtained and reviewed the Department?s Exhibit K3, Schedule of Prior Year Audit Recommendation Status, which it was required to submit to the State Controller. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Under House Bill 20-1410, the Housing Development Grant Fund was appropriated $19,650,000 of funds from the CRF for the purpose of providing individuals and households who, on or after March 1, 2020, experienced financial need due to the COVID-19 pandemic or effects of the COVID-19 pandemic, with rental assistance. The House Bill also provided guidance on how to access additional housing services. The Department developed and issued a new application for the POPP to address the criteria for experiencing direct or indirect impacts of the COVID-19 pandemic. ? Federal regulations [2 CFR 200.303] require that the Department, as a federal grant recipient, ?establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.? Furthermore, in accordance with 2 CFR part 200, subpart E, the Department must determine that amounts paid with federal grant funds were necessary and reasonable for the performance of the federal award and are adequately documented. Therefore, the Department must maintain appropriate supporting documentation to verify costs were properly charged to the federal grants. ? The Office of the State Controller (OSC) requires each department that had a prior audit recommendation that was reported in the prior fiscal year?s Office of the State Auditor Statewide audit to complete an Exhibit K3 to report the Department?s determination of the status of their recommendation as of June 30. Possible status descriptions include ?Implemented,? ?Partially Implemented,? ?Not Implemented,? and ?No Longer Valid.? The Department must provide an explanation for each recommendation status. What problem did the audit work identify? We determined that the Department did not implement the prior year?s recommendation by its planned implementation date of June 2022. Specifically, during prior year audit work, we found that the Department could not provide appropriate underlying support for 4 of the 60 transactions (7 percent) we tested that were charged as CRF expenditures for the Program; as a result, we recommended that the Department strengthen its internal controls over federal grant spending, including that it develop and implement policies and procedures with a requirement that Department staff review and maintain records supporting its expenditures charged to federal programs. When we inquired of the Department about what steps it had taken to implement the recommendation, Department staff indicated that they did not implement the recommendation during Fiscal Year 2022. Why did this problem occur? The Department reported on its Exhibit K3 that it determined that the original implementation date of June 2022 that the Department provided as its planned implementation date for our Fiscal Year 2021 recommendation was unrealistic, given the Department?s staffing challenges. Specifically, the Department indicated that it was not able to allocate sufficient time to develop and implement the recommended policy and procedure guidance by the end of Fiscal Year 2022. Why does this problem matter? The Department?s lack of sufficient internal controls over the maintenance of complete and accurate records for the federal CRF monies could result in inadequate documentation to support its payments and ultimately, disallowed federal costs and potential sanctions. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-074 The Department of Local Affairs (Department) should implement internal controls to ensure it complies with federal regulations, specifically for activities allowed or unallowed and allowable costs/cost principles, for any new federal funds it receives, such as the Coronavirus Relief Fund. This should include developing and implementing policies and procedures that include a requirement that Department staff review and maintain records supporting the expenditures charged to the federal program. Response Department of Local Affairs Agree Implementation Date: September 2022 The Division of Housing within the Department of Local Affairs has implemented internal controls to ensure compliance with federal regulations for new federal funds, including the development of a standard procedure and the requirement that Department staff review and maintain records supporting the expenditures charged to new federal programs.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-059 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF I) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund (Assistance Listing No. 84.425). The HEERF program contains two portions: the Student Aid portion (Assistance Listing No. 84.425E) and the Institutional portion, which is made up of the following: HEERF Institutional Aid Portion (Assistance Listing No. 84.425F), HEERF Minority Serving Institutions (Assistance Listing No. 84.425L), HEERF Strengthening Institutions Program (Assistance Listing No. 84.425M), Institutional Resilience and Expanded Postsecondary Opportunity (Assistance Listing No. 84.425P), and HEERF Supplemental Assistance to Institutions of Higher Education program (Assistance Listing No. 84.425S). Amounts provided to students through HEERF are considered to be ?Emergency Financial Aid Grants to Students? under the Program. Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent approximately $97.8 million for the HEERF program Student Aid portion which is used to award Emergency Financial Aid Grants to students and $113.9 million for the HEERF Institutional Portion, which is used to support the colleges. $117.3 of this amount was expended by the System during Fiscal Year 2022. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the ED to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The annual report is to be submitted directly to the ED. The ED has specified certain criteria that must be included in each report. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System had adequate internal controls in place over, and complied with, the HEERF Institutional and Student Aid grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the System?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 25 of the 117 HEERF reports submitted by the System?s campuses during Fiscal Year 2022 to determine whether the reports were posted on each campus? primary website (quarterly reports) or submitted to ED (annual reports) by the federal due dates. Furthermore, for the Student Aid Quarterly Report we requested from each Campus the underlying support for the reports, which consisted of student data detailing how much aid was awarded and the methods the campuses used to determine which students would receive Emergency Financial Aid Grants. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? On May 13, 2021, the ED published in the Federal Register a notice for student aid public reporting under CRRSAA and ARP, which requires that institutions publicly post certain information on their website. The following information must appear in a format and location that is easily accessible to the public: o An acknowledgement that the institution signed and returned to the ED the Certification and Agreement and the assurance that the institution has used the applicable amount of funds designated under the CRRSAA and ARP programs to provide Emergency Financial Aid Grants to Students. o The total amount of funds that the institution will receive or has received from the ED pursuant to the institution's Certification and Agreement for Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total amount of Emergency Financial Aid Grants distributed to students under the CRRSAA and ARP programs as of the date of submission (i.e., as of the initial report and every calendar quarter thereafter). o The estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total number of students who have received an Emergency Financial Aid Grant to students under the CRRSAA and ARP programs. o The method(s) used by the institution to determine which students receive Emergency Financial Aid Grants and how much they would receive under the CRRSAA and ARP programs. o Any instructions, directions, or guidance provided by the institution to students concerning the Emergency Financial Aid Grants. ? Federal Uniform Guidance [2 CFR 200.303] requires that recipients of federal awards have internal controls in place to ensure that federal reports are accurate and report complete information. Appropriate supporting documentation is evidence of such internal controls. What problems did the audit work identify? We identified issues with 5 of the 25 Fiscal Year 2022 reports we tested (20 percent). Specifically, Front Range Community College (FRCC), Pueblo Community College (PCC), and Lamar Community College (LCC) could not provide appropriate supporting documentation for one or more of the following data elements in five of the Student Aid Quarterly Reports: student data detailing (a) the total amount of Emergency Financial Aid Grants distributed to students, (b) the total number of students eligible to receive Emergency Financial Aid Grants and/or (c) the total number of students at the institution who have received an Emergency Financial Aid Grant. The specific issues we found the following: ? FRCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended September 30, 2021 as 20,684; based on our review, we determined the supported number was 20,782. ? FRCC reported the total number of students at the institution who have received an Emergency Financial Aid Grant for the quarter ended June 30, 2022 as 20,385 (student portion) and 3,207 (institutional portion); based on our review, we determined the supported numbers were 20,401 and 3,222, respectively. ? LCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended June 30, 2022 as 1,007; based on our review, we determined the supported number was 1,034. In addition, the amount disbursed directly to student emergency financial aid grants to date was reported as 961 and total for all HEERF funds was 1,124; based on our review, we determined the supported numbers were 988 and 1,151, respectively. ? PCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarters ending September 30, 2021 and December 31, 2021 as 3,191; based on our review, we determined this amount could not be supported and PCC did not provide a revised count. Why did these problems occur? FRCC, PCC, and LCC campuses did not have procedures in place to ensure that supporting documentation was maintained for its Student Aid Quarterly Reporting. Employee turnover in the FRCC Controller position and FRCC, PCC, and LCC Student Financial Aid Director positions further contributed to FRCC, PCC, and LCC?s inability to locate or recreate the supporting documentation. Why do these problems matter? It is important for FRCC, PCC, and LCC to ensure that they obtain and maintain appropriate documentation to support amounts reported to federal awarding agencies, especially when they are the basis for determining FRCC, PCC, and LCC?s compliance with specific federal program requirements. This issue could lead to inaccurate federal reporting and potential noncompliance, which could result in the federal government requiring FRCC, PCC, and LCC to return funds or a negative impact to the System?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-059 Front Range Community College, Lamar Community College, and Pueblo Community College campuses should strengthen their internal controls over federal reporting and ensure they comply with the Higher Education Emergency Relief Fund reporting requirements by reviewing reports for accuracy and developing procedures for ensuring the required maintenance of all related supporting documentation. Response Front Range Community College Agree Implementation Date: September 2022 Moving forward the Director of Financial Aid will engage the Restricted Funds Accountants in a quality assurance review of both dollars spent, type of fund, and student counts before it is submitted for final review and publishing by the Director of Resource Development and Senior Grant Administrator. The most recently submitted information for the quarterly report of September 30, 2022 will be sent to the Restricted Funds Accountants to validate that FRCC has been and will continue to be in compliance for quarterly HEERF reporting. Response Lamar Community College Agree Implementation Date: July 2022 The Financial Aid Director and the Controller will compile their reporting support on the shared drive they utilize for other routine purposes as well, to ensure clear documentation of the numbers reported. The original report containing errors was corrected, validated, and reposted. All past year?s reporting data was made available on the shared drive as of July 2022. Response Pueblo Community College Agree Implementation Date: October 2022 Each quarter Financial aid will obtain and compare Cognos and Banner disbursement reports for accuracy. Once the unduplicated student count is determined it will be sent to the Vice President of Student Success to validate and approve going forward. Financial aid will ensure staff maintain supporting documentation for any institutional expenditures information that was obtained from the fiscal office. Disbursement and expenditure data will be compiled for the Department of Education?s Quarterly Report by the submission deadline and will be submitted as PDF to webmaster for posting on PCC?s website and a copy emailed to a contact at the Department of Education and will archive the submission for future reference.
Finding 2022-062 Higher Education Emergency Relief Fund Student Aid Finding The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to higher education institutions, including the University, under the HEERF program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA) was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. Since March 11, 2021, the University has been awarded $45.6 million in HEERF grant funds through the American Rescue Plan (ARP), otherwise known as HEERF III. Of this award, the University was provided both 1) Student Aid monies, along with 2) Institutional Aid monies. Student Aid monies must be used to provide financial aid grants to students (including students exclusively enrolled in distance education), which may be used for ?any component of the student?s cost of attendance or for emergency costs that arise due to coronavirus, such as tuition, food, housing, healthcare (including mental health care), or childcare. Institutional Aid monies may be used to defray expenses associated with coronavirus (including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll) and to make additional financial grants to students. During Fiscal Year 2022, the University spent $21.0 million for the Student Aid portion and $20.2 million for the Institutional portion of HEERF III funds. For the Student Aid portion of the HEERF III funding, the University divided the funding into different groups. The University developed a written plan (that applied during Fiscal Year 2022) for each group and a control process for awarding the monies to students. One of the groups of funding was to be awarded to students with unpaid balances in their tuition or auxiliary accounts with past due balances incurred during the 2020-2021 or 2021-2022 academic years. A team of University employees (CARES Team) was tasked with identifying those students, then contacting those students and asking if they would like the University to apply the student?s HEERF award to pay down the student?s account balance or pay it to the student directly. Once the student informed the University of their election, then the University awarded and disbursed the funds. What was the purpose of our audit work and what was performed? The purpose of the audit work was to determine whether the University was in compliance with the HEERF program regulations for awarding and paying the Student Aid portion of the HEERF funding, and whether proper controls were in place over the program during Fiscal Year 2022. Our testing included conducting interviews with management and selecting a sample of 60 disbursements made to students during Fiscal Year 2022 to test controls and compliance. We performed testing on the 60 disbursements to determine whether awards and disbursements were made in accordance with the University?s documented plan. How were the results of the audit work measured? In accordance with HEERF III requirements, the University must prioritize student aid distributions to students with exceptional needs. In addition, the University must have a documented plan to distribute funds to students. Federal regulations [2 CFR 200.303] require any non-federal grant award recipient to establish and maintain effective internal control over the federal award that provides reasonable assurance that the grant award recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. Lastly, student aid application best practices discourage employees from awarding aid to family members. What problem did the audit work identify? Based on interviews with University management, the University identified that a University employee inappropriately provided $700 in HEERF Student Aid funding to the employee?s family member who was a student at the University but was not eligible to receive the funds. Specifically, the CARES Team selected students to receive these funds that met the following criteria: 1) Student was enrolled in the Fall of 2021 or Spring 2022, 2) student had past due balances incurred during the 2020-2021 or 2021-2022 academic years, 3) the student was in good academic standing, and 4) they were participating in a payment plan or in the College Completion Advising program. The student was not selected by the CARES Team as eligible to receive these funds. During our testing of additional 60 student disbursement transactions we found no other exceptions. Why did this problem occur? The University has not established proper segregation of duties to prevent University employees from awarding federal funding to a member of their family. Specifically, the employee had access rights within the University?s financial aid system that granted the employee the ability to both award and disburse federal funds without another employee reviewing or approving. In addition, the University did not have a written policy, as recommended by industry best practices, that prohibits employees from applying aid to family members? accounts. Why does this problem matter? Federal funds that are misapplied or used for unallowable purposes could be subject to repayment from the University to the federal granting agency. Without ensuring adequate segregation of duties within the University?s financial aid system for awarding and disbursing federal funds, the University increases the risk that fraud could occur. In the instance identified, the University recovered the funding from the student. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-062 Metropolitan State University of Denver (University) should improve its internal controls over federal Higher Education Emergency Relief Funds by instituting appropriate segregation of duties over the awarding of federal funds to students. This should include requiring that no one employee can both award then disburse aid to students and developing and implementing a formal written policy that prohibits University employees from awarding financial aid to their family members. Response Metropolitan State University Agree Implementation Date: June 2023 In January 2023, the Executive Director of Financial Aid and Scholarships implemented a code of conduct that addresses and prohibits University personnel from awarding financial aid to their family members or other persons considered conflicts of interest. The Office of Financial Aid and Scholarships will draft policy by June 30, 2023, to address the segregation of duties that prohibits awarding and disbursing federal, state, or institutional funding to students by one employee.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Finding 2022-063 Higher Education Emergency Relief Fund Reporting Compliance Finding The CARES Act was signed into law on March 27, 2020, and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the (HEERF Program. CRRSAA was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Since April 2020, the University has been awarded a total of $86.3 million in HEERF funding. From inception through June 30, 2022, the University spent $35.4 million for the HEERF program Student Aid Portion and $48.9 million for the HEERF program Institutional Portion. The University reports that it will spend the remaining amount of funding during Fiscal Year 2023. The University signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate the University?s acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The ED specified that Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The annual report is to be submitted directly to the federal ED. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University had adequate internal controls in place over and complied with HEERF Institutional and Student Aid Portion grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the University?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 5 of the 8 HEERF reports submitted by the University during Fiscal Year 2022 to determine whether the reports were posted on the University?s primary website or submitted directly to the ED by the federal due dates and complied with federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? For the Student Aid Portion, beginning on May 6, 2020, the ED required institutions to publicly post certain information on their website, including the number of awards distributed to students, the total amount awarded, and the methodologies used by the institution to determine which students receive awards, no later than 30 days after the award date, and to update that information every 45 days thereafter (by posting a new report). ? On August 31, 2020, the ED revised the reporting requirement by decreasing the frequency of reporting after the initial 30-day period from every 45 days thereafter to every calendar quarter. This revision from every 45 days to a calendar quarter was effective for the first calendar quarter report due by October 10, 2020, and covering the period from after the institution?s last report through the end of the calendar quarter on September 30, 2020. ? For the Institutional Portion, a federal form filled out by the institution must be posted on the institution?s website covering aggregate expenditure amounts for each calendar quarter (September 30, December 31, March 31, and June 30) and concluding after an institution has spent the institutional portion of their HEERF Funds. The institution must post their first report by October 30, 2020, the first quarter of 2021 report by July 20, 2021, and post all other reports no later than 10 days after the end of each calendar quarter (October 10, January 10, April 10, and July 10). ? Section 18004(e) of the CARES Act and Section 314(e) of the CRRSAA require an institution receiving funds under HEERF to submit a report to the Secretary of the ED at ?such time in such a manner as the Secretary may require?. ? Federal regulation [2 CFR 200.334] states that ?financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.? The instructions for the Quarterly HEERF Reporting Form notes, ?any changes or updates after the initial posting must be conspicuously noted after initial posting and the date of the change must be noted in the `Date of Report? line.? ? Federal regulation [2 CFR 200.303] states that the University, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The University signed a HEERF Certification and Agreement to accept the funding and acknowledge its responsibilities under the grant; therefore, the University was responsible under the Agreement to ensure that it complied with HEERF reporting and other requirements. What problems did the audit work identify? We determined that 2 out of 5 reports tested (40 percent) did not meet the HEERF grant report posting requirements. Specifically: ? The University did not post the HEERF CRRSAA Student quarterly report for the quarter ending September 30, 2021 on the University?s primary website, as required. ? The University published the HEERF ARP Student quarterly report for the quarter ending March 31, 2022 on May 26, 2022?46 days past the due date of April 10, 2022. No issues were noted on the accuracy of the financial information on this report. Why did these problems occur? The University did not implement adequate internal controls to ensure it complied with the HEERF grant reporting requirements. Specifically, the University did not have appropriate policies and procedures in place to ensure that staff submit the required reports within federally required timeframes. Why do these problems matter? Federal oversight agencies, including ED, depend on accurate reports to measure program results and states? compliance with federal requirements. By failing to report the HEERF spending information in accordance with federal regulations, the University failed to comply with the requirements of the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-063 Metropolitan State University of Denver (University) should strengthen its internal controls over reporting and ensure it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by developing and documenting policies and procedures for identifying and researching the specific reporting requirements and ensuring that staff post to the University?s website the required reports within federally required timeframes. In addition, the University should ensure that all the HEERF reports that are currently required to be posted are on the website. Response Metropolitan State University Agree Implementation Date: December 2022 In December 2022, the Office of Financial Aid strengthened its internal control over the reporting requirements for the Higher Education Emergency Relief Fund (HEERF), by adding the report due dates to the internal operational calendar. Additional level reviews were also added to the submission process before the required reports will be sent to the Department of Education and posted on the financial aid website.
Finding 2022-064 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide emergency financial assistance to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the University under the Higher Education Emergency Relief Fund (HEERF I) Program. The federal Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the federal American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Each of the University?s campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (DOE) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements of the HEERF program there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The DOE specified that the Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The University?s campuses are required to submit the annual report directly to the DOE. During Fiscal Year 2022, each University campus was required to complete and post 8 reports (four Student Aid and four Institutional) to their website. During Fiscal Year 2022, the University?s three campuses in total expended approximately $60 million in HEERF grant funds: $27 million was expended by the Boulder campus, $10.5 million was expended by the Colorado Springs campus, and $22.5 million was expended by the Denver campus. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over and complied with the HEERF grant reporting requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls over the HEERF grant reporting requirements. In addition, we tested 11 of the 12 student reports and 3 of the 12 institutional reports posted by the University during Fiscal Year 2022 to determine whether the University campuses posted the required information on each campus? website accurately, and by the federal due dates. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? The DOE issued a notice on May 13, 2021, requiring institutions to publicly post their required HEERF reports on the institution?s website as soon as possible, but no later than 30 days after the publication of the notice, or 30 days after the date the DOE first obligated funds under HEERF I, II, or III to the institution for emergency financial assistance to students; whichever comes later. The institution is required to post the report no later than 10 days after the end of each calendar quarter, after the initial posting. ? Federal regulation [2 CFR 200.303] states that the System?s campuses, as federal grant recipients, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? What problem did the audit work identify? We identified 2 out of the 14 reports tested (14.3 percent) that did not meet the HEERF grant report posting requirements. Specifically, the University of Colorado, Colorado Springs Campus, did not post the required information for the HEERF Student Aid Portion on its website for two of four quarters of Fiscal Year 2022 timely. First, the University posted the quarter-ending September 30, 2021 report to its website on December 23, 2021, or 74 days after the deadline of October 10. Second, the University did not post the quarter-ending March 31, 2022 report, which was due April 10, 2022, until October 2022, after we notified them of the error; this was approximately 6 months late. We did not identify any issues with the accuracy of the reports, and we found that the other two campuses in the University of Colorado System posted the required information on their respective websites as required by federal regulations. Why did this problem occur? The University?s Colorado Springs campus did not have adequate internal controls in place to ensure it complied with the HEERF grant reporting requirements. Specifically, the Colorado Springs Campus did not have appropriate policies and procedures in place for identifying and researching changes in HEERF reporting requirements. The federal government updated and provided a new form for HEERF reporting in September 2021 that included a section for institutional information but inadvertently excluded student information from the form. Because the form no longer required the student information, the Colorado Springs campus staff inaccurately assumed that the student information was no longer required to be reported. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in the DOE Certification and Agreement that is signed and agreed to by the University. By failing to report required information in accordance with federal regulations, the University failed to comply with the requirements of the HEERF program and potentially risks repercussions from the DOE as specified in the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-064 The University of Colorado?s Colorado Springs campus should strengthen its internal controls over and ensure that it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by establishing policies and procedures for identifying and researching changes in HEERF reporting requirements and posting reports to the campus website as required by federal regulations. Response University of Colorado Agree Implementation Date: Implemented Management agrees. After the notification of the missing HEERF report in December 2021, the UCCS Controller proposed a ?cross-check? process to ensure all future reporting is in compliance and reported in a timely manner. This process is used for both the quarterly and annual reporting process. In the quarterly reporting process, the UCCS Controller completes the institutional report and emails the report to the UCCS Financial Aid office Senior Executive Director for verification of the amounts and the data submitted. The Senior Executive Director then enters the student aid portion?s information and provides this to the UCCS Controller for verification of the data. Once verified, the report is uploaded to the UCCS website and a confirmation email is sent to the UCCS Controller as well as the heerfreporting@ed.gov for verification of completion of the website posting. This process has been duplicated with the annual reporting process. Before the annual report is submitted a review will be done to verify the report figures match the CU financials for the calendar year.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-059 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF I) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund (Assistance Listing No. 84.425). The HEERF program contains two portions: the Student Aid portion (Assistance Listing No. 84.425E) and the Institutional portion, which is made up of the following: HEERF Institutional Aid Portion (Assistance Listing No. 84.425F), HEERF Minority Serving Institutions (Assistance Listing No. 84.425L), HEERF Strengthening Institutions Program (Assistance Listing No. 84.425M), Institutional Resilience and Expanded Postsecondary Opportunity (Assistance Listing No. 84.425P), and HEERF Supplemental Assistance to Institutions of Higher Education program (Assistance Listing No. 84.425S). Amounts provided to students through HEERF are considered to be ?Emergency Financial Aid Grants to Students? under the Program. Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent approximately $97.8 million for the HEERF program Student Aid portion which is used to award Emergency Financial Aid Grants to students and $113.9 million for the HEERF Institutional Portion, which is used to support the colleges. $117.3 of this amount was expended by the System during Fiscal Year 2022. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the ED to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The annual report is to be submitted directly to the ED. The ED has specified certain criteria that must be included in each report. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System had adequate internal controls in place over, and complied with, the HEERF Institutional and Student Aid grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the System?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 25 of the 117 HEERF reports submitted by the System?s campuses during Fiscal Year 2022 to determine whether the reports were posted on each campus? primary website (quarterly reports) or submitted to ED (annual reports) by the federal due dates. Furthermore, for the Student Aid Quarterly Report we requested from each Campus the underlying support for the reports, which consisted of student data detailing how much aid was awarded and the methods the campuses used to determine which students would receive Emergency Financial Aid Grants. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? On May 13, 2021, the ED published in the Federal Register a notice for student aid public reporting under CRRSAA and ARP, which requires that institutions publicly post certain information on their website. The following information must appear in a format and location that is easily accessible to the public: o An acknowledgement that the institution signed and returned to the ED the Certification and Agreement and the assurance that the institution has used the applicable amount of funds designated under the CRRSAA and ARP programs to provide Emergency Financial Aid Grants to Students. o The total amount of funds that the institution will receive or has received from the ED pursuant to the institution's Certification and Agreement for Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total amount of Emergency Financial Aid Grants distributed to students under the CRRSAA and ARP programs as of the date of submission (i.e., as of the initial report and every calendar quarter thereafter). o The estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total number of students who have received an Emergency Financial Aid Grant to students under the CRRSAA and ARP programs. o The method(s) used by the institution to determine which students receive Emergency Financial Aid Grants and how much they would receive under the CRRSAA and ARP programs. o Any instructions, directions, or guidance provided by the institution to students concerning the Emergency Financial Aid Grants. ? Federal Uniform Guidance [2 CFR 200.303] requires that recipients of federal awards have internal controls in place to ensure that federal reports are accurate and report complete information. Appropriate supporting documentation is evidence of such internal controls. What problems did the audit work identify? We identified issues with 5 of the 25 Fiscal Year 2022 reports we tested (20 percent). Specifically, Front Range Community College (FRCC), Pueblo Community College (PCC), and Lamar Community College (LCC) could not provide appropriate supporting documentation for one or more of the following data elements in five of the Student Aid Quarterly Reports: student data detailing (a) the total amount of Emergency Financial Aid Grants distributed to students, (b) the total number of students eligible to receive Emergency Financial Aid Grants and/or (c) the total number of students at the institution who have received an Emergency Financial Aid Grant. The specific issues we found the following: ? FRCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended September 30, 2021 as 20,684; based on our review, we determined the supported number was 20,782. ? FRCC reported the total number of students at the institution who have received an Emergency Financial Aid Grant for the quarter ended June 30, 2022 as 20,385 (student portion) and 3,207 (institutional portion); based on our review, we determined the supported numbers were 20,401 and 3,222, respectively. ? LCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended June 30, 2022 as 1,007; based on our review, we determined the supported number was 1,034. In addition, the amount disbursed directly to student emergency financial aid grants to date was reported as 961 and total for all HEERF funds was 1,124; based on our review, we determined the supported numbers were 988 and 1,151, respectively. ? PCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarters ending September 30, 2021 and December 31, 2021 as 3,191; based on our review, we determined this amount could not be supported and PCC did not provide a revised count. Why did these problems occur? FRCC, PCC, and LCC campuses did not have procedures in place to ensure that supporting documentation was maintained for its Student Aid Quarterly Reporting. Employee turnover in the FRCC Controller position and FRCC, PCC, and LCC Student Financial Aid Director positions further contributed to FRCC, PCC, and LCC?s inability to locate or recreate the supporting documentation. Why do these problems matter? It is important for FRCC, PCC, and LCC to ensure that they obtain and maintain appropriate documentation to support amounts reported to federal awarding agencies, especially when they are the basis for determining FRCC, PCC, and LCC?s compliance with specific federal program requirements. This issue could lead to inaccurate federal reporting and potential noncompliance, which could result in the federal government requiring FRCC, PCC, and LCC to return funds or a negative impact to the System?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-059 Front Range Community College, Lamar Community College, and Pueblo Community College campuses should strengthen their internal controls over federal reporting and ensure they comply with the Higher Education Emergency Relief Fund reporting requirements by reviewing reports for accuracy and developing procedures for ensuring the required maintenance of all related supporting documentation. Response Front Range Community College Agree Implementation Date: September 2022 Moving forward the Director of Financial Aid will engage the Restricted Funds Accountants in a quality assurance review of both dollars spent, type of fund, and student counts before it is submitted for final review and publishing by the Director of Resource Development and Senior Grant Administrator. The most recently submitted information for the quarterly report of September 30, 2022 will be sent to the Restricted Funds Accountants to validate that FRCC has been and will continue to be in compliance for quarterly HEERF reporting. Response Lamar Community College Agree Implementation Date: July 2022 The Financial Aid Director and the Controller will compile their reporting support on the shared drive they utilize for other routine purposes as well, to ensure clear documentation of the numbers reported. The original report containing errors was corrected, validated, and reposted. All past year?s reporting data was made available on the shared drive as of July 2022. Response Pueblo Community College Agree Implementation Date: October 2022 Each quarter Financial aid will obtain and compare Cognos and Banner disbursement reports for accuracy. Once the unduplicated student count is determined it will be sent to the Vice President of Student Success to validate and approve going forward. Financial aid will ensure staff maintain supporting documentation for any institutional expenditures information that was obtained from the fiscal office. Disbursement and expenditure data will be compiled for the Department of Education?s Quarterly Report by the submission deadline and will be submitted as PDF to webmaster for posting on PCC?s website and a copy emailed to a contact at the Department of Education and will archive the submission for future reference.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Finding 2022-062 Higher Education Emergency Relief Fund Student Aid Finding The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to higher education institutions, including the University, under the HEERF program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA) was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. Since March 11, 2021, the University has been awarded $45.6 million in HEERF grant funds through the American Rescue Plan (ARP), otherwise known as HEERF III. Of this award, the University was provided both 1) Student Aid monies, along with 2) Institutional Aid monies. Student Aid monies must be used to provide financial aid grants to students (including students exclusively enrolled in distance education), which may be used for ?any component of the student?s cost of attendance or for emergency costs that arise due to coronavirus, such as tuition, food, housing, healthcare (including mental health care), or childcare. Institutional Aid monies may be used to defray expenses associated with coronavirus (including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll) and to make additional financial grants to students. During Fiscal Year 2022, the University spent $21.0 million for the Student Aid portion and $20.2 million for the Institutional portion of HEERF III funds. For the Student Aid portion of the HEERF III funding, the University divided the funding into different groups. The University developed a written plan (that applied during Fiscal Year 2022) for each group and a control process for awarding the monies to students. One of the groups of funding was to be awarded to students with unpaid balances in their tuition or auxiliary accounts with past due balances incurred during the 2020-2021 or 2021-2022 academic years. A team of University employees (CARES Team) was tasked with identifying those students, then contacting those students and asking if they would like the University to apply the student?s HEERF award to pay down the student?s account balance or pay it to the student directly. Once the student informed the University of their election, then the University awarded and disbursed the funds. What was the purpose of our audit work and what was performed? The purpose of the audit work was to determine whether the University was in compliance with the HEERF program regulations for awarding and paying the Student Aid portion of the HEERF funding, and whether proper controls were in place over the program during Fiscal Year 2022. Our testing included conducting interviews with management and selecting a sample of 60 disbursements made to students during Fiscal Year 2022 to test controls and compliance. We performed testing on the 60 disbursements to determine whether awards and disbursements were made in accordance with the University?s documented plan. How were the results of the audit work measured? In accordance with HEERF III requirements, the University must prioritize student aid distributions to students with exceptional needs. In addition, the University must have a documented plan to distribute funds to students. Federal regulations [2 CFR 200.303] require any non-federal grant award recipient to establish and maintain effective internal control over the federal award that provides reasonable assurance that the grant award recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. Lastly, student aid application best practices discourage employees from awarding aid to family members. What problem did the audit work identify? Based on interviews with University management, the University identified that a University employee inappropriately provided $700 in HEERF Student Aid funding to the employee?s family member who was a student at the University but was not eligible to receive the funds. Specifically, the CARES Team selected students to receive these funds that met the following criteria: 1) Student was enrolled in the Fall of 2021 or Spring 2022, 2) student had past due balances incurred during the 2020-2021 or 2021-2022 academic years, 3) the student was in good academic standing, and 4) they were participating in a payment plan or in the College Completion Advising program. The student was not selected by the CARES Team as eligible to receive these funds. During our testing of additional 60 student disbursement transactions we found no other exceptions. Why did this problem occur? The University has not established proper segregation of duties to prevent University employees from awarding federal funding to a member of their family. Specifically, the employee had access rights within the University?s financial aid system that granted the employee the ability to both award and disburse federal funds without another employee reviewing or approving. In addition, the University did not have a written policy, as recommended by industry best practices, that prohibits employees from applying aid to family members? accounts. Why does this problem matter? Federal funds that are misapplied or used for unallowable purposes could be subject to repayment from the University to the federal granting agency. Without ensuring adequate segregation of duties within the University?s financial aid system for awarding and disbursing federal funds, the University increases the risk that fraud could occur. In the instance identified, the University recovered the funding from the student. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-062 Metropolitan State University of Denver (University) should improve its internal controls over federal Higher Education Emergency Relief Funds by instituting appropriate segregation of duties over the awarding of federal funds to students. This should include requiring that no one employee can both award then disburse aid to students and developing and implementing a formal written policy that prohibits University employees from awarding financial aid to their family members. Response Metropolitan State University Agree Implementation Date: June 2023 In January 2023, the Executive Director of Financial Aid and Scholarships implemented a code of conduct that addresses and prohibits University personnel from awarding financial aid to their family members or other persons considered conflicts of interest. The Office of Financial Aid and Scholarships will draft policy by June 30, 2023, to address the segregation of duties that prohibits awarding and disbursing federal, state, or institutional funding to students by one employee.
Finding 2022-064 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide emergency financial assistance to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the University under the Higher Education Emergency Relief Fund (HEERF I) Program. The federal Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the federal American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Each of the University?s campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (DOE) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements of the HEERF program there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The DOE specified that the Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The University?s campuses are required to submit the annual report directly to the DOE. During Fiscal Year 2022, each University campus was required to complete and post 8 reports (four Student Aid and four Institutional) to their website. During Fiscal Year 2022, the University?s three campuses in total expended approximately $60 million in HEERF grant funds: $27 million was expended by the Boulder campus, $10.5 million was expended by the Colorado Springs campus, and $22.5 million was expended by the Denver campus. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over and complied with the HEERF grant reporting requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls over the HEERF grant reporting requirements. In addition, we tested 11 of the 12 student reports and 3 of the 12 institutional reports posted by the University during Fiscal Year 2022 to determine whether the University campuses posted the required information on each campus? website accurately, and by the federal due dates. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? The DOE issued a notice on May 13, 2021, requiring institutions to publicly post their required HEERF reports on the institution?s website as soon as possible, but no later than 30 days after the publication of the notice, or 30 days after the date the DOE first obligated funds under HEERF I, II, or III to the institution for emergency financial assistance to students; whichever comes later. The institution is required to post the report no later than 10 days after the end of each calendar quarter, after the initial posting. ? Federal regulation [2 CFR 200.303] states that the System?s campuses, as federal grant recipients, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? What problem did the audit work identify? We identified 2 out of the 14 reports tested (14.3 percent) that did not meet the HEERF grant report posting requirements. Specifically, the University of Colorado, Colorado Springs Campus, did not post the required information for the HEERF Student Aid Portion on its website for two of four quarters of Fiscal Year 2022 timely. First, the University posted the quarter-ending September 30, 2021 report to its website on December 23, 2021, or 74 days after the deadline of October 10. Second, the University did not post the quarter-ending March 31, 2022 report, which was due April 10, 2022, until October 2022, after we notified them of the error; this was approximately 6 months late. We did not identify any issues with the accuracy of the reports, and we found that the other two campuses in the University of Colorado System posted the required information on their respective websites as required by federal regulations. Why did this problem occur? The University?s Colorado Springs campus did not have adequate internal controls in place to ensure it complied with the HEERF grant reporting requirements. Specifically, the Colorado Springs Campus did not have appropriate policies and procedures in place for identifying and researching changes in HEERF reporting requirements. The federal government updated and provided a new form for HEERF reporting in September 2021 that included a section for institutional information but inadvertently excluded student information from the form. Because the form no longer required the student information, the Colorado Springs campus staff inaccurately assumed that the student information was no longer required to be reported. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in the DOE Certification and Agreement that is signed and agreed to by the University. By failing to report required information in accordance with federal regulations, the University failed to comply with the requirements of the HEERF program and potentially risks repercussions from the DOE as specified in the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-064 The University of Colorado?s Colorado Springs campus should strengthen its internal controls over and ensure that it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by establishing policies and procedures for identifying and researching changes in HEERF reporting requirements and posting reports to the campus website as required by federal regulations. Response University of Colorado Agree Implementation Date: Implemented Management agrees. After the notification of the missing HEERF report in December 2021, the UCCS Controller proposed a ?cross-check? process to ensure all future reporting is in compliance and reported in a timely manner. This process is used for both the quarterly and annual reporting process. In the quarterly reporting process, the UCCS Controller completes the institutional report and emails the report to the UCCS Financial Aid office Senior Executive Director for verification of the amounts and the data submitted. The Senior Executive Director then enters the student aid portion?s information and provides this to the UCCS Controller for verification of the data. Once verified, the report is uploaded to the UCCS website and a confirmation email is sent to the UCCS Controller as well as the heerfreporting@ed.gov for verification of completion of the website posting. This process has been duplicated with the annual reporting process. Before the annual report is submitted a review will be done to verify the report figures match the CU financials for the calendar year.
Finding 2022-063 Higher Education Emergency Relief Fund Reporting Compliance Finding The CARES Act was signed into law on March 27, 2020, and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the (HEERF Program. CRRSAA was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Since April 2020, the University has been awarded a total of $86.3 million in HEERF funding. From inception through June 30, 2022, the University spent $35.4 million for the HEERF program Student Aid Portion and $48.9 million for the HEERF program Institutional Portion. The University reports that it will spend the remaining amount of funding during Fiscal Year 2023. The University signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate the University?s acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The ED specified that Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The annual report is to be submitted directly to the federal ED. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University had adequate internal controls in place over and complied with HEERF Institutional and Student Aid Portion grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the University?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 5 of the 8 HEERF reports submitted by the University during Fiscal Year 2022 to determine whether the reports were posted on the University?s primary website or submitted directly to the ED by the federal due dates and complied with federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? For the Student Aid Portion, beginning on May 6, 2020, the ED required institutions to publicly post certain information on their website, including the number of awards distributed to students, the total amount awarded, and the methodologies used by the institution to determine which students receive awards, no later than 30 days after the award date, and to update that information every 45 days thereafter (by posting a new report). ? On August 31, 2020, the ED revised the reporting requirement by decreasing the frequency of reporting after the initial 30-day period from every 45 days thereafter to every calendar quarter. This revision from every 45 days to a calendar quarter was effective for the first calendar quarter report due by October 10, 2020, and covering the period from after the institution?s last report through the end of the calendar quarter on September 30, 2020. ? For the Institutional Portion, a federal form filled out by the institution must be posted on the institution?s website covering aggregate expenditure amounts for each calendar quarter (September 30, December 31, March 31, and June 30) and concluding after an institution has spent the institutional portion of their HEERF Funds. The institution must post their first report by October 30, 2020, the first quarter of 2021 report by July 20, 2021, and post all other reports no later than 10 days after the end of each calendar quarter (October 10, January 10, April 10, and July 10). ? Section 18004(e) of the CARES Act and Section 314(e) of the CRRSAA require an institution receiving funds under HEERF to submit a report to the Secretary of the ED at ?such time in such a manner as the Secretary may require?. ? Federal regulation [2 CFR 200.334] states that ?financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.? The instructions for the Quarterly HEERF Reporting Form notes, ?any changes or updates after the initial posting must be conspicuously noted after initial posting and the date of the change must be noted in the `Date of Report? line.? ? Federal regulation [2 CFR 200.303] states that the University, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The University signed a HEERF Certification and Agreement to accept the funding and acknowledge its responsibilities under the grant; therefore, the University was responsible under the Agreement to ensure that it complied with HEERF reporting and other requirements. What problems did the audit work identify? We determined that 2 out of 5 reports tested (40 percent) did not meet the HEERF grant report posting requirements. Specifically: ? The University did not post the HEERF CRRSAA Student quarterly report for the quarter ending September 30, 2021 on the University?s primary website, as required. ? The University published the HEERF ARP Student quarterly report for the quarter ending March 31, 2022 on May 26, 2022?46 days past the due date of April 10, 2022. No issues were noted on the accuracy of the financial information on this report. Why did these problems occur? The University did not implement adequate internal controls to ensure it complied with the HEERF grant reporting requirements. Specifically, the University did not have appropriate policies and procedures in place to ensure that staff submit the required reports within federally required timeframes. Why do these problems matter? Federal oversight agencies, including ED, depend on accurate reports to measure program results and states? compliance with federal requirements. By failing to report the HEERF spending information in accordance with federal regulations, the University failed to comply with the requirements of the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-063 Metropolitan State University of Denver (University) should strengthen its internal controls over reporting and ensure it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by developing and documenting policies and procedures for identifying and researching the specific reporting requirements and ensuring that staff post to the University?s website the required reports within federally required timeframes. In addition, the University should ensure that all the HEERF reports that are currently required to be posted are on the website. Response Metropolitan State University Agree Implementation Date: December 2022 In December 2022, the Office of Financial Aid strengthened its internal control over the reporting requirements for the Higher Education Emergency Relief Fund (HEERF), by adding the report due dates to the internal operational calendar. Additional level reviews were also added to the submission process before the required reports will be sent to the Department of Education and posted on the financial aid website.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-074 Coronavirus Relief Funds?Property Owner Preservation Program The President of the United States issued the Proclamation on Declaring a National Emergency Concerning the Novel Coronavirus Disease (COVID-19) Outbreak on March 13, 2020 and Congress subsequently passed the Coronavirus Aid, Relief, and Economic Security (CARES) Act. The CARES Act provided emergency assistance in response to the COVID-19 pandemic and established the Coronavirus Relief Fund (CRF) program, which provided payments to state, local, and tribal governments navigating the impact of COVID-19. The State of Colorado received approximately $1.67 billion of CRF funds in April 2020, and the Governor issued Executive Order 2020-070 (Executive Order) in May 2020 to disburse the CRF funds to numerous state departments and agencies. In June 2020, the State passed House Bill 20-1410, concerning assistance for individuals facing a housing-related hardship due to the COVID-19 pandemic, and transferred approximately $19.7 million of CRF funds to the Housing Development Grant Fund to provide such assistance. This bill includes a provision for the Property Owners Preservation Program (Program), which was managed by the Department, to allow landlords and property owners to seek rental assistance on behalf of their tenants who experienced a financial need on or after March 1, 2020, due to the effects of the COVID-19 pandemic. In Fiscal Year 2021, the Department expended the $19.7 million of the CRF funds it received in April 2020, for the Property Owners Preservation Program (POPP). What was the purpose of our audit work and what work was performed? The purpose of the audit work was to follow up on our prior year audit recommendation, which recommended that the Department implement internal controls to ensure it complies with federal regulations for any new federal funds it receives, such as the CRF. The Department planned to implement this recommendation by June 2022. During the Fiscal Year 2022 audit, we inquired with the Department on the implementation status of this recommendation. We also obtained and reviewed the Department?s Exhibit K3, Schedule of Prior Year Audit Recommendation Status, which it was required to submit to the State Controller. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Under House Bill 20-1410, the Housing Development Grant Fund was appropriated $19,650,000 of funds from the CRF for the purpose of providing individuals and households who, on or after March 1, 2020, experienced financial need due to the COVID-19 pandemic or effects of the COVID-19 pandemic, with rental assistance. The House Bill also provided guidance on how to access additional housing services. The Department developed and issued a new application for the POPP to address the criteria for experiencing direct or indirect impacts of the COVID-19 pandemic. ? Federal regulations [2 CFR 200.303] require that the Department, as a federal grant recipient, ?establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.? Furthermore, in accordance with 2 CFR part 200, subpart E, the Department must determine that amounts paid with federal grant funds were necessary and reasonable for the performance of the federal award and are adequately documented. Therefore, the Department must maintain appropriate supporting documentation to verify costs were properly charged to the federal grants. ? The Office of the State Controller (OSC) requires each department that had a prior audit recommendation that was reported in the prior fiscal year?s Office of the State Auditor Statewide audit to complete an Exhibit K3 to report the Department?s determination of the status of their recommendation as of June 30. Possible status descriptions include ?Implemented,? ?Partially Implemented,? ?Not Implemented,? and ?No Longer Valid.? The Department must provide an explanation for each recommendation status. What problem did the audit work identify? We determined that the Department did not implement the prior year?s recommendation by its planned implementation date of June 2022. Specifically, during prior year audit work, we found that the Department could not provide appropriate underlying support for 4 of the 60 transactions (7 percent) we tested that were charged as CRF expenditures for the Program; as a result, we recommended that the Department strengthen its internal controls over federal grant spending, including that it develop and implement policies and procedures with a requirement that Department staff review and maintain records supporting its expenditures charged to federal programs. When we inquired of the Department about what steps it had taken to implement the recommendation, Department staff indicated that they did not implement the recommendation during Fiscal Year 2022. Why did this problem occur? The Department reported on its Exhibit K3 that it determined that the original implementation date of June 2022 that the Department provided as its planned implementation date for our Fiscal Year 2021 recommendation was unrealistic, given the Department?s staffing challenges. Specifically, the Department indicated that it was not able to allocate sufficient time to develop and implement the recommended policy and procedure guidance by the end of Fiscal Year 2022. Why does this problem matter? The Department?s lack of sufficient internal controls over the maintenance of complete and accurate records for the federal CRF monies could result in inadequate documentation to support its payments and ultimately, disallowed federal costs and potential sanctions. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-074 The Department of Local Affairs (Department) should implement internal controls to ensure it complies with federal regulations, specifically for activities allowed or unallowed and allowable costs/cost principles, for any new federal funds it receives, such as the Coronavirus Relief Fund. This should include developing and implementing policies and procedures that include a requirement that Department staff review and maintain records supporting the expenditures charged to the federal program. Response Department of Local Affairs Agree Implementation Date: September 2022 The Division of Housing within the Department of Local Affairs has implemented internal controls to ensure compliance with federal regulations for new federal funds, including the development of a standard procedure and the requirement that Department staff review and maintain records supporting the expenditures charged to new federal programs.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-065 Research and Development Cluster Equipment Management Compliance The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D activities conducted under these awards vary greatly. The objective of an individual project is explained in the federal award document. R&D activities at the University are subject to federal equipment management requirements. In accordance with Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), Section 201.1 Definitions, equipment is defined as tangible personal property (including information technology systems) having a useful life of more than one year and a per-unit acquisition cost which equals or exceeds the lesser of the capitalization level established by the non-Federal entity for financial statement purposes, or $5,000. The University uses equipment to meet the objective of its various research projects and this equipment may be common items such as a microscope or very complex scientific equipment, Under federal regulations, the University is required, for any equipment purchased under a federal contract, to maintain and track the equipment as to its location. The University must have an internal control structure in place in order to protect and safeguard the equipment and the University should be able to provide evidence that the equipment is safeguarded and maintained and show the location of all equipment. The Campus Controller?s Property Accounting Office (PAO) within the Boulder campus is responsible for equipment and property management. The PAO sends its full equipment listing quarterly to a portion of its individual departments with equipment, in a frequency to cover all departments within a two-year period. The individual departments are required to review the equipment listing, add any new equipment to the listing, and remove any equipment from the listing that has been disposed of or is no longer in service. Once the departments return the listings to the PAO, the PAO selects a sample to verify the information provided by the departments. The PAO selects the sample and the PAO Property Accountant then verifies the equipment?s existence by performing a site visit to the department and observing the equipment. The PAO selects a new sample each quarter. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million and $6 million from the Boulder, Denver and UCCS campuses, respectively. Of that amount, the University?s three campuses expended a total of approximately $191 million for equipment purchases, with $116 million, $69.6 million, and $5.4 million being spent by the Boulder, Denver, and UCCS campuses, respectively. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D Cluster?s equipment management requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls related to the R&D equipment management requirements. We tested 60 items of equipment with a total value of $1.2 million to determine whether the University appropriately safeguarded and maintained equipment, as required by federal regulations. In addition, we tested 40 of the 60 items of equipment with a total value of $840,000 to determine whether the University?s campuses appropriately placed property tags on the equipment as required by University policy. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.313(b) states that a State must use, manage and dispose of equipment acquired under a federal award to the State in accordance with the state laws and procedures. The University?s Property Control Manual section 1.3 states that the University is responsible and accountable for all property acquired with federal funding in accordance with federal regulations and the provision of a sponsored award. While under the heading of ?non-federal entities other than States,? federal regulation 2 CFR 200.313(c) through (e) also requires that equipment records be maintained, a physical inventory of equipment be taken at least once every two years and reconciled to the equipment record, an appropriate control system be used to safeguard equipment and all equipment shall be adequately maintained. ? The University?s Property Control Manual Section 3.3.1 states that ?only items having an acquisition cost of $5,000 or more are logged and tracked in the university property record.? Furthermore, the University?s Property Control Manual Section 3.3.3, states that equipment records should be updated for any changes discovered during the performance of an inventory over equipment. This would include equipment that should be removed from the listing because it was disposed of or is no longer in service. ? The University?s Property Control Manual section 3.2 states that ?All Government property at $5,000 or above in the custody of the Boulder campus must be tagged.? What problems did the audit work identify? We found that 2 of the 60 equipment items that we tested (3 percent,) with a total value of $39,400, were inappropriately included on the equipment listing even though they had either been disposed of in a prior period or were not in service. Specifically, one equipment item with an approximate value of $28,000 was no longer in service by the University, but still remained on the University?s inventory listing. The second equipment item with an approximate value of $8,400 was disposed of by the University on October 3, 2017, but was still on the list. In addition, we determined that 2 of the 40 equipment items we tested for tagging (5 percent) did not contain the tag as required by the University?s Property Control Manual. One of these items was valued at approximately $28,000. The second item was valued at approximately $31,000. Why did these problems occur? The University?s Boulder campus did not have adequate internal controls in place to ensure it complied with the R&D equipment management requirements. Specifically, although the University does have policies over equipment, Boulder campus staff were not adequately performing the procedures intrinsic in the policy. Specifically, neither the PAO nor the individual University departments adequately reconciled the equipment listing to the physical equipment on hand, which resulted in the list including equipment that had been disposed of or was no longer in use. Additionally, the Boulder Campus did not follow its own policies and procedures requiring that equipment with a value of $5,000 was appropriately tagged. One item?s tag was missing and a replacement tag had been ordered and not received at the time of our procedures. We could not determine whether the University identified that the tag was missing before we requested the information for review. The second item was below ground and the University did not maintain evidence of the original tag. Why do these problems matter? The University is obligated to adhere to specified requirements as outlined by federal regulations and the respective award agreement. By failing to adhere to the requirements for maintenance of equipment, the University potentially risks repercussions from the awarding agency. Furthermore, failing to properly maintain the equipment in accordance with federal and University requirements could increase the risk of theft or loss and decrease the ability of the University to adequately identify theft or loss. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-065 The University of Colorado?s Boulder campus should strengthen its internal controls over equipment management and ensure that it complies with the Research and Development equipment management federal compliance requirements by: A. Ensuring the Campus Controller?s Property Accounting Office and the individual departments adequately reconcile the equipment listing to the physical equipment on hand to ensure that the list is accurate, and remove equipment from the listing that has been disposed of or is no longer in use. B. Enforcing its current policies and procedures for ensuring all equipment is appropriately tagged and maintained. Response University of Colorado A. Agree Implementation Date: March 2023 Management agrees with the recommendation. Procedures have been initiated with cross campus partners and will be fully implemented by March 2023. The proposed corrective action plan is as follows: ? Escalation procedures will be implemented in collaboration with campus partners so that action items identified in inventory reviews are addressed timely. ? The Campus Controller?s Office will work with campus partners to increase physical monitoring procedures to ensure tags are affixed and maintained on equipment. B. Agree Implementation Date: March 2023 Management agrees with the recommendation. Procedures have been initiated with cross campus partners and will be fully implemented by March 2023. The proposed corrective action plan is as follows: ? Escalation procedures will be implemented in collaboration with campus partners so that action items identified in inventory reviews are addressed timely. ? The Campus Controller?s Office will work with campus partners to increase physical monitoring procedures to ensure tags are affixed and maintained on equipment.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-064 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide emergency financial assistance to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the University under the Higher Education Emergency Relief Fund (HEERF I) Program. The federal Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the federal American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Each of the University?s campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (DOE) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements of the HEERF program there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The DOE specified that the Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The University?s campuses are required to submit the annual report directly to the DOE. During Fiscal Year 2022, each University campus was required to complete and post 8 reports (four Student Aid and four Institutional) to their website. During Fiscal Year 2022, the University?s three campuses in total expended approximately $60 million in HEERF grant funds: $27 million was expended by the Boulder campus, $10.5 million was expended by the Colorado Springs campus, and $22.5 million was expended by the Denver campus. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over and complied with the HEERF grant reporting requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls over the HEERF grant reporting requirements. In addition, we tested 11 of the 12 student reports and 3 of the 12 institutional reports posted by the University during Fiscal Year 2022 to determine whether the University campuses posted the required information on each campus? website accurately, and by the federal due dates. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? The DOE issued a notice on May 13, 2021, requiring institutions to publicly post their required HEERF reports on the institution?s website as soon as possible, but no later than 30 days after the publication of the notice, or 30 days after the date the DOE first obligated funds under HEERF I, II, or III to the institution for emergency financial assistance to students; whichever comes later. The institution is required to post the report no later than 10 days after the end of each calendar quarter, after the initial posting. ? Federal regulation [2 CFR 200.303] states that the System?s campuses, as federal grant recipients, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? What problem did the audit work identify? We identified 2 out of the 14 reports tested (14.3 percent) that did not meet the HEERF grant report posting requirements. Specifically, the University of Colorado, Colorado Springs Campus, did not post the required information for the HEERF Student Aid Portion on its website for two of four quarters of Fiscal Year 2022 timely. First, the University posted the quarter-ending September 30, 2021 report to its website on December 23, 2021, or 74 days after the deadline of October 10. Second, the University did not post the quarter-ending March 31, 2022 report, which was due April 10, 2022, until October 2022, after we notified them of the error; this was approximately 6 months late. We did not identify any issues with the accuracy of the reports, and we found that the other two campuses in the University of Colorado System posted the required information on their respective websites as required by federal regulations. Why did this problem occur? The University?s Colorado Springs campus did not have adequate internal controls in place to ensure it complied with the HEERF grant reporting requirements. Specifically, the Colorado Springs Campus did not have appropriate policies and procedures in place for identifying and researching changes in HEERF reporting requirements. The federal government updated and provided a new form for HEERF reporting in September 2021 that included a section for institutional information but inadvertently excluded student information from the form. Because the form no longer required the student information, the Colorado Springs campus staff inaccurately assumed that the student information was no longer required to be reported. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in the DOE Certification and Agreement that is signed and agreed to by the University. By failing to report required information in accordance with federal regulations, the University failed to comply with the requirements of the HEERF program and potentially risks repercussions from the DOE as specified in the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-064 The University of Colorado?s Colorado Springs campus should strengthen its internal controls over and ensure that it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by establishing policies and procedures for identifying and researching changes in HEERF reporting requirements and posting reports to the campus website as required by federal regulations. Response University of Colorado Agree Implementation Date: Implemented Management agrees. After the notification of the missing HEERF report in December 2021, the UCCS Controller proposed a ?cross-check? process to ensure all future reporting is in compliance and reported in a timely manner. This process is used for both the quarterly and annual reporting process. In the quarterly reporting process, the UCCS Controller completes the institutional report and emails the report to the UCCS Financial Aid office Senior Executive Director for verification of the amounts and the data submitted. The Senior Executive Director then enters the student aid portion?s information and provides this to the UCCS Controller for verification of the data. Once verified, the report is uploaded to the UCCS website and a confirmation email is sent to the UCCS Controller as well as the heerfreporting@ed.gov for verification of completion of the website posting. This process has been duplicated with the annual reporting process. Before the annual report is submitted a review will be done to verify the report figures match the CU financials for the calendar year.
Finding 2022-062 Higher Education Emergency Relief Fund Student Aid Finding The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to higher education institutions, including the University, under the HEERF program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA) was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. Since March 11, 2021, the University has been awarded $45.6 million in HEERF grant funds through the American Rescue Plan (ARP), otherwise known as HEERF III. Of this award, the University was provided both 1) Student Aid monies, along with 2) Institutional Aid monies. Student Aid monies must be used to provide financial aid grants to students (including students exclusively enrolled in distance education), which may be used for ?any component of the student?s cost of attendance or for emergency costs that arise due to coronavirus, such as tuition, food, housing, healthcare (including mental health care), or childcare. Institutional Aid monies may be used to defray expenses associated with coronavirus (including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll) and to make additional financial grants to students. During Fiscal Year 2022, the University spent $21.0 million for the Student Aid portion and $20.2 million for the Institutional portion of HEERF III funds. For the Student Aid portion of the HEERF III funding, the University divided the funding into different groups. The University developed a written plan (that applied during Fiscal Year 2022) for each group and a control process for awarding the monies to students. One of the groups of funding was to be awarded to students with unpaid balances in their tuition or auxiliary accounts with past due balances incurred during the 2020-2021 or 2021-2022 academic years. A team of University employees (CARES Team) was tasked with identifying those students, then contacting those students and asking if they would like the University to apply the student?s HEERF award to pay down the student?s account balance or pay it to the student directly. Once the student informed the University of their election, then the University awarded and disbursed the funds. What was the purpose of our audit work and what was performed? The purpose of the audit work was to determine whether the University was in compliance with the HEERF program regulations for awarding and paying the Student Aid portion of the HEERF funding, and whether proper controls were in place over the program during Fiscal Year 2022. Our testing included conducting interviews with management and selecting a sample of 60 disbursements made to students during Fiscal Year 2022 to test controls and compliance. We performed testing on the 60 disbursements to determine whether awards and disbursements were made in accordance with the University?s documented plan. How were the results of the audit work measured? In accordance with HEERF III requirements, the University must prioritize student aid distributions to students with exceptional needs. In addition, the University must have a documented plan to distribute funds to students. Federal regulations [2 CFR 200.303] require any non-federal grant award recipient to establish and maintain effective internal control over the federal award that provides reasonable assurance that the grant award recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. Lastly, student aid application best practices discourage employees from awarding aid to family members. What problem did the audit work identify? Based on interviews with University management, the University identified that a University employee inappropriately provided $700 in HEERF Student Aid funding to the employee?s family member who was a student at the University but was not eligible to receive the funds. Specifically, the CARES Team selected students to receive these funds that met the following criteria: 1) Student was enrolled in the Fall of 2021 or Spring 2022, 2) student had past due balances incurred during the 2020-2021 or 2021-2022 academic years, 3) the student was in good academic standing, and 4) they were participating in a payment plan or in the College Completion Advising program. The student was not selected by the CARES Team as eligible to receive these funds. During our testing of additional 60 student disbursement transactions we found no other exceptions. Why did this problem occur? The University has not established proper segregation of duties to prevent University employees from awarding federal funding to a member of their family. Specifically, the employee had access rights within the University?s financial aid system that granted the employee the ability to both award and disburse federal funds without another employee reviewing or approving. In addition, the University did not have a written policy, as recommended by industry best practices, that prohibits employees from applying aid to family members? accounts. Why does this problem matter? Federal funds that are misapplied or used for unallowable purposes could be subject to repayment from the University to the federal granting agency. Without ensuring adequate segregation of duties within the University?s financial aid system for awarding and disbursing federal funds, the University increases the risk that fraud could occur. In the instance identified, the University recovered the funding from the student. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-062 Metropolitan State University of Denver (University) should improve its internal controls over federal Higher Education Emergency Relief Funds by instituting appropriate segregation of duties over the awarding of federal funds to students. This should include requiring that no one employee can both award then disburse aid to students and developing and implementing a formal written policy that prohibits University employees from awarding financial aid to their family members. Response Metropolitan State University Agree Implementation Date: June 2023 In January 2023, the Executive Director of Financial Aid and Scholarships implemented a code of conduct that addresses and prohibits University personnel from awarding financial aid to their family members or other persons considered conflicts of interest. The Office of Financial Aid and Scholarships will draft policy by June 30, 2023, to address the segregation of duties that prohibits awarding and disbursing federal, state, or institutional funding to students by one employee.
Finding 2022-063 Higher Education Emergency Relief Fund Reporting Compliance Finding The CARES Act was signed into law on March 27, 2020, and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the (HEERF Program. CRRSAA was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Since April 2020, the University has been awarded a total of $86.3 million in HEERF funding. From inception through June 30, 2022, the University spent $35.4 million for the HEERF program Student Aid Portion and $48.9 million for the HEERF program Institutional Portion. The University reports that it will spend the remaining amount of funding during Fiscal Year 2023. The University signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate the University?s acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The ED specified that Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The annual report is to be submitted directly to the federal ED. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University had adequate internal controls in place over and complied with HEERF Institutional and Student Aid Portion grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the University?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 5 of the 8 HEERF reports submitted by the University during Fiscal Year 2022 to determine whether the reports were posted on the University?s primary website or submitted directly to the ED by the federal due dates and complied with federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? For the Student Aid Portion, beginning on May 6, 2020, the ED required institutions to publicly post certain information on their website, including the number of awards distributed to students, the total amount awarded, and the methodologies used by the institution to determine which students receive awards, no later than 30 days after the award date, and to update that information every 45 days thereafter (by posting a new report). ? On August 31, 2020, the ED revised the reporting requirement by decreasing the frequency of reporting after the initial 30-day period from every 45 days thereafter to every calendar quarter. This revision from every 45 days to a calendar quarter was effective for the first calendar quarter report due by October 10, 2020, and covering the period from after the institution?s last report through the end of the calendar quarter on September 30, 2020. ? For the Institutional Portion, a federal form filled out by the institution must be posted on the institution?s website covering aggregate expenditure amounts for each calendar quarter (September 30, December 31, March 31, and June 30) and concluding after an institution has spent the institutional portion of their HEERF Funds. The institution must post their first report by October 30, 2020, the first quarter of 2021 report by July 20, 2021, and post all other reports no later than 10 days after the end of each calendar quarter (October 10, January 10, April 10, and July 10). ? Section 18004(e) of the CARES Act and Section 314(e) of the CRRSAA require an institution receiving funds under HEERF to submit a report to the Secretary of the ED at ?such time in such a manner as the Secretary may require?. ? Federal regulation [2 CFR 200.334] states that ?financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.? The instructions for the Quarterly HEERF Reporting Form notes, ?any changes or updates after the initial posting must be conspicuously noted after initial posting and the date of the change must be noted in the `Date of Report? line.? ? Federal regulation [2 CFR 200.303] states that the University, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The University signed a HEERF Certification and Agreement to accept the funding and acknowledge its responsibilities under the grant; therefore, the University was responsible under the Agreement to ensure that it complied with HEERF reporting and other requirements. What problems did the audit work identify? We determined that 2 out of 5 reports tested (40 percent) did not meet the HEERF grant report posting requirements. Specifically: ? The University did not post the HEERF CRRSAA Student quarterly report for the quarter ending September 30, 2021 on the University?s primary website, as required. ? The University published the HEERF ARP Student quarterly report for the quarter ending March 31, 2022 on May 26, 2022?46 days past the due date of April 10, 2022. No issues were noted on the accuracy of the financial information on this report. Why did these problems occur? The University did not implement adequate internal controls to ensure it complied with the HEERF grant reporting requirements. Specifically, the University did not have appropriate policies and procedures in place to ensure that staff submit the required reports within federally required timeframes. Why do these problems matter? Federal oversight agencies, including ED, depend on accurate reports to measure program results and states? compliance with federal requirements. By failing to report the HEERF spending information in accordance with federal regulations, the University failed to comply with the requirements of the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-063 Metropolitan State University of Denver (University) should strengthen its internal controls over reporting and ensure it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by developing and documenting policies and procedures for identifying and researching the specific reporting requirements and ensuring that staff post to the University?s website the required reports within federally required timeframes. In addition, the University should ensure that all the HEERF reports that are currently required to be posted are on the website. Response Metropolitan State University Agree Implementation Date: December 2022 In December 2022, the Office of Financial Aid strengthened its internal control over the reporting requirements for the Higher Education Emergency Relief Fund (HEERF), by adding the report due dates to the internal operational calendar. Additional level reviews were also added to the submission process before the required reports will be sent to the Department of Education and posted on the financial aid website.
Finding 2022-059 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF I) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund (Assistance Listing No. 84.425). The HEERF program contains two portions: the Student Aid portion (Assistance Listing No. 84.425E) and the Institutional portion, which is made up of the following: HEERF Institutional Aid Portion (Assistance Listing No. 84.425F), HEERF Minority Serving Institutions (Assistance Listing No. 84.425L), HEERF Strengthening Institutions Program (Assistance Listing No. 84.425M), Institutional Resilience and Expanded Postsecondary Opportunity (Assistance Listing No. 84.425P), and HEERF Supplemental Assistance to Institutions of Higher Education program (Assistance Listing No. 84.425S). Amounts provided to students through HEERF are considered to be ?Emergency Financial Aid Grants to Students? under the Program. Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent approximately $97.8 million for the HEERF program Student Aid portion which is used to award Emergency Financial Aid Grants to students and $113.9 million for the HEERF Institutional Portion, which is used to support the colleges. $117.3 of this amount was expended by the System during Fiscal Year 2022. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the ED to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The annual report is to be submitted directly to the ED. The ED has specified certain criteria that must be included in each report. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System had adequate internal controls in place over, and complied with, the HEERF Institutional and Student Aid grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the System?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 25 of the 117 HEERF reports submitted by the System?s campuses during Fiscal Year 2022 to determine whether the reports were posted on each campus? primary website (quarterly reports) or submitted to ED (annual reports) by the federal due dates. Furthermore, for the Student Aid Quarterly Report we requested from each Campus the underlying support for the reports, which consisted of student data detailing how much aid was awarded and the methods the campuses used to determine which students would receive Emergency Financial Aid Grants. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? On May 13, 2021, the ED published in the Federal Register a notice for student aid public reporting under CRRSAA and ARP, which requires that institutions publicly post certain information on their website. The following information must appear in a format and location that is easily accessible to the public: o An acknowledgement that the institution signed and returned to the ED the Certification and Agreement and the assurance that the institution has used the applicable amount of funds designated under the CRRSAA and ARP programs to provide Emergency Financial Aid Grants to Students. o The total amount of funds that the institution will receive or has received from the ED pursuant to the institution's Certification and Agreement for Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total amount of Emergency Financial Aid Grants distributed to students under the CRRSAA and ARP programs as of the date of submission (i.e., as of the initial report and every calendar quarter thereafter). o The estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total number of students who have received an Emergency Financial Aid Grant to students under the CRRSAA and ARP programs. o The method(s) used by the institution to determine which students receive Emergency Financial Aid Grants and how much they would receive under the CRRSAA and ARP programs. o Any instructions, directions, or guidance provided by the institution to students concerning the Emergency Financial Aid Grants. ? Federal Uniform Guidance [2 CFR 200.303] requires that recipients of federal awards have internal controls in place to ensure that federal reports are accurate and report complete information. Appropriate supporting documentation is evidence of such internal controls. What problems did the audit work identify? We identified issues with 5 of the 25 Fiscal Year 2022 reports we tested (20 percent). Specifically, Front Range Community College (FRCC), Pueblo Community College (PCC), and Lamar Community College (LCC) could not provide appropriate supporting documentation for one or more of the following data elements in five of the Student Aid Quarterly Reports: student data detailing (a) the total amount of Emergency Financial Aid Grants distributed to students, (b) the total number of students eligible to receive Emergency Financial Aid Grants and/or (c) the total number of students at the institution who have received an Emergency Financial Aid Grant. The specific issues we found the following: ? FRCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended September 30, 2021 as 20,684; based on our review, we determined the supported number was 20,782. ? FRCC reported the total number of students at the institution who have received an Emergency Financial Aid Grant for the quarter ended June 30, 2022 as 20,385 (student portion) and 3,207 (institutional portion); based on our review, we determined the supported numbers were 20,401 and 3,222, respectively. ? LCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended June 30, 2022 as 1,007; based on our review, we determined the supported number was 1,034. In addition, the amount disbursed directly to student emergency financial aid grants to date was reported as 961 and total for all HEERF funds was 1,124; based on our review, we determined the supported numbers were 988 and 1,151, respectively. ? PCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarters ending September 30, 2021 and December 31, 2021 as 3,191; based on our review, we determined this amount could not be supported and PCC did not provide a revised count. Why did these problems occur? FRCC, PCC, and LCC campuses did not have procedures in place to ensure that supporting documentation was maintained for its Student Aid Quarterly Reporting. Employee turnover in the FRCC Controller position and FRCC, PCC, and LCC Student Financial Aid Director positions further contributed to FRCC, PCC, and LCC?s inability to locate or recreate the supporting documentation. Why do these problems matter? It is important for FRCC, PCC, and LCC to ensure that they obtain and maintain appropriate documentation to support amounts reported to federal awarding agencies, especially when they are the basis for determining FRCC, PCC, and LCC?s compliance with specific federal program requirements. This issue could lead to inaccurate federal reporting and potential noncompliance, which could result in the federal government requiring FRCC, PCC, and LCC to return funds or a negative impact to the System?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-059 Front Range Community College, Lamar Community College, and Pueblo Community College campuses should strengthen their internal controls over federal reporting and ensure they comply with the Higher Education Emergency Relief Fund reporting requirements by reviewing reports for accuracy and developing procedures for ensuring the required maintenance of all related supporting documentation. Response Front Range Community College Agree Implementation Date: September 2022 Moving forward the Director of Financial Aid will engage the Restricted Funds Accountants in a quality assurance review of both dollars spent, type of fund, and student counts before it is submitted for final review and publishing by the Director of Resource Development and Senior Grant Administrator. The most recently submitted information for the quarterly report of September 30, 2022 will be sent to the Restricted Funds Accountants to validate that FRCC has been and will continue to be in compliance for quarterly HEERF reporting. Response Lamar Community College Agree Implementation Date: July 2022 The Financial Aid Director and the Controller will compile their reporting support on the shared drive they utilize for other routine purposes as well, to ensure clear documentation of the numbers reported. The original report containing errors was corrected, validated, and reposted. All past year?s reporting data was made available on the shared drive as of July 2022. Response Pueblo Community College Agree Implementation Date: October 2022 Each quarter Financial aid will obtain and compare Cognos and Banner disbursement reports for accuracy. Once the unduplicated student count is determined it will be sent to the Vice President of Student Success to validate and approve going forward. Financial aid will ensure staff maintain supporting documentation for any institutional expenditures information that was obtained from the fiscal office. Disbursement and expenditure data will be compiled for the Department of Education?s Quarterly Report by the submission deadline and will be submitted as PDF to webmaster for posting on PCC?s website and a copy emailed to a contact at the Department of Education and will archive the submission for future reference.
Finding 2022-074 Coronavirus Relief Funds?Property Owner Preservation Program The President of the United States issued the Proclamation on Declaring a National Emergency Concerning the Novel Coronavirus Disease (COVID-19) Outbreak on March 13, 2020 and Congress subsequently passed the Coronavirus Aid, Relief, and Economic Security (CARES) Act. The CARES Act provided emergency assistance in response to the COVID-19 pandemic and established the Coronavirus Relief Fund (CRF) program, which provided payments to state, local, and tribal governments navigating the impact of COVID-19. The State of Colorado received approximately $1.67 billion of CRF funds in April 2020, and the Governor issued Executive Order 2020-070 (Executive Order) in May 2020 to disburse the CRF funds to numerous state departments and agencies. In June 2020, the State passed House Bill 20-1410, concerning assistance for individuals facing a housing-related hardship due to the COVID-19 pandemic, and transferred approximately $19.7 million of CRF funds to the Housing Development Grant Fund to provide such assistance. This bill includes a provision for the Property Owners Preservation Program (Program), which was managed by the Department, to allow landlords and property owners to seek rental assistance on behalf of their tenants who experienced a financial need on or after March 1, 2020, due to the effects of the COVID-19 pandemic. In Fiscal Year 2021, the Department expended the $19.7 million of the CRF funds it received in April 2020, for the Property Owners Preservation Program (POPP). What was the purpose of our audit work and what work was performed? The purpose of the audit work was to follow up on our prior year audit recommendation, which recommended that the Department implement internal controls to ensure it complies with federal regulations for any new federal funds it receives, such as the CRF. The Department planned to implement this recommendation by June 2022. During the Fiscal Year 2022 audit, we inquired with the Department on the implementation status of this recommendation. We also obtained and reviewed the Department?s Exhibit K3, Schedule of Prior Year Audit Recommendation Status, which it was required to submit to the State Controller. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Under House Bill 20-1410, the Housing Development Grant Fund was appropriated $19,650,000 of funds from the CRF for the purpose of providing individuals and households who, on or after March 1, 2020, experienced financial need due to the COVID-19 pandemic or effects of the COVID-19 pandemic, with rental assistance. The House Bill also provided guidance on how to access additional housing services. The Department developed and issued a new application for the POPP to address the criteria for experiencing direct or indirect impacts of the COVID-19 pandemic. ? Federal regulations [2 CFR 200.303] require that the Department, as a federal grant recipient, ?establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.? Furthermore, in accordance with 2 CFR part 200, subpart E, the Department must determine that amounts paid with federal grant funds were necessary and reasonable for the performance of the federal award and are adequately documented. Therefore, the Department must maintain appropriate supporting documentation to verify costs were properly charged to the federal grants. ? The Office of the State Controller (OSC) requires each department that had a prior audit recommendation that was reported in the prior fiscal year?s Office of the State Auditor Statewide audit to complete an Exhibit K3 to report the Department?s determination of the status of their recommendation as of June 30. Possible status descriptions include ?Implemented,? ?Partially Implemented,? ?Not Implemented,? and ?No Longer Valid.? The Department must provide an explanation for each recommendation status. What problem did the audit work identify? We determined that the Department did not implement the prior year?s recommendation by its planned implementation date of June 2022. Specifically, during prior year audit work, we found that the Department could not provide appropriate underlying support for 4 of the 60 transactions (7 percent) we tested that were charged as CRF expenditures for the Program; as a result, we recommended that the Department strengthen its internal controls over federal grant spending, including that it develop and implement policies and procedures with a requirement that Department staff review and maintain records supporting its expenditures charged to federal programs. When we inquired of the Department about what steps it had taken to implement the recommendation, Department staff indicated that they did not implement the recommendation during Fiscal Year 2022. Why did this problem occur? The Department reported on its Exhibit K3 that it determined that the original implementation date of June 2022 that the Department provided as its planned implementation date for our Fiscal Year 2021 recommendation was unrealistic, given the Department?s staffing challenges. Specifically, the Department indicated that it was not able to allocate sufficient time to develop and implement the recommended policy and procedure guidance by the end of Fiscal Year 2022. Why does this problem matter? The Department?s lack of sufficient internal controls over the maintenance of complete and accurate records for the federal CRF monies could result in inadequate documentation to support its payments and ultimately, disallowed federal costs and potential sanctions. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-074 The Department of Local Affairs (Department) should implement internal controls to ensure it complies with federal regulations, specifically for activities allowed or unallowed and allowable costs/cost principles, for any new federal funds it receives, such as the Coronavirus Relief Fund. This should include developing and implementing policies and procedures that include a requirement that Department staff review and maintain records supporting the expenditures charged to the federal program. Response Department of Local Affairs Agree Implementation Date: September 2022 The Division of Housing within the Department of Local Affairs has implemented internal controls to ensure compliance with federal regulations for new federal funds, including the development of a standard procedure and the requirement that Department staff review and maintain records supporting the expenditures charged to new federal programs.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Finding 2022-059 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF I) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund (Assistance Listing No. 84.425). The HEERF program contains two portions: the Student Aid portion (Assistance Listing No. 84.425E) and the Institutional portion, which is made up of the following: HEERF Institutional Aid Portion (Assistance Listing No. 84.425F), HEERF Minority Serving Institutions (Assistance Listing No. 84.425L), HEERF Strengthening Institutions Program (Assistance Listing No. 84.425M), Institutional Resilience and Expanded Postsecondary Opportunity (Assistance Listing No. 84.425P), and HEERF Supplemental Assistance to Institutions of Higher Education program (Assistance Listing No. 84.425S). Amounts provided to students through HEERF are considered to be ?Emergency Financial Aid Grants to Students? under the Program. Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent approximately $97.8 million for the HEERF program Student Aid portion which is used to award Emergency Financial Aid Grants to students and $113.9 million for the HEERF Institutional Portion, which is used to support the colleges. $117.3 of this amount was expended by the System during Fiscal Year 2022. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the ED to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The annual report is to be submitted directly to the ED. The ED has specified certain criteria that must be included in each report. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System had adequate internal controls in place over, and complied with, the HEERF Institutional and Student Aid grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the System?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 25 of the 117 HEERF reports submitted by the System?s campuses during Fiscal Year 2022 to determine whether the reports were posted on each campus? primary website (quarterly reports) or submitted to ED (annual reports) by the federal due dates. Furthermore, for the Student Aid Quarterly Report we requested from each Campus the underlying support for the reports, which consisted of student data detailing how much aid was awarded and the methods the campuses used to determine which students would receive Emergency Financial Aid Grants. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? On May 13, 2021, the ED published in the Federal Register a notice for student aid public reporting under CRRSAA and ARP, which requires that institutions publicly post certain information on their website. The following information must appear in a format and location that is easily accessible to the public: o An acknowledgement that the institution signed and returned to the ED the Certification and Agreement and the assurance that the institution has used the applicable amount of funds designated under the CRRSAA and ARP programs to provide Emergency Financial Aid Grants to Students. o The total amount of funds that the institution will receive or has received from the ED pursuant to the institution's Certification and Agreement for Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total amount of Emergency Financial Aid Grants distributed to students under the CRRSAA and ARP programs as of the date of submission (i.e., as of the initial report and every calendar quarter thereafter). o The estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total number of students who have received an Emergency Financial Aid Grant to students under the CRRSAA and ARP programs. o The method(s) used by the institution to determine which students receive Emergency Financial Aid Grants and how much they would receive under the CRRSAA and ARP programs. o Any instructions, directions, or guidance provided by the institution to students concerning the Emergency Financial Aid Grants. ? Federal Uniform Guidance [2 CFR 200.303] requires that recipients of federal awards have internal controls in place to ensure that federal reports are accurate and report complete information. Appropriate supporting documentation is evidence of such internal controls. What problems did the audit work identify? We identified issues with 5 of the 25 Fiscal Year 2022 reports we tested (20 percent). Specifically, Front Range Community College (FRCC), Pueblo Community College (PCC), and Lamar Community College (LCC) could not provide appropriate supporting documentation for one or more of the following data elements in five of the Student Aid Quarterly Reports: student data detailing (a) the total amount of Emergency Financial Aid Grants distributed to students, (b) the total number of students eligible to receive Emergency Financial Aid Grants and/or (c) the total number of students at the institution who have received an Emergency Financial Aid Grant. The specific issues we found the following: ? FRCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended September 30, 2021 as 20,684; based on our review, we determined the supported number was 20,782. ? FRCC reported the total number of students at the institution who have received an Emergency Financial Aid Grant for the quarter ended June 30, 2022 as 20,385 (student portion) and 3,207 (institutional portion); based on our review, we determined the supported numbers were 20,401 and 3,222, respectively. ? LCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended June 30, 2022 as 1,007; based on our review, we determined the supported number was 1,034. In addition, the amount disbursed directly to student emergency financial aid grants to date was reported as 961 and total for all HEERF funds was 1,124; based on our review, we determined the supported numbers were 988 and 1,151, respectively. ? PCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarters ending September 30, 2021 and December 31, 2021 as 3,191; based on our review, we determined this amount could not be supported and PCC did not provide a revised count. Why did these problems occur? FRCC, PCC, and LCC campuses did not have procedures in place to ensure that supporting documentation was maintained for its Student Aid Quarterly Reporting. Employee turnover in the FRCC Controller position and FRCC, PCC, and LCC Student Financial Aid Director positions further contributed to FRCC, PCC, and LCC?s inability to locate or recreate the supporting documentation. Why do these problems matter? It is important for FRCC, PCC, and LCC to ensure that they obtain and maintain appropriate documentation to support amounts reported to federal awarding agencies, especially when they are the basis for determining FRCC, PCC, and LCC?s compliance with specific federal program requirements. This issue could lead to inaccurate federal reporting and potential noncompliance, which could result in the federal government requiring FRCC, PCC, and LCC to return funds or a negative impact to the System?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-059 Front Range Community College, Lamar Community College, and Pueblo Community College campuses should strengthen their internal controls over federal reporting and ensure they comply with the Higher Education Emergency Relief Fund reporting requirements by reviewing reports for accuracy and developing procedures for ensuring the required maintenance of all related supporting documentation. Response Front Range Community College Agree Implementation Date: September 2022 Moving forward the Director of Financial Aid will engage the Restricted Funds Accountants in a quality assurance review of both dollars spent, type of fund, and student counts before it is submitted for final review and publishing by the Director of Resource Development and Senior Grant Administrator. The most recently submitted information for the quarterly report of September 30, 2022 will be sent to the Restricted Funds Accountants to validate that FRCC has been and will continue to be in compliance for quarterly HEERF reporting. Response Lamar Community College Agree Implementation Date: July 2022 The Financial Aid Director and the Controller will compile their reporting support on the shared drive they utilize for other routine purposes as well, to ensure clear documentation of the numbers reported. The original report containing errors was corrected, validated, and reposted. All past year?s reporting data was made available on the shared drive as of July 2022. Response Pueblo Community College Agree Implementation Date: October 2022 Each quarter Financial aid will obtain and compare Cognos and Banner disbursement reports for accuracy. Once the unduplicated student count is determined it will be sent to the Vice President of Student Success to validate and approve going forward. Financial aid will ensure staff maintain supporting documentation for any institutional expenditures information that was obtained from the fiscal office. Disbursement and expenditure data will be compiled for the Department of Education?s Quarterly Report by the submission deadline and will be submitted as PDF to webmaster for posting on PCC?s website and a copy emailed to a contact at the Department of Education and will archive the submission for future reference.
Finding 2022-062 Higher Education Emergency Relief Fund Student Aid Finding The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to higher education institutions, including the University, under the HEERF program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA) was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. Since March 11, 2021, the University has been awarded $45.6 million in HEERF grant funds through the American Rescue Plan (ARP), otherwise known as HEERF III. Of this award, the University was provided both 1) Student Aid monies, along with 2) Institutional Aid monies. Student Aid monies must be used to provide financial aid grants to students (including students exclusively enrolled in distance education), which may be used for ?any component of the student?s cost of attendance or for emergency costs that arise due to coronavirus, such as tuition, food, housing, healthcare (including mental health care), or childcare. Institutional Aid monies may be used to defray expenses associated with coronavirus (including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll) and to make additional financial grants to students. During Fiscal Year 2022, the University spent $21.0 million for the Student Aid portion and $20.2 million for the Institutional portion of HEERF III funds. For the Student Aid portion of the HEERF III funding, the University divided the funding into different groups. The University developed a written plan (that applied during Fiscal Year 2022) for each group and a control process for awarding the monies to students. One of the groups of funding was to be awarded to students with unpaid balances in their tuition or auxiliary accounts with past due balances incurred during the 2020-2021 or 2021-2022 academic years. A team of University employees (CARES Team) was tasked with identifying those students, then contacting those students and asking if they would like the University to apply the student?s HEERF award to pay down the student?s account balance or pay it to the student directly. Once the student informed the University of their election, then the University awarded and disbursed the funds. What was the purpose of our audit work and what was performed? The purpose of the audit work was to determine whether the University was in compliance with the HEERF program regulations for awarding and paying the Student Aid portion of the HEERF funding, and whether proper controls were in place over the program during Fiscal Year 2022. Our testing included conducting interviews with management and selecting a sample of 60 disbursements made to students during Fiscal Year 2022 to test controls and compliance. We performed testing on the 60 disbursements to determine whether awards and disbursements were made in accordance with the University?s documented plan. How were the results of the audit work measured? In accordance with HEERF III requirements, the University must prioritize student aid distributions to students with exceptional needs. In addition, the University must have a documented plan to distribute funds to students. Federal regulations [2 CFR 200.303] require any non-federal grant award recipient to establish and maintain effective internal control over the federal award that provides reasonable assurance that the grant award recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. Lastly, student aid application best practices discourage employees from awarding aid to family members. What problem did the audit work identify? Based on interviews with University management, the University identified that a University employee inappropriately provided $700 in HEERF Student Aid funding to the employee?s family member who was a student at the University but was not eligible to receive the funds. Specifically, the CARES Team selected students to receive these funds that met the following criteria: 1) Student was enrolled in the Fall of 2021 or Spring 2022, 2) student had past due balances incurred during the 2020-2021 or 2021-2022 academic years, 3) the student was in good academic standing, and 4) they were participating in a payment plan or in the College Completion Advising program. The student was not selected by the CARES Team as eligible to receive these funds. During our testing of additional 60 student disbursement transactions we found no other exceptions. Why did this problem occur? The University has not established proper segregation of duties to prevent University employees from awarding federal funding to a member of their family. Specifically, the employee had access rights within the University?s financial aid system that granted the employee the ability to both award and disburse federal funds without another employee reviewing or approving. In addition, the University did not have a written policy, as recommended by industry best practices, that prohibits employees from applying aid to family members? accounts. Why does this problem matter? Federal funds that are misapplied or used for unallowable purposes could be subject to repayment from the University to the federal granting agency. Without ensuring adequate segregation of duties within the University?s financial aid system for awarding and disbursing federal funds, the University increases the risk that fraud could occur. In the instance identified, the University recovered the funding from the student. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-062 Metropolitan State University of Denver (University) should improve its internal controls over federal Higher Education Emergency Relief Funds by instituting appropriate segregation of duties over the awarding of federal funds to students. This should include requiring that no one employee can both award then disburse aid to students and developing and implementing a formal written policy that prohibits University employees from awarding financial aid to their family members. Response Metropolitan State University Agree Implementation Date: June 2023 In January 2023, the Executive Director of Financial Aid and Scholarships implemented a code of conduct that addresses and prohibits University personnel from awarding financial aid to their family members or other persons considered conflicts of interest. The Office of Financial Aid and Scholarships will draft policy by June 30, 2023, to address the segregation of duties that prohibits awarding and disbursing federal, state, or institutional funding to students by one employee.
Finding 2022-063 Higher Education Emergency Relief Fund Reporting Compliance Finding The CARES Act was signed into law on March 27, 2020, and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the (HEERF Program. CRRSAA was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Since April 2020, the University has been awarded a total of $86.3 million in HEERF funding. From inception through June 30, 2022, the University spent $35.4 million for the HEERF program Student Aid Portion and $48.9 million for the HEERF program Institutional Portion. The University reports that it will spend the remaining amount of funding during Fiscal Year 2023. The University signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate the University?s acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The ED specified that Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The annual report is to be submitted directly to the federal ED. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University had adequate internal controls in place over and complied with HEERF Institutional and Student Aid Portion grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the University?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 5 of the 8 HEERF reports submitted by the University during Fiscal Year 2022 to determine whether the reports were posted on the University?s primary website or submitted directly to the ED by the federal due dates and complied with federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? For the Student Aid Portion, beginning on May 6, 2020, the ED required institutions to publicly post certain information on their website, including the number of awards distributed to students, the total amount awarded, and the methodologies used by the institution to determine which students receive awards, no later than 30 days after the award date, and to update that information every 45 days thereafter (by posting a new report). ? On August 31, 2020, the ED revised the reporting requirement by decreasing the frequency of reporting after the initial 30-day period from every 45 days thereafter to every calendar quarter. This revision from every 45 days to a calendar quarter was effective for the first calendar quarter report due by October 10, 2020, and covering the period from after the institution?s last report through the end of the calendar quarter on September 30, 2020. ? For the Institutional Portion, a federal form filled out by the institution must be posted on the institution?s website covering aggregate expenditure amounts for each calendar quarter (September 30, December 31, March 31, and June 30) and concluding after an institution has spent the institutional portion of their HEERF Funds. The institution must post their first report by October 30, 2020, the first quarter of 2021 report by July 20, 2021, and post all other reports no later than 10 days after the end of each calendar quarter (October 10, January 10, April 10, and July 10). ? Section 18004(e) of the CARES Act and Section 314(e) of the CRRSAA require an institution receiving funds under HEERF to submit a report to the Secretary of the ED at ?such time in such a manner as the Secretary may require?. ? Federal regulation [2 CFR 200.334] states that ?financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.? The instructions for the Quarterly HEERF Reporting Form notes, ?any changes or updates after the initial posting must be conspicuously noted after initial posting and the date of the change must be noted in the `Date of Report? line.? ? Federal regulation [2 CFR 200.303] states that the University, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The University signed a HEERF Certification and Agreement to accept the funding and acknowledge its responsibilities under the grant; therefore, the University was responsible under the Agreement to ensure that it complied with HEERF reporting and other requirements. What problems did the audit work identify? We determined that 2 out of 5 reports tested (40 percent) did not meet the HEERF grant report posting requirements. Specifically: ? The University did not post the HEERF CRRSAA Student quarterly report for the quarter ending September 30, 2021 on the University?s primary website, as required. ? The University published the HEERF ARP Student quarterly report for the quarter ending March 31, 2022 on May 26, 2022?46 days past the due date of April 10, 2022. No issues were noted on the accuracy of the financial information on this report. Why did these problems occur? The University did not implement adequate internal controls to ensure it complied with the HEERF grant reporting requirements. Specifically, the University did not have appropriate policies and procedures in place to ensure that staff submit the required reports within federally required timeframes. Why do these problems matter? Federal oversight agencies, including ED, depend on accurate reports to measure program results and states? compliance with federal requirements. By failing to report the HEERF spending information in accordance with federal regulations, the University failed to comply with the requirements of the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-063 Metropolitan State University of Denver (University) should strengthen its internal controls over reporting and ensure it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by developing and documenting policies and procedures for identifying and researching the specific reporting requirements and ensuring that staff post to the University?s website the required reports within federally required timeframes. In addition, the University should ensure that all the HEERF reports that are currently required to be posted are on the website. Response Metropolitan State University Agree Implementation Date: December 2022 In December 2022, the Office of Financial Aid strengthened its internal control over the reporting requirements for the Higher Education Emergency Relief Fund (HEERF), by adding the report due dates to the internal operational calendar. Additional level reviews were also added to the submission process before the required reports will be sent to the Department of Education and posted on the financial aid website.
Finding 2022-064 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide emergency financial assistance to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the University under the Higher Education Emergency Relief Fund (HEERF I) Program. The federal Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the federal American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Each of the University?s campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (DOE) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements of the HEERF program there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The DOE specified that the Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The University?s campuses are required to submit the annual report directly to the DOE. During Fiscal Year 2022, each University campus was required to complete and post 8 reports (four Student Aid and four Institutional) to their website. During Fiscal Year 2022, the University?s three campuses in total expended approximately $60 million in HEERF grant funds: $27 million was expended by the Boulder campus, $10.5 million was expended by the Colorado Springs campus, and $22.5 million was expended by the Denver campus. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over and complied with the HEERF grant reporting requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls over the HEERF grant reporting requirements. In addition, we tested 11 of the 12 student reports and 3 of the 12 institutional reports posted by the University during Fiscal Year 2022 to determine whether the University campuses posted the required information on each campus? website accurately, and by the federal due dates. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? The DOE issued a notice on May 13, 2021, requiring institutions to publicly post their required HEERF reports on the institution?s website as soon as possible, but no later than 30 days after the publication of the notice, or 30 days after the date the DOE first obligated funds under HEERF I, II, or III to the institution for emergency financial assistance to students; whichever comes later. The institution is required to post the report no later than 10 days after the end of each calendar quarter, after the initial posting. ? Federal regulation [2 CFR 200.303] states that the System?s campuses, as federal grant recipients, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? What problem did the audit work identify? We identified 2 out of the 14 reports tested (14.3 percent) that did not meet the HEERF grant report posting requirements. Specifically, the University of Colorado, Colorado Springs Campus, did not post the required information for the HEERF Student Aid Portion on its website for two of four quarters of Fiscal Year 2022 timely. First, the University posted the quarter-ending September 30, 2021 report to its website on December 23, 2021, or 74 days after the deadline of October 10. Second, the University did not post the quarter-ending March 31, 2022 report, which was due April 10, 2022, until October 2022, after we notified them of the error; this was approximately 6 months late. We did not identify any issues with the accuracy of the reports, and we found that the other two campuses in the University of Colorado System posted the required information on their respective websites as required by federal regulations. Why did this problem occur? The University?s Colorado Springs campus did not have adequate internal controls in place to ensure it complied with the HEERF grant reporting requirements. Specifically, the Colorado Springs Campus did not have appropriate policies and procedures in place for identifying and researching changes in HEERF reporting requirements. The federal government updated and provided a new form for HEERF reporting in September 2021 that included a section for institutional information but inadvertently excluded student information from the form. Because the form no longer required the student information, the Colorado Springs campus staff inaccurately assumed that the student information was no longer required to be reported. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in the DOE Certification and Agreement that is signed and agreed to by the University. By failing to report required information in accordance with federal regulations, the University failed to comply with the requirements of the HEERF program and potentially risks repercussions from the DOE as specified in the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-064 The University of Colorado?s Colorado Springs campus should strengthen its internal controls over and ensure that it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by establishing policies and procedures for identifying and researching changes in HEERF reporting requirements and posting reports to the campus website as required by federal regulations. Response University of Colorado Agree Implementation Date: Implemented Management agrees. After the notification of the missing HEERF report in December 2021, the UCCS Controller proposed a ?cross-check? process to ensure all future reporting is in compliance and reported in a timely manner. This process is used for both the quarterly and annual reporting process. In the quarterly reporting process, the UCCS Controller completes the institutional report and emails the report to the UCCS Financial Aid office Senior Executive Director for verification of the amounts and the data submitted. The Senior Executive Director then enters the student aid portion?s information and provides this to the UCCS Controller for verification of the data. Once verified, the report is uploaded to the UCCS website and a confirmation email is sent to the UCCS Controller as well as the heerfreporting@ed.gov for verification of completion of the website posting. This process has been duplicated with the annual reporting process. Before the annual report is submitted a review will be done to verify the report figures match the CU financials for the calendar year.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Finding 2022-074 Coronavirus Relief Funds?Property Owner Preservation Program The President of the United States issued the Proclamation on Declaring a National Emergency Concerning the Novel Coronavirus Disease (COVID-19) Outbreak on March 13, 2020 and Congress subsequently passed the Coronavirus Aid, Relief, and Economic Security (CARES) Act. The CARES Act provided emergency assistance in response to the COVID-19 pandemic and established the Coronavirus Relief Fund (CRF) program, which provided payments to state, local, and tribal governments navigating the impact of COVID-19. The State of Colorado received approximately $1.67 billion of CRF funds in April 2020, and the Governor issued Executive Order 2020-070 (Executive Order) in May 2020 to disburse the CRF funds to numerous state departments and agencies. In June 2020, the State passed House Bill 20-1410, concerning assistance for individuals facing a housing-related hardship due to the COVID-19 pandemic, and transferred approximately $19.7 million of CRF funds to the Housing Development Grant Fund to provide such assistance. This bill includes a provision for the Property Owners Preservation Program (Program), which was managed by the Department, to allow landlords and property owners to seek rental assistance on behalf of their tenants who experienced a financial need on or after March 1, 2020, due to the effects of the COVID-19 pandemic. In Fiscal Year 2021, the Department expended the $19.7 million of the CRF funds it received in April 2020, for the Property Owners Preservation Program (POPP). What was the purpose of our audit work and what work was performed? The purpose of the audit work was to follow up on our prior year audit recommendation, which recommended that the Department implement internal controls to ensure it complies with federal regulations for any new federal funds it receives, such as the CRF. The Department planned to implement this recommendation by June 2022. During the Fiscal Year 2022 audit, we inquired with the Department on the implementation status of this recommendation. We also obtained and reviewed the Department?s Exhibit K3, Schedule of Prior Year Audit Recommendation Status, which it was required to submit to the State Controller. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Under House Bill 20-1410, the Housing Development Grant Fund was appropriated $19,650,000 of funds from the CRF for the purpose of providing individuals and households who, on or after March 1, 2020, experienced financial need due to the COVID-19 pandemic or effects of the COVID-19 pandemic, with rental assistance. The House Bill also provided guidance on how to access additional housing services. The Department developed and issued a new application for the POPP to address the criteria for experiencing direct or indirect impacts of the COVID-19 pandemic. ? Federal regulations [2 CFR 200.303] require that the Department, as a federal grant recipient, ?establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.? Furthermore, in accordance with 2 CFR part 200, subpart E, the Department must determine that amounts paid with federal grant funds were necessary and reasonable for the performance of the federal award and are adequately documented. Therefore, the Department must maintain appropriate supporting documentation to verify costs were properly charged to the federal grants. ? The Office of the State Controller (OSC) requires each department that had a prior audit recommendation that was reported in the prior fiscal year?s Office of the State Auditor Statewide audit to complete an Exhibit K3 to report the Department?s determination of the status of their recommendation as of June 30. Possible status descriptions include ?Implemented,? ?Partially Implemented,? ?Not Implemented,? and ?No Longer Valid.? The Department must provide an explanation for each recommendation status. What problem did the audit work identify? We determined that the Department did not implement the prior year?s recommendation by its planned implementation date of June 2022. Specifically, during prior year audit work, we found that the Department could not provide appropriate underlying support for 4 of the 60 transactions (7 percent) we tested that were charged as CRF expenditures for the Program; as a result, we recommended that the Department strengthen its internal controls over federal grant spending, including that it develop and implement policies and procedures with a requirement that Department staff review and maintain records supporting its expenditures charged to federal programs. When we inquired of the Department about what steps it had taken to implement the recommendation, Department staff indicated that they did not implement the recommendation during Fiscal Year 2022. Why did this problem occur? The Department reported on its Exhibit K3 that it determined that the original implementation date of June 2022 that the Department provided as its planned implementation date for our Fiscal Year 2021 recommendation was unrealistic, given the Department?s staffing challenges. Specifically, the Department indicated that it was not able to allocate sufficient time to develop and implement the recommended policy and procedure guidance by the end of Fiscal Year 2022. Why does this problem matter? The Department?s lack of sufficient internal controls over the maintenance of complete and accurate records for the federal CRF monies could result in inadequate documentation to support its payments and ultimately, disallowed federal costs and potential sanctions. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-074 The Department of Local Affairs (Department) should implement internal controls to ensure it complies with federal regulations, specifically for activities allowed or unallowed and allowable costs/cost principles, for any new federal funds it receives, such as the Coronavirus Relief Fund. This should include developing and implementing policies and procedures that include a requirement that Department staff review and maintain records supporting the expenditures charged to the federal program. Response Department of Local Affairs Agree Implementation Date: September 2022 The Division of Housing within the Department of Local Affairs has implemented internal controls to ensure compliance with federal regulations for new federal funds, including the development of a standard procedure and the requirement that Department staff review and maintain records supporting the expenditures charged to new federal programs.
Finding 2022-042 Federal Funding Accountability and Transparency Act The Federal Funding Accountability and Transparency Act (Transparency Act or FFATA) was created to empower Americans with the ability to hold the government accountable for each spending decision and, as a result, to reduce wasteful spending by the government. The Transparency Act requires the federal government to make certain information on federal awards available to the public. In order to obtain this information, the federal government requires grant recipients to provide information to it. For example, the federal Department of Education (DOE) requires the Department to report information about subgrants, or subawards, it gives to other governments or to nonprofit organizations (also referred to as subrecipients) from the DOE grants it receives. Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the Department, to an entity to carry out part of a Federal grant award received by the pass-through entity. The Department is specifically required to file FFATA reports through the FFATA Subaward Reporting System (FSRS). Once the Department submits a report to FSRS, the public can view certain information from the report, including the subrecipient?s name, subaward identification number, subaward obligation/action date, subaward amount, federal awarding agency and subagency, the Department?s name, and the Department?s grant award identification number. The Department is required to file a FFATA report in the following circumstances: ? If the initial award is equal to or more than $30,000; ? If subsequent grant modifications result in a total award are equal to or more than $30,000; ? If the initial award is equal to or more than $30,000 but funding is subsequently de-obligated such that the total award amount falls below $30,000. The Department?s required FFATA reports for Fiscal Year 2022 included information on Title I Grants to Local Education Agencies [ALN 84.010] and COVID-19 Education Stabilization Fund (ESF) [84.425], specifically Elementary and Secondary School Emergency Relief (ESSER) Fund [84.425D] and American Rescue Plan - Elementary and Secondary School Emergency Relief (ARP ESSER) [84.425U]. FFATA reporting was required for the Department because the Department passed through funds to one or more subrecipients for both programs in excess of $30,000. The Department is required to report the subaward information in FSRS no later than the end of the month following the month in which the award was made. According to the Department, during Fiscal Year 2022, it was required to submit and revise 180 and 450 FFATA reports for the Title I and ESF programs, respectively. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department had adequate internal controls over FFATA reporting during Fiscal Year 2022 and whether the information in the Department?s submitted FFATA reports was accurate and submitted in a timely manner. We requested a list of all Title I and ESF subawards made by the Department during Fiscal Year 2022. We then selected a sample of 18 Title I and 29 ESF subawards and requested copies of the FFATA reports that were uploaded to the FSRS system by the Department. The full FFATA reports are only accessible by the Department and are not fully viewable on FSRS. Once the Department provided copies of the uploaded reports, we then reviewed the FFATA reports within FSRS for each subaward selected for testing to determine if the FFATA report was made in a timely manner in accordance with federal regulations. How were the results of the audit work measured? In accordance with federal regulations [2 CFR 170], direct recipients of federal grants are required to report subawards of $30,000 or more to FSRS by the end of the month following the month in which the award was made. For example, the Department would have to submit a FFATA report to FSRS in May 2022 if an award or supplemental award equal to or greater than $30,000 was made in April 2022. The FFATA reports are required to include the following key data elements: ? Subrecipient name ? Subrecipient DUNS number ? Amount of subaward ? Subaward obligation/action date ? Date of report submission ? Subaward number ? Subaward project description ? Subrecipient names and compensation of highly compensated officers Transparency Act reporting requirements outlined on the FSRS website prescribe certain information that must be reported for these subawards, including the name of the entity receiving the award, the award amount, funding agency, and unique identifier of the entity. Federal regulations [2 CFR 200.303] require the non-Federal entity, in this instance the Department, to establish and maintain effective internal controls over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. What problems did the audit work identify? Based on our audit testwork, for the sample we tested, we determined that the Department was late in reporting all 18 of 18 Title I subawards in FSRS, by an average of 3 to 4 months, and failed to report 1 of 29 ESF subawards by the time of our audit, which represented a delay of approximately 16 months; and was late in reporting 2 of 29 ESF subawards by approximately 7 and 10 months, respectively. Collectively, these subawards totaled about $30 million for Fiscal Year 2022. The following tables summarize the results of our testing and group each exception within the following categories: Subaward Not Reported and Report Not Timely. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Why did these problems occur? The Department reported that an influx in pandemic funding resulted in the Department experiencing a 233 percent volume increase in funding distributions and to more than 5,000 submissions and resubmissions in its required Fiscal Year 2022 FFATA reporting for all federal programs managed by the Department?s grant fiscal team. The Department indicated that its grant fiscal team also experienced staff turnover and vacancies during the year and the Department did not adequately reassign resources to ensure FFATA reporting requirements were identified and that reports were submitted on time. Initially, only one FTE was dedicated to FFATA reporting. During the year, the Department allocated a portion of the FFATA workload to another existing FTE and added an additional FTE in May 2022 to work on reconciling FFATA submissions; as a result, Department staff identified the two submissions previously missed, but the reallocations and reconciliations were not made in time to ensure the Department met all of its required FFATA report submission timelines. In addition, Department staff indicated that they made a conscious decision to not report the Title I subawards until May 2022?even though the initial subawards were finalized in January 2022?because the Department had historically received multiple funding allocations in addition to the initial allocation that required FFATA reporting for each allocation for up to 178 subawardees. However, the Department did not communicate with the federal awarding agency to determine whether waiting until it received all related allocations to submit its FFATA reports was appropriate. During the majority of Fiscal Year 2022, the Department also did not have a control, such as a reconciliation, to help identify subawards that went unreported during the fiscal year. Why do these problems matter? By failing to properly report FFATA subawards through FSRS, the Department is out of compliance with federal reporting requirements and risks federal sanctions. In addition, the Department fails to meet the federal intent of transparency for federal program spending. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-042 The Department of Education (Department) should strengthen its internal controls over, and ensure it complies with requirements under, the Federal Funding Accountability and Transparency Act (Transparency Act or FFATA) reporting by: A. Improving the Department?s process for determining the timing of reporting within the FFATA Subaward Reporting System. This process should include appropriately allocating staff resources for reporting responsibilities, and considerations such as expected future award allocations and communications with the federal awarding agency when it is determined to not be feasible to report information in a timely manner. B. Continuing to develop and implement reconciliation procedures to identify subawards that went unreported during the fiscal year. Response Department of Education A. Agree Implementation Date: December 31, 2022 We agree with this recommendation. In recent years, the Federal Government had multiple continuing resolutions in their budget process, resulting in CDE?s Title I allocations coming in multiple iterations. For the last several years, CDE has received revised allocations from the US Department of Education for the fiscal year as late as early summer; in one example, we received six revisions. With staffing shortages and the administrative burden to continuously revise, research issues and update FFATA for each allocation change, CDE took the step to report only the final allocation to FFATA, which was reported as of the month the awardee was awarded. However, the report was submitted later in the fiscal year. CDE will take a two-fold approach to rectify the issue related to the required FFATA reporting for Title I. First, we will report to FSRS the initial awards within 30 days following the date the awardee was provided final approval on their award. This is consistent with CDE?s approach to all other federal awards. Second, we will monitor the continuing resolutions and changes in allocations, and report only the net changes to each awardee, in the month those changes occur from the US Department of Education. Thereby, FSRS will represent the total revised award. In addition to this approach, all Title I awards will continue to be a part of our regular FFATA reconciliation process. B. Agree Implementation Date: December 31, 2022 We agree with this recommendation. CDE identified its own failure to report two ESSER subawards to FFATA within 30 days as part of the successful development and implementation of a FFATA-specific reconciliation process in Summer 2022. CDE will continue to refine and improve its FFATA reconciliation process.
Finding 2022-042 Federal Funding Accountability and Transparency Act The Federal Funding Accountability and Transparency Act (Transparency Act or FFATA) was created to empower Americans with the ability to hold the government accountable for each spending decision and, as a result, to reduce wasteful spending by the government. The Transparency Act requires the federal government to make certain information on federal awards available to the public. In order to obtain this information, the federal government requires grant recipients to provide information to it. For example, the federal Department of Education (DOE) requires the Department to report information about subgrants, or subawards, it gives to other governments or to nonprofit organizations (also referred to as subrecipients) from the DOE grants it receives. Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the Department, to an entity to carry out part of a Federal grant award received by the pass-through entity. The Department is specifically required to file FFATA reports through the FFATA Subaward Reporting System (FSRS). Once the Department submits a report to FSRS, the public can view certain information from the report, including the subrecipient?s name, subaward identification number, subaward obligation/action date, subaward amount, federal awarding agency and subagency, the Department?s name, and the Department?s grant award identification number. The Department is required to file a FFATA report in the following circumstances: ? If the initial award is equal to or more than $30,000; ? If subsequent grant modifications result in a total award are equal to or more than $30,000; ? If the initial award is equal to or more than $30,000 but funding is subsequently de-obligated such that the total award amount falls below $30,000. The Department?s required FFATA reports for Fiscal Year 2022 included information on Title I Grants to Local Education Agencies [ALN 84.010] and COVID-19 Education Stabilization Fund (ESF) [84.425], specifically Elementary and Secondary School Emergency Relief (ESSER) Fund [84.425D] and American Rescue Plan - Elementary and Secondary School Emergency Relief (ARP ESSER) [84.425U]. FFATA reporting was required for the Department because the Department passed through funds to one or more subrecipients for both programs in excess of $30,000. The Department is required to report the subaward information in FSRS no later than the end of the month following the month in which the award was made. According to the Department, during Fiscal Year 2022, it was required to submit and revise 180 and 450 FFATA reports for the Title I and ESF programs, respectively. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department had adequate internal controls over FFATA reporting during Fiscal Year 2022 and whether the information in the Department?s submitted FFATA reports was accurate and submitted in a timely manner. We requested a list of all Title I and ESF subawards made by the Department during Fiscal Year 2022. We then selected a sample of 18 Title I and 29 ESF subawards and requested copies of the FFATA reports that were uploaded to the FSRS system by the Department. The full FFATA reports are only accessible by the Department and are not fully viewable on FSRS. Once the Department provided copies of the uploaded reports, we then reviewed the FFATA reports within FSRS for each subaward selected for testing to determine if the FFATA report was made in a timely manner in accordance with federal regulations. How were the results of the audit work measured? In accordance with federal regulations [2 CFR 170], direct recipients of federal grants are required to report subawards of $30,000 or more to FSRS by the end of the month following the month in which the award was made. For example, the Department would have to submit a FFATA report to FSRS in May 2022 if an award or supplemental award equal to or greater than $30,000 was made in April 2022. The FFATA reports are required to include the following key data elements: ? Subrecipient name ? Subrecipient DUNS number ? Amount of subaward ? Subaward obligation/action date ? Date of report submission ? Subaward number ? Subaward project description ? Subrecipient names and compensation of highly compensated officers Transparency Act reporting requirements outlined on the FSRS website prescribe certain information that must be reported for these subawards, including the name of the entity receiving the award, the award amount, funding agency, and unique identifier of the entity. Federal regulations [2 CFR 200.303] require the non-Federal entity, in this instance the Department, to establish and maintain effective internal controls over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. What problems did the audit work identify? Based on our audit testwork, for the sample we tested, we determined that the Department was late in reporting all 18 of 18 Title I subawards in FSRS, by an average of 3 to 4 months, and failed to report 1 of 29 ESF subawards by the time of our audit, which represented a delay of approximately 16 months; and was late in reporting 2 of 29 ESF subawards by approximately 7 and 10 months, respectively. Collectively, these subawards totaled about $30 million for Fiscal Year 2022. The following tables summarize the results of our testing and group each exception within the following categories: Subaward Not Reported and Report Not Timely. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Why did these problems occur? The Department reported that an influx in pandemic funding resulted in the Department experiencing a 233 percent volume increase in funding distributions and to more than 5,000 submissions and resubmissions in its required Fiscal Year 2022 FFATA reporting for all federal programs managed by the Department?s grant fiscal team. The Department indicated that its grant fiscal team also experienced staff turnover and vacancies during the year and the Department did not adequately reassign resources to ensure FFATA reporting requirements were identified and that reports were submitted on time. Initially, only one FTE was dedicated to FFATA reporting. During the year, the Department allocated a portion of the FFATA workload to another existing FTE and added an additional FTE in May 2022 to work on reconciling FFATA submissions; as a result, Department staff identified the two submissions previously missed, but the reallocations and reconciliations were not made in time to ensure the Department met all of its required FFATA report submission timelines. In addition, Department staff indicated that they made a conscious decision to not report the Title I subawards until May 2022?even though the initial subawards were finalized in January 2022?because the Department had historically received multiple funding allocations in addition to the initial allocation that required FFATA reporting for each allocation for up to 178 subawardees. However, the Department did not communicate with the federal awarding agency to determine whether waiting until it received all related allocations to submit its FFATA reports was appropriate. During the majority of Fiscal Year 2022, the Department also did not have a control, such as a reconciliation, to help identify subawards that went unreported during the fiscal year. Why do these problems matter? By failing to properly report FFATA subawards through FSRS, the Department is out of compliance with federal reporting requirements and risks federal sanctions. In addition, the Department fails to meet the federal intent of transparency for federal program spending. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-042 The Department of Education (Department) should strengthen its internal controls over, and ensure it complies with requirements under, the Federal Funding Accountability and Transparency Act (Transparency Act or FFATA) reporting by: A. Improving the Department?s process for determining the timing of reporting within the FFATA Subaward Reporting System. This process should include appropriately allocating staff resources for reporting responsibilities, and considerations such as expected future award allocations and communications with the federal awarding agency when it is determined to not be feasible to report information in a timely manner. B. Continuing to develop and implement reconciliation procedures to identify subawards that went unreported during the fiscal year. Response Department of Education A. Agree Implementation Date: December 31, 2022 We agree with this recommendation. In recent years, the Federal Government had multiple continuing resolutions in their budget process, resulting in CDE?s Title I allocations coming in multiple iterations. For the last several years, CDE has received revised allocations from the US Department of Education for the fiscal year as late as early summer; in one example, we received six revisions. With staffing shortages and the administrative burden to continuously revise, research issues and update FFATA for each allocation change, CDE took the step to report only the final allocation to FFATA, which was reported as of the month the awardee was awarded. However, the report was submitted later in the fiscal year. CDE will take a two-fold approach to rectify the issue related to the required FFATA reporting for Title I. First, we will report to FSRS the initial awards within 30 days following the date the awardee was provided final approval on their award. This is consistent with CDE?s approach to all other federal awards. Second, we will monitor the continuing resolutions and changes in allocations, and report only the net changes to each awardee, in the month those changes occur from the US Department of Education. Thereby, FSRS will represent the total revised award. In addition to this approach, all Title I awards will continue to be a part of our regular FFATA reconciliation process. B. Agree Implementation Date: December 31, 2022 We agree with this recommendation. CDE identified its own failure to report two ESSER subawards to FFATA within 30 days as part of the successful development and implementation of a FFATA-specific reconciliation process in Summer 2022. CDE will continue to refine and improve its FFATA reconciliation process.
Finding 2022-042 Federal Funding Accountability and Transparency Act The Federal Funding Accountability and Transparency Act (Transparency Act or FFATA) was created to empower Americans with the ability to hold the government accountable for each spending decision and, as a result, to reduce wasteful spending by the government. The Transparency Act requires the federal government to make certain information on federal awards available to the public. In order to obtain this information, the federal government requires grant recipients to provide information to it. For example, the federal Department of Education (DOE) requires the Department to report information about subgrants, or subawards, it gives to other governments or to nonprofit organizations (also referred to as subrecipients) from the DOE grants it receives. Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the Department, to an entity to carry out part of a Federal grant award received by the pass-through entity. The Department is specifically required to file FFATA reports through the FFATA Subaward Reporting System (FSRS). Once the Department submits a report to FSRS, the public can view certain information from the report, including the subrecipient?s name, subaward identification number, subaward obligation/action date, subaward amount, federal awarding agency and subagency, the Department?s name, and the Department?s grant award identification number. The Department is required to file a FFATA report in the following circumstances: ? If the initial award is equal to or more than $30,000; ? If subsequent grant modifications result in a total award are equal to or more than $30,000; ? If the initial award is equal to or more than $30,000 but funding is subsequently de-obligated such that the total award amount falls below $30,000. The Department?s required FFATA reports for Fiscal Year 2022 included information on Title I Grants to Local Education Agencies [ALN 84.010] and COVID-19 Education Stabilization Fund (ESF) [84.425], specifically Elementary and Secondary School Emergency Relief (ESSER) Fund [84.425D] and American Rescue Plan - Elementary and Secondary School Emergency Relief (ARP ESSER) [84.425U]. FFATA reporting was required for the Department because the Department passed through funds to one or more subrecipients for both programs in excess of $30,000. The Department is required to report the subaward information in FSRS no later than the end of the month following the month in which the award was made. According to the Department, during Fiscal Year 2022, it was required to submit and revise 180 and 450 FFATA reports for the Title I and ESF programs, respectively. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department had adequate internal controls over FFATA reporting during Fiscal Year 2022 and whether the information in the Department?s submitted FFATA reports was accurate and submitted in a timely manner. We requested a list of all Title I and ESF subawards made by the Department during Fiscal Year 2022. We then selected a sample of 18 Title I and 29 ESF subawards and requested copies of the FFATA reports that were uploaded to the FSRS system by the Department. The full FFATA reports are only accessible by the Department and are not fully viewable on FSRS. Once the Department provided copies of the uploaded reports, we then reviewed the FFATA reports within FSRS for each subaward selected for testing to determine if the FFATA report was made in a timely manner in accordance with federal regulations. How were the results of the audit work measured? In accordance with federal regulations [2 CFR 170], direct recipients of federal grants are required to report subawards of $30,000 or more to FSRS by the end of the month following the month in which the award was made. For example, the Department would have to submit a FFATA report to FSRS in May 2022 if an award or supplemental award equal to or greater than $30,000 was made in April 2022. The FFATA reports are required to include the following key data elements: ? Subrecipient name ? Subrecipient DUNS number ? Amount of subaward ? Subaward obligation/action date ? Date of report submission ? Subaward number ? Subaward project description ? Subrecipient names and compensation of highly compensated officers Transparency Act reporting requirements outlined on the FSRS website prescribe certain information that must be reported for these subawards, including the name of the entity receiving the award, the award amount, funding agency, and unique identifier of the entity. Federal regulations [2 CFR 200.303] require the non-Federal entity, in this instance the Department, to establish and maintain effective internal controls over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. What problems did the audit work identify? Based on our audit testwork, for the sample we tested, we determined that the Department was late in reporting all 18 of 18 Title I subawards in FSRS, by an average of 3 to 4 months, and failed to report 1 of 29 ESF subawards by the time of our audit, which represented a delay of approximately 16 months; and was late in reporting 2 of 29 ESF subawards by approximately 7 and 10 months, respectively. Collectively, these subawards totaled about $30 million for Fiscal Year 2022. The following tables summarize the results of our testing and group each exception within the following categories: Subaward Not Reported and Report Not Timely. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Why did these problems occur? The Department reported that an influx in pandemic funding resulted in the Department experiencing a 233 percent volume increase in funding distributions and to more than 5,000 submissions and resubmissions in its required Fiscal Year 2022 FFATA reporting for all federal programs managed by the Department?s grant fiscal team. The Department indicated that its grant fiscal team also experienced staff turnover and vacancies during the year and the Department did not adequately reassign resources to ensure FFATA reporting requirements were identified and that reports were submitted on time. Initially, only one FTE was dedicated to FFATA reporting. During the year, the Department allocated a portion of the FFATA workload to another existing FTE and added an additional FTE in May 2022 to work on reconciling FFATA submissions; as a result, Department staff identified the two submissions previously missed, but the reallocations and reconciliations were not made in time to ensure the Department met all of its required FFATA report submission timelines. In addition, Department staff indicated that they made a conscious decision to not report the Title I subawards until May 2022?even though the initial subawards were finalized in January 2022?because the Department had historically received multiple funding allocations in addition to the initial allocation that required FFATA reporting for each allocation for up to 178 subawardees. However, the Department did not communicate with the federal awarding agency to determine whether waiting until it received all related allocations to submit its FFATA reports was appropriate. During the majority of Fiscal Year 2022, the Department also did not have a control, such as a reconciliation, to help identify subawards that went unreported during the fiscal year. Why do these problems matter? By failing to properly report FFATA subawards through FSRS, the Department is out of compliance with federal reporting requirements and risks federal sanctions. In addition, the Department fails to meet the federal intent of transparency for federal program spending. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-042 The Department of Education (Department) should strengthen its internal controls over, and ensure it complies with requirements under, the Federal Funding Accountability and Transparency Act (Transparency Act or FFATA) reporting by: A. Improving the Department?s process for determining the timing of reporting within the FFATA Subaward Reporting System. This process should include appropriately allocating staff resources for reporting responsibilities, and considerations such as expected future award allocations and communications with the federal awarding agency when it is determined to not be feasible to report information in a timely manner. B. Continuing to develop and implement reconciliation procedures to identify subawards that went unreported during the fiscal year. Response Department of Education A. Agree Implementation Date: December 31, 2022 We agree with this recommendation. In recent years, the Federal Government had multiple continuing resolutions in their budget process, resulting in CDE?s Title I allocations coming in multiple iterations. For the last several years, CDE has received revised allocations from the US Department of Education for the fiscal year as late as early summer; in one example, we received six revisions. With staffing shortages and the administrative burden to continuously revise, research issues and update FFATA for each allocation change, CDE took the step to report only the final allocation to FFATA, which was reported as of the month the awardee was awarded. However, the report was submitted later in the fiscal year. CDE will take a two-fold approach to rectify the issue related to the required FFATA reporting for Title I. First, we will report to FSRS the initial awards within 30 days following the date the awardee was provided final approval on their award. This is consistent with CDE?s approach to all other federal awards. Second, we will monitor the continuing resolutions and changes in allocations, and report only the net changes to each awardee, in the month those changes occur from the US Department of Education. Thereby, FSRS will represent the total revised award. In addition to this approach, all Title I awards will continue to be a part of our regular FFATA reconciliation process. B. Agree Implementation Date: December 31, 2022 We agree with this recommendation. CDE identified its own failure to report two ESSER subawards to FFATA within 30 days as part of the successful development and implementation of a FFATA-specific reconciliation process in Summer 2022. CDE will continue to refine and improve its FFATA reconciliation process.
Finding 2022-042 Federal Funding Accountability and Transparency Act The Federal Funding Accountability and Transparency Act (Transparency Act or FFATA) was created to empower Americans with the ability to hold the government accountable for each spending decision and, as a result, to reduce wasteful spending by the government. The Transparency Act requires the federal government to make certain information on federal awards available to the public. In order to obtain this information, the federal government requires grant recipients to provide information to it. For example, the federal Department of Education (DOE) requires the Department to report information about subgrants, or subawards, it gives to other governments or to nonprofit organizations (also referred to as subrecipients) from the DOE grants it receives. Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the Department, to an entity to carry out part of a Federal grant award received by the pass-through entity. The Department is specifically required to file FFATA reports through the FFATA Subaward Reporting System (FSRS). Once the Department submits a report to FSRS, the public can view certain information from the report, including the subrecipient?s name, subaward identification number, subaward obligation/action date, subaward amount, federal awarding agency and subagency, the Department?s name, and the Department?s grant award identification number. The Department is required to file a FFATA report in the following circumstances: ? If the initial award is equal to or more than $30,000; ? If subsequent grant modifications result in a total award are equal to or more than $30,000; ? If the initial award is equal to or more than $30,000 but funding is subsequently de-obligated such that the total award amount falls below $30,000. The Department?s required FFATA reports for Fiscal Year 2022 included information on Title I Grants to Local Education Agencies [ALN 84.010] and COVID-19 Education Stabilization Fund (ESF) [84.425], specifically Elementary and Secondary School Emergency Relief (ESSER) Fund [84.425D] and American Rescue Plan - Elementary and Secondary School Emergency Relief (ARP ESSER) [84.425U]. FFATA reporting was required for the Department because the Department passed through funds to one or more subrecipients for both programs in excess of $30,000. The Department is required to report the subaward information in FSRS no later than the end of the month following the month in which the award was made. According to the Department, during Fiscal Year 2022, it was required to submit and revise 180 and 450 FFATA reports for the Title I and ESF programs, respectively. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department had adequate internal controls over FFATA reporting during Fiscal Year 2022 and whether the information in the Department?s submitted FFATA reports was accurate and submitted in a timely manner. We requested a list of all Title I and ESF subawards made by the Department during Fiscal Year 2022. We then selected a sample of 18 Title I and 29 ESF subawards and requested copies of the FFATA reports that were uploaded to the FSRS system by the Department. The full FFATA reports are only accessible by the Department and are not fully viewable on FSRS. Once the Department provided copies of the uploaded reports, we then reviewed the FFATA reports within FSRS for each subaward selected for testing to determine if the FFATA report was made in a timely manner in accordance with federal regulations. How were the results of the audit work measured? In accordance with federal regulations [2 CFR 170], direct recipients of federal grants are required to report subawards of $30,000 or more to FSRS by the end of the month following the month in which the award was made. For example, the Department would have to submit a FFATA report to FSRS in May 2022 if an award or supplemental award equal to or greater than $30,000 was made in April 2022. The FFATA reports are required to include the following key data elements: ? Subrecipient name ? Subrecipient DUNS number ? Amount of subaward ? Subaward obligation/action date ? Date of report submission ? Subaward number ? Subaward project description ? Subrecipient names and compensation of highly compensated officers Transparency Act reporting requirements outlined on the FSRS website prescribe certain information that must be reported for these subawards, including the name of the entity receiving the award, the award amount, funding agency, and unique identifier of the entity. Federal regulations [2 CFR 200.303] require the non-Federal entity, in this instance the Department, to establish and maintain effective internal controls over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. What problems did the audit work identify? Based on our audit testwork, for the sample we tested, we determined that the Department was late in reporting all 18 of 18 Title I subawards in FSRS, by an average of 3 to 4 months, and failed to report 1 of 29 ESF subawards by the time of our audit, which represented a delay of approximately 16 months; and was late in reporting 2 of 29 ESF subawards by approximately 7 and 10 months, respectively. Collectively, these subawards totaled about $30 million for Fiscal Year 2022. The following tables summarize the results of our testing and group each exception within the following categories: Subaward Not Reported and Report Not Timely. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Why did these problems occur? The Department reported that an influx in pandemic funding resulted in the Department experiencing a 233 percent volume increase in funding distributions and to more than 5,000 submissions and resubmissions in its required Fiscal Year 2022 FFATA reporting for all federal programs managed by the Department?s grant fiscal team. The Department indicated that its grant fiscal team also experienced staff turnover and vacancies during the year and the Department did not adequately reassign resources to ensure FFATA reporting requirements were identified and that reports were submitted on time. Initially, only one FTE was dedicated to FFATA reporting. During the year, the Department allocated a portion of the FFATA workload to another existing FTE and added an additional FTE in May 2022 to work on reconciling FFATA submissions; as a result, Department staff identified the two submissions previously missed, but the reallocations and reconciliations were not made in time to ensure the Department met all of its required FFATA report submission timelines. In addition, Department staff indicated that they made a conscious decision to not report the Title I subawards until May 2022?even though the initial subawards were finalized in January 2022?because the Department had historically received multiple funding allocations in addition to the initial allocation that required FFATA reporting for each allocation for up to 178 subawardees. However, the Department did not communicate with the federal awarding agency to determine whether waiting until it received all related allocations to submit its FFATA reports was appropriate. During the majority of Fiscal Year 2022, the Department also did not have a control, such as a reconciliation, to help identify subawards that went unreported during the fiscal year. Why do these problems matter? By failing to properly report FFATA subawards through FSRS, the Department is out of compliance with federal reporting requirements and risks federal sanctions. In addition, the Department fails to meet the federal intent of transparency for federal program spending. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-042 The Department of Education (Department) should strengthen its internal controls over, and ensure it complies with requirements under, the Federal Funding Accountability and Transparency Act (Transparency Act or FFATA) reporting by: A. Improving the Department?s process for determining the timing of reporting within the FFATA Subaward Reporting System. This process should include appropriately allocating staff resources for reporting responsibilities, and considerations such as expected future award allocations and communications with the federal awarding agency when it is determined to not be feasible to report information in a timely manner. B. Continuing to develop and implement reconciliation procedures to identify subawards that went unreported during the fiscal year. Response Department of Education A. Agree Implementation Date: December 31, 2022 We agree with this recommendation. In recent years, the Federal Government had multiple continuing resolutions in their budget process, resulting in CDE?s Title I allocations coming in multiple iterations. For the last several years, CDE has received revised allocations from the US Department of Education for the fiscal year as late as early summer; in one example, we received six revisions. With staffing shortages and the administrative burden to continuously revise, research issues and update FFATA for each allocation change, CDE took the step to report only the final allocation to FFATA, which was reported as of the month the awardee was awarded. However, the report was submitted later in the fiscal year. CDE will take a two-fold approach to rectify the issue related to the required FFATA reporting for Title I. First, we will report to FSRS the initial awards within 30 days following the date the awardee was provided final approval on their award. This is consistent with CDE?s approach to all other federal awards. Second, we will monitor the continuing resolutions and changes in allocations, and report only the net changes to each awardee, in the month those changes occur from the US Department of Education. Thereby, FSRS will represent the total revised award. In addition to this approach, all Title I awards will continue to be a part of our regular FFATA reconciliation process. B. Agree Implementation Date: December 31, 2022 We agree with this recommendation. CDE identified its own failure to report two ESSER subawards to FFATA within 30 days as part of the successful development and implementation of a FFATA-specific reconciliation process in Summer 2022. CDE will continue to refine and improve its FFATA reconciliation process.
Finding 2022-065 Research and Development Cluster Equipment Management Compliance The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D activities conducted under these awards vary greatly. The objective of an individual project is explained in the federal award document. R&D activities at the University are subject to federal equipment management requirements. In accordance with Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), Section 201.1 Definitions, equipment is defined as tangible personal property (including information technology systems) having a useful life of more than one year and a per-unit acquisition cost which equals or exceeds the lesser of the capitalization level established by the non-Federal entity for financial statement purposes, or $5,000. The University uses equipment to meet the objective of its various research projects and this equipment may be common items such as a microscope or very complex scientific equipment, Under federal regulations, the University is required, for any equipment purchased under a federal contract, to maintain and track the equipment as to its location. The University must have an internal control structure in place in order to protect and safeguard the equipment and the University should be able to provide evidence that the equipment is safeguarded and maintained and show the location of all equipment. The Campus Controller?s Property Accounting Office (PAO) within the Boulder campus is responsible for equipment and property management. The PAO sends its full equipment listing quarterly to a portion of its individual departments with equipment, in a frequency to cover all departments within a two-year period. The individual departments are required to review the equipment listing, add any new equipment to the listing, and remove any equipment from the listing that has been disposed of or is no longer in service. Once the departments return the listings to the PAO, the PAO selects a sample to verify the information provided by the departments. The PAO selects the sample and the PAO Property Accountant then verifies the equipment?s existence by performing a site visit to the department and observing the equipment. The PAO selects a new sample each quarter. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million and $6 million from the Boulder, Denver and UCCS campuses, respectively. Of that amount, the University?s three campuses expended a total of approximately $191 million for equipment purchases, with $116 million, $69.6 million, and $5.4 million being spent by the Boulder, Denver, and UCCS campuses, respectively. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D Cluster?s equipment management requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls related to the R&D equipment management requirements. We tested 60 items of equipment with a total value of $1.2 million to determine whether the University appropriately safeguarded and maintained equipment, as required by federal regulations. In addition, we tested 40 of the 60 items of equipment with a total value of $840,000 to determine whether the University?s campuses appropriately placed property tags on the equipment as required by University policy. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.313(b) states that a State must use, manage and dispose of equipment acquired under a federal award to the State in accordance with the state laws and procedures. The University?s Property Control Manual section 1.3 states that the University is responsible and accountable for all property acquired with federal funding in accordance with federal regulations and the provision of a sponsored award. While under the heading of ?non-federal entities other than States,? federal regulation 2 CFR 200.313(c) through (e) also requires that equipment records be maintained, a physical inventory of equipment be taken at least once every two years and reconciled to the equipment record, an appropriate control system be used to safeguard equipment and all equipment shall be adequately maintained. ? The University?s Property Control Manual Section 3.3.1 states that ?only items having an acquisition cost of $5,000 or more are logged and tracked in the university property record.? Furthermore, the University?s Property Control Manual Section 3.3.3, states that equipment records should be updated for any changes discovered during the performance of an inventory over equipment. This would include equipment that should be removed from the listing because it was disposed of or is no longer in service. ? The University?s Property Control Manual section 3.2 states that ?All Government property at $5,000 or above in the custody of the Boulder campus must be tagged.? What problems did the audit work identify? We found that 2 of the 60 equipment items that we tested (3 percent,) with a total value of $39,400, were inappropriately included on the equipment listing even though they had either been disposed of in a prior period or were not in service. Specifically, one equipment item with an approximate value of $28,000 was no longer in service by the University, but still remained on the University?s inventory listing. The second equipment item with an approximate value of $8,400 was disposed of by the University on October 3, 2017, but was still on the list. In addition, we determined that 2 of the 40 equipment items we tested for tagging (5 percent) did not contain the tag as required by the University?s Property Control Manual. One of these items was valued at approximately $28,000. The second item was valued at approximately $31,000. Why did these problems occur? The University?s Boulder campus did not have adequate internal controls in place to ensure it complied with the R&D equipment management requirements. Specifically, although the University does have policies over equipment, Boulder campus staff were not adequately performing the procedures intrinsic in the policy. Specifically, neither the PAO nor the individual University departments adequately reconciled the equipment listing to the physical equipment on hand, which resulted in the list including equipment that had been disposed of or was no longer in use. Additionally, the Boulder Campus did not follow its own policies and procedures requiring that equipment with a value of $5,000 was appropriately tagged. One item?s tag was missing and a replacement tag had been ordered and not received at the time of our procedures. We could not determine whether the University identified that the tag was missing before we requested the information for review. The second item was below ground and the University did not maintain evidence of the original tag. Why do these problems matter? The University is obligated to adhere to specified requirements as outlined by federal regulations and the respective award agreement. By failing to adhere to the requirements for maintenance of equipment, the University potentially risks repercussions from the awarding agency. Furthermore, failing to properly maintain the equipment in accordance with federal and University requirements could increase the risk of theft or loss and decrease the ability of the University to adequately identify theft or loss. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-065 The University of Colorado?s Boulder campus should strengthen its internal controls over equipment management and ensure that it complies with the Research and Development equipment management federal compliance requirements by: A. Ensuring the Campus Controller?s Property Accounting Office and the individual departments adequately reconcile the equipment listing to the physical equipment on hand to ensure that the list is accurate, and remove equipment from the listing that has been disposed of or is no longer in use. B. Enforcing its current policies and procedures for ensuring all equipment is appropriately tagged and maintained. Response University of Colorado A. Agree Implementation Date: March 2023 Management agrees with the recommendation. Procedures have been initiated with cross campus partners and will be fully implemented by March 2023. The proposed corrective action plan is as follows: ? Escalation procedures will be implemented in collaboration with campus partners so that action items identified in inventory reviews are addressed timely. ? The Campus Controller?s Office will work with campus partners to increase physical monitoring procedures to ensure tags are affixed and maintained on equipment. B. Agree Implementation Date: March 2023 Management agrees with the recommendation. Procedures have been initiated with cross campus partners and will be fully implemented by March 2023. The proposed corrective action plan is as follows: ? Escalation procedures will be implemented in collaboration with campus partners so that action items identified in inventory reviews are addressed timely. ? The Campus Controller?s Office will work with campus partners to increase physical monitoring procedures to ensure tags are affixed and maintained on equipment.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-076 Compliance with Federal Subrecipient Monitoring Requirements The Department receives federal grant funds directly from the federal government for the Highway Planning and Construction Program (Program) and then subgrants, or passes through, a portion of the funds to cities and counties and other organizations that are considered to be either a subrecipient or a contractor. A subrecipient is a non-federal entity that expends federal awards received from a pass-through entity to carry out a federal program, but does not include an individual that is a beneficiary receiving direct payments from such a program. A contractor is a dealer, distributor, merchant, or other seller providing goods or services that are required to conduct a federal program; these goods or services may be for an organization?s own use or for the use of beneficiaries of the federal program. The Department executes an Intergovemental Agreement (IGA) between the Department and the subrecipient. Under Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), the Department is responsible for evaluating each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward and for ultimately ensuring the subrecipient is determined eligible. In some instances, in coordination with the Federal Highway Association (FHWA), a Metropolitan Planning Organization (MPO)? rather than the primary recipient, such as the Department?is responsible for performing eligibility determinations. As such, in those instances, the Department does not perform risk-assessments on these contracts and only is responsible for on-going monitoring. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department had effective internal controls in place and complied with subrecipient monitoring activities for the Program during Fiscal Year 2022. As part of our audit work, we reviewed the Department?s internal controls over compliance for subrecipient monitoring requirements for the Program, including the Department?s policies and procedures. We tested a random sample of 25 of the Department?s 92 subrecipients (27 percent) for the Program?for which the Department had an IGA in place during Fiscal Year 2022?to determine whether subrecipient monitoring procedures performed by Department staff during the year were compliant with federal regulations. Our testing included evaluating whether the Department performed risk assessments and determined the appropriate level of subrecipient monitoring for the entities, as required by federal Uniform Guidance. How were the results of the audit work measured? Our audit work was designed to measure the Department?s compliance with the following criteria: ? Federal regulations [2 CFR 200.303] state that the Department, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? ? Federal regulations [2 CFR 200.332(b)] also state that the Department must evaluate each subrecipient?s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward and may include various factors. ? Federal regulations [2 CFR 200.332(d) through (f)] and [2 CFR 200.521] further require the Department to monitor the activities of its subrecipients, as necessary, to ensure that each subaward is used for authorized purposes, the subrecipient complies with the terms and conditions of the subaward, and that the subrecipient achieves performance goals. The Department?s monitoring must include: o Reviewing financial and programmatic reports submitted by the subrecipient o Following-up on and ensuring the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award o Issuing a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity What problems did the audit work identify? We determined that the Department did not comply with subrecipient monitoring requirements for the Highway Planning and Construction Program during Fiscal Year 2022, as noted below: ? The Department did not perform a risk assessment for 6 of the 25 subrecipients (24 percent) we tested, including subrecipients where eligibility was determined by a MPO. ? The Department improperly included one vendor in our population of subrecipients. The nature of services provided by the vendor was personal services, therefore, did not require the execution of an IGA. ? The Department did not provide supporting documentation for reviews of any Fiscal Year 2022 financial and programmatic reports. As a result, we were unable to determine if any reviews were conducted during the fiscal year, as required. Why did these problems occur? While the Department has created a subrecipient monitoring and risk assessment manual, the manual lacks clarity in a variety of areas, including the following: ? For contracts which extend over multiple fiscal years, the policies do not specify the frequency in which subrecipient risk-assessment should be reviewed or updated. ? There are multiple types of subrecipient contracts for which the full risk-assessment process may not be applicable, however, the current policies do not address acceptable exceptions to the policy. ? The Department?s current policies do not include guidance related to the review of financial and programmatic reports, including the extent to which required programmatic and financial reports should be obtained and reviewed. ? The Department?s policies and procedures do not clearly indicate that the Department is not required to complete a risk assessment when an MPO determines eligibility and therefore the nature of monitoring procedures to be performed is not defined. ? Requested audit documentation was not provided timely. Further, the Department did not provide sufficiently-detailed training to staff to ensure they were aware of and conducted required subrecipient monitoring responsibilities. Why do these problems matter? Performing timely and appropriate monitoring of subrecipients provides the Department with a method to ensure its subrecipients are complying with applicable federal grant requirements. By taking appropriate actions based on the results of its subrecipient monitoring activities, the Department can mitigate the risk of providing continuing funding to entities that may not be using funds in accordance with program requirements. Overall, the Department?s failure to comply with federal requirements could result in a loss of funding from the federal government. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-076 The Department of Transportation should strengthen internal controls over and ensure that it complies with federal subrecipient monitoring requirements for the Highway Planning and Construction program by: A. Updating its current subrecipient monitoring and risk assessment policy to clarify the frequency in which a risk assessment is required to be completed or updated, as applicable for contracts that span multiple fiscal years, as well as direction regarding when it is acceptable to forgo performing a risk assessment and updating the policy to address the nature in which subrecipient programmatic and financial reports are reviewed B. Providing training to staff responsible for subrecipient monitoring activities related to the policies updated in Part A of the finding. Response Department of Transportation A. Agree Implementation Date: November 2023 The Department will update the policy to clarify the frequency in which the risk assessment is required to be completed or updated as applicable for contracts that span multiple fiscal years, as well as identifying exceptions, outlining when it is acceptable to forgo risk assessments. The Department will also update the policy to address the nature in which the subrecipient programmatic and financial reports are reviewed. The updates will be completed by November 2023. B. Agree Implementation Date: November 2023 The Department will provide training on the subrecipient monitoring policy manual to outline roles, responsibilities and the frequency of risk assessments that span over multiple fiscal years. The training will also provide guidance on the programmatic and financial information review process.
Finding 2022-077 Cash Management The Department operates on a reimbursement basis with the federal government for a portion of its federal grant programs, expending state dollars for the federal programs prior to requesting reimbursement for the appropriate federal share. The reimbursement process is governed by the Cash Management Improvement Act of 1990 (CMIA) and 31 CFR Part 205 Part B, Rules and Procedures for Efficient Federal-State Funds Transfers (Transfer Rules), which prescribe specific methods and timeframes for drawing down federal funds. The purpose of CMIA and the Transfer Rules is to minimize the time period from when the State makes an expenditure for a federal program and when the federal reimbursement is received, so that neither the State nor the federal government incurs a loss of interest on the funds. This timeframe for requesting reimbursement is referred to as the ?draw pattern.? Under CMIA, the State must enter into a formal agreement, referred to as the ?Treasury-State Agreement,? (Agreement) with the U.S. Department of the Treasury to establish reimbursement schedules for selected federal programs that have been awarded to the State. In Colorado, the Department of Treasury (Treasury), on behalf of all departments in the State, enters into the Agreement with the U.S. Department of the Treasury. For Fiscal Year 2022, Colorado?s CMIA Agreement included 10 programs administered by various state agencies. The Department has one federal program that is included in the Agreement. Specifically, the Department?s Highway Planning and Construction [ALN 20.205] is included in this Agreement. During Fiscal Year 2022, the Department expended $510.0 million in Highway Planning and Construction funds. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to review the Department?s internal controls over its cash draw process and to determine whether the Department was in compliance with CMIA for the Highway Planning and Construction program during Fiscal Year 2022. As part of our audit, we tested the Department?s internal controls and compliance over its cash management process for the Highway Planning and Construction program. We tested a sample of 25 expenditures and the related draws the Department made for the program during Fiscal Year 2022 and calculated the number of days between each sampled expenditure and related federal draw and compared our results to the CMIA requirements in place at the time the draw occurred. Within our sample, draws for nine of the expenditures were performed prior to October 13, when the 4-day draw pattern was in place; draws for 16 expenditures were performed after October 13 on the 5-day pattern. How were the results of the audit work measured? Under CMIA rules, draw patterns should be interest-neutral between the State?s expenditure and receipt of federal funds. We compared the results of our testwork against the regulations within the CMIA for payments clearing the State?s bank that should result in the receipt of the federal reimbursements within specific timeframe as noted below: The Agreement in place at the beginning of Fiscal Year 2022 specified a 4-day draw pattern for Highway Planning and Construction. Therefore, the time between when the Department?s expenditure was made and when federal funds were received should have been 4 days. In October 2021, however, the Department requested the draw pattern be changed from 4 days to 5 days. This request was approved by the U.S. Department of the Treasury on October 13, 2021. What problem did the audit work identify? We determined that the Department did not comply with the approved cash management draw patterns contained in the Agreements for the Highway Planning and Construction program for Fiscal Year 2022. Overall, 8 of the 25 draws (32 percent) were not made in accordance with the applicable Agreement, as follows: ? We noted that 6 of the 16 draws (38 percent) were not performed on the 5-day approved draw pattern in place after October 13, 2021 and instead, were performed on a 4-day draw pattern. ? We also noted that 2 of the 9 draws (22 percent) sampled from the first Agreement were not completed in accordance with the 4-day approved draw pattern in place prior to October 13, 2021 and, instead, were performed on a 5-day draw pattern. Why did this problem occur? The Department did not have appropriate internal controls over its federal grant cash management process during Fiscal Year 2022. Specifically, the Department conducted an analysis on the draw pattern for Highway Planning and Construction in early Fiscal Year 2022 and determined that its draws were occurring within 5 rather than 4 days, so the Department requested and received approval from the U.S. Department of the Treasury to change from a 4 day draw pattern to a 5-day draw pattern; however, the Department did not properly communicate the change in the Agreement for the Highway Planning and Construction?s draw pattern to the primary individuals responsible for preparing and approving the draws. As a result, the billing procedure was not updated to reflect the change in draw pattern, which led to the draws being out of compliance with the approved CMIA draw pattern. Why does this problem matter? The timing of draws for requesting federal funds impacts the interest neutral requirements under the CMIA. By drawing funds early, the Department creates a risk that the State my ultimately owe interest charges to the federal government. Further, the Department?s lack of strong cash management internal controls may result in delays in the identification of expenditures for which reimbursement has not been requested and therefore, funds upon which the State has lost interest. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-077 The Department Transportation (Department) should strengthen its internal controls and processes over and ensure that it complies with federal Cash Management Improvement Act requirements for the federal Highway Planning and Construction Program (Program) by: A. Ensuring that Department personnel responsible for preparing and reviewing the cash draw requests are adequately informed of the draw pattern applicable for the current fiscal year, including any federally-approved changes that occur during the year. B. Establishing procedures that specify draw request dates in relation to Program expenditures that ensure required draw patterns are met. Response Colorado Department of Transportation A. Agree Implementation Date: March 2023 The Department will enhance its internal controls and processes to ensure it complies with the federal Cash Management Improvement Act requirements for the federal Highway Planning and Construction Program (Program) by ensuring personnel responsible for preparing and reviewing the cash draw requests are adequately informed of the draw pattern for the applicable fiscal year in which the draws occur including federally-approved changes during the year. Personnel responsible for the draw will review the approved draw letter from the State Treasury with a secondary verification on the Federal Site, www.fiscal.treasury.gov/cmia/resources-treasury-state-agreements.hmtl for the specified timeframe before conducting the draw. B. Agree Implementation Date: March 2023 The Department will enhance its internal controls and processes to ensure it complies with federal Cash Management Improvement Act requirements for the federal Highway Planning and Construction Program (Program) by establishing and maintaining formal procedures that specify the draw request dates in relation to the program expenditures to ensure required draw patterns are met. The process to implement changes to the cash draw pattern will be added to the draw procedure by March 2023.
Finding 2022-074 Coronavirus Relief Funds?Property Owner Preservation Program The President of the United States issued the Proclamation on Declaring a National Emergency Concerning the Novel Coronavirus Disease (COVID-19) Outbreak on March 13, 2020 and Congress subsequently passed the Coronavirus Aid, Relief, and Economic Security (CARES) Act. The CARES Act provided emergency assistance in response to the COVID-19 pandemic and established the Coronavirus Relief Fund (CRF) program, which provided payments to state, local, and tribal governments navigating the impact of COVID-19. The State of Colorado received approximately $1.67 billion of CRF funds in April 2020, and the Governor issued Executive Order 2020-070 (Executive Order) in May 2020 to disburse the CRF funds to numerous state departments and agencies. In June 2020, the State passed House Bill 20-1410, concerning assistance for individuals facing a housing-related hardship due to the COVID-19 pandemic, and transferred approximately $19.7 million of CRF funds to the Housing Development Grant Fund to provide such assistance. This bill includes a provision for the Property Owners Preservation Program (Program), which was managed by the Department, to allow landlords and property owners to seek rental assistance on behalf of their tenants who experienced a financial need on or after March 1, 2020, due to the effects of the COVID-19 pandemic. In Fiscal Year 2021, the Department expended the $19.7 million of the CRF funds it received in April 2020, for the Property Owners Preservation Program (POPP). What was the purpose of our audit work and what work was performed? The purpose of the audit work was to follow up on our prior year audit recommendation, which recommended that the Department implement internal controls to ensure it complies with federal regulations for any new federal funds it receives, such as the CRF. The Department planned to implement this recommendation by June 2022. During the Fiscal Year 2022 audit, we inquired with the Department on the implementation status of this recommendation. We also obtained and reviewed the Department?s Exhibit K3, Schedule of Prior Year Audit Recommendation Status, which it was required to submit to the State Controller. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Under House Bill 20-1410, the Housing Development Grant Fund was appropriated $19,650,000 of funds from the CRF for the purpose of providing individuals and households who, on or after March 1, 2020, experienced financial need due to the COVID-19 pandemic or effects of the COVID-19 pandemic, with rental assistance. The House Bill also provided guidance on how to access additional housing services. The Department developed and issued a new application for the POPP to address the criteria for experiencing direct or indirect impacts of the COVID-19 pandemic. ? Federal regulations [2 CFR 200.303] require that the Department, as a federal grant recipient, ?establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.? Furthermore, in accordance with 2 CFR part 200, subpart E, the Department must determine that amounts paid with federal grant funds were necessary and reasonable for the performance of the federal award and are adequately documented. Therefore, the Department must maintain appropriate supporting documentation to verify costs were properly charged to the federal grants. ? The Office of the State Controller (OSC) requires each department that had a prior audit recommendation that was reported in the prior fiscal year?s Office of the State Auditor Statewide audit to complete an Exhibit K3 to report the Department?s determination of the status of their recommendation as of June 30. Possible status descriptions include ?Implemented,? ?Partially Implemented,? ?Not Implemented,? and ?No Longer Valid.? The Department must provide an explanation for each recommendation status. What problem did the audit work identify? We determined that the Department did not implement the prior year?s recommendation by its planned implementation date of June 2022. Specifically, during prior year audit work, we found that the Department could not provide appropriate underlying support for 4 of the 60 transactions (7 percent) we tested that were charged as CRF expenditures for the Program; as a result, we recommended that the Department strengthen its internal controls over federal grant spending, including that it develop and implement policies and procedures with a requirement that Department staff review and maintain records supporting its expenditures charged to federal programs. When we inquired of the Department about what steps it had taken to implement the recommendation, Department staff indicated that they did not implement the recommendation during Fiscal Year 2022. Why did this problem occur? The Department reported on its Exhibit K3 that it determined that the original implementation date of June 2022 that the Department provided as its planned implementation date for our Fiscal Year 2021 recommendation was unrealistic, given the Department?s staffing challenges. Specifically, the Department indicated that it was not able to allocate sufficient time to develop and implement the recommended policy and procedure guidance by the end of Fiscal Year 2022. Why does this problem matter? The Department?s lack of sufficient internal controls over the maintenance of complete and accurate records for the federal CRF monies could result in inadequate documentation to support its payments and ultimately, disallowed federal costs and potential sanctions. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-074 The Department of Local Affairs (Department) should implement internal controls to ensure it complies with federal regulations, specifically for activities allowed or unallowed and allowable costs/cost principles, for any new federal funds it receives, such as the Coronavirus Relief Fund. This should include developing and implementing policies and procedures that include a requirement that Department staff review and maintain records supporting the expenditures charged to the federal program. Response Department of Local Affairs Agree Implementation Date: September 2022 The Division of Housing within the Department of Local Affairs has implemented internal controls to ensure compliance with federal regulations for new federal funds, including the development of a standard procedure and the requirement that Department staff review and maintain records supporting the expenditures charged to new federal programs.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-065 Research and Development Cluster Equipment Management Compliance The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D activities conducted under these awards vary greatly. The objective of an individual project is explained in the federal award document. R&D activities at the University are subject to federal equipment management requirements. In accordance with Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), Section 201.1 Definitions, equipment is defined as tangible personal property (including information technology systems) having a useful life of more than one year and a per-unit acquisition cost which equals or exceeds the lesser of the capitalization level established by the non-Federal entity for financial statement purposes, or $5,000. The University uses equipment to meet the objective of its various research projects and this equipment may be common items such as a microscope or very complex scientific equipment, Under federal regulations, the University is required, for any equipment purchased under a federal contract, to maintain and track the equipment as to its location. The University must have an internal control structure in place in order to protect and safeguard the equipment and the University should be able to provide evidence that the equipment is safeguarded and maintained and show the location of all equipment. The Campus Controller?s Property Accounting Office (PAO) within the Boulder campus is responsible for equipment and property management. The PAO sends its full equipment listing quarterly to a portion of its individual departments with equipment, in a frequency to cover all departments within a two-year period. The individual departments are required to review the equipment listing, add any new equipment to the listing, and remove any equipment from the listing that has been disposed of or is no longer in service. Once the departments return the listings to the PAO, the PAO selects a sample to verify the information provided by the departments. The PAO selects the sample and the PAO Property Accountant then verifies the equipment?s existence by performing a site visit to the department and observing the equipment. The PAO selects a new sample each quarter. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million and $6 million from the Boulder, Denver and UCCS campuses, respectively. Of that amount, the University?s three campuses expended a total of approximately $191 million for equipment purchases, with $116 million, $69.6 million, and $5.4 million being spent by the Boulder, Denver, and UCCS campuses, respectively. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D Cluster?s equipment management requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls related to the R&D equipment management requirements. We tested 60 items of equipment with a total value of $1.2 million to determine whether the University appropriately safeguarded and maintained equipment, as required by federal regulations. In addition, we tested 40 of the 60 items of equipment with a total value of $840,000 to determine whether the University?s campuses appropriately placed property tags on the equipment as required by University policy. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.313(b) states that a State must use, manage and dispose of equipment acquired under a federal award to the State in accordance with the state laws and procedures. The University?s Property Control Manual section 1.3 states that the University is responsible and accountable for all property acquired with federal funding in accordance with federal regulations and the provision of a sponsored award. While under the heading of ?non-federal entities other than States,? federal regulation 2 CFR 200.313(c) through (e) also requires that equipment records be maintained, a physical inventory of equipment be taken at least once every two years and reconciled to the equipment record, an appropriate control system be used to safeguard equipment and all equipment shall be adequately maintained. ? The University?s Property Control Manual Section 3.3.1 states that ?only items having an acquisition cost of $5,000 or more are logged and tracked in the university property record.? Furthermore, the University?s Property Control Manual Section 3.3.3, states that equipment records should be updated for any changes discovered during the performance of an inventory over equipment. This would include equipment that should be removed from the listing because it was disposed of or is no longer in service. ? The University?s Property Control Manual section 3.2 states that ?All Government property at $5,000 or above in the custody of the Boulder campus must be tagged.? What problems did the audit work identify? We found that 2 of the 60 equipment items that we tested (3 percent,) with a total value of $39,400, were inappropriately included on the equipment listing even though they had either been disposed of in a prior period or were not in service. Specifically, one equipment item with an approximate value of $28,000 was no longer in service by the University, but still remained on the University?s inventory listing. The second equipment item with an approximate value of $8,400 was disposed of by the University on October 3, 2017, but was still on the list. In addition, we determined that 2 of the 40 equipment items we tested for tagging (5 percent) did not contain the tag as required by the University?s Property Control Manual. One of these items was valued at approximately $28,000. The second item was valued at approximately $31,000. Why did these problems occur? The University?s Boulder campus did not have adequate internal controls in place to ensure it complied with the R&D equipment management requirements. Specifically, although the University does have policies over equipment, Boulder campus staff were not adequately performing the procedures intrinsic in the policy. Specifically, neither the PAO nor the individual University departments adequately reconciled the equipment listing to the physical equipment on hand, which resulted in the list including equipment that had been disposed of or was no longer in use. Additionally, the Boulder Campus did not follow its own policies and procedures requiring that equipment with a value of $5,000 was appropriately tagged. One item?s tag was missing and a replacement tag had been ordered and not received at the time of our procedures. We could not determine whether the University identified that the tag was missing before we requested the information for review. The second item was below ground and the University did not maintain evidence of the original tag. Why do these problems matter? The University is obligated to adhere to specified requirements as outlined by federal regulations and the respective award agreement. By failing to adhere to the requirements for maintenance of equipment, the University potentially risks repercussions from the awarding agency. Furthermore, failing to properly maintain the equipment in accordance with federal and University requirements could increase the risk of theft or loss and decrease the ability of the University to adequately identify theft or loss. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-065 The University of Colorado?s Boulder campus should strengthen its internal controls over equipment management and ensure that it complies with the Research and Development equipment management federal compliance requirements by: A. Ensuring the Campus Controller?s Property Accounting Office and the individual departments adequately reconcile the equipment listing to the physical equipment on hand to ensure that the list is accurate, and remove equipment from the listing that has been disposed of or is no longer in use. B. Enforcing its current policies and procedures for ensuring all equipment is appropriately tagged and maintained. Response University of Colorado A. Agree Implementation Date: March 2023 Management agrees with the recommendation. Procedures have been initiated with cross campus partners and will be fully implemented by March 2023. The proposed corrective action plan is as follows: ? Escalation procedures will be implemented in collaboration with campus partners so that action items identified in inventory reviews are addressed timely. ? The Campus Controller?s Office will work with campus partners to increase physical monitoring procedures to ensure tags are affixed and maintained on equipment. B. Agree Implementation Date: March 2023 Management agrees with the recommendation. Procedures have been initiated with cross campus partners and will be fully implemented by March 2023. The proposed corrective action plan is as follows: ? Escalation procedures will be implemented in collaboration with campus partners so that action items identified in inventory reviews are addressed timely. ? The Campus Controller?s Office will work with campus partners to increase physical monitoring procedures to ensure tags are affixed and maintained on equipment.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-063 Higher Education Emergency Relief Fund Reporting Compliance Finding The CARES Act was signed into law on March 27, 2020, and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the (HEERF Program. CRRSAA was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Since April 2020, the University has been awarded a total of $86.3 million in HEERF funding. From inception through June 30, 2022, the University spent $35.4 million for the HEERF program Student Aid Portion and $48.9 million for the HEERF program Institutional Portion. The University reports that it will spend the remaining amount of funding during Fiscal Year 2023. The University signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate the University?s acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The ED specified that Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The annual report is to be submitted directly to the federal ED. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University had adequate internal controls in place over and complied with HEERF Institutional and Student Aid Portion grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the University?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 5 of the 8 HEERF reports submitted by the University during Fiscal Year 2022 to determine whether the reports were posted on the University?s primary website or submitted directly to the ED by the federal due dates and complied with federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? For the Student Aid Portion, beginning on May 6, 2020, the ED required institutions to publicly post certain information on their website, including the number of awards distributed to students, the total amount awarded, and the methodologies used by the institution to determine which students receive awards, no later than 30 days after the award date, and to update that information every 45 days thereafter (by posting a new report). ? On August 31, 2020, the ED revised the reporting requirement by decreasing the frequency of reporting after the initial 30-day period from every 45 days thereafter to every calendar quarter. This revision from every 45 days to a calendar quarter was effective for the first calendar quarter report due by October 10, 2020, and covering the period from after the institution?s last report through the end of the calendar quarter on September 30, 2020. ? For the Institutional Portion, a federal form filled out by the institution must be posted on the institution?s website covering aggregate expenditure amounts for each calendar quarter (September 30, December 31, March 31, and June 30) and concluding after an institution has spent the institutional portion of their HEERF Funds. The institution must post their first report by October 30, 2020, the first quarter of 2021 report by July 20, 2021, and post all other reports no later than 10 days after the end of each calendar quarter (October 10, January 10, April 10, and July 10). ? Section 18004(e) of the CARES Act and Section 314(e) of the CRRSAA require an institution receiving funds under HEERF to submit a report to the Secretary of the ED at ?such time in such a manner as the Secretary may require?. ? Federal regulation [2 CFR 200.334] states that ?financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.? The instructions for the Quarterly HEERF Reporting Form notes, ?any changes or updates after the initial posting must be conspicuously noted after initial posting and the date of the change must be noted in the `Date of Report? line.? ? Federal regulation [2 CFR 200.303] states that the University, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The University signed a HEERF Certification and Agreement to accept the funding and acknowledge its responsibilities under the grant; therefore, the University was responsible under the Agreement to ensure that it complied with HEERF reporting and other requirements. What problems did the audit work identify? We determined that 2 out of 5 reports tested (40 percent) did not meet the HEERF grant report posting requirements. Specifically: ? The University did not post the HEERF CRRSAA Student quarterly report for the quarter ending September 30, 2021 on the University?s primary website, as required. ? The University published the HEERF ARP Student quarterly report for the quarter ending March 31, 2022 on May 26, 2022?46 days past the due date of April 10, 2022. No issues were noted on the accuracy of the financial information on this report. Why did these problems occur? The University did not implement adequate internal controls to ensure it complied with the HEERF grant reporting requirements. Specifically, the University did not have appropriate policies and procedures in place to ensure that staff submit the required reports within federally required timeframes. Why do these problems matter? Federal oversight agencies, including ED, depend on accurate reports to measure program results and states? compliance with federal requirements. By failing to report the HEERF spending information in accordance with federal regulations, the University failed to comply with the requirements of the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-063 Metropolitan State University of Denver (University) should strengthen its internal controls over reporting and ensure it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by developing and documenting policies and procedures for identifying and researching the specific reporting requirements and ensuring that staff post to the University?s website the required reports within federally required timeframes. In addition, the University should ensure that all the HEERF reports that are currently required to be posted are on the website. Response Metropolitan State University Agree Implementation Date: December 2022 In December 2022, the Office of Financial Aid strengthened its internal control over the reporting requirements for the Higher Education Emergency Relief Fund (HEERF), by adding the report due dates to the internal operational calendar. Additional level reviews were also added to the submission process before the required reports will be sent to the Department of Education and posted on the financial aid website.
Finding 2022-064 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide emergency financial assistance to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the University under the Higher Education Emergency Relief Fund (HEERF I) Program. The federal Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the federal American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Each of the University?s campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (DOE) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements of the HEERF program there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The DOE specified that the Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The University?s campuses are required to submit the annual report directly to the DOE. During Fiscal Year 2022, each University campus was required to complete and post 8 reports (four Student Aid and four Institutional) to their website. During Fiscal Year 2022, the University?s three campuses in total expended approximately $60 million in HEERF grant funds: $27 million was expended by the Boulder campus, $10.5 million was expended by the Colorado Springs campus, and $22.5 million was expended by the Denver campus. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over and complied with the HEERF grant reporting requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls over the HEERF grant reporting requirements. In addition, we tested 11 of the 12 student reports and 3 of the 12 institutional reports posted by the University during Fiscal Year 2022 to determine whether the University campuses posted the required information on each campus? website accurately, and by the federal due dates. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? The DOE issued a notice on May 13, 2021, requiring institutions to publicly post their required HEERF reports on the institution?s website as soon as possible, but no later than 30 days after the publication of the notice, or 30 days after the date the DOE first obligated funds under HEERF I, II, or III to the institution for emergency financial assistance to students; whichever comes later. The institution is required to post the report no later than 10 days after the end of each calendar quarter, after the initial posting. ? Federal regulation [2 CFR 200.303] states that the System?s campuses, as federal grant recipients, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? What problem did the audit work identify? We identified 2 out of the 14 reports tested (14.3 percent) that did not meet the HEERF grant report posting requirements. Specifically, the University of Colorado, Colorado Springs Campus, did not post the required information for the HEERF Student Aid Portion on its website for two of four quarters of Fiscal Year 2022 timely. First, the University posted the quarter-ending September 30, 2021 report to its website on December 23, 2021, or 74 days after the deadline of October 10. Second, the University did not post the quarter-ending March 31, 2022 report, which was due April 10, 2022, until October 2022, after we notified them of the error; this was approximately 6 months late. We did not identify any issues with the accuracy of the reports, and we found that the other two campuses in the University of Colorado System posted the required information on their respective websites as required by federal regulations. Why did this problem occur? The University?s Colorado Springs campus did not have adequate internal controls in place to ensure it complied with the HEERF grant reporting requirements. Specifically, the Colorado Springs Campus did not have appropriate policies and procedures in place for identifying and researching changes in HEERF reporting requirements. The federal government updated and provided a new form for HEERF reporting in September 2021 that included a section for institutional information but inadvertently excluded student information from the form. Because the form no longer required the student information, the Colorado Springs campus staff inaccurately assumed that the student information was no longer required to be reported. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in the DOE Certification and Agreement that is signed and agreed to by the University. By failing to report required information in accordance with federal regulations, the University failed to comply with the requirements of the HEERF program and potentially risks repercussions from the DOE as specified in the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-064 The University of Colorado?s Colorado Springs campus should strengthen its internal controls over and ensure that it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by establishing policies and procedures for identifying and researching changes in HEERF reporting requirements and posting reports to the campus website as required by federal regulations. Response University of Colorado Agree Implementation Date: Implemented Management agrees. After the notification of the missing HEERF report in December 2021, the UCCS Controller proposed a ?cross-check? process to ensure all future reporting is in compliance and reported in a timely manner. This process is used for both the quarterly and annual reporting process. In the quarterly reporting process, the UCCS Controller completes the institutional report and emails the report to the UCCS Financial Aid office Senior Executive Director for verification of the amounts and the data submitted. The Senior Executive Director then enters the student aid portion?s information and provides this to the UCCS Controller for verification of the data. Once verified, the report is uploaded to the UCCS website and a confirmation email is sent to the UCCS Controller as well as the heerfreporting@ed.gov for verification of completion of the website posting. This process has been duplicated with the annual reporting process. Before the annual report is submitted a review will be done to verify the report figures match the CU financials for the calendar year.
Finding 2022-062 Higher Education Emergency Relief Fund Student Aid Finding The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to higher education institutions, including the University, under the HEERF program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA) was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. Since March 11, 2021, the University has been awarded $45.6 million in HEERF grant funds through the American Rescue Plan (ARP), otherwise known as HEERF III. Of this award, the University was provided both 1) Student Aid monies, along with 2) Institutional Aid monies. Student Aid monies must be used to provide financial aid grants to students (including students exclusively enrolled in distance education), which may be used for ?any component of the student?s cost of attendance or for emergency costs that arise due to coronavirus, such as tuition, food, housing, healthcare (including mental health care), or childcare. Institutional Aid monies may be used to defray expenses associated with coronavirus (including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll) and to make additional financial grants to students. During Fiscal Year 2022, the University spent $21.0 million for the Student Aid portion and $20.2 million for the Institutional portion of HEERF III funds. For the Student Aid portion of the HEERF III funding, the University divided the funding into different groups. The University developed a written plan (that applied during Fiscal Year 2022) for each group and a control process for awarding the monies to students. One of the groups of funding was to be awarded to students with unpaid balances in their tuition or auxiliary accounts with past due balances incurred during the 2020-2021 or 2021-2022 academic years. A team of University employees (CARES Team) was tasked with identifying those students, then contacting those students and asking if they would like the University to apply the student?s HEERF award to pay down the student?s account balance or pay it to the student directly. Once the student informed the University of their election, then the University awarded and disbursed the funds. What was the purpose of our audit work and what was performed? The purpose of the audit work was to determine whether the University was in compliance with the HEERF program regulations for awarding and paying the Student Aid portion of the HEERF funding, and whether proper controls were in place over the program during Fiscal Year 2022. Our testing included conducting interviews with management and selecting a sample of 60 disbursements made to students during Fiscal Year 2022 to test controls and compliance. We performed testing on the 60 disbursements to determine whether awards and disbursements were made in accordance with the University?s documented plan. How were the results of the audit work measured? In accordance with HEERF III requirements, the University must prioritize student aid distributions to students with exceptional needs. In addition, the University must have a documented plan to distribute funds to students. Federal regulations [2 CFR 200.303] require any non-federal grant award recipient to establish and maintain effective internal control over the federal award that provides reasonable assurance that the grant award recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. Lastly, student aid application best practices discourage employees from awarding aid to family members. What problem did the audit work identify? Based on interviews with University management, the University identified that a University employee inappropriately provided $700 in HEERF Student Aid funding to the employee?s family member who was a student at the University but was not eligible to receive the funds. Specifically, the CARES Team selected students to receive these funds that met the following criteria: 1) Student was enrolled in the Fall of 2021 or Spring 2022, 2) student had past due balances incurred during the 2020-2021 or 2021-2022 academic years, 3) the student was in good academic standing, and 4) they were participating in a payment plan or in the College Completion Advising program. The student was not selected by the CARES Team as eligible to receive these funds. During our testing of additional 60 student disbursement transactions we found no other exceptions. Why did this problem occur? The University has not established proper segregation of duties to prevent University employees from awarding federal funding to a member of their family. Specifically, the employee had access rights within the University?s financial aid system that granted the employee the ability to both award and disburse federal funds without another employee reviewing or approving. In addition, the University did not have a written policy, as recommended by industry best practices, that prohibits employees from applying aid to family members? accounts. Why does this problem matter? Federal funds that are misapplied or used for unallowable purposes could be subject to repayment from the University to the federal granting agency. Without ensuring adequate segregation of duties within the University?s financial aid system for awarding and disbursing federal funds, the University increases the risk that fraud could occur. In the instance identified, the University recovered the funding from the student. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-062 Metropolitan State University of Denver (University) should improve its internal controls over federal Higher Education Emergency Relief Funds by instituting appropriate segregation of duties over the awarding of federal funds to students. This should include requiring that no one employee can both award then disburse aid to students and developing and implementing a formal written policy that prohibits University employees from awarding financial aid to their family members. Response Metropolitan State University Agree Implementation Date: June 2023 In January 2023, the Executive Director of Financial Aid and Scholarships implemented a code of conduct that addresses and prohibits University personnel from awarding financial aid to their family members or other persons considered conflicts of interest. The Office of Financial Aid and Scholarships will draft policy by June 30, 2023, to address the segregation of duties that prohibits awarding and disbursing federal, state, or institutional funding to students by one employee.
Finding 2022-059 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF I) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund (Assistance Listing No. 84.425). The HEERF program contains two portions: the Student Aid portion (Assistance Listing No. 84.425E) and the Institutional portion, which is made up of the following: HEERF Institutional Aid Portion (Assistance Listing No. 84.425F), HEERF Minority Serving Institutions (Assistance Listing No. 84.425L), HEERF Strengthening Institutions Program (Assistance Listing No. 84.425M), Institutional Resilience and Expanded Postsecondary Opportunity (Assistance Listing No. 84.425P), and HEERF Supplemental Assistance to Institutions of Higher Education program (Assistance Listing No. 84.425S). Amounts provided to students through HEERF are considered to be ?Emergency Financial Aid Grants to Students? under the Program. Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent approximately $97.8 million for the HEERF program Student Aid portion which is used to award Emergency Financial Aid Grants to students and $113.9 million for the HEERF Institutional Portion, which is used to support the colleges. $117.3 of this amount was expended by the System during Fiscal Year 2022. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the ED to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The annual report is to be submitted directly to the ED. The ED has specified certain criteria that must be included in each report. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System had adequate internal controls in place over, and complied with, the HEERF Institutional and Student Aid grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the System?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 25 of the 117 HEERF reports submitted by the System?s campuses during Fiscal Year 2022 to determine whether the reports were posted on each campus? primary website (quarterly reports) or submitted to ED (annual reports) by the federal due dates. Furthermore, for the Student Aid Quarterly Report we requested from each Campus the underlying support for the reports, which consisted of student data detailing how much aid was awarded and the methods the campuses used to determine which students would receive Emergency Financial Aid Grants. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? On May 13, 2021, the ED published in the Federal Register a notice for student aid public reporting under CRRSAA and ARP, which requires that institutions publicly post certain information on their website. The following information must appear in a format and location that is easily accessible to the public: o An acknowledgement that the institution signed and returned to the ED the Certification and Agreement and the assurance that the institution has used the applicable amount of funds designated under the CRRSAA and ARP programs to provide Emergency Financial Aid Grants to Students. o The total amount of funds that the institution will receive or has received from the ED pursuant to the institution's Certification and Agreement for Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total amount of Emergency Financial Aid Grants distributed to students under the CRRSAA and ARP programs as of the date of submission (i.e., as of the initial report and every calendar quarter thereafter). o The estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total number of students who have received an Emergency Financial Aid Grant to students under the CRRSAA and ARP programs. o The method(s) used by the institution to determine which students receive Emergency Financial Aid Grants and how much they would receive under the CRRSAA and ARP programs. o Any instructions, directions, or guidance provided by the institution to students concerning the Emergency Financial Aid Grants. ? Federal Uniform Guidance [2 CFR 200.303] requires that recipients of federal awards have internal controls in place to ensure that federal reports are accurate and report complete information. Appropriate supporting documentation is evidence of such internal controls. What problems did the audit work identify? We identified issues with 5 of the 25 Fiscal Year 2022 reports we tested (20 percent). Specifically, Front Range Community College (FRCC), Pueblo Community College (PCC), and Lamar Community College (LCC) could not provide appropriate supporting documentation for one or more of the following data elements in five of the Student Aid Quarterly Reports: student data detailing (a) the total amount of Emergency Financial Aid Grants distributed to students, (b) the total number of students eligible to receive Emergency Financial Aid Grants and/or (c) the total number of students at the institution who have received an Emergency Financial Aid Grant. The specific issues we found the following: ? FRCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended September 30, 2021 as 20,684; based on our review, we determined the supported number was 20,782. ? FRCC reported the total number of students at the institution who have received an Emergency Financial Aid Grant for the quarter ended June 30, 2022 as 20,385 (student portion) and 3,207 (institutional portion); based on our review, we determined the supported numbers were 20,401 and 3,222, respectively. ? LCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended June 30, 2022 as 1,007; based on our review, we determined the supported number was 1,034. In addition, the amount disbursed directly to student emergency financial aid grants to date was reported as 961 and total for all HEERF funds was 1,124; based on our review, we determined the supported numbers were 988 and 1,151, respectively. ? PCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarters ending September 30, 2021 and December 31, 2021 as 3,191; based on our review, we determined this amount could not be supported and PCC did not provide a revised count. Why did these problems occur? FRCC, PCC, and LCC campuses did not have procedures in place to ensure that supporting documentation was maintained for its Student Aid Quarterly Reporting. Employee turnover in the FRCC Controller position and FRCC, PCC, and LCC Student Financial Aid Director positions further contributed to FRCC, PCC, and LCC?s inability to locate or recreate the supporting documentation. Why do these problems matter? It is important for FRCC, PCC, and LCC to ensure that they obtain and maintain appropriate documentation to support amounts reported to federal awarding agencies, especially when they are the basis for determining FRCC, PCC, and LCC?s compliance with specific federal program requirements. This issue could lead to inaccurate federal reporting and potential noncompliance, which could result in the federal government requiring FRCC, PCC, and LCC to return funds or a negative impact to the System?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-059 Front Range Community College, Lamar Community College, and Pueblo Community College campuses should strengthen their internal controls over federal reporting and ensure they comply with the Higher Education Emergency Relief Fund reporting requirements by reviewing reports for accuracy and developing procedures for ensuring the required maintenance of all related supporting documentation. Response Front Range Community College Agree Implementation Date: September 2022 Moving forward the Director of Financial Aid will engage the Restricted Funds Accountants in a quality assurance review of both dollars spent, type of fund, and student counts before it is submitted for final review and publishing by the Director of Resource Development and Senior Grant Administrator. The most recently submitted information for the quarterly report of September 30, 2022 will be sent to the Restricted Funds Accountants to validate that FRCC has been and will continue to be in compliance for quarterly HEERF reporting. Response Lamar Community College Agree Implementation Date: July 2022 The Financial Aid Director and the Controller will compile their reporting support on the shared drive they utilize for other routine purposes as well, to ensure clear documentation of the numbers reported. The original report containing errors was corrected, validated, and reposted. All past year?s reporting data was made available on the shared drive as of July 2022. Response Pueblo Community College Agree Implementation Date: October 2022 Each quarter Financial aid will obtain and compare Cognos and Banner disbursement reports for accuracy. Once the unduplicated student count is determined it will be sent to the Vice President of Student Success to validate and approve going forward. Financial aid will ensure staff maintain supporting documentation for any institutional expenditures information that was obtained from the fiscal office. Disbursement and expenditure data will be compiled for the Department of Education?s Quarterly Report by the submission deadline and will be submitted as PDF to webmaster for posting on PCC?s website and a copy emailed to a contact at the Department of Education and will archive the submission for future reference.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-072 MyUI+ and Connecting Colorado?Information Security Government Auditing Standards allow for information that is considered sensitive in nature, such as detailed information related to information technology system security, to be issued through a separate ?classified or limited use? report because of the potential damage that could be caused by the misuse of this information. We consider the specific technical details of this finding, along with the response, to be sensitive in nature and not appropriate for public disclosure. Therefore, the details of the following finding and response have been provided to the Department in a separate, confidential memorandum. The Department administers the federal Unemployment Insurance and Employment Service Cluster programs, and the Department relies on IT systems to aid with determining applicants? eligibility for the programs and to provide information necessary to meet federal reporting requirements. For these two programs, the associated systems are MyUI+ and Connecting Colorado. The Department is the business owner and works with the Governor?s Office of Information Technology (OIT) and two different external IT service providers. High level descriptions of the two systems are as follows: ? MyUI+ ? The Department?s system for UI eligibility determinations and calculation of UI payments to eligible recipients. According to Department staff, starting in Fiscal Year 2023, MyUI+ will also provide data necessary for federal reporting to the U.S. Department of Labor for the UI program that was previously generated by the Colorado Labor and Employment Accounting Resource system. ? Connecting Colorado ? The Department?s workforce case management, labor exchange, and federal reporting system that supports the Employment Service Cluster program. The system provides services for job seekers and businesses, as well as provides all required federal reporting to the U.S. Department of Labor, for the Employment Service Cluster programs. In order for the Department to achieve its objectives and respond to risks, including those related to the federal programs it administers, management should establish a strong framework of internal controls that also address information system controls. Specifically, information system controls typically start with management documenting IT policies that address IT general control responsibilities and procedures that document the more granular details on how to implement Department policies. These IT general control policies and procedures should include those policies and procedures that are specific to information security. Once policies and procedures have been formalized and communicated to staff responsible, specific internal control activities can be implemented and operationalized. What was the purpose of our audit work and what work was performed? The purpose of our Fiscal Year 2022 audit work was to determine whether the Department, OIT, and the Department?s two external IT service providers for MyUI+ and Connecting Colorado had policies and procedures related to information security, designed and implemented for MyUI+ and Connecting Colorado. Our audit work was performed through interviews conducted of Department and OIT staff. What problems did the audit work identify and how were the results of the audit work measured? During Fiscal Year 2022, we identified information security problems with the MyUI+ and Connecting Colorado systems. We have grouped these problems first by those common to the two systems and then those unique to each system. MyUI+ and Connecting Colorado Common Problems ? Policies and procedures were lacking. Department management had not established its expectations through the development and implementation of formalized policies and procedures related to information security general controls for MyUI+ and Connecting Colorado. o Standards for Internal Control in the Federal Government (Green Book) published by the U.S. Government Accountability Office (GAO) states in Paragraph 3.09, Documentation of Internal Control System, and 12.02, Documentation of Responsibilities through Policies, that management should develop and maintain documentation of its internal control system and document in policies the internal control responsibilities of the organization. Paragraph 11.06 and 11.07, Design Appropriate Types of Control Activities, states that management should design appropriate types of control activities in the entity?s information system, including information system general controls that facilitate the proper operation of the entity?s systems. o Colorado Information Security Policies (Security Policies or CISP) that are developed, published, and required to be followed by the Department and its external IT service providers state within the Policy and the General Responsibilities sections, specifically 8.3.1 and 8.3.2 for Business Owners or the Department, that all agencies, except for the institutions of higher education and the general assembly, as the business owner, must implement governance principles, which would include IT policies and procedures, for promoting data quality and integrity for its systems, as the business owner, and is responsible for following and adhering to all identified business owner requirements, as stated within the Security Policies. ? Vendor oversight was lacking. The Department had not ensured its IT service providers complied with Security Policies. o Security Policies state that IT service providers?defined as OIT and/or external service providers?must follow the Security Policy requirements, among certain other requirements, as communicated to the Department within the confidential finding. o Section C.iii. (Legal Authority ? Contractor Signatory, Information Technology Specific) of the Department?s contract with the Connecting Colorado IT service provider states: ??the contractor warrants that it will at all times comply with all Security Policies.? o Exhibit C, Section 1.C.vi. (Information Technology Provisions, Protection of System Data) of the Department?s contract with the MyUI+ IT service provider states: ??the contractor shall comply with all rules, policies, procedures, and standards issued by the Governor?s Office of Information Technology.? o The Green Book states in Paragraph OV4.01, Service Organizations, that management retains responsibility for the performance of processes assigned to service organizations. MyUI+ and Connecting Colorado Unique Problems We also found other problems with access management, unique to each MyUI+ and Connecting Colorado, that lacked compliance with Security Policies, OIT Cyber Policies, and the IRS?s, Publication 1075, Tax Information Security Guidelines for Federal, State, and Local Agencies, November 2021 Revision, and were communicated through the confidential finding. Why did these problems occur? Overall, the Department did not have sufficient IT governance and information security internal controls in place, including policies and procedures, to ensure that Department staff and its IT service providers complied with various data security compliance requirements set forth by OIT and the IRS, as well as those internal control principles established within the Green Book?s internal control framework. We discuss other specific causes for the problems we identified below: MyUI+ and Connecting Colorado ? Policies and procedures were lacking (MyUI+). Department staff stated that they followed and complied with the October 2021 dated Security Policies for the entire fiscal year, as these were more stringent than the March 2022 dated Security Policies. However, the Department did not provide documentation of a formal adoption of the October 2021 dated Security Policies. Staff also stated it maintains informal procedures of how to perform certain access management processes, but no standard operating procedures were in place. ? Policies and procedures were lacking (Connecting Colorado). Department staff had released a program guidance letter that addressed data security and access, but staff acknowledged that these program guidance letters are a guide and not official policy statements. In addition, the program guidance letter provided by Department staff was directed to the workforce centers that are located across the state that provide employment services to eligible beneficiaries and, therefore, did not provide any data security or access policies and procedures for state staff. ? Vendor oversight was lacking. We determined the Department did not have a vendor management process in place to hold its IT service providers accountable for contract provisions that required the IT service providers to comply with Security Policies, as demonstrated by the noncompliance issues we identified. In addition, and based on the March 2022 Security Policies, the Department has not determined whether contract amendments may be necessary with its two external IT service providers. ? Other Access Management Non-Compliance: o Department staff indicated that in one instance of non-compliance identified, a more efficient process was to not comply with the requirement. o Department staff stated that the certain access management non-compliance area was set up as it was during the COVID-19 pandemic to help prevent backlogs and issues for users during that time and was not subsequently changed. o Department staff did not update its rules for Connecting Colorado account management non-compliance area to reflect Security Policy changes. Specifically, we noted that OIT introduced the specific account management requirements in its Security Policies in February 2015, and those requirements remained constant through the March 2022 version; however, Department staff did not have a process in place to ensure periodic reviews of OIT?s Security Policies occurred and Department rules for the workforce centers appropriately aligned with any Security Policy changes. In addition, Department staff did not have a process in place to ensure its external IT service providers were complying with contract provisions to comply with Security Policy requirements. o Department staff stated they have not found cause to mandate IT service provider actions that are deemed privately owned business methodologies. However, and as noted above, the Department?s contract states that the external IT service provider must comply with OIT?s Security Policies that require specific security safeguards to be implemented by all IT service providers, including the Connecting Colorado external IT service provider. Why do these problems matter? The lack of established IT policies and procedures make it difficult for Department management to measure and hold staff accountable to management?s expectations, as well as ensuring risks are addressed and overall objectives and missions are fulfilled. In turn, without policies and procedures, staff may not perform processes and controls in a consistent manner. In addition, without holding vendors accountable and ensuring that strong security measures are designed, implemented, and operating effectively, the risk of unauthorized access increases and ultimately impacts data reliability of the data stored and processed within MyUI+ and Connecting Colorado. Lastly, without having a strong internal control framework in place, management cannot ensure that state and federal funds are being used appropriately, which may impact the Department?s compliance with federal grant requirements and/or the accuracy of the Department?s federal and financial reporting. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-072 The Department of Labor and Employment (Department) should improve its overall Information Technology (IT) governance and information security IT general controls, and work with its IT service providers, as applicable, for the MyUI+ and Connecting Colorado information systems by: A. Formalizing and communicating to Department staff and the Department?s IT service providers? IT policies that comply with the Business Owner requirements listed within the Governor?s Office of Information Technology?s (OIT) March 2022 Colorado Information Security Policies (Security Policies). As an option, the Department could formally adopt the October 2021 Security Policies, identify any gaps between the October 2021 and March 2022 versions, and then formalize and communicate policies that address the identified gaps. B. Formalizing and communicating IT procedures to provide guidance to Department staff and the Department?s IT service providers performing IT general control activities that further address the IT policies formalized in recommendation Part A. The formalization and communication should include an organizationally defined, periodic review process of OIT?s Security Policies to ensure the Department?s IT policies, procedures, and rules are updated accordingly to align with the most current version of the Security Policies. C. Formalizing a vendor management process that ensures the Department?s IT service providers are held accountable to contract provisions requiring compliance with Colorado Information Security Policies and IT policies and procedures formalized in recommendation Parts A and B. This should include a review of the Department?s current external IT service providers? contracts and a determination of whether amendments to those contracts are necessary, based on the formalization of recommendation Parts A and B. D. Implementing recommendation Part D as noted in the confidential finding. E. Implementing recommendation Part E as noted in the confidential finding. Response Department of Labor and Employment A. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. B. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. C. Agree Implementation Date: December 2023 CDLE agrees with the recommendation and as part of A and B recommendations of this document, the Department will include a requirement from vendors to affirm they have reviewed and will comply with OIT security policies for all new contracts. Furthermore, as the Department becomes aware of changes to OIT Security Policies through its annual review process, these will be communicated to the vendors, and they will be required to reaffirm their compliance with any applicable changes. We will work with our current vendors for MyUI+ and Connecting Colorado to address the compliance issues noted in the audit and ensure they are compliant with OIT Security Policies and IT policies developed in part A and B of this recommendation. If non-compliance is determined to be unavoidable, the Department will file for a security exception with OIT. D. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part D as noted in the confidential finding. E. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part E as noted in the confidential finding.
Finding 2022-071 Federal Funding Accountability and Transparency Act The Department is responsible for administering two programs as part of the Employment Service Cluster: Employment Service/Wagner Peyser Funded Activities (Wagner) [ALN 17.207], and Jobs for Veterans State Grant (JSVG) [ALN 17.801]. The main overall purpose of these programs is to improve the functioning of the nation's labor markets by bringing together individuals who are seeking employment and employers who are seeking workers. The Wagner program provides a variety of services to job seekers, including career services and job search assistances; in addition, employers can access the program to post job orders and obtain qualified applicants. The JSVG provides federal funding through a formula grant to State Workforce Agencies (SWAs), including the Department, to hire dedicated staff to provide individualized career and training-related service to veterans and eligible individuals with significant barriers to employment, and to assist employers in filling their workforce needs with job-seeking veterans. The Department administers the programs and also passes Employment Service Cluster funds through to Colorado counties so they can help provide these services to individuals. The Department is required to comply with the Federal Funding Accountability and Transparency Act of 2006 (Transparency Act or FFATA) for both programs within the Employment Service Cluster. The Transparency Act was created to empower Americans with the ability to hold the government accountable for each spending decision and, as a result, to reduce wasteful spending by the government. The Transparency Act requires the federal government to make certain information on federal awards available to the public. In accordance with the Transparency Act, the Department is required to report information about subgrants, or subawards, given to other governments or to nonprofit organizations, also referred to as subrecipients. Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the Department, to an entity to carry out part of a Federal grant award received by the pass-through entity. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? In Fiscal Year 2022, the Department made 11 subawards to 10 Colorado counties (subrecipients) for the Employment Service Cluster, $11.2 million in subawards to 10 counties for Wagner, and $45,116 in subawards to one county for JVSG, totaling $11.3 million. The Department is required to submit FFATA information through the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Once the Department submits a report to FSRS, the public can view information from the report, including the subrecipient?s name, subaward identification number, subaward obligation/action date, subaward amount, federal awarding agency and subagency, the Department?s name, and the Department?s grant award identification number. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the Department had adequate internal controls over and complied with FFATA reporting requirements for the Employment Service Cluster programs during Fiscal Year 2022. As part of our audit work, we requested the Department?s policies and procedures over FFATA reporting, the FFATA reports submitted by the Department in Fiscal Year 2022, and a list of all subawards made by the Department during Fiscal Year 2022. How were the results of the audit work measured? In accordance with federal regulations [2 CFR 170.330.l(a)], the Department is required to report subawards of $30,000 or more to FSRS by the end of the month following the month in which the award was made. For example, the Department would have to submit a FFATA report to FSRS in May 2022 if an award or supplemental award equal to or greater than $30,000 was made in April 2022. What problem did the audit work identify? Based on our audit work, we determined that the Department did not comply with FFATA reporting requirements for the Employment Cluster and did not report any subawards in FSRS for Fiscal Year 2022. Specifically, we determined that the Department did not report $11.21 million in subawards to 10 subrecipients (the counties) for Wagner, and $45,116 in subawards to one county for JVSG. The following tables summarize the results of our testing and groups each exception within the following categories: subaward not reported, report not timely, subaward amount incorrect, and subaward missing key elements. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Why did this problem occur? The Department was not aware of the FFATA reporting requirement because it did not review the federal grant agreements to determine that the requirement was applicable for the program. Why does this problem matter? By failing to properly report subawards to FSRS, the Department is out of compliance with federal reporting requirements and risks federal sanctions. In addition, it fails to meet the federal intent of transparency for federal program spending. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-071 The Department of Labor and Employment should implement appropriate internal controls and related processes, such as detailed reviews of federal grant agreements, over the Employment Service Cluster to ensure that it is aware of, and in compliance with all federal reporting requirements, including requirements under the Federal Funding Accountability and Transparency Act of 2006. Response Department of Labor and Employment Agree Implementation Date: February 2023 By the implementation date, the Department of Labor and Employment (CDLE) will complete a review of grant agreements for reporting requirements, including the Federal Funding Accountability and Transparency Act of 2006. By the implementation date, the CDLE will develop and implement appropriate controls and processes to come into compliance with the reporting requirements and submit FFATA reports for the 10 entities identified in the audit.
Finding 2022-076 Compliance with Federal Subrecipient Monitoring Requirements The Department receives federal grant funds directly from the federal government for the Highway Planning and Construction Program (Program) and then subgrants, or passes through, a portion of the funds to cities and counties and other organizations that are considered to be either a subrecipient or a contractor. A subrecipient is a non-federal entity that expends federal awards received from a pass-through entity to carry out a federal program, but does not include an individual that is a beneficiary receiving direct payments from such a program. A contractor is a dealer, distributor, merchant, or other seller providing goods or services that are required to conduct a federal program; these goods or services may be for an organization?s own use or for the use of beneficiaries of the federal program. The Department executes an Intergovemental Agreement (IGA) between the Department and the subrecipient. Under Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), the Department is responsible for evaluating each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward and for ultimately ensuring the subrecipient is determined eligible. In some instances, in coordination with the Federal Highway Association (FHWA), a Metropolitan Planning Organization (MPO)? rather than the primary recipient, such as the Department?is responsible for performing eligibility determinations. As such, in those instances, the Department does not perform risk-assessments on these contracts and only is responsible for on-going monitoring. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department had effective internal controls in place and complied with subrecipient monitoring activities for the Program during Fiscal Year 2022. As part of our audit work, we reviewed the Department?s internal controls over compliance for subrecipient monitoring requirements for the Program, including the Department?s policies and procedures. We tested a random sample of 25 of the Department?s 92 subrecipients (27 percent) for the Program?for which the Department had an IGA in place during Fiscal Year 2022?to determine whether subrecipient monitoring procedures performed by Department staff during the year were compliant with federal regulations. Our testing included evaluating whether the Department performed risk assessments and determined the appropriate level of subrecipient monitoring for the entities, as required by federal Uniform Guidance. How were the results of the audit work measured? Our audit work was designed to measure the Department?s compliance with the following criteria: ? Federal regulations [2 CFR 200.303] state that the Department, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? ? Federal regulations [2 CFR 200.332(b)] also state that the Department must evaluate each subrecipient?s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward and may include various factors. ? Federal regulations [2 CFR 200.332(d) through (f)] and [2 CFR 200.521] further require the Department to monitor the activities of its subrecipients, as necessary, to ensure that each subaward is used for authorized purposes, the subrecipient complies with the terms and conditions of the subaward, and that the subrecipient achieves performance goals. The Department?s monitoring must include: o Reviewing financial and programmatic reports submitted by the subrecipient o Following-up on and ensuring the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award o Issuing a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity What problems did the audit work identify? We determined that the Department did not comply with subrecipient monitoring requirements for the Highway Planning and Construction Program during Fiscal Year 2022, as noted below: ? The Department did not perform a risk assessment for 6 of the 25 subrecipients (24 percent) we tested, including subrecipients where eligibility was determined by a MPO. ? The Department improperly included one vendor in our population of subrecipients. The nature of services provided by the vendor was personal services, therefore, did not require the execution of an IGA. ? The Department did not provide supporting documentation for reviews of any Fiscal Year 2022 financial and programmatic reports. As a result, we were unable to determine if any reviews were conducted during the fiscal year, as required. Why did these problems occur? While the Department has created a subrecipient monitoring and risk assessment manual, the manual lacks clarity in a variety of areas, including the following: ? For contracts which extend over multiple fiscal years, the policies do not specify the frequency in which subrecipient risk-assessment should be reviewed or updated. ? There are multiple types of subrecipient contracts for which the full risk-assessment process may not be applicable, however, the current policies do not address acceptable exceptions to the policy. ? The Department?s current policies do not include guidance related to the review of financial and programmatic reports, including the extent to which required programmatic and financial reports should be obtained and reviewed. ? The Department?s policies and procedures do not clearly indicate that the Department is not required to complete a risk assessment when an MPO determines eligibility and therefore the nature of monitoring procedures to be performed is not defined. ? Requested audit documentation was not provided timely. Further, the Department did not provide sufficiently-detailed training to staff to ensure they were aware of and conducted required subrecipient monitoring responsibilities. Why do these problems matter? Performing timely and appropriate monitoring of subrecipients provides the Department with a method to ensure its subrecipients are complying with applicable federal grant requirements. By taking appropriate actions based on the results of its subrecipient monitoring activities, the Department can mitigate the risk of providing continuing funding to entities that may not be using funds in accordance with program requirements. Overall, the Department?s failure to comply with federal requirements could result in a loss of funding from the federal government. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-076 The Department of Transportation should strengthen internal controls over and ensure that it complies with federal subrecipient monitoring requirements for the Highway Planning and Construction program by: A. Updating its current subrecipient monitoring and risk assessment policy to clarify the frequency in which a risk assessment is required to be completed or updated, as applicable for contracts that span multiple fiscal years, as well as direction regarding when it is acceptable to forgo performing a risk assessment and updating the policy to address the nature in which subrecipient programmatic and financial reports are reviewed B. Providing training to staff responsible for subrecipient monitoring activities related to the policies updated in Part A of the finding. Response Department of Transportation A. Agree Implementation Date: November 2023 The Department will update the policy to clarify the frequency in which the risk assessment is required to be completed or updated as applicable for contracts that span multiple fiscal years, as well as identifying exceptions, outlining when it is acceptable to forgo risk assessments. The Department will also update the policy to address the nature in which the subrecipient programmatic and financial reports are reviewed. The updates will be completed by November 2023. B. Agree Implementation Date: November 2023 The Department will provide training on the subrecipient monitoring policy manual to outline roles, responsibilities and the frequency of risk assessments that span over multiple fiscal years. The training will also provide guidance on the programmatic and financial information review process.
Finding 2022-077 Cash Management The Department operates on a reimbursement basis with the federal government for a portion of its federal grant programs, expending state dollars for the federal programs prior to requesting reimbursement for the appropriate federal share. The reimbursement process is governed by the Cash Management Improvement Act of 1990 (CMIA) and 31 CFR Part 205 Part B, Rules and Procedures for Efficient Federal-State Funds Transfers (Transfer Rules), which prescribe specific methods and timeframes for drawing down federal funds. The purpose of CMIA and the Transfer Rules is to minimize the time period from when the State makes an expenditure for a federal program and when the federal reimbursement is received, so that neither the State nor the federal government incurs a loss of interest on the funds. This timeframe for requesting reimbursement is referred to as the ?draw pattern.? Under CMIA, the State must enter into a formal agreement, referred to as the ?Treasury-State Agreement,? (Agreement) with the U.S. Department of the Treasury to establish reimbursement schedules for selected federal programs that have been awarded to the State. In Colorado, the Department of Treasury (Treasury), on behalf of all departments in the State, enters into the Agreement with the U.S. Department of the Treasury. For Fiscal Year 2022, Colorado?s CMIA Agreement included 10 programs administered by various state agencies. The Department has one federal program that is included in the Agreement. Specifically, the Department?s Highway Planning and Construction [ALN 20.205] is included in this Agreement. During Fiscal Year 2022, the Department expended $510.0 million in Highway Planning and Construction funds. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to review the Department?s internal controls over its cash draw process and to determine whether the Department was in compliance with CMIA for the Highway Planning and Construction program during Fiscal Year 2022. As part of our audit, we tested the Department?s internal controls and compliance over its cash management process for the Highway Planning and Construction program. We tested a sample of 25 expenditures and the related draws the Department made for the program during Fiscal Year 2022 and calculated the number of days between each sampled expenditure and related federal draw and compared our results to the CMIA requirements in place at the time the draw occurred. Within our sample, draws for nine of the expenditures were performed prior to October 13, when the 4-day draw pattern was in place; draws for 16 expenditures were performed after October 13 on the 5-day pattern. How were the results of the audit work measured? Under CMIA rules, draw patterns should be interest-neutral between the State?s expenditure and receipt of federal funds. We compared the results of our testwork against the regulations within the CMIA for payments clearing the State?s bank that should result in the receipt of the federal reimbursements within specific timeframe as noted below: The Agreement in place at the beginning of Fiscal Year 2022 specified a 4-day draw pattern for Highway Planning and Construction. Therefore, the time between when the Department?s expenditure was made and when federal funds were received should have been 4 days. In October 2021, however, the Department requested the draw pattern be changed from 4 days to 5 days. This request was approved by the U.S. Department of the Treasury on October 13, 2021. What problem did the audit work identify? We determined that the Department did not comply with the approved cash management draw patterns contained in the Agreements for the Highway Planning and Construction program for Fiscal Year 2022. Overall, 8 of the 25 draws (32 percent) were not made in accordance with the applicable Agreement, as follows: ? We noted that 6 of the 16 draws (38 percent) were not performed on the 5-day approved draw pattern in place after October 13, 2021 and instead, were performed on a 4-day draw pattern. ? We also noted that 2 of the 9 draws (22 percent) sampled from the first Agreement were not completed in accordance with the 4-day approved draw pattern in place prior to October 13, 2021 and, instead, were performed on a 5-day draw pattern. Why did this problem occur? The Department did not have appropriate internal controls over its federal grant cash management process during Fiscal Year 2022. Specifically, the Department conducted an analysis on the draw pattern for Highway Planning and Construction in early Fiscal Year 2022 and determined that its draws were occurring within 5 rather than 4 days, so the Department requested and received approval from the U.S. Department of the Treasury to change from a 4 day draw pattern to a 5-day draw pattern; however, the Department did not properly communicate the change in the Agreement for the Highway Planning and Construction?s draw pattern to the primary individuals responsible for preparing and approving the draws. As a result, the billing procedure was not updated to reflect the change in draw pattern, which led to the draws being out of compliance with the approved CMIA draw pattern. Why does this problem matter? The timing of draws for requesting federal funds impacts the interest neutral requirements under the CMIA. By drawing funds early, the Department creates a risk that the State my ultimately owe interest charges to the federal government. Further, the Department?s lack of strong cash management internal controls may result in delays in the identification of expenditures for which reimbursement has not been requested and therefore, funds upon which the State has lost interest. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-077 The Department Transportation (Department) should strengthen its internal controls and processes over and ensure that it complies with federal Cash Management Improvement Act requirements for the federal Highway Planning and Construction Program (Program) by: A. Ensuring that Department personnel responsible for preparing and reviewing the cash draw requests are adequately informed of the draw pattern applicable for the current fiscal year, including any federally-approved changes that occur during the year. B. Establishing procedures that specify draw request dates in relation to Program expenditures that ensure required draw patterns are met. Response Colorado Department of Transportation A. Agree Implementation Date: March 2023 The Department will enhance its internal controls and processes to ensure it complies with the federal Cash Management Improvement Act requirements for the federal Highway Planning and Construction Program (Program) by ensuring personnel responsible for preparing and reviewing the cash draw requests are adequately informed of the draw pattern for the applicable fiscal year in which the draws occur including federally-approved changes during the year. Personnel responsible for the draw will review the approved draw letter from the State Treasury with a secondary verification on the Federal Site, www.fiscal.treasury.gov/cmia/resources-treasury-state-agreements.hmtl for the specified timeframe before conducting the draw. B. Agree Implementation Date: March 2023 The Department will enhance its internal controls and processes to ensure it complies with federal Cash Management Improvement Act requirements for the federal Highway Planning and Construction Program (Program) by establishing and maintaining formal procedures that specify the draw request dates in relation to the program expenditures to ensure required draw patterns are met. The process to implement changes to the cash draw pattern will be added to the draw procedure by March 2023.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-064 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide emergency financial assistance to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the University under the Higher Education Emergency Relief Fund (HEERF I) Program. The federal Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the federal American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Each of the University?s campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (DOE) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements of the HEERF program there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The DOE specified that the Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The University?s campuses are required to submit the annual report directly to the DOE. During Fiscal Year 2022, each University campus was required to complete and post 8 reports (four Student Aid and four Institutional) to their website. During Fiscal Year 2022, the University?s three campuses in total expended approximately $60 million in HEERF grant funds: $27 million was expended by the Boulder campus, $10.5 million was expended by the Colorado Springs campus, and $22.5 million was expended by the Denver campus. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over and complied with the HEERF grant reporting requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls over the HEERF grant reporting requirements. In addition, we tested 11 of the 12 student reports and 3 of the 12 institutional reports posted by the University during Fiscal Year 2022 to determine whether the University campuses posted the required information on each campus? website accurately, and by the federal due dates. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? The DOE issued a notice on May 13, 2021, requiring institutions to publicly post their required HEERF reports on the institution?s website as soon as possible, but no later than 30 days after the publication of the notice, or 30 days after the date the DOE first obligated funds under HEERF I, II, or III to the institution for emergency financial assistance to students; whichever comes later. The institution is required to post the report no later than 10 days after the end of each calendar quarter, after the initial posting. ? Federal regulation [2 CFR 200.303] states that the System?s campuses, as federal grant recipients, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? What problem did the audit work identify? We identified 2 out of the 14 reports tested (14.3 percent) that did not meet the HEERF grant report posting requirements. Specifically, the University of Colorado, Colorado Springs Campus, did not post the required information for the HEERF Student Aid Portion on its website for two of four quarters of Fiscal Year 2022 timely. First, the University posted the quarter-ending September 30, 2021 report to its website on December 23, 2021, or 74 days after the deadline of October 10. Second, the University did not post the quarter-ending March 31, 2022 report, which was due April 10, 2022, until October 2022, after we notified them of the error; this was approximately 6 months late. We did not identify any issues with the accuracy of the reports, and we found that the other two campuses in the University of Colorado System posted the required information on their respective websites as required by federal regulations. Why did this problem occur? The University?s Colorado Springs campus did not have adequate internal controls in place to ensure it complied with the HEERF grant reporting requirements. Specifically, the Colorado Springs Campus did not have appropriate policies and procedures in place for identifying and researching changes in HEERF reporting requirements. The federal government updated and provided a new form for HEERF reporting in September 2021 that included a section for institutional information but inadvertently excluded student information from the form. Because the form no longer required the student information, the Colorado Springs campus staff inaccurately assumed that the student information was no longer required to be reported. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in the DOE Certification and Agreement that is signed and agreed to by the University. By failing to report required information in accordance with federal regulations, the University failed to comply with the requirements of the HEERF program and potentially risks repercussions from the DOE as specified in the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-064 The University of Colorado?s Colorado Springs campus should strengthen its internal controls over and ensure that it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by establishing policies and procedures for identifying and researching changes in HEERF reporting requirements and posting reports to the campus website as required by federal regulations. Response University of Colorado Agree Implementation Date: Implemented Management agrees. After the notification of the missing HEERF report in December 2021, the UCCS Controller proposed a ?cross-check? process to ensure all future reporting is in compliance and reported in a timely manner. This process is used for both the quarterly and annual reporting process. In the quarterly reporting process, the UCCS Controller completes the institutional report and emails the report to the UCCS Financial Aid office Senior Executive Director for verification of the amounts and the data submitted. The Senior Executive Director then enters the student aid portion?s information and provides this to the UCCS Controller for verification of the data. Once verified, the report is uploaded to the UCCS website and a confirmation email is sent to the UCCS Controller as well as the heerfreporting@ed.gov for verification of completion of the website posting. This process has been duplicated with the annual reporting process. Before the annual report is submitted a review will be done to verify the report figures match the CU financials for the calendar year.
Finding 2022-062 Higher Education Emergency Relief Fund Student Aid Finding The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to higher education institutions, including the University, under the HEERF program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA) was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. Since March 11, 2021, the University has been awarded $45.6 million in HEERF grant funds through the American Rescue Plan (ARP), otherwise known as HEERF III. Of this award, the University was provided both 1) Student Aid monies, along with 2) Institutional Aid monies. Student Aid monies must be used to provide financial aid grants to students (including students exclusively enrolled in distance education), which may be used for ?any component of the student?s cost of attendance or for emergency costs that arise due to coronavirus, such as tuition, food, housing, healthcare (including mental health care), or childcare. Institutional Aid monies may be used to defray expenses associated with coronavirus (including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll) and to make additional financial grants to students. During Fiscal Year 2022, the University spent $21.0 million for the Student Aid portion and $20.2 million for the Institutional portion of HEERF III funds. For the Student Aid portion of the HEERF III funding, the University divided the funding into different groups. The University developed a written plan (that applied during Fiscal Year 2022) for each group and a control process for awarding the monies to students. One of the groups of funding was to be awarded to students with unpaid balances in their tuition or auxiliary accounts with past due balances incurred during the 2020-2021 or 2021-2022 academic years. A team of University employees (CARES Team) was tasked with identifying those students, then contacting those students and asking if they would like the University to apply the student?s HEERF award to pay down the student?s account balance or pay it to the student directly. Once the student informed the University of their election, then the University awarded and disbursed the funds. What was the purpose of our audit work and what was performed? The purpose of the audit work was to determine whether the University was in compliance with the HEERF program regulations for awarding and paying the Student Aid portion of the HEERF funding, and whether proper controls were in place over the program during Fiscal Year 2022. Our testing included conducting interviews with management and selecting a sample of 60 disbursements made to students during Fiscal Year 2022 to test controls and compliance. We performed testing on the 60 disbursements to determine whether awards and disbursements were made in accordance with the University?s documented plan. How were the results of the audit work measured? In accordance with HEERF III requirements, the University must prioritize student aid distributions to students with exceptional needs. In addition, the University must have a documented plan to distribute funds to students. Federal regulations [2 CFR 200.303] require any non-federal grant award recipient to establish and maintain effective internal control over the federal award that provides reasonable assurance that the grant award recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. Lastly, student aid application best practices discourage employees from awarding aid to family members. What problem did the audit work identify? Based on interviews with University management, the University identified that a University employee inappropriately provided $700 in HEERF Student Aid funding to the employee?s family member who was a student at the University but was not eligible to receive the funds. Specifically, the CARES Team selected students to receive these funds that met the following criteria: 1) Student was enrolled in the Fall of 2021 or Spring 2022, 2) student had past due balances incurred during the 2020-2021 or 2021-2022 academic years, 3) the student was in good academic standing, and 4) they were participating in a payment plan or in the College Completion Advising program. The student was not selected by the CARES Team as eligible to receive these funds. During our testing of additional 60 student disbursement transactions we found no other exceptions. Why did this problem occur? The University has not established proper segregation of duties to prevent University employees from awarding federal funding to a member of their family. Specifically, the employee had access rights within the University?s financial aid system that granted the employee the ability to both award and disburse federal funds without another employee reviewing or approving. In addition, the University did not have a written policy, as recommended by industry best practices, that prohibits employees from applying aid to family members? accounts. Why does this problem matter? Federal funds that are misapplied or used for unallowable purposes could be subject to repayment from the University to the federal granting agency. Without ensuring adequate segregation of duties within the University?s financial aid system for awarding and disbursing federal funds, the University increases the risk that fraud could occur. In the instance identified, the University recovered the funding from the student. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-062 Metropolitan State University of Denver (University) should improve its internal controls over federal Higher Education Emergency Relief Funds by instituting appropriate segregation of duties over the awarding of federal funds to students. This should include requiring that no one employee can both award then disburse aid to students and developing and implementing a formal written policy that prohibits University employees from awarding financial aid to their family members. Response Metropolitan State University Agree Implementation Date: June 2023 In January 2023, the Executive Director of Financial Aid and Scholarships implemented a code of conduct that addresses and prohibits University personnel from awarding financial aid to their family members or other persons considered conflicts of interest. The Office of Financial Aid and Scholarships will draft policy by June 30, 2023, to address the segregation of duties that prohibits awarding and disbursing federal, state, or institutional funding to students by one employee.
Finding 2022-063 Higher Education Emergency Relief Fund Reporting Compliance Finding The CARES Act was signed into law on March 27, 2020, and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the (HEERF Program. CRRSAA was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Since April 2020, the University has been awarded a total of $86.3 million in HEERF funding. From inception through June 30, 2022, the University spent $35.4 million for the HEERF program Student Aid Portion and $48.9 million for the HEERF program Institutional Portion. The University reports that it will spend the remaining amount of funding during Fiscal Year 2023. The University signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate the University?s acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The ED specified that Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The annual report is to be submitted directly to the federal ED. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University had adequate internal controls in place over and complied with HEERF Institutional and Student Aid Portion grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the University?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 5 of the 8 HEERF reports submitted by the University during Fiscal Year 2022 to determine whether the reports were posted on the University?s primary website or submitted directly to the ED by the federal due dates and complied with federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? For the Student Aid Portion, beginning on May 6, 2020, the ED required institutions to publicly post certain information on their website, including the number of awards distributed to students, the total amount awarded, and the methodologies used by the institution to determine which students receive awards, no later than 30 days after the award date, and to update that information every 45 days thereafter (by posting a new report). ? On August 31, 2020, the ED revised the reporting requirement by decreasing the frequency of reporting after the initial 30-day period from every 45 days thereafter to every calendar quarter. This revision from every 45 days to a calendar quarter was effective for the first calendar quarter report due by October 10, 2020, and covering the period from after the institution?s last report through the end of the calendar quarter on September 30, 2020. ? For the Institutional Portion, a federal form filled out by the institution must be posted on the institution?s website covering aggregate expenditure amounts for each calendar quarter (September 30, December 31, March 31, and June 30) and concluding after an institution has spent the institutional portion of their HEERF Funds. The institution must post their first report by October 30, 2020, the first quarter of 2021 report by July 20, 2021, and post all other reports no later than 10 days after the end of each calendar quarter (October 10, January 10, April 10, and July 10). ? Section 18004(e) of the CARES Act and Section 314(e) of the CRRSAA require an institution receiving funds under HEERF to submit a report to the Secretary of the ED at ?such time in such a manner as the Secretary may require?. ? Federal regulation [2 CFR 200.334] states that ?financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.? The instructions for the Quarterly HEERF Reporting Form notes, ?any changes or updates after the initial posting must be conspicuously noted after initial posting and the date of the change must be noted in the `Date of Report? line.? ? Federal regulation [2 CFR 200.303] states that the University, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The University signed a HEERF Certification and Agreement to accept the funding and acknowledge its responsibilities under the grant; therefore, the University was responsible under the Agreement to ensure that it complied with HEERF reporting and other requirements. What problems did the audit work identify? We determined that 2 out of 5 reports tested (40 percent) did not meet the HEERF grant report posting requirements. Specifically: ? The University did not post the HEERF CRRSAA Student quarterly report for the quarter ending September 30, 2021 on the University?s primary website, as required. ? The University published the HEERF ARP Student quarterly report for the quarter ending March 31, 2022 on May 26, 2022?46 days past the due date of April 10, 2022. No issues were noted on the accuracy of the financial information on this report. Why did these problems occur? The University did not implement adequate internal controls to ensure it complied with the HEERF grant reporting requirements. Specifically, the University did not have appropriate policies and procedures in place to ensure that staff submit the required reports within federally required timeframes. Why do these problems matter? Federal oversight agencies, including ED, depend on accurate reports to measure program results and states? compliance with federal requirements. By failing to report the HEERF spending information in accordance with federal regulations, the University failed to comply with the requirements of the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-063 Metropolitan State University of Denver (University) should strengthen its internal controls over reporting and ensure it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by developing and documenting policies and procedures for identifying and researching the specific reporting requirements and ensuring that staff post to the University?s website the required reports within federally required timeframes. In addition, the University should ensure that all the HEERF reports that are currently required to be posted are on the website. Response Metropolitan State University Agree Implementation Date: December 2022 In December 2022, the Office of Financial Aid strengthened its internal control over the reporting requirements for the Higher Education Emergency Relief Fund (HEERF), by adding the report due dates to the internal operational calendar. Additional level reviews were also added to the submission process before the required reports will be sent to the Department of Education and posted on the financial aid website.
Finding 2022-059 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF I) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund (Assistance Listing No. 84.425). The HEERF program contains two portions: the Student Aid portion (Assistance Listing No. 84.425E) and the Institutional portion, which is made up of the following: HEERF Institutional Aid Portion (Assistance Listing No. 84.425F), HEERF Minority Serving Institutions (Assistance Listing No. 84.425L), HEERF Strengthening Institutions Program (Assistance Listing No. 84.425M), Institutional Resilience and Expanded Postsecondary Opportunity (Assistance Listing No. 84.425P), and HEERF Supplemental Assistance to Institutions of Higher Education program (Assistance Listing No. 84.425S). Amounts provided to students through HEERF are considered to be ?Emergency Financial Aid Grants to Students? under the Program. Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent approximately $97.8 million for the HEERF program Student Aid portion which is used to award Emergency Financial Aid Grants to students and $113.9 million for the HEERF Institutional Portion, which is used to support the colleges. $117.3 of this amount was expended by the System during Fiscal Year 2022. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the ED to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The annual report is to be submitted directly to the ED. The ED has specified certain criteria that must be included in each report. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System had adequate internal controls in place over, and complied with, the HEERF Institutional and Student Aid grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the System?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 25 of the 117 HEERF reports submitted by the System?s campuses during Fiscal Year 2022 to determine whether the reports were posted on each campus? primary website (quarterly reports) or submitted to ED (annual reports) by the federal due dates. Furthermore, for the Student Aid Quarterly Report we requested from each Campus the underlying support for the reports, which consisted of student data detailing how much aid was awarded and the methods the campuses used to determine which students would receive Emergency Financial Aid Grants. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? On May 13, 2021, the ED published in the Federal Register a notice for student aid public reporting under CRRSAA and ARP, which requires that institutions publicly post certain information on their website. The following information must appear in a format and location that is easily accessible to the public: o An acknowledgement that the institution signed and returned to the ED the Certification and Agreement and the assurance that the institution has used the applicable amount of funds designated under the CRRSAA and ARP programs to provide Emergency Financial Aid Grants to Students. o The total amount of funds that the institution will receive or has received from the ED pursuant to the institution's Certification and Agreement for Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total amount of Emergency Financial Aid Grants distributed to students under the CRRSAA and ARP programs as of the date of submission (i.e., as of the initial report and every calendar quarter thereafter). o The estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total number of students who have received an Emergency Financial Aid Grant to students under the CRRSAA and ARP programs. o The method(s) used by the institution to determine which students receive Emergency Financial Aid Grants and how much they would receive under the CRRSAA and ARP programs. o Any instructions, directions, or guidance provided by the institution to students concerning the Emergency Financial Aid Grants. ? Federal Uniform Guidance [2 CFR 200.303] requires that recipients of federal awards have internal controls in place to ensure that federal reports are accurate and report complete information. Appropriate supporting documentation is evidence of such internal controls. What problems did the audit work identify? We identified issues with 5 of the 25 Fiscal Year 2022 reports we tested (20 percent). Specifically, Front Range Community College (FRCC), Pueblo Community College (PCC), and Lamar Community College (LCC) could not provide appropriate supporting documentation for one or more of the following data elements in five of the Student Aid Quarterly Reports: student data detailing (a) the total amount of Emergency Financial Aid Grants distributed to students, (b) the total number of students eligible to receive Emergency Financial Aid Grants and/or (c) the total number of students at the institution who have received an Emergency Financial Aid Grant. The specific issues we found the following: ? FRCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended September 30, 2021 as 20,684; based on our review, we determined the supported number was 20,782. ? FRCC reported the total number of students at the institution who have received an Emergency Financial Aid Grant for the quarter ended June 30, 2022 as 20,385 (student portion) and 3,207 (institutional portion); based on our review, we determined the supported numbers were 20,401 and 3,222, respectively. ? LCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended June 30, 2022 as 1,007; based on our review, we determined the supported number was 1,034. In addition, the amount disbursed directly to student emergency financial aid grants to date was reported as 961 and total for all HEERF funds was 1,124; based on our review, we determined the supported numbers were 988 and 1,151, respectively. ? PCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarters ending September 30, 2021 and December 31, 2021 as 3,191; based on our review, we determined this amount could not be supported and PCC did not provide a revised count. Why did these problems occur? FRCC, PCC, and LCC campuses did not have procedures in place to ensure that supporting documentation was maintained for its Student Aid Quarterly Reporting. Employee turnover in the FRCC Controller position and FRCC, PCC, and LCC Student Financial Aid Director positions further contributed to FRCC, PCC, and LCC?s inability to locate or recreate the supporting documentation. Why do these problems matter? It is important for FRCC, PCC, and LCC to ensure that they obtain and maintain appropriate documentation to support amounts reported to federal awarding agencies, especially when they are the basis for determining FRCC, PCC, and LCC?s compliance with specific federal program requirements. This issue could lead to inaccurate federal reporting and potential noncompliance, which could result in the federal government requiring FRCC, PCC, and LCC to return funds or a negative impact to the System?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-059 Front Range Community College, Lamar Community College, and Pueblo Community College campuses should strengthen their internal controls over federal reporting and ensure they comply with the Higher Education Emergency Relief Fund reporting requirements by reviewing reports for accuracy and developing procedures for ensuring the required maintenance of all related supporting documentation. Response Front Range Community College Agree Implementation Date: September 2022 Moving forward the Director of Financial Aid will engage the Restricted Funds Accountants in a quality assurance review of both dollars spent, type of fund, and student counts before it is submitted for final review and publishing by the Director of Resource Development and Senior Grant Administrator. The most recently submitted information for the quarterly report of September 30, 2022 will be sent to the Restricted Funds Accountants to validate that FRCC has been and will continue to be in compliance for quarterly HEERF reporting. Response Lamar Community College Agree Implementation Date: July 2022 The Financial Aid Director and the Controller will compile their reporting support on the shared drive they utilize for other routine purposes as well, to ensure clear documentation of the numbers reported. The original report containing errors was corrected, validated, and reposted. All past year?s reporting data was made available on the shared drive as of July 2022. Response Pueblo Community College Agree Implementation Date: October 2022 Each quarter Financial aid will obtain and compare Cognos and Banner disbursement reports for accuracy. Once the unduplicated student count is determined it will be sent to the Vice President of Student Success to validate and approve going forward. Financial aid will ensure staff maintain supporting documentation for any institutional expenditures information that was obtained from the fiscal office. Disbursement and expenditure data will be compiled for the Department of Education?s Quarterly Report by the submission deadline and will be submitted as PDF to webmaster for posting on PCC?s website and a copy emailed to a contact at the Department of Education and will archive the submission for future reference.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-064 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide emergency financial assistance to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the University under the Higher Education Emergency Relief Fund (HEERF I) Program. The federal Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the federal American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Each of the University?s campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (DOE) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements of the HEERF program there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The DOE specified that the Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The University?s campuses are required to submit the annual report directly to the DOE. During Fiscal Year 2022, each University campus was required to complete and post 8 reports (four Student Aid and four Institutional) to their website. During Fiscal Year 2022, the University?s three campuses in total expended approximately $60 million in HEERF grant funds: $27 million was expended by the Boulder campus, $10.5 million was expended by the Colorado Springs campus, and $22.5 million was expended by the Denver campus. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over and complied with the HEERF grant reporting requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls over the HEERF grant reporting requirements. In addition, we tested 11 of the 12 student reports and 3 of the 12 institutional reports posted by the University during Fiscal Year 2022 to determine whether the University campuses posted the required information on each campus? website accurately, and by the federal due dates. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? The DOE issued a notice on May 13, 2021, requiring institutions to publicly post their required HEERF reports on the institution?s website as soon as possible, but no later than 30 days after the publication of the notice, or 30 days after the date the DOE first obligated funds under HEERF I, II, or III to the institution for emergency financial assistance to students; whichever comes later. The institution is required to post the report no later than 10 days after the end of each calendar quarter, after the initial posting. ? Federal regulation [2 CFR 200.303] states that the System?s campuses, as federal grant recipients, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? What problem did the audit work identify? We identified 2 out of the 14 reports tested (14.3 percent) that did not meet the HEERF grant report posting requirements. Specifically, the University of Colorado, Colorado Springs Campus, did not post the required information for the HEERF Student Aid Portion on its website for two of four quarters of Fiscal Year 2022 timely. First, the University posted the quarter-ending September 30, 2021 report to its website on December 23, 2021, or 74 days after the deadline of October 10. Second, the University did not post the quarter-ending March 31, 2022 report, which was due April 10, 2022, until October 2022, after we notified them of the error; this was approximately 6 months late. We did not identify any issues with the accuracy of the reports, and we found that the other two campuses in the University of Colorado System posted the required information on their respective websites as required by federal regulations. Why did this problem occur? The University?s Colorado Springs campus did not have adequate internal controls in place to ensure it complied with the HEERF grant reporting requirements. Specifically, the Colorado Springs Campus did not have appropriate policies and procedures in place for identifying and researching changes in HEERF reporting requirements. The federal government updated and provided a new form for HEERF reporting in September 2021 that included a section for institutional information but inadvertently excluded student information from the form. Because the form no longer required the student information, the Colorado Springs campus staff inaccurately assumed that the student information was no longer required to be reported. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in the DOE Certification and Agreement that is signed and agreed to by the University. By failing to report required information in accordance with federal regulations, the University failed to comply with the requirements of the HEERF program and potentially risks repercussions from the DOE as specified in the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-064 The University of Colorado?s Colorado Springs campus should strengthen its internal controls over and ensure that it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by establishing policies and procedures for identifying and researching changes in HEERF reporting requirements and posting reports to the campus website as required by federal regulations. Response University of Colorado Agree Implementation Date: Implemented Management agrees. After the notification of the missing HEERF report in December 2021, the UCCS Controller proposed a ?cross-check? process to ensure all future reporting is in compliance and reported in a timely manner. This process is used for both the quarterly and annual reporting process. In the quarterly reporting process, the UCCS Controller completes the institutional report and emails the report to the UCCS Financial Aid office Senior Executive Director for verification of the amounts and the data submitted. The Senior Executive Director then enters the student aid portion?s information and provides this to the UCCS Controller for verification of the data. Once verified, the report is uploaded to the UCCS website and a confirmation email is sent to the UCCS Controller as well as the heerfreporting@ed.gov for verification of completion of the website posting. This process has been duplicated with the annual reporting process. Before the annual report is submitted a review will be done to verify the report figures match the CU financials for the calendar year.
Finding 2022-062 Higher Education Emergency Relief Fund Student Aid Finding The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to higher education institutions, including the University, under the HEERF program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA) was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. Since March 11, 2021, the University has been awarded $45.6 million in HEERF grant funds through the American Rescue Plan (ARP), otherwise known as HEERF III. Of this award, the University was provided both 1) Student Aid monies, along with 2) Institutional Aid monies. Student Aid monies must be used to provide financial aid grants to students (including students exclusively enrolled in distance education), which may be used for ?any component of the student?s cost of attendance or for emergency costs that arise due to coronavirus, such as tuition, food, housing, healthcare (including mental health care), or childcare. Institutional Aid monies may be used to defray expenses associated with coronavirus (including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll) and to make additional financial grants to students. During Fiscal Year 2022, the University spent $21.0 million for the Student Aid portion and $20.2 million for the Institutional portion of HEERF III funds. For the Student Aid portion of the HEERF III funding, the University divided the funding into different groups. The University developed a written plan (that applied during Fiscal Year 2022) for each group and a control process for awarding the monies to students. One of the groups of funding was to be awarded to students with unpaid balances in their tuition or auxiliary accounts with past due balances incurred during the 2020-2021 or 2021-2022 academic years. A team of University employees (CARES Team) was tasked with identifying those students, then contacting those students and asking if they would like the University to apply the student?s HEERF award to pay down the student?s account balance or pay it to the student directly. Once the student informed the University of their election, then the University awarded and disbursed the funds. What was the purpose of our audit work and what was performed? The purpose of the audit work was to determine whether the University was in compliance with the HEERF program regulations for awarding and paying the Student Aid portion of the HEERF funding, and whether proper controls were in place over the program during Fiscal Year 2022. Our testing included conducting interviews with management and selecting a sample of 60 disbursements made to students during Fiscal Year 2022 to test controls and compliance. We performed testing on the 60 disbursements to determine whether awards and disbursements were made in accordance with the University?s documented plan. How were the results of the audit work measured? In accordance with HEERF III requirements, the University must prioritize student aid distributions to students with exceptional needs. In addition, the University must have a documented plan to distribute funds to students. Federal regulations [2 CFR 200.303] require any non-federal grant award recipient to establish and maintain effective internal control over the federal award that provides reasonable assurance that the grant award recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. Lastly, student aid application best practices discourage employees from awarding aid to family members. What problem did the audit work identify? Based on interviews with University management, the University identified that a University employee inappropriately provided $700 in HEERF Student Aid funding to the employee?s family member who was a student at the University but was not eligible to receive the funds. Specifically, the CARES Team selected students to receive these funds that met the following criteria: 1) Student was enrolled in the Fall of 2021 or Spring 2022, 2) student had past due balances incurred during the 2020-2021 or 2021-2022 academic years, 3) the student was in good academic standing, and 4) they were participating in a payment plan or in the College Completion Advising program. The student was not selected by the CARES Team as eligible to receive these funds. During our testing of additional 60 student disbursement transactions we found no other exceptions. Why did this problem occur? The University has not established proper segregation of duties to prevent University employees from awarding federal funding to a member of their family. Specifically, the employee had access rights within the University?s financial aid system that granted the employee the ability to both award and disburse federal funds without another employee reviewing or approving. In addition, the University did not have a written policy, as recommended by industry best practices, that prohibits employees from applying aid to family members? accounts. Why does this problem matter? Federal funds that are misapplied or used for unallowable purposes could be subject to repayment from the University to the federal granting agency. Without ensuring adequate segregation of duties within the University?s financial aid system for awarding and disbursing federal funds, the University increases the risk that fraud could occur. In the instance identified, the University recovered the funding from the student. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-062 Metropolitan State University of Denver (University) should improve its internal controls over federal Higher Education Emergency Relief Funds by instituting appropriate segregation of duties over the awarding of federal funds to students. This should include requiring that no one employee can both award then disburse aid to students and developing and implementing a formal written policy that prohibits University employees from awarding financial aid to their family members. Response Metropolitan State University Agree Implementation Date: June 2023 In January 2023, the Executive Director of Financial Aid and Scholarships implemented a code of conduct that addresses and prohibits University personnel from awarding financial aid to their family members or other persons considered conflicts of interest. The Office of Financial Aid and Scholarships will draft policy by June 30, 2023, to address the segregation of duties that prohibits awarding and disbursing federal, state, or institutional funding to students by one employee.
Finding 2022-063 Higher Education Emergency Relief Fund Reporting Compliance Finding The CARES Act was signed into law on March 27, 2020, and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the (HEERF Program. CRRSAA was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Since April 2020, the University has been awarded a total of $86.3 million in HEERF funding. From inception through June 30, 2022, the University spent $35.4 million for the HEERF program Student Aid Portion and $48.9 million for the HEERF program Institutional Portion. The University reports that it will spend the remaining amount of funding during Fiscal Year 2023. The University signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate the University?s acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The ED specified that Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The annual report is to be submitted directly to the federal ED. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University had adequate internal controls in place over and complied with HEERF Institutional and Student Aid Portion grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the University?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 5 of the 8 HEERF reports submitted by the University during Fiscal Year 2022 to determine whether the reports were posted on the University?s primary website or submitted directly to the ED by the federal due dates and complied with federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? For the Student Aid Portion, beginning on May 6, 2020, the ED required institutions to publicly post certain information on their website, including the number of awards distributed to students, the total amount awarded, and the methodologies used by the institution to determine which students receive awards, no later than 30 days after the award date, and to update that information every 45 days thereafter (by posting a new report). ? On August 31, 2020, the ED revised the reporting requirement by decreasing the frequency of reporting after the initial 30-day period from every 45 days thereafter to every calendar quarter. This revision from every 45 days to a calendar quarter was effective for the first calendar quarter report due by October 10, 2020, and covering the period from after the institution?s last report through the end of the calendar quarter on September 30, 2020. ? For the Institutional Portion, a federal form filled out by the institution must be posted on the institution?s website covering aggregate expenditure amounts for each calendar quarter (September 30, December 31, March 31, and June 30) and concluding after an institution has spent the institutional portion of their HEERF Funds. The institution must post their first report by October 30, 2020, the first quarter of 2021 report by July 20, 2021, and post all other reports no later than 10 days after the end of each calendar quarter (October 10, January 10, April 10, and July 10). ? Section 18004(e) of the CARES Act and Section 314(e) of the CRRSAA require an institution receiving funds under HEERF to submit a report to the Secretary of the ED at ?such time in such a manner as the Secretary may require?. ? Federal regulation [2 CFR 200.334] states that ?financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.? The instructions for the Quarterly HEERF Reporting Form notes, ?any changes or updates after the initial posting must be conspicuously noted after initial posting and the date of the change must be noted in the `Date of Report? line.? ? Federal regulation [2 CFR 200.303] states that the University, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The University signed a HEERF Certification and Agreement to accept the funding and acknowledge its responsibilities under the grant; therefore, the University was responsible under the Agreement to ensure that it complied with HEERF reporting and other requirements. What problems did the audit work identify? We determined that 2 out of 5 reports tested (40 percent) did not meet the HEERF grant report posting requirements. Specifically: ? The University did not post the HEERF CRRSAA Student quarterly report for the quarter ending September 30, 2021 on the University?s primary website, as required. ? The University published the HEERF ARP Student quarterly report for the quarter ending March 31, 2022 on May 26, 2022?46 days past the due date of April 10, 2022. No issues were noted on the accuracy of the financial information on this report. Why did these problems occur? The University did not implement adequate internal controls to ensure it complied with the HEERF grant reporting requirements. Specifically, the University did not have appropriate policies and procedures in place to ensure that staff submit the required reports within federally required timeframes. Why do these problems matter? Federal oversight agencies, including ED, depend on accurate reports to measure program results and states? compliance with federal requirements. By failing to report the HEERF spending information in accordance with federal regulations, the University failed to comply with the requirements of the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-063 Metropolitan State University of Denver (University) should strengthen its internal controls over reporting and ensure it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by developing and documenting policies and procedures for identifying and researching the specific reporting requirements and ensuring that staff post to the University?s website the required reports within federally required timeframes. In addition, the University should ensure that all the HEERF reports that are currently required to be posted are on the website. Response Metropolitan State University Agree Implementation Date: December 2022 In December 2022, the Office of Financial Aid strengthened its internal control over the reporting requirements for the Higher Education Emergency Relief Fund (HEERF), by adding the report due dates to the internal operational calendar. Additional level reviews were also added to the submission process before the required reports will be sent to the Department of Education and posted on the financial aid website.
Finding 2022-059 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF I) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund (Assistance Listing No. 84.425). The HEERF program contains two portions: the Student Aid portion (Assistance Listing No. 84.425E) and the Institutional portion, which is made up of the following: HEERF Institutional Aid Portion (Assistance Listing No. 84.425F), HEERF Minority Serving Institutions (Assistance Listing No. 84.425L), HEERF Strengthening Institutions Program (Assistance Listing No. 84.425M), Institutional Resilience and Expanded Postsecondary Opportunity (Assistance Listing No. 84.425P), and HEERF Supplemental Assistance to Institutions of Higher Education program (Assistance Listing No. 84.425S). Amounts provided to students through HEERF are considered to be ?Emergency Financial Aid Grants to Students? under the Program. Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent approximately $97.8 million for the HEERF program Student Aid portion which is used to award Emergency Financial Aid Grants to students and $113.9 million for the HEERF Institutional Portion, which is used to support the colleges. $117.3 of this amount was expended by the System during Fiscal Year 2022. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the ED to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The annual report is to be submitted directly to the ED. The ED has specified certain criteria that must be included in each report. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System had adequate internal controls in place over, and complied with, the HEERF Institutional and Student Aid grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the System?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 25 of the 117 HEERF reports submitted by the System?s campuses during Fiscal Year 2022 to determine whether the reports were posted on each campus? primary website (quarterly reports) or submitted to ED (annual reports) by the federal due dates. Furthermore, for the Student Aid Quarterly Report we requested from each Campus the underlying support for the reports, which consisted of student data detailing how much aid was awarded and the methods the campuses used to determine which students would receive Emergency Financial Aid Grants. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? On May 13, 2021, the ED published in the Federal Register a notice for student aid public reporting under CRRSAA and ARP, which requires that institutions publicly post certain information on their website. The following information must appear in a format and location that is easily accessible to the public: o An acknowledgement that the institution signed and returned to the ED the Certification and Agreement and the assurance that the institution has used the applicable amount of funds designated under the CRRSAA and ARP programs to provide Emergency Financial Aid Grants to Students. o The total amount of funds that the institution will receive or has received from the ED pursuant to the institution's Certification and Agreement for Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total amount of Emergency Financial Aid Grants distributed to students under the CRRSAA and ARP programs as of the date of submission (i.e., as of the initial report and every calendar quarter thereafter). o The estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total number of students who have received an Emergency Financial Aid Grant to students under the CRRSAA and ARP programs. o The method(s) used by the institution to determine which students receive Emergency Financial Aid Grants and how much they would receive under the CRRSAA and ARP programs. o Any instructions, directions, or guidance provided by the institution to students concerning the Emergency Financial Aid Grants. ? Federal Uniform Guidance [2 CFR 200.303] requires that recipients of federal awards have internal controls in place to ensure that federal reports are accurate and report complete information. Appropriate supporting documentation is evidence of such internal controls. What problems did the audit work identify? We identified issues with 5 of the 25 Fiscal Year 2022 reports we tested (20 percent). Specifically, Front Range Community College (FRCC), Pueblo Community College (PCC), and Lamar Community College (LCC) could not provide appropriate supporting documentation for one or more of the following data elements in five of the Student Aid Quarterly Reports: student data detailing (a) the total amount of Emergency Financial Aid Grants distributed to students, (b) the total number of students eligible to receive Emergency Financial Aid Grants and/or (c) the total number of students at the institution who have received an Emergency Financial Aid Grant. The specific issues we found the following: ? FRCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended September 30, 2021 as 20,684; based on our review, we determined the supported number was 20,782. ? FRCC reported the total number of students at the institution who have received an Emergency Financial Aid Grant for the quarter ended June 30, 2022 as 20,385 (student portion) and 3,207 (institutional portion); based on our review, we determined the supported numbers were 20,401 and 3,222, respectively. ? LCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended June 30, 2022 as 1,007; based on our review, we determined the supported number was 1,034. In addition, the amount disbursed directly to student emergency financial aid grants to date was reported as 961 and total for all HEERF funds was 1,124; based on our review, we determined the supported numbers were 988 and 1,151, respectively. ? PCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarters ending September 30, 2021 and December 31, 2021 as 3,191; based on our review, we determined this amount could not be supported and PCC did not provide a revised count. Why did these problems occur? FRCC, PCC, and LCC campuses did not have procedures in place to ensure that supporting documentation was maintained for its Student Aid Quarterly Reporting. Employee turnover in the FRCC Controller position and FRCC, PCC, and LCC Student Financial Aid Director positions further contributed to FRCC, PCC, and LCC?s inability to locate or recreate the supporting documentation. Why do these problems matter? It is important for FRCC, PCC, and LCC to ensure that they obtain and maintain appropriate documentation to support amounts reported to federal awarding agencies, especially when they are the basis for determining FRCC, PCC, and LCC?s compliance with specific federal program requirements. This issue could lead to inaccurate federal reporting and potential noncompliance, which could result in the federal government requiring FRCC, PCC, and LCC to return funds or a negative impact to the System?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-059 Front Range Community College, Lamar Community College, and Pueblo Community College campuses should strengthen their internal controls over federal reporting and ensure they comply with the Higher Education Emergency Relief Fund reporting requirements by reviewing reports for accuracy and developing procedures for ensuring the required maintenance of all related supporting documentation. Response Front Range Community College Agree Implementation Date: September 2022 Moving forward the Director of Financial Aid will engage the Restricted Funds Accountants in a quality assurance review of both dollars spent, type of fund, and student counts before it is submitted for final review and publishing by the Director of Resource Development and Senior Grant Administrator. The most recently submitted information for the quarterly report of September 30, 2022 will be sent to the Restricted Funds Accountants to validate that FRCC has been and will continue to be in compliance for quarterly HEERF reporting. Response Lamar Community College Agree Implementation Date: July 2022 The Financial Aid Director and the Controller will compile their reporting support on the shared drive they utilize for other routine purposes as well, to ensure clear documentation of the numbers reported. The original report containing errors was corrected, validated, and reposted. All past year?s reporting data was made available on the shared drive as of July 2022. Response Pueblo Community College Agree Implementation Date: October 2022 Each quarter Financial aid will obtain and compare Cognos and Banner disbursement reports for accuracy. Once the unduplicated student count is determined it will be sent to the Vice President of Student Success to validate and approve going forward. Financial aid will ensure staff maintain supporting documentation for any institutional expenditures information that was obtained from the fiscal office. Disbursement and expenditure data will be compiled for the Department of Education?s Quarterly Report by the submission deadline and will be submitted as PDF to webmaster for posting on PCC?s website and a copy emailed to a contact at the Department of Education and will archive the submission for future reference.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-064 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide emergency financial assistance to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the University under the Higher Education Emergency Relief Fund (HEERF I) Program. The federal Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the federal American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Each of the University?s campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (DOE) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements of the HEERF program there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The DOE specified that the Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The University?s campuses are required to submit the annual report directly to the DOE. During Fiscal Year 2022, each University campus was required to complete and post 8 reports (four Student Aid and four Institutional) to their website. During Fiscal Year 2022, the University?s three campuses in total expended approximately $60 million in HEERF grant funds: $27 million was expended by the Boulder campus, $10.5 million was expended by the Colorado Springs campus, and $22.5 million was expended by the Denver campus. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over and complied with the HEERF grant reporting requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls over the HEERF grant reporting requirements. In addition, we tested 11 of the 12 student reports and 3 of the 12 institutional reports posted by the University during Fiscal Year 2022 to determine whether the University campuses posted the required information on each campus? website accurately, and by the federal due dates. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? The DOE issued a notice on May 13, 2021, requiring institutions to publicly post their required HEERF reports on the institution?s website as soon as possible, but no later than 30 days after the publication of the notice, or 30 days after the date the DOE first obligated funds under HEERF I, II, or III to the institution for emergency financial assistance to students; whichever comes later. The institution is required to post the report no later than 10 days after the end of each calendar quarter, after the initial posting. ? Federal regulation [2 CFR 200.303] states that the System?s campuses, as federal grant recipients, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? What problem did the audit work identify? We identified 2 out of the 14 reports tested (14.3 percent) that did not meet the HEERF grant report posting requirements. Specifically, the University of Colorado, Colorado Springs Campus, did not post the required information for the HEERF Student Aid Portion on its website for two of four quarters of Fiscal Year 2022 timely. First, the University posted the quarter-ending September 30, 2021 report to its website on December 23, 2021, or 74 days after the deadline of October 10. Second, the University did not post the quarter-ending March 31, 2022 report, which was due April 10, 2022, until October 2022, after we notified them of the error; this was approximately 6 months late. We did not identify any issues with the accuracy of the reports, and we found that the other two campuses in the University of Colorado System posted the required information on their respective websites as required by federal regulations. Why did this problem occur? The University?s Colorado Springs campus did not have adequate internal controls in place to ensure it complied with the HEERF grant reporting requirements. Specifically, the Colorado Springs Campus did not have appropriate policies and procedures in place for identifying and researching changes in HEERF reporting requirements. The federal government updated and provided a new form for HEERF reporting in September 2021 that included a section for institutional information but inadvertently excluded student information from the form. Because the form no longer required the student information, the Colorado Springs campus staff inaccurately assumed that the student information was no longer required to be reported. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in the DOE Certification and Agreement that is signed and agreed to by the University. By failing to report required information in accordance with federal regulations, the University failed to comply with the requirements of the HEERF program and potentially risks repercussions from the DOE as specified in the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-064 The University of Colorado?s Colorado Springs campus should strengthen its internal controls over and ensure that it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by establishing policies and procedures for identifying and researching changes in HEERF reporting requirements and posting reports to the campus website as required by federal regulations. Response University of Colorado Agree Implementation Date: Implemented Management agrees. After the notification of the missing HEERF report in December 2021, the UCCS Controller proposed a ?cross-check? process to ensure all future reporting is in compliance and reported in a timely manner. This process is used for both the quarterly and annual reporting process. In the quarterly reporting process, the UCCS Controller completes the institutional report and emails the report to the UCCS Financial Aid office Senior Executive Director for verification of the amounts and the data submitted. The Senior Executive Director then enters the student aid portion?s information and provides this to the UCCS Controller for verification of the data. Once verified, the report is uploaded to the UCCS website and a confirmation email is sent to the UCCS Controller as well as the heerfreporting@ed.gov for verification of completion of the website posting. This process has been duplicated with the annual reporting process. Before the annual report is submitted a review will be done to verify the report figures match the CU financials for the calendar year.
Finding 2022-062 Higher Education Emergency Relief Fund Student Aid Finding The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to higher education institutions, including the University, under the HEERF program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA) was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. Since March 11, 2021, the University has been awarded $45.6 million in HEERF grant funds through the American Rescue Plan (ARP), otherwise known as HEERF III. Of this award, the University was provided both 1) Student Aid monies, along with 2) Institutional Aid monies. Student Aid monies must be used to provide financial aid grants to students (including students exclusively enrolled in distance education), which may be used for ?any component of the student?s cost of attendance or for emergency costs that arise due to coronavirus, such as tuition, food, housing, healthcare (including mental health care), or childcare. Institutional Aid monies may be used to defray expenses associated with coronavirus (including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll) and to make additional financial grants to students. During Fiscal Year 2022, the University spent $21.0 million for the Student Aid portion and $20.2 million for the Institutional portion of HEERF III funds. For the Student Aid portion of the HEERF III funding, the University divided the funding into different groups. The University developed a written plan (that applied during Fiscal Year 2022) for each group and a control process for awarding the monies to students. One of the groups of funding was to be awarded to students with unpaid balances in their tuition or auxiliary accounts with past due balances incurred during the 2020-2021 or 2021-2022 academic years. A team of University employees (CARES Team) was tasked with identifying those students, then contacting those students and asking if they would like the University to apply the student?s HEERF award to pay down the student?s account balance or pay it to the student directly. Once the student informed the University of their election, then the University awarded and disbursed the funds. What was the purpose of our audit work and what was performed? The purpose of the audit work was to determine whether the University was in compliance with the HEERF program regulations for awarding and paying the Student Aid portion of the HEERF funding, and whether proper controls were in place over the program during Fiscal Year 2022. Our testing included conducting interviews with management and selecting a sample of 60 disbursements made to students during Fiscal Year 2022 to test controls and compliance. We performed testing on the 60 disbursements to determine whether awards and disbursements were made in accordance with the University?s documented plan. How were the results of the audit work measured? In accordance with HEERF III requirements, the University must prioritize student aid distributions to students with exceptional needs. In addition, the University must have a documented plan to distribute funds to students. Federal regulations [2 CFR 200.303] require any non-federal grant award recipient to establish and maintain effective internal control over the federal award that provides reasonable assurance that the grant award recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. Lastly, student aid application best practices discourage employees from awarding aid to family members. What problem did the audit work identify? Based on interviews with University management, the University identified that a University employee inappropriately provided $700 in HEERF Student Aid funding to the employee?s family member who was a student at the University but was not eligible to receive the funds. Specifically, the CARES Team selected students to receive these funds that met the following criteria: 1) Student was enrolled in the Fall of 2021 or Spring 2022, 2) student had past due balances incurred during the 2020-2021 or 2021-2022 academic years, 3) the student was in good academic standing, and 4) they were participating in a payment plan or in the College Completion Advising program. The student was not selected by the CARES Team as eligible to receive these funds. During our testing of additional 60 student disbursement transactions we found no other exceptions. Why did this problem occur? The University has not established proper segregation of duties to prevent University employees from awarding federal funding to a member of their family. Specifically, the employee had access rights within the University?s financial aid system that granted the employee the ability to both award and disburse federal funds without another employee reviewing or approving. In addition, the University did not have a written policy, as recommended by industry best practices, that prohibits employees from applying aid to family members? accounts. Why does this problem matter? Federal funds that are misapplied or used for unallowable purposes could be subject to repayment from the University to the federal granting agency. Without ensuring adequate segregation of duties within the University?s financial aid system for awarding and disbursing federal funds, the University increases the risk that fraud could occur. In the instance identified, the University recovered the funding from the student. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-062 Metropolitan State University of Denver (University) should improve its internal controls over federal Higher Education Emergency Relief Funds by instituting appropriate segregation of duties over the awarding of federal funds to students. This should include requiring that no one employee can both award then disburse aid to students and developing and implementing a formal written policy that prohibits University employees from awarding financial aid to their family members. Response Metropolitan State University Agree Implementation Date: June 2023 In January 2023, the Executive Director of Financial Aid and Scholarships implemented a code of conduct that addresses and prohibits University personnel from awarding financial aid to their family members or other persons considered conflicts of interest. The Office of Financial Aid and Scholarships will draft policy by June 30, 2023, to address the segregation of duties that prohibits awarding and disbursing federal, state, or institutional funding to students by one employee.
Finding 2022-063 Higher Education Emergency Relief Fund Reporting Compliance Finding The CARES Act was signed into law on March 27, 2020, and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the (HEERF Program. CRRSAA was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Since April 2020, the University has been awarded a total of $86.3 million in HEERF funding. From inception through June 30, 2022, the University spent $35.4 million for the HEERF program Student Aid Portion and $48.9 million for the HEERF program Institutional Portion. The University reports that it will spend the remaining amount of funding during Fiscal Year 2023. The University signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate the University?s acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The ED specified that Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The annual report is to be submitted directly to the federal ED. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University had adequate internal controls in place over and complied with HEERF Institutional and Student Aid Portion grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the University?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 5 of the 8 HEERF reports submitted by the University during Fiscal Year 2022 to determine whether the reports were posted on the University?s primary website or submitted directly to the ED by the federal due dates and complied with federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? For the Student Aid Portion, beginning on May 6, 2020, the ED required institutions to publicly post certain information on their website, including the number of awards distributed to students, the total amount awarded, and the methodologies used by the institution to determine which students receive awards, no later than 30 days after the award date, and to update that information every 45 days thereafter (by posting a new report). ? On August 31, 2020, the ED revised the reporting requirement by decreasing the frequency of reporting after the initial 30-day period from every 45 days thereafter to every calendar quarter. This revision from every 45 days to a calendar quarter was effective for the first calendar quarter report due by October 10, 2020, and covering the period from after the institution?s last report through the end of the calendar quarter on September 30, 2020. ? For the Institutional Portion, a federal form filled out by the institution must be posted on the institution?s website covering aggregate expenditure amounts for each calendar quarter (September 30, December 31, March 31, and June 30) and concluding after an institution has spent the institutional portion of their HEERF Funds. The institution must post their first report by October 30, 2020, the first quarter of 2021 report by July 20, 2021, and post all other reports no later than 10 days after the end of each calendar quarter (October 10, January 10, April 10, and July 10). ? Section 18004(e) of the CARES Act and Section 314(e) of the CRRSAA require an institution receiving funds under HEERF to submit a report to the Secretary of the ED at ?such time in such a manner as the Secretary may require?. ? Federal regulation [2 CFR 200.334] states that ?financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.? The instructions for the Quarterly HEERF Reporting Form notes, ?any changes or updates after the initial posting must be conspicuously noted after initial posting and the date of the change must be noted in the `Date of Report? line.? ? Federal regulation [2 CFR 200.303] states that the University, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The University signed a HEERF Certification and Agreement to accept the funding and acknowledge its responsibilities under the grant; therefore, the University was responsible under the Agreement to ensure that it complied with HEERF reporting and other requirements. What problems did the audit work identify? We determined that 2 out of 5 reports tested (40 percent) did not meet the HEERF grant report posting requirements. Specifically: ? The University did not post the HEERF CRRSAA Student quarterly report for the quarter ending September 30, 2021 on the University?s primary website, as required. ? The University published the HEERF ARP Student quarterly report for the quarter ending March 31, 2022 on May 26, 2022?46 days past the due date of April 10, 2022. No issues were noted on the accuracy of the financial information on this report. Why did these problems occur? The University did not implement adequate internal controls to ensure it complied with the HEERF grant reporting requirements. Specifically, the University did not have appropriate policies and procedures in place to ensure that staff submit the required reports within federally required timeframes. Why do these problems matter? Federal oversight agencies, including ED, depend on accurate reports to measure program results and states? compliance with federal requirements. By failing to report the HEERF spending information in accordance with federal regulations, the University failed to comply with the requirements of the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-063 Metropolitan State University of Denver (University) should strengthen its internal controls over reporting and ensure it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by developing and documenting policies and procedures for identifying and researching the specific reporting requirements and ensuring that staff post to the University?s website the required reports within federally required timeframes. In addition, the University should ensure that all the HEERF reports that are currently required to be posted are on the website. Response Metropolitan State University Agree Implementation Date: December 2022 In December 2022, the Office of Financial Aid strengthened its internal control over the reporting requirements for the Higher Education Emergency Relief Fund (HEERF), by adding the report due dates to the internal operational calendar. Additional level reviews were also added to the submission process before the required reports will be sent to the Department of Education and posted on the financial aid website.
Finding 2022-059 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF I) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund (Assistance Listing No. 84.425). The HEERF program contains two portions: the Student Aid portion (Assistance Listing No. 84.425E) and the Institutional portion, which is made up of the following: HEERF Institutional Aid Portion (Assistance Listing No. 84.425F), HEERF Minority Serving Institutions (Assistance Listing No. 84.425L), HEERF Strengthening Institutions Program (Assistance Listing No. 84.425M), Institutional Resilience and Expanded Postsecondary Opportunity (Assistance Listing No. 84.425P), and HEERF Supplemental Assistance to Institutions of Higher Education program (Assistance Listing No. 84.425S). Amounts provided to students through HEERF are considered to be ?Emergency Financial Aid Grants to Students? under the Program. Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent approximately $97.8 million for the HEERF program Student Aid portion which is used to award Emergency Financial Aid Grants to students and $113.9 million for the HEERF Institutional Portion, which is used to support the colleges. $117.3 of this amount was expended by the System during Fiscal Year 2022. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the ED to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The annual report is to be submitted directly to the ED. The ED has specified certain criteria that must be included in each report. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System had adequate internal controls in place over, and complied with, the HEERF Institutional and Student Aid grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the System?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 25 of the 117 HEERF reports submitted by the System?s campuses during Fiscal Year 2022 to determine whether the reports were posted on each campus? primary website (quarterly reports) or submitted to ED (annual reports) by the federal due dates. Furthermore, for the Student Aid Quarterly Report we requested from each Campus the underlying support for the reports, which consisted of student data detailing how much aid was awarded and the methods the campuses used to determine which students would receive Emergency Financial Aid Grants. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? On May 13, 2021, the ED published in the Federal Register a notice for student aid public reporting under CRRSAA and ARP, which requires that institutions publicly post certain information on their website. The following information must appear in a format and location that is easily accessible to the public: o An acknowledgement that the institution signed and returned to the ED the Certification and Agreement and the assurance that the institution has used the applicable amount of funds designated under the CRRSAA and ARP programs to provide Emergency Financial Aid Grants to Students. o The total amount of funds that the institution will receive or has received from the ED pursuant to the institution's Certification and Agreement for Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total amount of Emergency Financial Aid Grants distributed to students under the CRRSAA and ARP programs as of the date of submission (i.e., as of the initial report and every calendar quarter thereafter). o The estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total number of students who have received an Emergency Financial Aid Grant to students under the CRRSAA and ARP programs. o The method(s) used by the institution to determine which students receive Emergency Financial Aid Grants and how much they would receive under the CRRSAA and ARP programs. o Any instructions, directions, or guidance provided by the institution to students concerning the Emergency Financial Aid Grants. ? Federal Uniform Guidance [2 CFR 200.303] requires that recipients of federal awards have internal controls in place to ensure that federal reports are accurate and report complete information. Appropriate supporting documentation is evidence of such internal controls. What problems did the audit work identify? We identified issues with 5 of the 25 Fiscal Year 2022 reports we tested (20 percent). Specifically, Front Range Community College (FRCC), Pueblo Community College (PCC), and Lamar Community College (LCC) could not provide appropriate supporting documentation for one or more of the following data elements in five of the Student Aid Quarterly Reports: student data detailing (a) the total amount of Emergency Financial Aid Grants distributed to students, (b) the total number of students eligible to receive Emergency Financial Aid Grants and/or (c) the total number of students at the institution who have received an Emergency Financial Aid Grant. The specific issues we found the following: ? FRCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended September 30, 2021 as 20,684; based on our review, we determined the supported number was 20,782. ? FRCC reported the total number of students at the institution who have received an Emergency Financial Aid Grant for the quarter ended June 30, 2022 as 20,385 (student portion) and 3,207 (institutional portion); based on our review, we determined the supported numbers were 20,401 and 3,222, respectively. ? LCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended June 30, 2022 as 1,007; based on our review, we determined the supported number was 1,034. In addition, the amount disbursed directly to student emergency financial aid grants to date was reported as 961 and total for all HEERF funds was 1,124; based on our review, we determined the supported numbers were 988 and 1,151, respectively. ? PCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarters ending September 30, 2021 and December 31, 2021 as 3,191; based on our review, we determined this amount could not be supported and PCC did not provide a revised count. Why did these problems occur? FRCC, PCC, and LCC campuses did not have procedures in place to ensure that supporting documentation was maintained for its Student Aid Quarterly Reporting. Employee turnover in the FRCC Controller position and FRCC, PCC, and LCC Student Financial Aid Director positions further contributed to FRCC, PCC, and LCC?s inability to locate or recreate the supporting documentation. Why do these problems matter? It is important for FRCC, PCC, and LCC to ensure that they obtain and maintain appropriate documentation to support amounts reported to federal awarding agencies, especially when they are the basis for determining FRCC, PCC, and LCC?s compliance with specific federal program requirements. This issue could lead to inaccurate federal reporting and potential noncompliance, which could result in the federal government requiring FRCC, PCC, and LCC to return funds or a negative impact to the System?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-059 Front Range Community College, Lamar Community College, and Pueblo Community College campuses should strengthen their internal controls over federal reporting and ensure they comply with the Higher Education Emergency Relief Fund reporting requirements by reviewing reports for accuracy and developing procedures for ensuring the required maintenance of all related supporting documentation. Response Front Range Community College Agree Implementation Date: September 2022 Moving forward the Director of Financial Aid will engage the Restricted Funds Accountants in a quality assurance review of both dollars spent, type of fund, and student counts before it is submitted for final review and publishing by the Director of Resource Development and Senior Grant Administrator. The most recently submitted information for the quarterly report of September 30, 2022 will be sent to the Restricted Funds Accountants to validate that FRCC has been and will continue to be in compliance for quarterly HEERF reporting. Response Lamar Community College Agree Implementation Date: July 2022 The Financial Aid Director and the Controller will compile their reporting support on the shared drive they utilize for other routine purposes as well, to ensure clear documentation of the numbers reported. The original report containing errors was corrected, validated, and reposted. All past year?s reporting data was made available on the shared drive as of July 2022. Response Pueblo Community College Agree Implementation Date: October 2022 Each quarter Financial aid will obtain and compare Cognos and Banner disbursement reports for accuracy. Once the unduplicated student count is determined it will be sent to the Vice President of Student Success to validate and approve going forward. Financial aid will ensure staff maintain supporting documentation for any institutional expenditures information that was obtained from the fiscal office. Disbursement and expenditure data will be compiled for the Department of Education?s Quarterly Report by the submission deadline and will be submitted as PDF to webmaster for posting on PCC?s website and a copy emailed to a contact at the Department of Education and will archive the submission for future reference.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-064 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide emergency financial assistance to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the University under the Higher Education Emergency Relief Fund (HEERF I) Program. The federal Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the federal American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Each of the University?s campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (DOE) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements of the HEERF program there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The DOE specified that the Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The University?s campuses are required to submit the annual report directly to the DOE. During Fiscal Year 2022, each University campus was required to complete and post 8 reports (four Student Aid and four Institutional) to their website. During Fiscal Year 2022, the University?s three campuses in total expended approximately $60 million in HEERF grant funds: $27 million was expended by the Boulder campus, $10.5 million was expended by the Colorado Springs campus, and $22.5 million was expended by the Denver campus. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over and complied with the HEERF grant reporting requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls over the HEERF grant reporting requirements. In addition, we tested 11 of the 12 student reports and 3 of the 12 institutional reports posted by the University during Fiscal Year 2022 to determine whether the University campuses posted the required information on each campus? website accurately, and by the federal due dates. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? The DOE issued a notice on May 13, 2021, requiring institutions to publicly post their required HEERF reports on the institution?s website as soon as possible, but no later than 30 days after the publication of the notice, or 30 days after the date the DOE first obligated funds under HEERF I, II, or III to the institution for emergency financial assistance to students; whichever comes later. The institution is required to post the report no later than 10 days after the end of each calendar quarter, after the initial posting. ? Federal regulation [2 CFR 200.303] states that the System?s campuses, as federal grant recipients, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? What problem did the audit work identify? We identified 2 out of the 14 reports tested (14.3 percent) that did not meet the HEERF grant report posting requirements. Specifically, the University of Colorado, Colorado Springs Campus, did not post the required information for the HEERF Student Aid Portion on its website for two of four quarters of Fiscal Year 2022 timely. First, the University posted the quarter-ending September 30, 2021 report to its website on December 23, 2021, or 74 days after the deadline of October 10. Second, the University did not post the quarter-ending March 31, 2022 report, which was due April 10, 2022, until October 2022, after we notified them of the error; this was approximately 6 months late. We did not identify any issues with the accuracy of the reports, and we found that the other two campuses in the University of Colorado System posted the required information on their respective websites as required by federal regulations. Why did this problem occur? The University?s Colorado Springs campus did not have adequate internal controls in place to ensure it complied with the HEERF grant reporting requirements. Specifically, the Colorado Springs Campus did not have appropriate policies and procedures in place for identifying and researching changes in HEERF reporting requirements. The federal government updated and provided a new form for HEERF reporting in September 2021 that included a section for institutional information but inadvertently excluded student information from the form. Because the form no longer required the student information, the Colorado Springs campus staff inaccurately assumed that the student information was no longer required to be reported. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in the DOE Certification and Agreement that is signed and agreed to by the University. By failing to report required information in accordance with federal regulations, the University failed to comply with the requirements of the HEERF program and potentially risks repercussions from the DOE as specified in the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-064 The University of Colorado?s Colorado Springs campus should strengthen its internal controls over and ensure that it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by establishing policies and procedures for identifying and researching changes in HEERF reporting requirements and posting reports to the campus website as required by federal regulations. Response University of Colorado Agree Implementation Date: Implemented Management agrees. After the notification of the missing HEERF report in December 2021, the UCCS Controller proposed a ?cross-check? process to ensure all future reporting is in compliance and reported in a timely manner. This process is used for both the quarterly and annual reporting process. In the quarterly reporting process, the UCCS Controller completes the institutional report and emails the report to the UCCS Financial Aid office Senior Executive Director for verification of the amounts and the data submitted. The Senior Executive Director then enters the student aid portion?s information and provides this to the UCCS Controller for verification of the data. Once verified, the report is uploaded to the UCCS website and a confirmation email is sent to the UCCS Controller as well as the heerfreporting@ed.gov for verification of completion of the website posting. This process has been duplicated with the annual reporting process. Before the annual report is submitted a review will be done to verify the report figures match the CU financials for the calendar year.
Finding 2022-062 Higher Education Emergency Relief Fund Student Aid Finding The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to higher education institutions, including the University, under the HEERF program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA) was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. Since March 11, 2021, the University has been awarded $45.6 million in HEERF grant funds through the American Rescue Plan (ARP), otherwise known as HEERF III. Of this award, the University was provided both 1) Student Aid monies, along with 2) Institutional Aid monies. Student Aid monies must be used to provide financial aid grants to students (including students exclusively enrolled in distance education), which may be used for ?any component of the student?s cost of attendance or for emergency costs that arise due to coronavirus, such as tuition, food, housing, healthcare (including mental health care), or childcare. Institutional Aid monies may be used to defray expenses associated with coronavirus (including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll) and to make additional financial grants to students. During Fiscal Year 2022, the University spent $21.0 million for the Student Aid portion and $20.2 million for the Institutional portion of HEERF III funds. For the Student Aid portion of the HEERF III funding, the University divided the funding into different groups. The University developed a written plan (that applied during Fiscal Year 2022) for each group and a control process for awarding the monies to students. One of the groups of funding was to be awarded to students with unpaid balances in their tuition or auxiliary accounts with past due balances incurred during the 2020-2021 or 2021-2022 academic years. A team of University employees (CARES Team) was tasked with identifying those students, then contacting those students and asking if they would like the University to apply the student?s HEERF award to pay down the student?s account balance or pay it to the student directly. Once the student informed the University of their election, then the University awarded and disbursed the funds. What was the purpose of our audit work and what was performed? The purpose of the audit work was to determine whether the University was in compliance with the HEERF program regulations for awarding and paying the Student Aid portion of the HEERF funding, and whether proper controls were in place over the program during Fiscal Year 2022. Our testing included conducting interviews with management and selecting a sample of 60 disbursements made to students during Fiscal Year 2022 to test controls and compliance. We performed testing on the 60 disbursements to determine whether awards and disbursements were made in accordance with the University?s documented plan. How were the results of the audit work measured? In accordance with HEERF III requirements, the University must prioritize student aid distributions to students with exceptional needs. In addition, the University must have a documented plan to distribute funds to students. Federal regulations [2 CFR 200.303] require any non-federal grant award recipient to establish and maintain effective internal control over the federal award that provides reasonable assurance that the grant award recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. Lastly, student aid application best practices discourage employees from awarding aid to family members. What problem did the audit work identify? Based on interviews with University management, the University identified that a University employee inappropriately provided $700 in HEERF Student Aid funding to the employee?s family member who was a student at the University but was not eligible to receive the funds. Specifically, the CARES Team selected students to receive these funds that met the following criteria: 1) Student was enrolled in the Fall of 2021 or Spring 2022, 2) student had past due balances incurred during the 2020-2021 or 2021-2022 academic years, 3) the student was in good academic standing, and 4) they were participating in a payment plan or in the College Completion Advising program. The student was not selected by the CARES Team as eligible to receive these funds. During our testing of additional 60 student disbursement transactions we found no other exceptions. Why did this problem occur? The University has not established proper segregation of duties to prevent University employees from awarding federal funding to a member of their family. Specifically, the employee had access rights within the University?s financial aid system that granted the employee the ability to both award and disburse federal funds without another employee reviewing or approving. In addition, the University did not have a written policy, as recommended by industry best practices, that prohibits employees from applying aid to family members? accounts. Why does this problem matter? Federal funds that are misapplied or used for unallowable purposes could be subject to repayment from the University to the federal granting agency. Without ensuring adequate segregation of duties within the University?s financial aid system for awarding and disbursing federal funds, the University increases the risk that fraud could occur. In the instance identified, the University recovered the funding from the student. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-062 Metropolitan State University of Denver (University) should improve its internal controls over federal Higher Education Emergency Relief Funds by instituting appropriate segregation of duties over the awarding of federal funds to students. This should include requiring that no one employee can both award then disburse aid to students and developing and implementing a formal written policy that prohibits University employees from awarding financial aid to their family members. Response Metropolitan State University Agree Implementation Date: June 2023 In January 2023, the Executive Director of Financial Aid and Scholarships implemented a code of conduct that addresses and prohibits University personnel from awarding financial aid to their family members or other persons considered conflicts of interest. The Office of Financial Aid and Scholarships will draft policy by June 30, 2023, to address the segregation of duties that prohibits awarding and disbursing federal, state, or institutional funding to students by one employee.
Finding 2022-063 Higher Education Emergency Relief Fund Reporting Compliance Finding The CARES Act was signed into law on March 27, 2020, and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the (HEERF Program. CRRSAA was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Since April 2020, the University has been awarded a total of $86.3 million in HEERF funding. From inception through June 30, 2022, the University spent $35.4 million for the HEERF program Student Aid Portion and $48.9 million for the HEERF program Institutional Portion. The University reports that it will spend the remaining amount of funding during Fiscal Year 2023. The University signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate the University?s acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The ED specified that Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The annual report is to be submitted directly to the federal ED. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University had adequate internal controls in place over and complied with HEERF Institutional and Student Aid Portion grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the University?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 5 of the 8 HEERF reports submitted by the University during Fiscal Year 2022 to determine whether the reports were posted on the University?s primary website or submitted directly to the ED by the federal due dates and complied with federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? For the Student Aid Portion, beginning on May 6, 2020, the ED required institutions to publicly post certain information on their website, including the number of awards distributed to students, the total amount awarded, and the methodologies used by the institution to determine which students receive awards, no later than 30 days after the award date, and to update that information every 45 days thereafter (by posting a new report). ? On August 31, 2020, the ED revised the reporting requirement by decreasing the frequency of reporting after the initial 30-day period from every 45 days thereafter to every calendar quarter. This revision from every 45 days to a calendar quarter was effective for the first calendar quarter report due by October 10, 2020, and covering the period from after the institution?s last report through the end of the calendar quarter on September 30, 2020. ? For the Institutional Portion, a federal form filled out by the institution must be posted on the institution?s website covering aggregate expenditure amounts for each calendar quarter (September 30, December 31, March 31, and June 30) and concluding after an institution has spent the institutional portion of their HEERF Funds. The institution must post their first report by October 30, 2020, the first quarter of 2021 report by July 20, 2021, and post all other reports no later than 10 days after the end of each calendar quarter (October 10, January 10, April 10, and July 10). ? Section 18004(e) of the CARES Act and Section 314(e) of the CRRSAA require an institution receiving funds under HEERF to submit a report to the Secretary of the ED at ?such time in such a manner as the Secretary may require?. ? Federal regulation [2 CFR 200.334] states that ?financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.? The instructions for the Quarterly HEERF Reporting Form notes, ?any changes or updates after the initial posting must be conspicuously noted after initial posting and the date of the change must be noted in the `Date of Report? line.? ? Federal regulation [2 CFR 200.303] states that the University, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The University signed a HEERF Certification and Agreement to accept the funding and acknowledge its responsibilities under the grant; therefore, the University was responsible under the Agreement to ensure that it complied with HEERF reporting and other requirements. What problems did the audit work identify? We determined that 2 out of 5 reports tested (40 percent) did not meet the HEERF grant report posting requirements. Specifically: ? The University did not post the HEERF CRRSAA Student quarterly report for the quarter ending September 30, 2021 on the University?s primary website, as required. ? The University published the HEERF ARP Student quarterly report for the quarter ending March 31, 2022 on May 26, 2022?46 days past the due date of April 10, 2022. No issues were noted on the accuracy of the financial information on this report. Why did these problems occur? The University did not implement adequate internal controls to ensure it complied with the HEERF grant reporting requirements. Specifically, the University did not have appropriate policies and procedures in place to ensure that staff submit the required reports within federally required timeframes. Why do these problems matter? Federal oversight agencies, including ED, depend on accurate reports to measure program results and states? compliance with federal requirements. By failing to report the HEERF spending information in accordance with federal regulations, the University failed to comply with the requirements of the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-063 Metropolitan State University of Denver (University) should strengthen its internal controls over reporting and ensure it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by developing and documenting policies and procedures for identifying and researching the specific reporting requirements and ensuring that staff post to the University?s website the required reports within federally required timeframes. In addition, the University should ensure that all the HEERF reports that are currently required to be posted are on the website. Response Metropolitan State University Agree Implementation Date: December 2022 In December 2022, the Office of Financial Aid strengthened its internal control over the reporting requirements for the Higher Education Emergency Relief Fund (HEERF), by adding the report due dates to the internal operational calendar. Additional level reviews were also added to the submission process before the required reports will be sent to the Department of Education and posted on the financial aid website.
Finding 2022-059 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF I) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund (Assistance Listing No. 84.425). The HEERF program contains two portions: the Student Aid portion (Assistance Listing No. 84.425E) and the Institutional portion, which is made up of the following: HEERF Institutional Aid Portion (Assistance Listing No. 84.425F), HEERF Minority Serving Institutions (Assistance Listing No. 84.425L), HEERF Strengthening Institutions Program (Assistance Listing No. 84.425M), Institutional Resilience and Expanded Postsecondary Opportunity (Assistance Listing No. 84.425P), and HEERF Supplemental Assistance to Institutions of Higher Education program (Assistance Listing No. 84.425S). Amounts provided to students through HEERF are considered to be ?Emergency Financial Aid Grants to Students? under the Program. Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent approximately $97.8 million for the HEERF program Student Aid portion which is used to award Emergency Financial Aid Grants to students and $113.9 million for the HEERF Institutional Portion, which is used to support the colleges. $117.3 of this amount was expended by the System during Fiscal Year 2022. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the ED to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The annual report is to be submitted directly to the ED. The ED has specified certain criteria that must be included in each report. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System had adequate internal controls in place over, and complied with, the HEERF Institutional and Student Aid grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the System?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 25 of the 117 HEERF reports submitted by the System?s campuses during Fiscal Year 2022 to determine whether the reports were posted on each campus? primary website (quarterly reports) or submitted to ED (annual reports) by the federal due dates. Furthermore, for the Student Aid Quarterly Report we requested from each Campus the underlying support for the reports, which consisted of student data detailing how much aid was awarded and the methods the campuses used to determine which students would receive Emergency Financial Aid Grants. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? On May 13, 2021, the ED published in the Federal Register a notice for student aid public reporting under CRRSAA and ARP, which requires that institutions publicly post certain information on their website. The following information must appear in a format and location that is easily accessible to the public: o An acknowledgement that the institution signed and returned to the ED the Certification and Agreement and the assurance that the institution has used the applicable amount of funds designated under the CRRSAA and ARP programs to provide Emergency Financial Aid Grants to Students. o The total amount of funds that the institution will receive or has received from the ED pursuant to the institution's Certification and Agreement for Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total amount of Emergency Financial Aid Grants distributed to students under the CRRSAA and ARP programs as of the date of submission (i.e., as of the initial report and every calendar quarter thereafter). o The estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total number of students who have received an Emergency Financial Aid Grant to students under the CRRSAA and ARP programs. o The method(s) used by the institution to determine which students receive Emergency Financial Aid Grants and how much they would receive under the CRRSAA and ARP programs. o Any instructions, directions, or guidance provided by the institution to students concerning the Emergency Financial Aid Grants. ? Federal Uniform Guidance [2 CFR 200.303] requires that recipients of federal awards have internal controls in place to ensure that federal reports are accurate and report complete information. Appropriate supporting documentation is evidence of such internal controls. What problems did the audit work identify? We identified issues with 5 of the 25 Fiscal Year 2022 reports we tested (20 percent). Specifically, Front Range Community College (FRCC), Pueblo Community College (PCC), and Lamar Community College (LCC) could not provide appropriate supporting documentation for one or more of the following data elements in five of the Student Aid Quarterly Reports: student data detailing (a) the total amount of Emergency Financial Aid Grants distributed to students, (b) the total number of students eligible to receive Emergency Financial Aid Grants and/or (c) the total number of students at the institution who have received an Emergency Financial Aid Grant. The specific issues we found the following: ? FRCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended September 30, 2021 as 20,684; based on our review, we determined the supported number was 20,782. ? FRCC reported the total number of students at the institution who have received an Emergency Financial Aid Grant for the quarter ended June 30, 2022 as 20,385 (student portion) and 3,207 (institutional portion); based on our review, we determined the supported numbers were 20,401 and 3,222, respectively. ? LCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended June 30, 2022 as 1,007; based on our review, we determined the supported number was 1,034. In addition, the amount disbursed directly to student emergency financial aid grants to date was reported as 961 and total for all HEERF funds was 1,124; based on our review, we determined the supported numbers were 988 and 1,151, respectively. ? PCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarters ending September 30, 2021 and December 31, 2021 as 3,191; based on our review, we determined this amount could not be supported and PCC did not provide a revised count. Why did these problems occur? FRCC, PCC, and LCC campuses did not have procedures in place to ensure that supporting documentation was maintained for its Student Aid Quarterly Reporting. Employee turnover in the FRCC Controller position and FRCC, PCC, and LCC Student Financial Aid Director positions further contributed to FRCC, PCC, and LCC?s inability to locate or recreate the supporting documentation. Why do these problems matter? It is important for FRCC, PCC, and LCC to ensure that they obtain and maintain appropriate documentation to support amounts reported to federal awarding agencies, especially when they are the basis for determining FRCC, PCC, and LCC?s compliance with specific federal program requirements. This issue could lead to inaccurate federal reporting and potential noncompliance, which could result in the federal government requiring FRCC, PCC, and LCC to return funds or a negative impact to the System?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-059 Front Range Community College, Lamar Community College, and Pueblo Community College campuses should strengthen their internal controls over federal reporting and ensure they comply with the Higher Education Emergency Relief Fund reporting requirements by reviewing reports for accuracy and developing procedures for ensuring the required maintenance of all related supporting documentation. Response Front Range Community College Agree Implementation Date: September 2022 Moving forward the Director of Financial Aid will engage the Restricted Funds Accountants in a quality assurance review of both dollars spent, type of fund, and student counts before it is submitted for final review and publishing by the Director of Resource Development and Senior Grant Administrator. The most recently submitted information for the quarterly report of September 30, 2022 will be sent to the Restricted Funds Accountants to validate that FRCC has been and will continue to be in compliance for quarterly HEERF reporting. Response Lamar Community College Agree Implementation Date: July 2022 The Financial Aid Director and the Controller will compile their reporting support on the shared drive they utilize for other routine purposes as well, to ensure clear documentation of the numbers reported. The original report containing errors was corrected, validated, and reposted. All past year?s reporting data was made available on the shared drive as of July 2022. Response Pueblo Community College Agree Implementation Date: October 2022 Each quarter Financial aid will obtain and compare Cognos and Banner disbursement reports for accuracy. Once the unduplicated student count is determined it will be sent to the Vice President of Student Success to validate and approve going forward. Financial aid will ensure staff maintain supporting documentation for any institutional expenditures information that was obtained from the fiscal office. Disbursement and expenditure data will be compiled for the Department of Education?s Quarterly Report by the submission deadline and will be submitted as PDF to webmaster for posting on PCC?s website and a copy emailed to a contact at the Department of Education and will archive the submission for future reference.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-064 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide emergency financial assistance to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the University under the Higher Education Emergency Relief Fund (HEERF I) Program. The federal Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the federal American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Each of the University?s campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (DOE) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements of the HEERF program there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The DOE specified that the Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The University?s campuses are required to submit the annual report directly to the DOE. During Fiscal Year 2022, each University campus was required to complete and post 8 reports (four Student Aid and four Institutional) to their website. During Fiscal Year 2022, the University?s three campuses in total expended approximately $60 million in HEERF grant funds: $27 million was expended by the Boulder campus, $10.5 million was expended by the Colorado Springs campus, and $22.5 million was expended by the Denver campus. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over and complied with the HEERF grant reporting requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls over the HEERF grant reporting requirements. In addition, we tested 11 of the 12 student reports and 3 of the 12 institutional reports posted by the University during Fiscal Year 2022 to determine whether the University campuses posted the required information on each campus? website accurately, and by the federal due dates. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? The DOE issued a notice on May 13, 2021, requiring institutions to publicly post their required HEERF reports on the institution?s website as soon as possible, but no later than 30 days after the publication of the notice, or 30 days after the date the DOE first obligated funds under HEERF I, II, or III to the institution for emergency financial assistance to students; whichever comes later. The institution is required to post the report no later than 10 days after the end of each calendar quarter, after the initial posting. ? Federal regulation [2 CFR 200.303] states that the System?s campuses, as federal grant recipients, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? What problem did the audit work identify? We identified 2 out of the 14 reports tested (14.3 percent) that did not meet the HEERF grant report posting requirements. Specifically, the University of Colorado, Colorado Springs Campus, did not post the required information for the HEERF Student Aid Portion on its website for two of four quarters of Fiscal Year 2022 timely. First, the University posted the quarter-ending September 30, 2021 report to its website on December 23, 2021, or 74 days after the deadline of October 10. Second, the University did not post the quarter-ending March 31, 2022 report, which was due April 10, 2022, until October 2022, after we notified them of the error; this was approximately 6 months late. We did not identify any issues with the accuracy of the reports, and we found that the other two campuses in the University of Colorado System posted the required information on their respective websites as required by federal regulations. Why did this problem occur? The University?s Colorado Springs campus did not have adequate internal controls in place to ensure it complied with the HEERF grant reporting requirements. Specifically, the Colorado Springs Campus did not have appropriate policies and procedures in place for identifying and researching changes in HEERF reporting requirements. The federal government updated and provided a new form for HEERF reporting in September 2021 that included a section for institutional information but inadvertently excluded student information from the form. Because the form no longer required the student information, the Colorado Springs campus staff inaccurately assumed that the student information was no longer required to be reported. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in the DOE Certification and Agreement that is signed and agreed to by the University. By failing to report required information in accordance with federal regulations, the University failed to comply with the requirements of the HEERF program and potentially risks repercussions from the DOE as specified in the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-064 The University of Colorado?s Colorado Springs campus should strengthen its internal controls over and ensure that it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by establishing policies and procedures for identifying and researching changes in HEERF reporting requirements and posting reports to the campus website as required by federal regulations. Response University of Colorado Agree Implementation Date: Implemented Management agrees. After the notification of the missing HEERF report in December 2021, the UCCS Controller proposed a ?cross-check? process to ensure all future reporting is in compliance and reported in a timely manner. This process is used for both the quarterly and annual reporting process. In the quarterly reporting process, the UCCS Controller completes the institutional report and emails the report to the UCCS Financial Aid office Senior Executive Director for verification of the amounts and the data submitted. The Senior Executive Director then enters the student aid portion?s information and provides this to the UCCS Controller for verification of the data. Once verified, the report is uploaded to the UCCS website and a confirmation email is sent to the UCCS Controller as well as the heerfreporting@ed.gov for verification of completion of the website posting. This process has been duplicated with the annual reporting process. Before the annual report is submitted a review will be done to verify the report figures match the CU financials for the calendar year.
Finding 2022-062 Higher Education Emergency Relief Fund Student Aid Finding The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to higher education institutions, including the University, under the HEERF program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA) was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. Since March 11, 2021, the University has been awarded $45.6 million in HEERF grant funds through the American Rescue Plan (ARP), otherwise known as HEERF III. Of this award, the University was provided both 1) Student Aid monies, along with 2) Institutional Aid monies. Student Aid monies must be used to provide financial aid grants to students (including students exclusively enrolled in distance education), which may be used for ?any component of the student?s cost of attendance or for emergency costs that arise due to coronavirus, such as tuition, food, housing, healthcare (including mental health care), or childcare. Institutional Aid monies may be used to defray expenses associated with coronavirus (including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll) and to make additional financial grants to students. During Fiscal Year 2022, the University spent $21.0 million for the Student Aid portion and $20.2 million for the Institutional portion of HEERF III funds. For the Student Aid portion of the HEERF III funding, the University divided the funding into different groups. The University developed a written plan (that applied during Fiscal Year 2022) for each group and a control process for awarding the monies to students. One of the groups of funding was to be awarded to students with unpaid balances in their tuition or auxiliary accounts with past due balances incurred during the 2020-2021 or 2021-2022 academic years. A team of University employees (CARES Team) was tasked with identifying those students, then contacting those students and asking if they would like the University to apply the student?s HEERF award to pay down the student?s account balance or pay it to the student directly. Once the student informed the University of their election, then the University awarded and disbursed the funds. What was the purpose of our audit work and what was performed? The purpose of the audit work was to determine whether the University was in compliance with the HEERF program regulations for awarding and paying the Student Aid portion of the HEERF funding, and whether proper controls were in place over the program during Fiscal Year 2022. Our testing included conducting interviews with management and selecting a sample of 60 disbursements made to students during Fiscal Year 2022 to test controls and compliance. We performed testing on the 60 disbursements to determine whether awards and disbursements were made in accordance with the University?s documented plan. How were the results of the audit work measured? In accordance with HEERF III requirements, the University must prioritize student aid distributions to students with exceptional needs. In addition, the University must have a documented plan to distribute funds to students. Federal regulations [2 CFR 200.303] require any non-federal grant award recipient to establish and maintain effective internal control over the federal award that provides reasonable assurance that the grant award recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. Lastly, student aid application best practices discourage employees from awarding aid to family members. What problem did the audit work identify? Based on interviews with University management, the University identified that a University employee inappropriately provided $700 in HEERF Student Aid funding to the employee?s family member who was a student at the University but was not eligible to receive the funds. Specifically, the CARES Team selected students to receive these funds that met the following criteria: 1) Student was enrolled in the Fall of 2021 or Spring 2022, 2) student had past due balances incurred during the 2020-2021 or 2021-2022 academic years, 3) the student was in good academic standing, and 4) they were participating in a payment plan or in the College Completion Advising program. The student was not selected by the CARES Team as eligible to receive these funds. During our testing of additional 60 student disbursement transactions we found no other exceptions. Why did this problem occur? The University has not established proper segregation of duties to prevent University employees from awarding federal funding to a member of their family. Specifically, the employee had access rights within the University?s financial aid system that granted the employee the ability to both award and disburse federal funds without another employee reviewing or approving. In addition, the University did not have a written policy, as recommended by industry best practices, that prohibits employees from applying aid to family members? accounts. Why does this problem matter? Federal funds that are misapplied or used for unallowable purposes could be subject to repayment from the University to the federal granting agency. Without ensuring adequate segregation of duties within the University?s financial aid system for awarding and disbursing federal funds, the University increases the risk that fraud could occur. In the instance identified, the University recovered the funding from the student. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-062 Metropolitan State University of Denver (University) should improve its internal controls over federal Higher Education Emergency Relief Funds by instituting appropriate segregation of duties over the awarding of federal funds to students. This should include requiring that no one employee can both award then disburse aid to students and developing and implementing a formal written policy that prohibits University employees from awarding financial aid to their family members. Response Metropolitan State University Agree Implementation Date: June 2023 In January 2023, the Executive Director of Financial Aid and Scholarships implemented a code of conduct that addresses and prohibits University personnel from awarding financial aid to their family members or other persons considered conflicts of interest. The Office of Financial Aid and Scholarships will draft policy by June 30, 2023, to address the segregation of duties that prohibits awarding and disbursing federal, state, or institutional funding to students by one employee.
Finding 2022-063 Higher Education Emergency Relief Fund Reporting Compliance Finding The CARES Act was signed into law on March 27, 2020, and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the (HEERF Program. CRRSAA was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Since April 2020, the University has been awarded a total of $86.3 million in HEERF funding. From inception through June 30, 2022, the University spent $35.4 million for the HEERF program Student Aid Portion and $48.9 million for the HEERF program Institutional Portion. The University reports that it will spend the remaining amount of funding during Fiscal Year 2023. The University signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate the University?s acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The ED specified that Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The annual report is to be submitted directly to the federal ED. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University had adequate internal controls in place over and complied with HEERF Institutional and Student Aid Portion grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the University?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 5 of the 8 HEERF reports submitted by the University during Fiscal Year 2022 to determine whether the reports were posted on the University?s primary website or submitted directly to the ED by the federal due dates and complied with federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? For the Student Aid Portion, beginning on May 6, 2020, the ED required institutions to publicly post certain information on their website, including the number of awards distributed to students, the total amount awarded, and the methodologies used by the institution to determine which students receive awards, no later than 30 days after the award date, and to update that information every 45 days thereafter (by posting a new report). ? On August 31, 2020, the ED revised the reporting requirement by decreasing the frequency of reporting after the initial 30-day period from every 45 days thereafter to every calendar quarter. This revision from every 45 days to a calendar quarter was effective for the first calendar quarter report due by October 10, 2020, and covering the period from after the institution?s last report through the end of the calendar quarter on September 30, 2020. ? For the Institutional Portion, a federal form filled out by the institution must be posted on the institution?s website covering aggregate expenditure amounts for each calendar quarter (September 30, December 31, March 31, and June 30) and concluding after an institution has spent the institutional portion of their HEERF Funds. The institution must post their first report by October 30, 2020, the first quarter of 2021 report by July 20, 2021, and post all other reports no later than 10 days after the end of each calendar quarter (October 10, January 10, April 10, and July 10). ? Section 18004(e) of the CARES Act and Section 314(e) of the CRRSAA require an institution receiving funds under HEERF to submit a report to the Secretary of the ED at ?such time in such a manner as the Secretary may require?. ? Federal regulation [2 CFR 200.334] states that ?financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.? The instructions for the Quarterly HEERF Reporting Form notes, ?any changes or updates after the initial posting must be conspicuously noted after initial posting and the date of the change must be noted in the `Date of Report? line.? ? Federal regulation [2 CFR 200.303] states that the University, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The University signed a HEERF Certification and Agreement to accept the funding and acknowledge its responsibilities under the grant; therefore, the University was responsible under the Agreement to ensure that it complied with HEERF reporting and other requirements. What problems did the audit work identify? We determined that 2 out of 5 reports tested (40 percent) did not meet the HEERF grant report posting requirements. Specifically: ? The University did not post the HEERF CRRSAA Student quarterly report for the quarter ending September 30, 2021 on the University?s primary website, as required. ? The University published the HEERF ARP Student quarterly report for the quarter ending March 31, 2022 on May 26, 2022?46 days past the due date of April 10, 2022. No issues were noted on the accuracy of the financial information on this report. Why did these problems occur? The University did not implement adequate internal controls to ensure it complied with the HEERF grant reporting requirements. Specifically, the University did not have appropriate policies and procedures in place to ensure that staff submit the required reports within federally required timeframes. Why do these problems matter? Federal oversight agencies, including ED, depend on accurate reports to measure program results and states? compliance with federal requirements. By failing to report the HEERF spending information in accordance with federal regulations, the University failed to comply with the requirements of the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-063 Metropolitan State University of Denver (University) should strengthen its internal controls over reporting and ensure it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by developing and documenting policies and procedures for identifying and researching the specific reporting requirements and ensuring that staff post to the University?s website the required reports within federally required timeframes. In addition, the University should ensure that all the HEERF reports that are currently required to be posted are on the website. Response Metropolitan State University Agree Implementation Date: December 2022 In December 2022, the Office of Financial Aid strengthened its internal control over the reporting requirements for the Higher Education Emergency Relief Fund (HEERF), by adding the report due dates to the internal operational calendar. Additional level reviews were also added to the submission process before the required reports will be sent to the Department of Education and posted on the financial aid website.
Finding 2022-059 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF I) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund (Assistance Listing No. 84.425). The HEERF program contains two portions: the Student Aid portion (Assistance Listing No. 84.425E) and the Institutional portion, which is made up of the following: HEERF Institutional Aid Portion (Assistance Listing No. 84.425F), HEERF Minority Serving Institutions (Assistance Listing No. 84.425L), HEERF Strengthening Institutions Program (Assistance Listing No. 84.425M), Institutional Resilience and Expanded Postsecondary Opportunity (Assistance Listing No. 84.425P), and HEERF Supplemental Assistance to Institutions of Higher Education program (Assistance Listing No. 84.425S). Amounts provided to students through HEERF are considered to be ?Emergency Financial Aid Grants to Students? under the Program. Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent approximately $97.8 million for the HEERF program Student Aid portion which is used to award Emergency Financial Aid Grants to students and $113.9 million for the HEERF Institutional Portion, which is used to support the colleges. $117.3 of this amount was expended by the System during Fiscal Year 2022. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the ED to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The annual report is to be submitted directly to the ED. The ED has specified certain criteria that must be included in each report. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System had adequate internal controls in place over, and complied with, the HEERF Institutional and Student Aid grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the System?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 25 of the 117 HEERF reports submitted by the System?s campuses during Fiscal Year 2022 to determine whether the reports were posted on each campus? primary website (quarterly reports) or submitted to ED (annual reports) by the federal due dates. Furthermore, for the Student Aid Quarterly Report we requested from each Campus the underlying support for the reports, which consisted of student data detailing how much aid was awarded and the methods the campuses used to determine which students would receive Emergency Financial Aid Grants. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? On May 13, 2021, the ED published in the Federal Register a notice for student aid public reporting under CRRSAA and ARP, which requires that institutions publicly post certain information on their website. The following information must appear in a format and location that is easily accessible to the public: o An acknowledgement that the institution signed and returned to the ED the Certification and Agreement and the assurance that the institution has used the applicable amount of funds designated under the CRRSAA and ARP programs to provide Emergency Financial Aid Grants to Students. o The total amount of funds that the institution will receive or has received from the ED pursuant to the institution's Certification and Agreement for Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total amount of Emergency Financial Aid Grants distributed to students under the CRRSAA and ARP programs as of the date of submission (i.e., as of the initial report and every calendar quarter thereafter). o The estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total number of students who have received an Emergency Financial Aid Grant to students under the CRRSAA and ARP programs. o The method(s) used by the institution to determine which students receive Emergency Financial Aid Grants and how much they would receive under the CRRSAA and ARP programs. o Any instructions, directions, or guidance provided by the institution to students concerning the Emergency Financial Aid Grants. ? Federal Uniform Guidance [2 CFR 200.303] requires that recipients of federal awards have internal controls in place to ensure that federal reports are accurate and report complete information. Appropriate supporting documentation is evidence of such internal controls. What problems did the audit work identify? We identified issues with 5 of the 25 Fiscal Year 2022 reports we tested (20 percent). Specifically, Front Range Community College (FRCC), Pueblo Community College (PCC), and Lamar Community College (LCC) could not provide appropriate supporting documentation for one or more of the following data elements in five of the Student Aid Quarterly Reports: student data detailing (a) the total amount of Emergency Financial Aid Grants distributed to students, (b) the total number of students eligible to receive Emergency Financial Aid Grants and/or (c) the total number of students at the institution who have received an Emergency Financial Aid Grant. The specific issues we found the following: ? FRCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended September 30, 2021 as 20,684; based on our review, we determined the supported number was 20,782. ? FRCC reported the total number of students at the institution who have received an Emergency Financial Aid Grant for the quarter ended June 30, 2022 as 20,385 (student portion) and 3,207 (institutional portion); based on our review, we determined the supported numbers were 20,401 and 3,222, respectively. ? LCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended June 30, 2022 as 1,007; based on our review, we determined the supported number was 1,034. In addition, the amount disbursed directly to student emergency financial aid grants to date was reported as 961 and total for all HEERF funds was 1,124; based on our review, we determined the supported numbers were 988 and 1,151, respectively. ? PCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarters ending September 30, 2021 and December 31, 2021 as 3,191; based on our review, we determined this amount could not be supported and PCC did not provide a revised count. Why did these problems occur? FRCC, PCC, and LCC campuses did not have procedures in place to ensure that supporting documentation was maintained for its Student Aid Quarterly Reporting. Employee turnover in the FRCC Controller position and FRCC, PCC, and LCC Student Financial Aid Director positions further contributed to FRCC, PCC, and LCC?s inability to locate or recreate the supporting documentation. Why do these problems matter? It is important for FRCC, PCC, and LCC to ensure that they obtain and maintain appropriate documentation to support amounts reported to federal awarding agencies, especially when they are the basis for determining FRCC, PCC, and LCC?s compliance with specific federal program requirements. This issue could lead to inaccurate federal reporting and potential noncompliance, which could result in the federal government requiring FRCC, PCC, and LCC to return funds or a negative impact to the System?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-059 Front Range Community College, Lamar Community College, and Pueblo Community College campuses should strengthen their internal controls over federal reporting and ensure they comply with the Higher Education Emergency Relief Fund reporting requirements by reviewing reports for accuracy and developing procedures for ensuring the required maintenance of all related supporting documentation. Response Front Range Community College Agree Implementation Date: September 2022 Moving forward the Director of Financial Aid will engage the Restricted Funds Accountants in a quality assurance review of both dollars spent, type of fund, and student counts before it is submitted for final review and publishing by the Director of Resource Development and Senior Grant Administrator. The most recently submitted information for the quarterly report of September 30, 2022 will be sent to the Restricted Funds Accountants to validate that FRCC has been and will continue to be in compliance for quarterly HEERF reporting. Response Lamar Community College Agree Implementation Date: July 2022 The Financial Aid Director and the Controller will compile their reporting support on the shared drive they utilize for other routine purposes as well, to ensure clear documentation of the numbers reported. The original report containing errors was corrected, validated, and reposted. All past year?s reporting data was made available on the shared drive as of July 2022. Response Pueblo Community College Agree Implementation Date: October 2022 Each quarter Financial aid will obtain and compare Cognos and Banner disbursement reports for accuracy. Once the unduplicated student count is determined it will be sent to the Vice President of Student Success to validate and approve going forward. Financial aid will ensure staff maintain supporting documentation for any institutional expenditures information that was obtained from the fiscal office. Disbursement and expenditure data will be compiled for the Department of Education?s Quarterly Report by the submission deadline and will be submitted as PDF to webmaster for posting on PCC?s website and a copy emailed to a contact at the Department of Education and will archive the submission for future reference.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-065 Research and Development Cluster Equipment Management Compliance The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D activities conducted under these awards vary greatly. The objective of an individual project is explained in the federal award document. R&D activities at the University are subject to federal equipment management requirements. In accordance with Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), Section 201.1 Definitions, equipment is defined as tangible personal property (including information technology systems) having a useful life of more than one year and a per-unit acquisition cost which equals or exceeds the lesser of the capitalization level established by the non-Federal entity for financial statement purposes, or $5,000. The University uses equipment to meet the objective of its various research projects and this equipment may be common items such as a microscope or very complex scientific equipment, Under federal regulations, the University is required, for any equipment purchased under a federal contract, to maintain and track the equipment as to its location. The University must have an internal control structure in place in order to protect and safeguard the equipment and the University should be able to provide evidence that the equipment is safeguarded and maintained and show the location of all equipment. The Campus Controller?s Property Accounting Office (PAO) within the Boulder campus is responsible for equipment and property management. The PAO sends its full equipment listing quarterly to a portion of its individual departments with equipment, in a frequency to cover all departments within a two-year period. The individual departments are required to review the equipment listing, add any new equipment to the listing, and remove any equipment from the listing that has been disposed of or is no longer in service. Once the departments return the listings to the PAO, the PAO selects a sample to verify the information provided by the departments. The PAO selects the sample and the PAO Property Accountant then verifies the equipment?s existence by performing a site visit to the department and observing the equipment. The PAO selects a new sample each quarter. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million and $6 million from the Boulder, Denver and UCCS campuses, respectively. Of that amount, the University?s three campuses expended a total of approximately $191 million for equipment purchases, with $116 million, $69.6 million, and $5.4 million being spent by the Boulder, Denver, and UCCS campuses, respectively. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D Cluster?s equipment management requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls related to the R&D equipment management requirements. We tested 60 items of equipment with a total value of $1.2 million to determine whether the University appropriately safeguarded and maintained equipment, as required by federal regulations. In addition, we tested 40 of the 60 items of equipment with a total value of $840,000 to determine whether the University?s campuses appropriately placed property tags on the equipment as required by University policy. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.313(b) states that a State must use, manage and dispose of equipment acquired under a federal award to the State in accordance with the state laws and procedures. The University?s Property Control Manual section 1.3 states that the University is responsible and accountable for all property acquired with federal funding in accordance with federal regulations and the provision of a sponsored award. While under the heading of ?non-federal entities other than States,? federal regulation 2 CFR 200.313(c) through (e) also requires that equipment records be maintained, a physical inventory of equipment be taken at least once every two years and reconciled to the equipment record, an appropriate control system be used to safeguard equipment and all equipment shall be adequately maintained. ? The University?s Property Control Manual Section 3.3.1 states that ?only items having an acquisition cost of $5,000 or more are logged and tracked in the university property record.? Furthermore, the University?s Property Control Manual Section 3.3.3, states that equipment records should be updated for any changes discovered during the performance of an inventory over equipment. This would include equipment that should be removed from the listing because it was disposed of or is no longer in service. ? The University?s Property Control Manual section 3.2 states that ?All Government property at $5,000 or above in the custody of the Boulder campus must be tagged.? What problems did the audit work identify? We found that 2 of the 60 equipment items that we tested (3 percent,) with a total value of $39,400, were inappropriately included on the equipment listing even though they had either been disposed of in a prior period or were not in service. Specifically, one equipment item with an approximate value of $28,000 was no longer in service by the University, but still remained on the University?s inventory listing. The second equipment item with an approximate value of $8,400 was disposed of by the University on October 3, 2017, but was still on the list. In addition, we determined that 2 of the 40 equipment items we tested for tagging (5 percent) did not contain the tag as required by the University?s Property Control Manual. One of these items was valued at approximately $28,000. The second item was valued at approximately $31,000. Why did these problems occur? The University?s Boulder campus did not have adequate internal controls in place to ensure it complied with the R&D equipment management requirements. Specifically, although the University does have policies over equipment, Boulder campus staff were not adequately performing the procedures intrinsic in the policy. Specifically, neither the PAO nor the individual University departments adequately reconciled the equipment listing to the physical equipment on hand, which resulted in the list including equipment that had been disposed of or was no longer in use. Additionally, the Boulder Campus did not follow its own policies and procedures requiring that equipment with a value of $5,000 was appropriately tagged. One item?s tag was missing and a replacement tag had been ordered and not received at the time of our procedures. We could not determine whether the University identified that the tag was missing before we requested the information for review. The second item was below ground and the University did not maintain evidence of the original tag. Why do these problems matter? The University is obligated to adhere to specified requirements as outlined by federal regulations and the respective award agreement. By failing to adhere to the requirements for maintenance of equipment, the University potentially risks repercussions from the awarding agency. Furthermore, failing to properly maintain the equipment in accordance with federal and University requirements could increase the risk of theft or loss and decrease the ability of the University to adequately identify theft or loss. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-065 The University of Colorado?s Boulder campus should strengthen its internal controls over equipment management and ensure that it complies with the Research and Development equipment management federal compliance requirements by: A. Ensuring the Campus Controller?s Property Accounting Office and the individual departments adequately reconcile the equipment listing to the physical equipment on hand to ensure that the list is accurate, and remove equipment from the listing that has been disposed of or is no longer in use. B. Enforcing its current policies and procedures for ensuring all equipment is appropriately tagged and maintained. Response University of Colorado A. Agree Implementation Date: March 2023 Management agrees with the recommendation. Procedures have been initiated with cross campus partners and will be fully implemented by March 2023. The proposed corrective action plan is as follows: ? Escalation procedures will be implemented in collaboration with campus partners so that action items identified in inventory reviews are addressed timely. ? The Campus Controller?s Office will work with campus partners to increase physical monitoring procedures to ensure tags are affixed and maintained on equipment. B. Agree Implementation Date: March 2023 Management agrees with the recommendation. Procedures have been initiated with cross campus partners and will be fully implemented by March 2023. The proposed corrective action plan is as follows: ? Escalation procedures will be implemented in collaboration with campus partners so that action items identified in inventory reviews are addressed timely. ? The Campus Controller?s Office will work with campus partners to increase physical monitoring procedures to ensure tags are affixed and maintained on equipment.
Finding 2022-065 Research and Development Cluster Equipment Management Compliance The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D activities conducted under these awards vary greatly. The objective of an individual project is explained in the federal award document. R&D activities at the University are subject to federal equipment management requirements. In accordance with Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), Section 201.1 Definitions, equipment is defined as tangible personal property (including information technology systems) having a useful life of more than one year and a per-unit acquisition cost which equals or exceeds the lesser of the capitalization level established by the non-Federal entity for financial statement purposes, or $5,000. The University uses equipment to meet the objective of its various research projects and this equipment may be common items such as a microscope or very complex scientific equipment, Under federal regulations, the University is required, for any equipment purchased under a federal contract, to maintain and track the equipment as to its location. The University must have an internal control structure in place in order to protect and safeguard the equipment and the University should be able to provide evidence that the equipment is safeguarded and maintained and show the location of all equipment. The Campus Controller?s Property Accounting Office (PAO) within the Boulder campus is responsible for equipment and property management. The PAO sends its full equipment listing quarterly to a portion of its individual departments with equipment, in a frequency to cover all departments within a two-year period. The individual departments are required to review the equipment listing, add any new equipment to the listing, and remove any equipment from the listing that has been disposed of or is no longer in service. Once the departments return the listings to the PAO, the PAO selects a sample to verify the information provided by the departments. The PAO selects the sample and the PAO Property Accountant then verifies the equipment?s existence by performing a site visit to the department and observing the equipment. The PAO selects a new sample each quarter. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million and $6 million from the Boulder, Denver and UCCS campuses, respectively. Of that amount, the University?s three campuses expended a total of approximately $191 million for equipment purchases, with $116 million, $69.6 million, and $5.4 million being spent by the Boulder, Denver, and UCCS campuses, respectively. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D Cluster?s equipment management requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls related to the R&D equipment management requirements. We tested 60 items of equipment with a total value of $1.2 million to determine whether the University appropriately safeguarded and maintained equipment, as required by federal regulations. In addition, we tested 40 of the 60 items of equipment with a total value of $840,000 to determine whether the University?s campuses appropriately placed property tags on the equipment as required by University policy. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.313(b) states that a State must use, manage and dispose of equipment acquired under a federal award to the State in accordance with the state laws and procedures. The University?s Property Control Manual section 1.3 states that the University is responsible and accountable for all property acquired with federal funding in accordance with federal regulations and the provision of a sponsored award. While under the heading of ?non-federal entities other than States,? federal regulation 2 CFR 200.313(c) through (e) also requires that equipment records be maintained, a physical inventory of equipment be taken at least once every two years and reconciled to the equipment record, an appropriate control system be used to safeguard equipment and all equipment shall be adequately maintained. ? The University?s Property Control Manual Section 3.3.1 states that ?only items having an acquisition cost of $5,000 or more are logged and tracked in the university property record.? Furthermore, the University?s Property Control Manual Section 3.3.3, states that equipment records should be updated for any changes discovered during the performance of an inventory over equipment. This would include equipment that should be removed from the listing because it was disposed of or is no longer in service. ? The University?s Property Control Manual section 3.2 states that ?All Government property at $5,000 or above in the custody of the Boulder campus must be tagged.? What problems did the audit work identify? We found that 2 of the 60 equipment items that we tested (3 percent,) with a total value of $39,400, were inappropriately included on the equipment listing even though they had either been disposed of in a prior period or were not in service. Specifically, one equipment item with an approximate value of $28,000 was no longer in service by the University, but still remained on the University?s inventory listing. The second equipment item with an approximate value of $8,400 was disposed of by the University on October 3, 2017, but was still on the list. In addition, we determined that 2 of the 40 equipment items we tested for tagging (5 percent) did not contain the tag as required by the University?s Property Control Manual. One of these items was valued at approximately $28,000. The second item was valued at approximately $31,000. Why did these problems occur? The University?s Boulder campus did not have adequate internal controls in place to ensure it complied with the R&D equipment management requirements. Specifically, although the University does have policies over equipment, Boulder campus staff were not adequately performing the procedures intrinsic in the policy. Specifically, neither the PAO nor the individual University departments adequately reconciled the equipment listing to the physical equipment on hand, which resulted in the list including equipment that had been disposed of or was no longer in use. Additionally, the Boulder Campus did not follow its own policies and procedures requiring that equipment with a value of $5,000 was appropriately tagged. One item?s tag was missing and a replacement tag had been ordered and not received at the time of our procedures. We could not determine whether the University identified that the tag was missing before we requested the information for review. The second item was below ground and the University did not maintain evidence of the original tag. Why do these problems matter? The University is obligated to adhere to specified requirements as outlined by federal regulations and the respective award agreement. By failing to adhere to the requirements for maintenance of equipment, the University potentially risks repercussions from the awarding agency. Furthermore, failing to properly maintain the equipment in accordance with federal and University requirements could increase the risk of theft or loss and decrease the ability of the University to adequately identify theft or loss. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-065 The University of Colorado?s Boulder campus should strengthen its internal controls over equipment management and ensure that it complies with the Research and Development equipment management federal compliance requirements by: A. Ensuring the Campus Controller?s Property Accounting Office and the individual departments adequately reconcile the equipment listing to the physical equipment on hand to ensure that the list is accurate, and remove equipment from the listing that has been disposed of or is no longer in use. B. Enforcing its current policies and procedures for ensuring all equipment is appropriately tagged and maintained. Response University of Colorado A. Agree Implementation Date: March 2023 Management agrees with the recommendation. Procedures have been initiated with cross campus partners and will be fully implemented by March 2023. The proposed corrective action plan is as follows: ? Escalation procedures will be implemented in collaboration with campus partners so that action items identified in inventory reviews are addressed timely. ? The Campus Controller?s Office will work with campus partners to increase physical monitoring procedures to ensure tags are affixed and maintained on equipment. B. Agree Implementation Date: March 2023 Management agrees with the recommendation. Procedures have been initiated with cross campus partners and will be fully implemented by March 2023. The proposed corrective action plan is as follows: ? Escalation procedures will be implemented in collaboration with campus partners so that action items identified in inventory reviews are addressed timely. ? The Campus Controller?s Office will work with campus partners to increase physical monitoring procedures to ensure tags are affixed and maintained on equipment.
Finding 2022-065 Research and Development Cluster Equipment Management Compliance The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D activities conducted under these awards vary greatly. The objective of an individual project is explained in the federal award document. R&D activities at the University are subject to federal equipment management requirements. In accordance with Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), Section 201.1 Definitions, equipment is defined as tangible personal property (including information technology systems) having a useful life of more than one year and a per-unit acquisition cost which equals or exceeds the lesser of the capitalization level established by the non-Federal entity for financial statement purposes, or $5,000. The University uses equipment to meet the objective of its various research projects and this equipment may be common items such as a microscope or very complex scientific equipment, Under federal regulations, the University is required, for any equipment purchased under a federal contract, to maintain and track the equipment as to its location. The University must have an internal control structure in place in order to protect and safeguard the equipment and the University should be able to provide evidence that the equipment is safeguarded and maintained and show the location of all equipment. The Campus Controller?s Property Accounting Office (PAO) within the Boulder campus is responsible for equipment and property management. The PAO sends its full equipment listing quarterly to a portion of its individual departments with equipment, in a frequency to cover all departments within a two-year period. The individual departments are required to review the equipment listing, add any new equipment to the listing, and remove any equipment from the listing that has been disposed of or is no longer in service. Once the departments return the listings to the PAO, the PAO selects a sample to verify the information provided by the departments. The PAO selects the sample and the PAO Property Accountant then verifies the equipment?s existence by performing a site visit to the department and observing the equipment. The PAO selects a new sample each quarter. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million and $6 million from the Boulder, Denver and UCCS campuses, respectively. Of that amount, the University?s three campuses expended a total of approximately $191 million for equipment purchases, with $116 million, $69.6 million, and $5.4 million being spent by the Boulder, Denver, and UCCS campuses, respectively. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D Cluster?s equipment management requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls related to the R&D equipment management requirements. We tested 60 items of equipment with a total value of $1.2 million to determine whether the University appropriately safeguarded and maintained equipment, as required by federal regulations. In addition, we tested 40 of the 60 items of equipment with a total value of $840,000 to determine whether the University?s campuses appropriately placed property tags on the equipment as required by University policy. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.313(b) states that a State must use, manage and dispose of equipment acquired under a federal award to the State in accordance with the state laws and procedures. The University?s Property Control Manual section 1.3 states that the University is responsible and accountable for all property acquired with federal funding in accordance with federal regulations and the provision of a sponsored award. While under the heading of ?non-federal entities other than States,? federal regulation 2 CFR 200.313(c) through (e) also requires that equipment records be maintained, a physical inventory of equipment be taken at least once every two years and reconciled to the equipment record, an appropriate control system be used to safeguard equipment and all equipment shall be adequately maintained. ? The University?s Property Control Manual Section 3.3.1 states that ?only items having an acquisition cost of $5,000 or more are logged and tracked in the university property record.? Furthermore, the University?s Property Control Manual Section 3.3.3, states that equipment records should be updated for any changes discovered during the performance of an inventory over equipment. This would include equipment that should be removed from the listing because it was disposed of or is no longer in service. ? The University?s Property Control Manual section 3.2 states that ?All Government property at $5,000 or above in the custody of the Boulder campus must be tagged.? What problems did the audit work identify? We found that 2 of the 60 equipment items that we tested (3 percent,) with a total value of $39,400, were inappropriately included on the equipment listing even though they had either been disposed of in a prior period or were not in service. Specifically, one equipment item with an approximate value of $28,000 was no longer in service by the University, but still remained on the University?s inventory listing. The second equipment item with an approximate value of $8,400 was disposed of by the University on October 3, 2017, but was still on the list. In addition, we determined that 2 of the 40 equipment items we tested for tagging (5 percent) did not contain the tag as required by the University?s Property Control Manual. One of these items was valued at approximately $28,000. The second item was valued at approximately $31,000. Why did these problems occur? The University?s Boulder campus did not have adequate internal controls in place to ensure it complied with the R&D equipment management requirements. Specifically, although the University does have policies over equipment, Boulder campus staff were not adequately performing the procedures intrinsic in the policy. Specifically, neither the PAO nor the individual University departments adequately reconciled the equipment listing to the physical equipment on hand, which resulted in the list including equipment that had been disposed of or was no longer in use. Additionally, the Boulder Campus did not follow its own policies and procedures requiring that equipment with a value of $5,000 was appropriately tagged. One item?s tag was missing and a replacement tag had been ordered and not received at the time of our procedures. We could not determine whether the University identified that the tag was missing before we requested the information for review. The second item was below ground and the University did not maintain evidence of the original tag. Why do these problems matter? The University is obligated to adhere to specified requirements as outlined by federal regulations and the respective award agreement. By failing to adhere to the requirements for maintenance of equipment, the University potentially risks repercussions from the awarding agency. Furthermore, failing to properly maintain the equipment in accordance with federal and University requirements could increase the risk of theft or loss and decrease the ability of the University to adequately identify theft or loss. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-065 The University of Colorado?s Boulder campus should strengthen its internal controls over equipment management and ensure that it complies with the Research and Development equipment management federal compliance requirements by: A. Ensuring the Campus Controller?s Property Accounting Office and the individual departments adequately reconcile the equipment listing to the physical equipment on hand to ensure that the list is accurate, and remove equipment from the listing that has been disposed of or is no longer in use. B. Enforcing its current policies and procedures for ensuring all equipment is appropriately tagged and maintained. Response University of Colorado A. Agree Implementation Date: March 2023 Management agrees with the recommendation. Procedures have been initiated with cross campus partners and will be fully implemented by March 2023. The proposed corrective action plan is as follows: ? Escalation procedures will be implemented in collaboration with campus partners so that action items identified in inventory reviews are addressed timely. ? The Campus Controller?s Office will work with campus partners to increase physical monitoring procedures to ensure tags are affixed and maintained on equipment. B. Agree Implementation Date: March 2023 Management agrees with the recommendation. Procedures have been initiated with cross campus partners and will be fully implemented by March 2023. The proposed corrective action plan is as follows: ? Escalation procedures will be implemented in collaboration with campus partners so that action items identified in inventory reviews are addressed timely. ? The Campus Controller?s Office will work with campus partners to increase physical monitoring procedures to ensure tags are affixed and maintained on equipment.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-065 Research and Development Cluster Equipment Management Compliance The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D activities conducted under these awards vary greatly. The objective of an individual project is explained in the federal award document. R&D activities at the University are subject to federal equipment management requirements. In accordance with Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), Section 201.1 Definitions, equipment is defined as tangible personal property (including information technology systems) having a useful life of more than one year and a per-unit acquisition cost which equals or exceeds the lesser of the capitalization level established by the non-Federal entity for financial statement purposes, or $5,000. The University uses equipment to meet the objective of its various research projects and this equipment may be common items such as a microscope or very complex scientific equipment, Under federal regulations, the University is required, for any equipment purchased under a federal contract, to maintain and track the equipment as to its location. The University must have an internal control structure in place in order to protect and safeguard the equipment and the University should be able to provide evidence that the equipment is safeguarded and maintained and show the location of all equipment. The Campus Controller?s Property Accounting Office (PAO) within the Boulder campus is responsible for equipment and property management. The PAO sends its full equipment listing quarterly to a portion of its individual departments with equipment, in a frequency to cover all departments within a two-year period. The individual departments are required to review the equipment listing, add any new equipment to the listing, and remove any equipment from the listing that has been disposed of or is no longer in service. Once the departments return the listings to the PAO, the PAO selects a sample to verify the information provided by the departments. The PAO selects the sample and the PAO Property Accountant then verifies the equipment?s existence by performing a site visit to the department and observing the equipment. The PAO selects a new sample each quarter. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million and $6 million from the Boulder, Denver and UCCS campuses, respectively. Of that amount, the University?s three campuses expended a total of approximately $191 million for equipment purchases, with $116 million, $69.6 million, and $5.4 million being spent by the Boulder, Denver, and UCCS campuses, respectively. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D Cluster?s equipment management requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls related to the R&D equipment management requirements. We tested 60 items of equipment with a total value of $1.2 million to determine whether the University appropriately safeguarded and maintained equipment, as required by federal regulations. In addition, we tested 40 of the 60 items of equipment with a total value of $840,000 to determine whether the University?s campuses appropriately placed property tags on the equipment as required by University policy. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.313(b) states that a State must use, manage and dispose of equipment acquired under a federal award to the State in accordance with the state laws and procedures. The University?s Property Control Manual section 1.3 states that the University is responsible and accountable for all property acquired with federal funding in accordance with federal regulations and the provision of a sponsored award. While under the heading of ?non-federal entities other than States,? federal regulation 2 CFR 200.313(c) through (e) also requires that equipment records be maintained, a physical inventory of equipment be taken at least once every two years and reconciled to the equipment record, an appropriate control system be used to safeguard equipment and all equipment shall be adequately maintained. ? The University?s Property Control Manual Section 3.3.1 states that ?only items having an acquisition cost of $5,000 or more are logged and tracked in the university property record.? Furthermore, the University?s Property Control Manual Section 3.3.3, states that equipment records should be updated for any changes discovered during the performance of an inventory over equipment. This would include equipment that should be removed from the listing because it was disposed of or is no longer in service. ? The University?s Property Control Manual section 3.2 states that ?All Government property at $5,000 or above in the custody of the Boulder campus must be tagged.? What problems did the audit work identify? We found that 2 of the 60 equipment items that we tested (3 percent,) with a total value of $39,400, were inappropriately included on the equipment listing even though they had either been disposed of in a prior period or were not in service. Specifically, one equipment item with an approximate value of $28,000 was no longer in service by the University, but still remained on the University?s inventory listing. The second equipment item with an approximate value of $8,400 was disposed of by the University on October 3, 2017, but was still on the list. In addition, we determined that 2 of the 40 equipment items we tested for tagging (5 percent) did not contain the tag as required by the University?s Property Control Manual. One of these items was valued at approximately $28,000. The second item was valued at approximately $31,000. Why did these problems occur? The University?s Boulder campus did not have adequate internal controls in place to ensure it complied with the R&D equipment management requirements. Specifically, although the University does have policies over equipment, Boulder campus staff were not adequately performing the procedures intrinsic in the policy. Specifically, neither the PAO nor the individual University departments adequately reconciled the equipment listing to the physical equipment on hand, which resulted in the list including equipment that had been disposed of or was no longer in use. Additionally, the Boulder Campus did not follow its own policies and procedures requiring that equipment with a value of $5,000 was appropriately tagged. One item?s tag was missing and a replacement tag had been ordered and not received at the time of our procedures. We could not determine whether the University identified that the tag was missing before we requested the information for review. The second item was below ground and the University did not maintain evidence of the original tag. Why do these problems matter? The University is obligated to adhere to specified requirements as outlined by federal regulations and the respective award agreement. By failing to adhere to the requirements for maintenance of equipment, the University potentially risks repercussions from the awarding agency. Furthermore, failing to properly maintain the equipment in accordance with federal and University requirements could increase the risk of theft or loss and decrease the ability of the University to adequately identify theft or loss. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-065 The University of Colorado?s Boulder campus should strengthen its internal controls over equipment management and ensure that it complies with the Research and Development equipment management federal compliance requirements by: A. Ensuring the Campus Controller?s Property Accounting Office and the individual departments adequately reconcile the equipment listing to the physical equipment on hand to ensure that the list is accurate, and remove equipment from the listing that has been disposed of or is no longer in use. B. Enforcing its current policies and procedures for ensuring all equipment is appropriately tagged and maintained. Response University of Colorado A. Agree Implementation Date: March 2023 Management agrees with the recommendation. Procedures have been initiated with cross campus partners and will be fully implemented by March 2023. The proposed corrective action plan is as follows: ? Escalation procedures will be implemented in collaboration with campus partners so that action items identified in inventory reviews are addressed timely. ? The Campus Controller?s Office will work with campus partners to increase physical monitoring procedures to ensure tags are affixed and maintained on equipment. B. Agree Implementation Date: March 2023 Management agrees with the recommendation. Procedures have been initiated with cross campus partners and will be fully implemented by March 2023. The proposed corrective action plan is as follows: ? Escalation procedures will be implemented in collaboration with campus partners so that action items identified in inventory reviews are addressed timely. ? The Campus Controller?s Office will work with campus partners to increase physical monitoring procedures to ensure tags are affixed and maintained on equipment.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-074 Coronavirus Relief Funds?Property Owner Preservation Program The President of the United States issued the Proclamation on Declaring a National Emergency Concerning the Novel Coronavirus Disease (COVID-19) Outbreak on March 13, 2020 and Congress subsequently passed the Coronavirus Aid, Relief, and Economic Security (CARES) Act. The CARES Act provided emergency assistance in response to the COVID-19 pandemic and established the Coronavirus Relief Fund (CRF) program, which provided payments to state, local, and tribal governments navigating the impact of COVID-19. The State of Colorado received approximately $1.67 billion of CRF funds in April 2020, and the Governor issued Executive Order 2020-070 (Executive Order) in May 2020 to disburse the CRF funds to numerous state departments and agencies. In June 2020, the State passed House Bill 20-1410, concerning assistance for individuals facing a housing-related hardship due to the COVID-19 pandemic, and transferred approximately $19.7 million of CRF funds to the Housing Development Grant Fund to provide such assistance. This bill includes a provision for the Property Owners Preservation Program (Program), which was managed by the Department, to allow landlords and property owners to seek rental assistance on behalf of their tenants who experienced a financial need on or after March 1, 2020, due to the effects of the COVID-19 pandemic. In Fiscal Year 2021, the Department expended the $19.7 million of the CRF funds it received in April 2020, for the Property Owners Preservation Program (POPP). What was the purpose of our audit work and what work was performed? The purpose of the audit work was to follow up on our prior year audit recommendation, which recommended that the Department implement internal controls to ensure it complies with federal regulations for any new federal funds it receives, such as the CRF. The Department planned to implement this recommendation by June 2022. During the Fiscal Year 2022 audit, we inquired with the Department on the implementation status of this recommendation. We also obtained and reviewed the Department?s Exhibit K3, Schedule of Prior Year Audit Recommendation Status, which it was required to submit to the State Controller. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Under House Bill 20-1410, the Housing Development Grant Fund was appropriated $19,650,000 of funds from the CRF for the purpose of providing individuals and households who, on or after March 1, 2020, experienced financial need due to the COVID-19 pandemic or effects of the COVID-19 pandemic, with rental assistance. The House Bill also provided guidance on how to access additional housing services. The Department developed and issued a new application for the POPP to address the criteria for experiencing direct or indirect impacts of the COVID-19 pandemic. ? Federal regulations [2 CFR 200.303] require that the Department, as a federal grant recipient, ?establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.? Furthermore, in accordance with 2 CFR part 200, subpart E, the Department must determine that amounts paid with federal grant funds were necessary and reasonable for the performance of the federal award and are adequately documented. Therefore, the Department must maintain appropriate supporting documentation to verify costs were properly charged to the federal grants. ? The Office of the State Controller (OSC) requires each department that had a prior audit recommendation that was reported in the prior fiscal year?s Office of the State Auditor Statewide audit to complete an Exhibit K3 to report the Department?s determination of the status of their recommendation as of June 30. Possible status descriptions include ?Implemented,? ?Partially Implemented,? ?Not Implemented,? and ?No Longer Valid.? The Department must provide an explanation for each recommendation status. What problem did the audit work identify? We determined that the Department did not implement the prior year?s recommendation by its planned implementation date of June 2022. Specifically, during prior year audit work, we found that the Department could not provide appropriate underlying support for 4 of the 60 transactions (7 percent) we tested that were charged as CRF expenditures for the Program; as a result, we recommended that the Department strengthen its internal controls over federal grant spending, including that it develop and implement policies and procedures with a requirement that Department staff review and maintain records supporting its expenditures charged to federal programs. When we inquired of the Department about what steps it had taken to implement the recommendation, Department staff indicated that they did not implement the recommendation during Fiscal Year 2022. Why did this problem occur? The Department reported on its Exhibit K3 that it determined that the original implementation date of June 2022 that the Department provided as its planned implementation date for our Fiscal Year 2021 recommendation was unrealistic, given the Department?s staffing challenges. Specifically, the Department indicated that it was not able to allocate sufficient time to develop and implement the recommended policy and procedure guidance by the end of Fiscal Year 2022. Why does this problem matter? The Department?s lack of sufficient internal controls over the maintenance of complete and accurate records for the federal CRF monies could result in inadequate documentation to support its payments and ultimately, disallowed federal costs and potential sanctions. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-074 The Department of Local Affairs (Department) should implement internal controls to ensure it complies with federal regulations, specifically for activities allowed or unallowed and allowable costs/cost principles, for any new federal funds it receives, such as the Coronavirus Relief Fund. This should include developing and implementing policies and procedures that include a requirement that Department staff review and maintain records supporting the expenditures charged to the federal program. Response Department of Local Affairs Agree Implementation Date: September 2022 The Division of Housing within the Department of Local Affairs has implemented internal controls to ensure compliance with federal regulations for new federal funds, including the development of a standard procedure and the requirement that Department staff review and maintain records supporting the expenditures charged to new federal programs.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-059 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF I) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund (Assistance Listing No. 84.425). The HEERF program contains two portions: the Student Aid portion (Assistance Listing No. 84.425E) and the Institutional portion, which is made up of the following: HEERF Institutional Aid Portion (Assistance Listing No. 84.425F), HEERF Minority Serving Institutions (Assistance Listing No. 84.425L), HEERF Strengthening Institutions Program (Assistance Listing No. 84.425M), Institutional Resilience and Expanded Postsecondary Opportunity (Assistance Listing No. 84.425P), and HEERF Supplemental Assistance to Institutions of Higher Education program (Assistance Listing No. 84.425S). Amounts provided to students through HEERF are considered to be ?Emergency Financial Aid Grants to Students? under the Program. Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent approximately $97.8 million for the HEERF program Student Aid portion which is used to award Emergency Financial Aid Grants to students and $113.9 million for the HEERF Institutional Portion, which is used to support the colleges. $117.3 of this amount was expended by the System during Fiscal Year 2022. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the ED to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The annual report is to be submitted directly to the ED. The ED has specified certain criteria that must be included in each report. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System had adequate internal controls in place over, and complied with, the HEERF Institutional and Student Aid grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the System?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 25 of the 117 HEERF reports submitted by the System?s campuses during Fiscal Year 2022 to determine whether the reports were posted on each campus? primary website (quarterly reports) or submitted to ED (annual reports) by the federal due dates. Furthermore, for the Student Aid Quarterly Report we requested from each Campus the underlying support for the reports, which consisted of student data detailing how much aid was awarded and the methods the campuses used to determine which students would receive Emergency Financial Aid Grants. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? On May 13, 2021, the ED published in the Federal Register a notice for student aid public reporting under CRRSAA and ARP, which requires that institutions publicly post certain information on their website. The following information must appear in a format and location that is easily accessible to the public: o An acknowledgement that the institution signed and returned to the ED the Certification and Agreement and the assurance that the institution has used the applicable amount of funds designated under the CRRSAA and ARP programs to provide Emergency Financial Aid Grants to Students. o The total amount of funds that the institution will receive or has received from the ED pursuant to the institution's Certification and Agreement for Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total amount of Emergency Financial Aid Grants distributed to students under the CRRSAA and ARP programs as of the date of submission (i.e., as of the initial report and every calendar quarter thereafter). o The estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total number of students who have received an Emergency Financial Aid Grant to students under the CRRSAA and ARP programs. o The method(s) used by the institution to determine which students receive Emergency Financial Aid Grants and how much they would receive under the CRRSAA and ARP programs. o Any instructions, directions, or guidance provided by the institution to students concerning the Emergency Financial Aid Grants. ? Federal Uniform Guidance [2 CFR 200.303] requires that recipients of federal awards have internal controls in place to ensure that federal reports are accurate and report complete information. Appropriate supporting documentation is evidence of such internal controls. What problems did the audit work identify? We identified issues with 5 of the 25 Fiscal Year 2022 reports we tested (20 percent). Specifically, Front Range Community College (FRCC), Pueblo Community College (PCC), and Lamar Community College (LCC) could not provide appropriate supporting documentation for one or more of the following data elements in five of the Student Aid Quarterly Reports: student data detailing (a) the total amount of Emergency Financial Aid Grants distributed to students, (b) the total number of students eligible to receive Emergency Financial Aid Grants and/or (c) the total number of students at the institution who have received an Emergency Financial Aid Grant. The specific issues we found the following: ? FRCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended September 30, 2021 as 20,684; based on our review, we determined the supported number was 20,782. ? FRCC reported the total number of students at the institution who have received an Emergency Financial Aid Grant for the quarter ended June 30, 2022 as 20,385 (student portion) and 3,207 (institutional portion); based on our review, we determined the supported numbers were 20,401 and 3,222, respectively. ? LCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended June 30, 2022 as 1,007; based on our review, we determined the supported number was 1,034. In addition, the amount disbursed directly to student emergency financial aid grants to date was reported as 961 and total for all HEERF funds was 1,124; based on our review, we determined the supported numbers were 988 and 1,151, respectively. ? PCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarters ending September 30, 2021 and December 31, 2021 as 3,191; based on our review, we determined this amount could not be supported and PCC did not provide a revised count. Why did these problems occur? FRCC, PCC, and LCC campuses did not have procedures in place to ensure that supporting documentation was maintained for its Student Aid Quarterly Reporting. Employee turnover in the FRCC Controller position and FRCC, PCC, and LCC Student Financial Aid Director positions further contributed to FRCC, PCC, and LCC?s inability to locate or recreate the supporting documentation. Why do these problems matter? It is important for FRCC, PCC, and LCC to ensure that they obtain and maintain appropriate documentation to support amounts reported to federal awarding agencies, especially when they are the basis for determining FRCC, PCC, and LCC?s compliance with specific federal program requirements. This issue could lead to inaccurate federal reporting and potential noncompliance, which could result in the federal government requiring FRCC, PCC, and LCC to return funds or a negative impact to the System?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-059 Front Range Community College, Lamar Community College, and Pueblo Community College campuses should strengthen their internal controls over federal reporting and ensure they comply with the Higher Education Emergency Relief Fund reporting requirements by reviewing reports for accuracy and developing procedures for ensuring the required maintenance of all related supporting documentation. Response Front Range Community College Agree Implementation Date: September 2022 Moving forward the Director of Financial Aid will engage the Restricted Funds Accountants in a quality assurance review of both dollars spent, type of fund, and student counts before it is submitted for final review and publishing by the Director of Resource Development and Senior Grant Administrator. The most recently submitted information for the quarterly report of September 30, 2022 will be sent to the Restricted Funds Accountants to validate that FRCC has been and will continue to be in compliance for quarterly HEERF reporting. Response Lamar Community College Agree Implementation Date: July 2022 The Financial Aid Director and the Controller will compile their reporting support on the shared drive they utilize for other routine purposes as well, to ensure clear documentation of the numbers reported. The original report containing errors was corrected, validated, and reposted. All past year?s reporting data was made available on the shared drive as of July 2022. Response Pueblo Community College Agree Implementation Date: October 2022 Each quarter Financial aid will obtain and compare Cognos and Banner disbursement reports for accuracy. Once the unduplicated student count is determined it will be sent to the Vice President of Student Success to validate and approve going forward. Financial aid will ensure staff maintain supporting documentation for any institutional expenditures information that was obtained from the fiscal office. Disbursement and expenditure data will be compiled for the Department of Education?s Quarterly Report by the submission deadline and will be submitted as PDF to webmaster for posting on PCC?s website and a copy emailed to a contact at the Department of Education and will archive the submission for future reference.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Finding 2022-062 Higher Education Emergency Relief Fund Student Aid Finding The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to higher education institutions, including the University, under the HEERF program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA) was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. Since March 11, 2021, the University has been awarded $45.6 million in HEERF grant funds through the American Rescue Plan (ARP), otherwise known as HEERF III. Of this award, the University was provided both 1) Student Aid monies, along with 2) Institutional Aid monies. Student Aid monies must be used to provide financial aid grants to students (including students exclusively enrolled in distance education), which may be used for ?any component of the student?s cost of attendance or for emergency costs that arise due to coronavirus, such as tuition, food, housing, healthcare (including mental health care), or childcare. Institutional Aid monies may be used to defray expenses associated with coronavirus (including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll) and to make additional financial grants to students. During Fiscal Year 2022, the University spent $21.0 million for the Student Aid portion and $20.2 million for the Institutional portion of HEERF III funds. For the Student Aid portion of the HEERF III funding, the University divided the funding into different groups. The University developed a written plan (that applied during Fiscal Year 2022) for each group and a control process for awarding the monies to students. One of the groups of funding was to be awarded to students with unpaid balances in their tuition or auxiliary accounts with past due balances incurred during the 2020-2021 or 2021-2022 academic years. A team of University employees (CARES Team) was tasked with identifying those students, then contacting those students and asking if they would like the University to apply the student?s HEERF award to pay down the student?s account balance or pay it to the student directly. Once the student informed the University of their election, then the University awarded and disbursed the funds. What was the purpose of our audit work and what was performed? The purpose of the audit work was to determine whether the University was in compliance with the HEERF program regulations for awarding and paying the Student Aid portion of the HEERF funding, and whether proper controls were in place over the program during Fiscal Year 2022. Our testing included conducting interviews with management and selecting a sample of 60 disbursements made to students during Fiscal Year 2022 to test controls and compliance. We performed testing on the 60 disbursements to determine whether awards and disbursements were made in accordance with the University?s documented plan. How were the results of the audit work measured? In accordance with HEERF III requirements, the University must prioritize student aid distributions to students with exceptional needs. In addition, the University must have a documented plan to distribute funds to students. Federal regulations [2 CFR 200.303] require any non-federal grant award recipient to establish and maintain effective internal control over the federal award that provides reasonable assurance that the grant award recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. Lastly, student aid application best practices discourage employees from awarding aid to family members. What problem did the audit work identify? Based on interviews with University management, the University identified that a University employee inappropriately provided $700 in HEERF Student Aid funding to the employee?s family member who was a student at the University but was not eligible to receive the funds. Specifically, the CARES Team selected students to receive these funds that met the following criteria: 1) Student was enrolled in the Fall of 2021 or Spring 2022, 2) student had past due balances incurred during the 2020-2021 or 2021-2022 academic years, 3) the student was in good academic standing, and 4) they were participating in a payment plan or in the College Completion Advising program. The student was not selected by the CARES Team as eligible to receive these funds. During our testing of additional 60 student disbursement transactions we found no other exceptions. Why did this problem occur? The University has not established proper segregation of duties to prevent University employees from awarding federal funding to a member of their family. Specifically, the employee had access rights within the University?s financial aid system that granted the employee the ability to both award and disburse federal funds without another employee reviewing or approving. In addition, the University did not have a written policy, as recommended by industry best practices, that prohibits employees from applying aid to family members? accounts. Why does this problem matter? Federal funds that are misapplied or used for unallowable purposes could be subject to repayment from the University to the federal granting agency. Without ensuring adequate segregation of duties within the University?s financial aid system for awarding and disbursing federal funds, the University increases the risk that fraud could occur. In the instance identified, the University recovered the funding from the student. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-062 Metropolitan State University of Denver (University) should improve its internal controls over federal Higher Education Emergency Relief Funds by instituting appropriate segregation of duties over the awarding of federal funds to students. This should include requiring that no one employee can both award then disburse aid to students and developing and implementing a formal written policy that prohibits University employees from awarding financial aid to their family members. Response Metropolitan State University Agree Implementation Date: June 2023 In January 2023, the Executive Director of Financial Aid and Scholarships implemented a code of conduct that addresses and prohibits University personnel from awarding financial aid to their family members or other persons considered conflicts of interest. The Office of Financial Aid and Scholarships will draft policy by June 30, 2023, to address the segregation of duties that prohibits awarding and disbursing federal, state, or institutional funding to students by one employee.
Finding 2022-064 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide emergency financial assistance to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the University under the Higher Education Emergency Relief Fund (HEERF I) Program. The federal Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the federal American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Each of the University?s campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (DOE) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements of the HEERF program there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The DOE specified that the Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The University?s campuses are required to submit the annual report directly to the DOE. During Fiscal Year 2022, each University campus was required to complete and post 8 reports (four Student Aid and four Institutional) to their website. During Fiscal Year 2022, the University?s three campuses in total expended approximately $60 million in HEERF grant funds: $27 million was expended by the Boulder campus, $10.5 million was expended by the Colorado Springs campus, and $22.5 million was expended by the Denver campus. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over and complied with the HEERF grant reporting requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls over the HEERF grant reporting requirements. In addition, we tested 11 of the 12 student reports and 3 of the 12 institutional reports posted by the University during Fiscal Year 2022 to determine whether the University campuses posted the required information on each campus? website accurately, and by the federal due dates. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? The DOE issued a notice on May 13, 2021, requiring institutions to publicly post their required HEERF reports on the institution?s website as soon as possible, but no later than 30 days after the publication of the notice, or 30 days after the date the DOE first obligated funds under HEERF I, II, or III to the institution for emergency financial assistance to students; whichever comes later. The institution is required to post the report no later than 10 days after the end of each calendar quarter, after the initial posting. ? Federal regulation [2 CFR 200.303] states that the System?s campuses, as federal grant recipients, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? What problem did the audit work identify? We identified 2 out of the 14 reports tested (14.3 percent) that did not meet the HEERF grant report posting requirements. Specifically, the University of Colorado, Colorado Springs Campus, did not post the required information for the HEERF Student Aid Portion on its website for two of four quarters of Fiscal Year 2022 timely. First, the University posted the quarter-ending September 30, 2021 report to its website on December 23, 2021, or 74 days after the deadline of October 10. Second, the University did not post the quarter-ending March 31, 2022 report, which was due April 10, 2022, until October 2022, after we notified them of the error; this was approximately 6 months late. We did not identify any issues with the accuracy of the reports, and we found that the other two campuses in the University of Colorado System posted the required information on their respective websites as required by federal regulations. Why did this problem occur? The University?s Colorado Springs campus did not have adequate internal controls in place to ensure it complied with the HEERF grant reporting requirements. Specifically, the Colorado Springs Campus did not have appropriate policies and procedures in place for identifying and researching changes in HEERF reporting requirements. The federal government updated and provided a new form for HEERF reporting in September 2021 that included a section for institutional information but inadvertently excluded student information from the form. Because the form no longer required the student information, the Colorado Springs campus staff inaccurately assumed that the student information was no longer required to be reported. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in the DOE Certification and Agreement that is signed and agreed to by the University. By failing to report required information in accordance with federal regulations, the University failed to comply with the requirements of the HEERF program and potentially risks repercussions from the DOE as specified in the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-064 The University of Colorado?s Colorado Springs campus should strengthen its internal controls over and ensure that it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by establishing policies and procedures for identifying and researching changes in HEERF reporting requirements and posting reports to the campus website as required by federal regulations. Response University of Colorado Agree Implementation Date: Implemented Management agrees. After the notification of the missing HEERF report in December 2021, the UCCS Controller proposed a ?cross-check? process to ensure all future reporting is in compliance and reported in a timely manner. This process is used for both the quarterly and annual reporting process. In the quarterly reporting process, the UCCS Controller completes the institutional report and emails the report to the UCCS Financial Aid office Senior Executive Director for verification of the amounts and the data submitted. The Senior Executive Director then enters the student aid portion?s information and provides this to the UCCS Controller for verification of the data. Once verified, the report is uploaded to the UCCS website and a confirmation email is sent to the UCCS Controller as well as the heerfreporting@ed.gov for verification of completion of the website posting. This process has been duplicated with the annual reporting process. Before the annual report is submitted a review will be done to verify the report figures match the CU financials for the calendar year.
Finding 2022-063 Higher Education Emergency Relief Fund Reporting Compliance Finding The CARES Act was signed into law on March 27, 2020, and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the (HEERF Program. CRRSAA was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Since April 2020, the University has been awarded a total of $86.3 million in HEERF funding. From inception through June 30, 2022, the University spent $35.4 million for the HEERF program Student Aid Portion and $48.9 million for the HEERF program Institutional Portion. The University reports that it will spend the remaining amount of funding during Fiscal Year 2023. The University signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate the University?s acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The ED specified that Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The annual report is to be submitted directly to the federal ED. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University had adequate internal controls in place over and complied with HEERF Institutional and Student Aid Portion grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the University?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 5 of the 8 HEERF reports submitted by the University during Fiscal Year 2022 to determine whether the reports were posted on the University?s primary website or submitted directly to the ED by the federal due dates and complied with federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? For the Student Aid Portion, beginning on May 6, 2020, the ED required institutions to publicly post certain information on their website, including the number of awards distributed to students, the total amount awarded, and the methodologies used by the institution to determine which students receive awards, no later than 30 days after the award date, and to update that information every 45 days thereafter (by posting a new report). ? On August 31, 2020, the ED revised the reporting requirement by decreasing the frequency of reporting after the initial 30-day period from every 45 days thereafter to every calendar quarter. This revision from every 45 days to a calendar quarter was effective for the first calendar quarter report due by October 10, 2020, and covering the period from after the institution?s last report through the end of the calendar quarter on September 30, 2020. ? For the Institutional Portion, a federal form filled out by the institution must be posted on the institution?s website covering aggregate expenditure amounts for each calendar quarter (September 30, December 31, March 31, and June 30) and concluding after an institution has spent the institutional portion of their HEERF Funds. The institution must post their first report by October 30, 2020, the first quarter of 2021 report by July 20, 2021, and post all other reports no later than 10 days after the end of each calendar quarter (October 10, January 10, April 10, and July 10). ? Section 18004(e) of the CARES Act and Section 314(e) of the CRRSAA require an institution receiving funds under HEERF to submit a report to the Secretary of the ED at ?such time in such a manner as the Secretary may require?. ? Federal regulation [2 CFR 200.334] states that ?financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.? The instructions for the Quarterly HEERF Reporting Form notes, ?any changes or updates after the initial posting must be conspicuously noted after initial posting and the date of the change must be noted in the `Date of Report? line.? ? Federal regulation [2 CFR 200.303] states that the University, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The University signed a HEERF Certification and Agreement to accept the funding and acknowledge its responsibilities under the grant; therefore, the University was responsible under the Agreement to ensure that it complied with HEERF reporting and other requirements. What problems did the audit work identify? We determined that 2 out of 5 reports tested (40 percent) did not meet the HEERF grant report posting requirements. Specifically: ? The University did not post the HEERF CRRSAA Student quarterly report for the quarter ending September 30, 2021 on the University?s primary website, as required. ? The University published the HEERF ARP Student quarterly report for the quarter ending March 31, 2022 on May 26, 2022?46 days past the due date of April 10, 2022. No issues were noted on the accuracy of the financial information on this report. Why did these problems occur? The University did not implement adequate internal controls to ensure it complied with the HEERF grant reporting requirements. Specifically, the University did not have appropriate policies and procedures in place to ensure that staff submit the required reports within federally required timeframes. Why do these problems matter? Federal oversight agencies, including ED, depend on accurate reports to measure program results and states? compliance with federal requirements. By failing to report the HEERF spending information in accordance with federal regulations, the University failed to comply with the requirements of the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-063 Metropolitan State University of Denver (University) should strengthen its internal controls over reporting and ensure it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by developing and documenting policies and procedures for identifying and researching the specific reporting requirements and ensuring that staff post to the University?s website the required reports within federally required timeframes. In addition, the University should ensure that all the HEERF reports that are currently required to be posted are on the website. Response Metropolitan State University Agree Implementation Date: December 2022 In December 2022, the Office of Financial Aid strengthened its internal control over the reporting requirements for the Higher Education Emergency Relief Fund (HEERF), by adding the report due dates to the internal operational calendar. Additional level reviews were also added to the submission process before the required reports will be sent to the Department of Education and posted on the financial aid website.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-064 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide emergency financial assistance to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the University under the Higher Education Emergency Relief Fund (HEERF I) Program. The federal Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the federal American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Each of the University?s campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (DOE) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements of the HEERF program there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The DOE specified that the Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The University?s campuses are required to submit the annual report directly to the DOE. During Fiscal Year 2022, each University campus was required to complete and post 8 reports (four Student Aid and four Institutional) to their website. During Fiscal Year 2022, the University?s three campuses in total expended approximately $60 million in HEERF grant funds: $27 million was expended by the Boulder campus, $10.5 million was expended by the Colorado Springs campus, and $22.5 million was expended by the Denver campus. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over and complied with the HEERF grant reporting requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls over the HEERF grant reporting requirements. In addition, we tested 11 of the 12 student reports and 3 of the 12 institutional reports posted by the University during Fiscal Year 2022 to determine whether the University campuses posted the required information on each campus? website accurately, and by the federal due dates. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? The DOE issued a notice on May 13, 2021, requiring institutions to publicly post their required HEERF reports on the institution?s website as soon as possible, but no later than 30 days after the publication of the notice, or 30 days after the date the DOE first obligated funds under HEERF I, II, or III to the institution for emergency financial assistance to students; whichever comes later. The institution is required to post the report no later than 10 days after the end of each calendar quarter, after the initial posting. ? Federal regulation [2 CFR 200.303] states that the System?s campuses, as federal grant recipients, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? What problem did the audit work identify? We identified 2 out of the 14 reports tested (14.3 percent) that did not meet the HEERF grant report posting requirements. Specifically, the University of Colorado, Colorado Springs Campus, did not post the required information for the HEERF Student Aid Portion on its website for two of four quarters of Fiscal Year 2022 timely. First, the University posted the quarter-ending September 30, 2021 report to its website on December 23, 2021, or 74 days after the deadline of October 10. Second, the University did not post the quarter-ending March 31, 2022 report, which was due April 10, 2022, until October 2022, after we notified them of the error; this was approximately 6 months late. We did not identify any issues with the accuracy of the reports, and we found that the other two campuses in the University of Colorado System posted the required information on their respective websites as required by federal regulations. Why did this problem occur? The University?s Colorado Springs campus did not have adequate internal controls in place to ensure it complied with the HEERF grant reporting requirements. Specifically, the Colorado Springs Campus did not have appropriate policies and procedures in place for identifying and researching changes in HEERF reporting requirements. The federal government updated and provided a new form for HEERF reporting in September 2021 that included a section for institutional information but inadvertently excluded student information from the form. Because the form no longer required the student information, the Colorado Springs campus staff inaccurately assumed that the student information was no longer required to be reported. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in the DOE Certification and Agreement that is signed and agreed to by the University. By failing to report required information in accordance with federal regulations, the University failed to comply with the requirements of the HEERF program and potentially risks repercussions from the DOE as specified in the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-064 The University of Colorado?s Colorado Springs campus should strengthen its internal controls over and ensure that it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by establishing policies and procedures for identifying and researching changes in HEERF reporting requirements and posting reports to the campus website as required by federal regulations. Response University of Colorado Agree Implementation Date: Implemented Management agrees. After the notification of the missing HEERF report in December 2021, the UCCS Controller proposed a ?cross-check? process to ensure all future reporting is in compliance and reported in a timely manner. This process is used for both the quarterly and annual reporting process. In the quarterly reporting process, the UCCS Controller completes the institutional report and emails the report to the UCCS Financial Aid office Senior Executive Director for verification of the amounts and the data submitted. The Senior Executive Director then enters the student aid portion?s information and provides this to the UCCS Controller for verification of the data. Once verified, the report is uploaded to the UCCS website and a confirmation email is sent to the UCCS Controller as well as the heerfreporting@ed.gov for verification of completion of the website posting. This process has been duplicated with the annual reporting process. Before the annual report is submitted a review will be done to verify the report figures match the CU financials for the calendar year.
Finding 2022-062 Higher Education Emergency Relief Fund Student Aid Finding The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to higher education institutions, including the University, under the HEERF program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA) was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. Since March 11, 2021, the University has been awarded $45.6 million in HEERF grant funds through the American Rescue Plan (ARP), otherwise known as HEERF III. Of this award, the University was provided both 1) Student Aid monies, along with 2) Institutional Aid monies. Student Aid monies must be used to provide financial aid grants to students (including students exclusively enrolled in distance education), which may be used for ?any component of the student?s cost of attendance or for emergency costs that arise due to coronavirus, such as tuition, food, housing, healthcare (including mental health care), or childcare. Institutional Aid monies may be used to defray expenses associated with coronavirus (including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll) and to make additional financial grants to students. During Fiscal Year 2022, the University spent $21.0 million for the Student Aid portion and $20.2 million for the Institutional portion of HEERF III funds. For the Student Aid portion of the HEERF III funding, the University divided the funding into different groups. The University developed a written plan (that applied during Fiscal Year 2022) for each group and a control process for awarding the monies to students. One of the groups of funding was to be awarded to students with unpaid balances in their tuition or auxiliary accounts with past due balances incurred during the 2020-2021 or 2021-2022 academic years. A team of University employees (CARES Team) was tasked with identifying those students, then contacting those students and asking if they would like the University to apply the student?s HEERF award to pay down the student?s account balance or pay it to the student directly. Once the student informed the University of their election, then the University awarded and disbursed the funds. What was the purpose of our audit work and what was performed? The purpose of the audit work was to determine whether the University was in compliance with the HEERF program regulations for awarding and paying the Student Aid portion of the HEERF funding, and whether proper controls were in place over the program during Fiscal Year 2022. Our testing included conducting interviews with management and selecting a sample of 60 disbursements made to students during Fiscal Year 2022 to test controls and compliance. We performed testing on the 60 disbursements to determine whether awards and disbursements were made in accordance with the University?s documented plan. How were the results of the audit work measured? In accordance with HEERF III requirements, the University must prioritize student aid distributions to students with exceptional needs. In addition, the University must have a documented plan to distribute funds to students. Federal regulations [2 CFR 200.303] require any non-federal grant award recipient to establish and maintain effective internal control over the federal award that provides reasonable assurance that the grant award recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. Lastly, student aid application best practices discourage employees from awarding aid to family members. What problem did the audit work identify? Based on interviews with University management, the University identified that a University employee inappropriately provided $700 in HEERF Student Aid funding to the employee?s family member who was a student at the University but was not eligible to receive the funds. Specifically, the CARES Team selected students to receive these funds that met the following criteria: 1) Student was enrolled in the Fall of 2021 or Spring 2022, 2) student had past due balances incurred during the 2020-2021 or 2021-2022 academic years, 3) the student was in good academic standing, and 4) they were participating in a payment plan or in the College Completion Advising program. The student was not selected by the CARES Team as eligible to receive these funds. During our testing of additional 60 student disbursement transactions we found no other exceptions. Why did this problem occur? The University has not established proper segregation of duties to prevent University employees from awarding federal funding to a member of their family. Specifically, the employee had access rights within the University?s financial aid system that granted the employee the ability to both award and disburse federal funds without another employee reviewing or approving. In addition, the University did not have a written policy, as recommended by industry best practices, that prohibits employees from applying aid to family members? accounts. Why does this problem matter? Federal funds that are misapplied or used for unallowable purposes could be subject to repayment from the University to the federal granting agency. Without ensuring adequate segregation of duties within the University?s financial aid system for awarding and disbursing federal funds, the University increases the risk that fraud could occur. In the instance identified, the University recovered the funding from the student. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-062 Metropolitan State University of Denver (University) should improve its internal controls over federal Higher Education Emergency Relief Funds by instituting appropriate segregation of duties over the awarding of federal funds to students. This should include requiring that no one employee can both award then disburse aid to students and developing and implementing a formal written policy that prohibits University employees from awarding financial aid to their family members. Response Metropolitan State University Agree Implementation Date: June 2023 In January 2023, the Executive Director of Financial Aid and Scholarships implemented a code of conduct that addresses and prohibits University personnel from awarding financial aid to their family members or other persons considered conflicts of interest. The Office of Financial Aid and Scholarships will draft policy by June 30, 2023, to address the segregation of duties that prohibits awarding and disbursing federal, state, or institutional funding to students by one employee.
Finding 2022-063 Higher Education Emergency Relief Fund Reporting Compliance Finding The CARES Act was signed into law on March 27, 2020, and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the (HEERF Program. CRRSAA was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Since April 2020, the University has been awarded a total of $86.3 million in HEERF funding. From inception through June 30, 2022, the University spent $35.4 million for the HEERF program Student Aid Portion and $48.9 million for the HEERF program Institutional Portion. The University reports that it will spend the remaining amount of funding during Fiscal Year 2023. The University signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate the University?s acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The ED specified that Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The annual report is to be submitted directly to the federal ED. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University had adequate internal controls in place over and complied with HEERF Institutional and Student Aid Portion grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the University?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 5 of the 8 HEERF reports submitted by the University during Fiscal Year 2022 to determine whether the reports were posted on the University?s primary website or submitted directly to the ED by the federal due dates and complied with federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? For the Student Aid Portion, beginning on May 6, 2020, the ED required institutions to publicly post certain information on their website, including the number of awards distributed to students, the total amount awarded, and the methodologies used by the institution to determine which students receive awards, no later than 30 days after the award date, and to update that information every 45 days thereafter (by posting a new report). ? On August 31, 2020, the ED revised the reporting requirement by decreasing the frequency of reporting after the initial 30-day period from every 45 days thereafter to every calendar quarter. This revision from every 45 days to a calendar quarter was effective for the first calendar quarter report due by October 10, 2020, and covering the period from after the institution?s last report through the end of the calendar quarter on September 30, 2020. ? For the Institutional Portion, a federal form filled out by the institution must be posted on the institution?s website covering aggregate expenditure amounts for each calendar quarter (September 30, December 31, March 31, and June 30) and concluding after an institution has spent the institutional portion of their HEERF Funds. The institution must post their first report by October 30, 2020, the first quarter of 2021 report by July 20, 2021, and post all other reports no later than 10 days after the end of each calendar quarter (October 10, January 10, April 10, and July 10). ? Section 18004(e) of the CARES Act and Section 314(e) of the CRRSAA require an institution receiving funds under HEERF to submit a report to the Secretary of the ED at ?such time in such a manner as the Secretary may require?. ? Federal regulation [2 CFR 200.334] states that ?financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.? The instructions for the Quarterly HEERF Reporting Form notes, ?any changes or updates after the initial posting must be conspicuously noted after initial posting and the date of the change must be noted in the `Date of Report? line.? ? Federal regulation [2 CFR 200.303] states that the University, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The University signed a HEERF Certification and Agreement to accept the funding and acknowledge its responsibilities under the grant; therefore, the University was responsible under the Agreement to ensure that it complied with HEERF reporting and other requirements. What problems did the audit work identify? We determined that 2 out of 5 reports tested (40 percent) did not meet the HEERF grant report posting requirements. Specifically: ? The University did not post the HEERF CRRSAA Student quarterly report for the quarter ending September 30, 2021 on the University?s primary website, as required. ? The University published the HEERF ARP Student quarterly report for the quarter ending March 31, 2022 on May 26, 2022?46 days past the due date of April 10, 2022. No issues were noted on the accuracy of the financial information on this report. Why did these problems occur? The University did not implement adequate internal controls to ensure it complied with the HEERF grant reporting requirements. Specifically, the University did not have appropriate policies and procedures in place to ensure that staff submit the required reports within federally required timeframes. Why do these problems matter? Federal oversight agencies, including ED, depend on accurate reports to measure program results and states? compliance with federal requirements. By failing to report the HEERF spending information in accordance with federal regulations, the University failed to comply with the requirements of the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-063 Metropolitan State University of Denver (University) should strengthen its internal controls over reporting and ensure it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by developing and documenting policies and procedures for identifying and researching the specific reporting requirements and ensuring that staff post to the University?s website the required reports within federally required timeframes. In addition, the University should ensure that all the HEERF reports that are currently required to be posted are on the website. Response Metropolitan State University Agree Implementation Date: December 2022 In December 2022, the Office of Financial Aid strengthened its internal control over the reporting requirements for the Higher Education Emergency Relief Fund (HEERF), by adding the report due dates to the internal operational calendar. Additional level reviews were also added to the submission process before the required reports will be sent to the Department of Education and posted on the financial aid website.
Finding 2022-059 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF I) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund (Assistance Listing No. 84.425). The HEERF program contains two portions: the Student Aid portion (Assistance Listing No. 84.425E) and the Institutional portion, which is made up of the following: HEERF Institutional Aid Portion (Assistance Listing No. 84.425F), HEERF Minority Serving Institutions (Assistance Listing No. 84.425L), HEERF Strengthening Institutions Program (Assistance Listing No. 84.425M), Institutional Resilience and Expanded Postsecondary Opportunity (Assistance Listing No. 84.425P), and HEERF Supplemental Assistance to Institutions of Higher Education program (Assistance Listing No. 84.425S). Amounts provided to students through HEERF are considered to be ?Emergency Financial Aid Grants to Students? under the Program. Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent approximately $97.8 million for the HEERF program Student Aid portion which is used to award Emergency Financial Aid Grants to students and $113.9 million for the HEERF Institutional Portion, which is used to support the colleges. $117.3 of this amount was expended by the System during Fiscal Year 2022. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the ED to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The annual report is to be submitted directly to the ED. The ED has specified certain criteria that must be included in each report. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System had adequate internal controls in place over, and complied with, the HEERF Institutional and Student Aid grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the System?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 25 of the 117 HEERF reports submitted by the System?s campuses during Fiscal Year 2022 to determine whether the reports were posted on each campus? primary website (quarterly reports) or submitted to ED (annual reports) by the federal due dates. Furthermore, for the Student Aid Quarterly Report we requested from each Campus the underlying support for the reports, which consisted of student data detailing how much aid was awarded and the methods the campuses used to determine which students would receive Emergency Financial Aid Grants. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? On May 13, 2021, the ED published in the Federal Register a notice for student aid public reporting under CRRSAA and ARP, which requires that institutions publicly post certain information on their website. The following information must appear in a format and location that is easily accessible to the public: o An acknowledgement that the institution signed and returned to the ED the Certification and Agreement and the assurance that the institution has used the applicable amount of funds designated under the CRRSAA and ARP programs to provide Emergency Financial Aid Grants to Students. o The total amount of funds that the institution will receive or has received from the ED pursuant to the institution's Certification and Agreement for Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total amount of Emergency Financial Aid Grants distributed to students under the CRRSAA and ARP programs as of the date of submission (i.e., as of the initial report and every calendar quarter thereafter). o The estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total number of students who have received an Emergency Financial Aid Grant to students under the CRRSAA and ARP programs. o The method(s) used by the institution to determine which students receive Emergency Financial Aid Grants and how much they would receive under the CRRSAA and ARP programs. o Any instructions, directions, or guidance provided by the institution to students concerning the Emergency Financial Aid Grants. ? Federal Uniform Guidance [2 CFR 200.303] requires that recipients of federal awards have internal controls in place to ensure that federal reports are accurate and report complete information. Appropriate supporting documentation is evidence of such internal controls. What problems did the audit work identify? We identified issues with 5 of the 25 Fiscal Year 2022 reports we tested (20 percent). Specifically, Front Range Community College (FRCC), Pueblo Community College (PCC), and Lamar Community College (LCC) could not provide appropriate supporting documentation for one or more of the following data elements in five of the Student Aid Quarterly Reports: student data detailing (a) the total amount of Emergency Financial Aid Grants distributed to students, (b) the total number of students eligible to receive Emergency Financial Aid Grants and/or (c) the total number of students at the institution who have received an Emergency Financial Aid Grant. The specific issues we found the following: ? FRCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended September 30, 2021 as 20,684; based on our review, we determined the supported number was 20,782. ? FRCC reported the total number of students at the institution who have received an Emergency Financial Aid Grant for the quarter ended June 30, 2022 as 20,385 (student portion) and 3,207 (institutional portion); based on our review, we determined the supported numbers were 20,401 and 3,222, respectively. ? LCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended June 30, 2022 as 1,007; based on our review, we determined the supported number was 1,034. In addition, the amount disbursed directly to student emergency financial aid grants to date was reported as 961 and total for all HEERF funds was 1,124; based on our review, we determined the supported numbers were 988 and 1,151, respectively. ? PCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarters ending September 30, 2021 and December 31, 2021 as 3,191; based on our review, we determined this amount could not be supported and PCC did not provide a revised count. Why did these problems occur? FRCC, PCC, and LCC campuses did not have procedures in place to ensure that supporting documentation was maintained for its Student Aid Quarterly Reporting. Employee turnover in the FRCC Controller position and FRCC, PCC, and LCC Student Financial Aid Director positions further contributed to FRCC, PCC, and LCC?s inability to locate or recreate the supporting documentation. Why do these problems matter? It is important for FRCC, PCC, and LCC to ensure that they obtain and maintain appropriate documentation to support amounts reported to federal awarding agencies, especially when they are the basis for determining FRCC, PCC, and LCC?s compliance with specific federal program requirements. This issue could lead to inaccurate federal reporting and potential noncompliance, which could result in the federal government requiring FRCC, PCC, and LCC to return funds or a negative impact to the System?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-059 Front Range Community College, Lamar Community College, and Pueblo Community College campuses should strengthen their internal controls over federal reporting and ensure they comply with the Higher Education Emergency Relief Fund reporting requirements by reviewing reports for accuracy and developing procedures for ensuring the required maintenance of all related supporting documentation. Response Front Range Community College Agree Implementation Date: September 2022 Moving forward the Director of Financial Aid will engage the Restricted Funds Accountants in a quality assurance review of both dollars spent, type of fund, and student counts before it is submitted for final review and publishing by the Director of Resource Development and Senior Grant Administrator. The most recently submitted information for the quarterly report of September 30, 2022 will be sent to the Restricted Funds Accountants to validate that FRCC has been and will continue to be in compliance for quarterly HEERF reporting. Response Lamar Community College Agree Implementation Date: July 2022 The Financial Aid Director and the Controller will compile their reporting support on the shared drive they utilize for other routine purposes as well, to ensure clear documentation of the numbers reported. The original report containing errors was corrected, validated, and reposted. All past year?s reporting data was made available on the shared drive as of July 2022. Response Pueblo Community College Agree Implementation Date: October 2022 Each quarter Financial aid will obtain and compare Cognos and Banner disbursement reports for accuracy. Once the unduplicated student count is determined it will be sent to the Vice President of Student Success to validate and approve going forward. Financial aid will ensure staff maintain supporting documentation for any institutional expenditures information that was obtained from the fiscal office. Disbursement and expenditure data will be compiled for the Department of Education?s Quarterly Report by the submission deadline and will be submitted as PDF to webmaster for posting on PCC?s website and a copy emailed to a contact at the Department of Education and will archive the submission for future reference.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses were communicated to the Department in the previous year and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-060 Misreporting of Federal Expenditures for the COVID-19 ?Pandemic EBT Food Benefits and Child Care and Development Block Grant on the Exhibit K1 Each year, the Department is required to prepare an exhibit containing the Department?s federal expenditures and related reimbursements to aid the Colorado Office of the State Controller (OSC) in the preparation of the State?s Schedule of Expenditures of Federal Awards (SEFA); this exhibit is referred to as the Exhibit K1, Schedule of Federal Assistance. The Exhibit K1 should include expenditures for grants received directly from the federal government and expended by the Department (direct expenditures), as well as expenditures for federal grants passed through by the Department to other State and/or non-State agencies (subrecipient expenditures). The SEFA is to be presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance) to show the State?s expenditures of federal awards during the fiscal year. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Annually, the Department prepares its Exhibit K1 by following a process documented in its program accounting manual. First, program accountants review and analyze information from CORE for the federal Assistance Listing Number (ALN)?s related to the programs they support. The program accountants complete this review using a CORE report that the Department created, pulling transaction detail level data by ALN. Once the reviews and analysis are complete, the program accountants enter the information on the Department?s Exhibit K1 template for the correlating ALN. After the exhibit is prepared, the Department?s program accounting manual requires that it goes through two levels of review for accuracy. Once these reviews are completed, the Department submits the final Exhibit K1 to the OSC. The Department is also separately required within its approved State Plan for the COVID-19 ? Pandemic EBT Food Benefits program [ALN 10.542] (P-EBT) to report its P-EBT federal expenditures to the U.S. Department of Agriculture (USDA) via the Report of Disaster Food Stamp Benefit Issuance (FNS-292-B). The Department is also required to support the financial expenditures reported on the FNS-292-B report with source data and files, which includes a P-EBT Summary report that is exported from the Colorado Benefits Management System (CBMS) and includes the number of eligible children, number of eligible households, and total amount paid in P-EBT benefits. The P-EBT summary report is then reconciled by the Department to the County Financial Management System (CFMS), where the counties? issuance of P-EBT program benefits is accumulated and reported. For Fiscal Year 2021, the Department administered more than 70 federal programs and expended approximately $2.4 billion in federal funds. The P-EBT program and Child Care and Development Block Grant (Grant) [ALN 93.575] were two of these federal programs administered by the Department during Fiscal Year 2021. The Department reported more than $292 million in federal expenditures for the P-EBT program and approximately $74 million in federal expenditures for the Grant in Fiscal Year 2021. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to evaluate the Department?s internal controls over the preparation of its Exhibit K1 during Fiscal Year 2021 and to determine whether the Department correctly reported its Fiscal Year 2021 federal grant expenditures to the OSC on its Exhibit K1. The purpose of our audit work was also to evaluate the Department?s internal controls over the financial reporting to the USDA regarding the P-EBT program. As part of our audit testwork, we compared amounts reported by the Department for direct and subrecipient federal expenditures on its Fiscal Year 2021 Exhibit K1 to the underlying financial records in CORE for the Grant and P-EBT federal programs and inquired about any differences. In addition, we made inquiries of Department staff regarding its internal control processes over the Exhibit K1 preparation, including supervisory reviews. We also reviewed 4 out of 12 Fiscal Year 2021 monthly submissions to the USDA for the FNS-292-B reports and compared federal expenditure amounts reported by the Department to the underlying financial records in CORE. How were the results of the audit work measured? The OSC is required to present the State?s SEFA in accordance with the federal requirements of the Uniform Guidance to show the State?s expenditures of federal awards during the fiscal year. Federal regulations [2 CFR 200.38(b)] define a federal award as, ?The instrument setting forth the terms and conditions. The instrument is the grant agreement, cooperative agreement, other agreement for assistance?? Federal regulations [2 CFR 200.510(b)(3) and (4)] require that the SEFA must show both total federal awards expended for each individual federal program, the Assistance Listing Number, and the total amount passed through to subrecipients for each federal program. In order to prepare the SEFA, the OSC requires state departments to submit an Exhibit K1 to report expenditures, receipts, and receivables for each federal grant program administered by the Department during the fiscal year. The OSC?s exhibit instructions include guidelines for completing the Exhibit K1, including defining ?direct and indirect expenditures? as ?all monetary and non-monetary direct and indirect Federal award expenditures,? and ?pass-through expenditures? as ?the amount of all monetary and non-monetary Federal award amounts passed through to a subrecipient.? For the Department?s Grant federal program, subrecipients consist of counties, school districts, and health centers. State Fiscal Rule 1-2, Internal Controls, requires that state departments ?implement internal accounting and administrative controls that reasonably ensure that financial transactions are accurate, reliable, conform to state fiscal rules, and reflect the underlying realities of the accounting transaction (substance rather than form).? Federal regulations [7 CFR 274.4] require the Department to submit an FNS-292-B report in the format prescribed by the USDA with information detailing the P-EBT federal benefit payments. The Department is required to support the information in the report with its underlying records. The FNS-292-B report is identified as a required report within the Department?s State Plan that is approved by the USDA. What problems did the audit work identify? The Department overstated $63.5 million in P-EBT expenditures on its June 2021 FNS-292-B report to USDA that was submitted on August 30, 2021, as well as on the Department?s Exhibit K1 for Fiscal Year 2021. The Department subsequently identified that the FNS-292-B report was misstated and updated and resubmitted the report on September 28, 2021, approximately one month later. The Department, however, did not update its Exhibit K1 for Fiscal Year 2021 to correct the error, because the program staff did not notify the accounting team of the misstatement and need for Exhibit K1 correction. Based on our audit testwork, we also determined that the Department misreported $8.7 million in the Grant?s expenditures as subrecipient, rather than direct, expenditures on its Exhibit K1. Why did these problems occur? The P-EBT program staff did not notify the Department?s accounting team, who prepares the Exhibit K1, of a revision to the FNS-292-B report. The P-EBT program staff prepared the reconciliation of the CBMS summary report to the CFMS P-EBT benefits issued report and identified a variance. The variance was eventually resolved and the P-EBT program staff resubmitted the FNS-292-B report to the USDA; however P-EBT program staff did not communicate this error to the Department?s accounting team. As a result, the accounting team was unaware of the revision and, therefore, did not update the Exhibit K1 to reflect the reduction in federal expenditures. Overall, the Department did not have adequate internal controls, such as an appropriate supervisory review process or adequate communication plan, in place for Fiscal Year 2021 to ensure that the FNS-292-B report was prepared accurately, that the Exhibit K1 was completed in accordance with the instructions provided by the OSC, and that the FNS-292-B and Exhibit K1 were reviewed for accuracy and compared to the underlying data. For the Grant program error, Department staff indicated that these funds were incorrectly identified and coded as subrecipient expenditures in CORE, which caused them to be incorrectly reported as such on the Exhibit K1. When the expenditures were initially posted in CORE, they were not adequately reviewed to determine if they were subrecipient or direct expenditures. Why do these problems matter? By failing to properly report grant expenditures to the federal government and the OSC, who ultimately then fails to properly report expenditures to the federal government on the State?s SEFA, the Department is out of compliance with federal and state reporting requirements and risks federal sanctions. In addition, because the error resulted in the Department misstating its federal expenditure results for the fiscal year, federal staff and taxpayers have an incorrect or unreliable picture of the P-EBT grant?s overall status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-060 The Department of Human Services (Department) should strengthen its internal controls over the preparation of federal reports and the Exhibit K1, Schedule of Federal Assistance, by: A. Strengthening its internal controls over its monthly Pandemic Electronic Benefit Transfer Food Benefits (P-EBT) reporting to ensure its reporting is accurate and goes through supervisory review. B. Improving communication between program and accounting staff to ensure the Exhibit K1 is accurately updated when errors in federal reporting are identified and resolved. C. Improving the supervisory review process over the Exhibit K1 and the federal expenditures entered in the Colorado Operations Resource Engine (CORE), the state?s accounting system, to ensure expenditures are coded correctly as direct or subrecipient expenditures and that, ultimately, the Exhibit K1 is accurate and complete. Response Department of Human Services A. Agree Implementation Date: July 2022 CDHS agrees to enhance internal controls over monthly P-EBT reporting to better ensure accuracy. P-EBT is a new program derived from pandemic funding. Being a new program with a lack of federal guidance at implementation, and urgency to get the funds disbursed program staff had to learn about the nuances of the program and the reporting requirements as it was being implemented. During implementation we recognized that there are some inherent differences with P-EBT from other benefit programs which caused processes to have to be adjusted slightly. Additionally, timing of federal report filing for the P-EBT program is not in synch with our other processes and associated federal reporting requirements and deadlines. This makes it impossible to ensure reconciliation procedures are performed before filing occurs, which is one of our typical internal controls. As a compensating internal control CDHS will ensure that supervisory review processes are performed over P-EBT reporting, and that P-EBT reporting is reconciled to other sources (CBMS and CFMS) as soon as possible after reporting is available. If changes are discovered CDHS will make adjustments to filed P-EBT reports as needed based on reconciliation findings, and communicate changes to necessary parties. B. Agree Implementation Date: July 2022 CDHS will work to ensure better coordination between program activities and the accounting section relating to federal reporting changes. Accounting will iterate the importance of timely informing the accounting staff when changes are made to program filed federal reports. This message will be delivered in periodic fiscal meetings and identified on the closing calendar. The P-EBT program will ensure that corrections are communicated to accounting on any updates completed on the FNS-292-B report upon discovery, and no later than 30 days after the reporting period. C. Agree Implementation Date: July 2022 CDHS will ensure that review and approval processes are occurring as designed at various points in the process leading up to entry into CORE. As part of the Requisition (RQS) approval process program and accounting staff independently approve that the correct direct or subrecipient object code is used. These approved RQS transactions are then transitioned into encumbrance documents that drive which object code future expenditures will be booked to. For CCDF transactions related to this finding, both the OEC and Accounting teams inadvertently approved an incorrect object code in 4 RQS's. Staffing shortages coupled with a large increase in workload related to pandemic funding contributed to this oversight. To correct OEC and Accounting will train new staff, periodically familiarize themselves with the appropriate object codes, and perform quality assurance review over object codes before applying approval in CORE. The K1 is compiled from balances derived from expenditure data recorded in CORE. The compilation of the K1 relies on the fact that expenditure balances are accurate, and that prior reviews and approvals of individual transactions have occurred as designed. The K1 currently goes through various levels of review focusing on balance level validation coupled with analytical procedures. To enhance the review process, CDHS will ensure analytical procedures include line level expenditure comparison at the direct and subrecipient levels.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses were communicated to the Department in the previous year and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-061 The following findings and recommendations relating to internal control deficiencies classified as a Material Weakness and Significant Deficiency were communicated to the Department of Human Services (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-054 INTERNAL CONTROLS OVER FOOD DISTRIBUTION CLUSTER INVENTORY The Food Distribution Cluster (Cluster) is a group of federal grant programs designed to strengthen the nutrition safety net through the provision of donated foods from the U.S. Department of Agriculture (USDA) to low-income persons. The Department, as the state agency responsible for the administration of the Cluster programs, works with emergency feeding organizations throughout Colorado to provide households in need with food commodities through specific federal programs within the Cluster, including the Emergency Food Assistance Program (Emergency Food), and the Commodity Supplemental Food Program (Supplemental Food). Emergency Food (CFDA 10.568) is a federally funded program that provides USDA foods to low-income households for home consumption or for use in prepared meals at emergency feeding sites for low-income persons. The Department enters into contracts with three Regional Food Banks to serve Colorado?s 64 counties. The Department determines an allocation of the emergency foods to each Regional Food Bank. The Regional Food Banks place orders in the Web Supply Chain Management (Web Chain) system, a web-based software managed by the USDA, against their allocation and the USDA then ships the food to the Regional Food Bank?s warehouse. Emergency assistance bonus foods, which are foods the USDA purchases each year to support agricultural markets that entities can receive in addition to their allocation, are offered to each state based on each state?s fair share of the federal application, or on an open-order basis. The Regional Food Banks determine and provide household allocations of emergency food based on need, and provide congregate meals served at local food pantries and soup kitchens. The Regional Food Banks are required to submit physical inventory forms (Form 152) on a monthly basis to the Department and to provide a physical inventory verification on an annual basis. The Form 152 includes information regarding the receipt, disposal, and inventory of USDA Foods. Supplemental Food [CFDA No. 10.565] is a federally funded program that provides USDA foods to low-income seniors who are a minimum of 60 years of age. The Department works with six recipient agencies, including various counties, to ensure distribution in all 64 counties. The recipient agencies enter into contracts with the Department to administer the Supplemental Food program. The recipient agencies order USDA food through Web Chain. Each month, the recipient agencies are required to complete a Supplemental Food Monthly Inventory Form (Form 153) and submit it to the Department. Form 153 includes sections for reporting USDA food receipts, ending inventory, and number of recipients, along with other information. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to determine if the Department had sufficient internal controls over, and complied with, federal requirements for the Supplemental Food and Emergency Food programs, including whether the Department maintained accurate and complete records with respect to the receipt and inventory of USDA food commodities provided through the Supplemental Food and Emergency Food programs. During our audit, we requested to review any Supplemental Food and Emergency Food inventory reconciliations performed by the Department for Fiscal Year 2020, and requested and obtained the Department?s prepared fiscal year-end inventory summary reports. We also performed the following specific testing for each program: ? For Supplemental Food, we compared total shipment information reported by one food bank on its 12 monthly Form 153s to a Fiscal Year 2020 Web Chain report. ? For Emergency Food, we recalculated 12 monthly Form 152s submitted by one Regional Food Bank during Fiscal Year 2020 for accuracy. We also compared the Regional Food Bank?s fiscal year-end reported inventory from its Form 152 to the Department-prepared fiscal year-end inventory summary report and the Regional Food Bank?s reported Fiscal Year 2020 USDA Emergency Food receipts to a Fiscal Year 2020 Web Chain report. Lastly, we compared bonus food orders contained on a Department-prepared tracking sheet to a Web Chain report on a sample basis. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? Federal regulations applicable to the Food Distribution Cluster programs [7 CFR 250.19(a)] require the Department, as a distributing agency, to keep complete records of donated foods. Failure to maintain these records shall be considered ?prima facie evidence of improper distribution or loss of donated foods.? The Department must ensure that ?restitution is made for the loss of donated foods, or for the loss or improper use of funds provided for, or obtained as an incident of, the distribution of donated foods? [7 CFR 250.16(a)]. The Department?s Emergency Assistance Policy and Procedure Manual states that the Regional Food Banks are required to maintain records documenting the receipt, disposal, and inventory of USDA-provided food, including records documenting distributions. The Department?s Supplemental Food Policy and Procedure Manual states that the recipient agencies must maintain complete and accurate records of USDA foods received and distributed. Federal regulations [2 CFR 200.303] require the Department, as a recipient of federal funds, to establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in the Green Book. Under Paragraph 16.01 of the Green Book, the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports and performing reconciliations. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? Overall, the Department had not identified any of the errors or discrepancies we identified through our testing of both programs? inventory records or otherwise ensured they were investigated and corrected. Specifically: EMERGENCY FOOD PROGRAM ? For seven of the 12 Form 152s we tested, the forms contained calculation errors, resulting in miscalculations of the beginning balance of the inventory, quantity received or distributed, and ending balance of the inventory. ? The Regional Food Bank?s year-end Form 152 reported physical inventory of 50,306 cases, but the Department-prepared year-end inventory summary reported physical inventory of 27,000 cases, representing a discrepancy of 23,306 cases. We calculated an estimated dollar value for the discrepancy of approximately $578,000 by dividing the total value of orders received by the Food Bank during the fiscal year by the total number of cases ordered. ? The Regional Food Bank?s year-end Form 152 reported that it received 446,420 cases of USDA foods in Fiscal Year 2020, but the Web Chain report indicated that the Food Bank received 533,597 cases during Fiscal Year 2020; this represented a discrepancy and possible under-reporting of inventory by the Food Bank of 87,177 cases, totaling an estimated amount of approximately $2.2 million. ? Three of the nine (33 percent) sampled USDA foods listed on the Department?s bonus allocation report did not agree to bonus allocation orders listed on the Web Chain report. SUPPLEMENTAL FOOD PROGRAM ? The recipient agency?s Fiscal Year 2020 Form 153s reported that the recipient agency received a total of 1,618,498 Supplemental Food units, but the Web Chain Report indicated that the recipient agency received 1,705,160 units, which represented a discrepancy and possible underreporting of inventory by the recipient agency of 86,662 units, totaling an estimated amount of $127,000. WHY DID THESE PROBLEMS OCCUR? The Department lacks strong internal controls over its administration of the programs? inventories, including review and reconciliation policies and procedures. First, the Department does not have policies and related procedures requiring Department staff to review monthly inventory reports provided by recipient agencies and Regional Food Banks to ensure the information provided is accurate. Second, the Department does not have policies and related procedures requiring Department staff to perform reconciliations of physical inventory to the USDA Web Chain report to ensure inventory records are complete and accurate. Third, the Department does not have a tracking system to track recipient agencies and Regional Food Banks activities in the Web Chain system or supporting documentation. WHY DO THESE PROBLEMS MATTER? Lack of review and monitoring processes could result in the Department not maintaining complete and accurate inventory records and failing to comply with federal regulations. Ultimately, the Department risks the improper distribution or loss of USDA foods and could owe USDA for inventory shortages. By not having a proper tracking of inventory, this could also result in the Department not having sufficient food to provide to individuals in need of food assistance. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-054 The Department of Human Services (Department) should strengthen its internal controls over the Food Distribution Cluster?s U.S. Department of Agriculture foods inventory by: A Developing and implementing policies and procedures requiring Department staff to review monthly inventory reports received from recipient agencies and Regional Food Banks to ensure they are accurate. B Developing and implementing policies and procedures requiring Department staff to perform reconciliations of recipient agencies? and Regional Food Banks? physical inventories to the Web Supply Chain Management system to ensure inventory records are complete and accurate. C Developing and implementing a tracking system to track recipient agencies and Regional Food Banks activities in the Web Supply Chain Management system and maintaining supporting documents. RESPONSE DEPARTMENT OF HUMAN SERVICES A AGREE. IMPLEMENTATION DATE: DECEMBER 2022. The Department is undertaking an inventory overhaul which includes implementing a new inventory database and creating and hiring an Inventory Specialist. The Department recognized the need for inventory software and started the process of obtaining it in June 2020. In May 2021, the Department received a signed licensing agreement for a new database which is expected to be implemented in six months per an OIT timeline. In addition to the database, the Department recently hired a new Inventory Specialist position. This position will lead the development of policies, procedures, inventory reconciliations, and monthly report management. Once the Inventory Specialist has a comprehensive understanding of federal and state policy and the new database software, the Department will develop policies and procedures, training for partner agencies, and roll out new requirements for the tracking and reconciliation of program inventories. B AGREE. IMPLEMENTATION DATE: DECEMBER 2022. The Department agrees to develop and implement policies and procedures requiring Department staff to perform reconciliations of recipient agencies? and Regional Food Banks? physical inventories to the Web-based Supply Chain Management system to ensure inventory records are complete and accurate. Starting in January 2021 the Department began developing a position description for an Inventory Specialist with the focus of ensuring accurate and thorough accounting of all year-end inventory and reconciliations. The position was hired in April 2021. Due to the implementation of the inventory database and the timing of beginning and ending inventories, the Department anticipates being able to do a full reconciliation of inventories by December 2022. C AGREE. IMPLEMENTATION DATE: DECEMBER 2022. The Department agrees to develop and implement a tracking system for food inventory at recipient agencies and Regional Food Banks using the Web Supply Chain Management system receipts as the basis of food received, including the maintenance of supporting documents. The Department is undertaking an inventory overhaul which includes implementing a new inventory database and creating and hiring an Inventory Specialist. The Department recognized the need for inventory software and started the process of obtaining it in June 2020. In May 2021, the Department received a signed licensing agreement for a new database which is expected to be implemented in six months per an OIT timeline. In addition to the database, the Department recently hired a new Inventory Specialist position. This position will lead the development of policies, procedures, inventory reconciliations, and monthly report management. Once the Inventory Specialist has a comprehensive understanding of federal and state policy and the new database software, the Department will develop policies and procedures, training for partner agencies, and roll out new requirements for the tracking and reconciliation of program inventories.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses were communicated to the Department in the previous year and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-061 The following findings and recommendations relating to internal control deficiencies classified as a Material Weakness and Significant Deficiency were communicated to the Department of Human Services (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-054 INTERNAL CONTROLS OVER FOOD DISTRIBUTION CLUSTER INVENTORY The Food Distribution Cluster (Cluster) is a group of federal grant programs designed to strengthen the nutrition safety net through the provision of donated foods from the U.S. Department of Agriculture (USDA) to low-income persons. The Department, as the state agency responsible for the administration of the Cluster programs, works with emergency feeding organizations throughout Colorado to provide households in need with food commodities through specific federal programs within the Cluster, including the Emergency Food Assistance Program (Emergency Food), and the Commodity Supplemental Food Program (Supplemental Food). Emergency Food (CFDA 10.568) is a federally funded program that provides USDA foods to low-income households for home consumption or for use in prepared meals at emergency feeding sites for low-income persons. The Department enters into contracts with three Regional Food Banks to serve Colorado?s 64 counties. The Department determines an allocation of the emergency foods to each Regional Food Bank. The Regional Food Banks place orders in the Web Supply Chain Management (Web Chain) system, a web-based software managed by the USDA, against their allocation and the USDA then ships the food to the Regional Food Bank?s warehouse. Emergency assistance bonus foods, which are foods the USDA purchases each year to support agricultural markets that entities can receive in addition to their allocation, are offered to each state based on each state?s fair share of the federal application, or on an open-order basis. The Regional Food Banks determine and provide household allocations of emergency food based on need, and provide congregate meals served at local food pantries and soup kitchens. The Regional Food Banks are required to submit physical inventory forms (Form 152) on a monthly basis to the Department and to provide a physical inventory verification on an annual basis. The Form 152 includes information regarding the receipt, disposal, and inventory of USDA Foods. Supplemental Food [CFDA No. 10.565] is a federally funded program that provides USDA foods to low-income seniors who are a minimum of 60 years of age. The Department works with six recipient agencies, including various counties, to ensure distribution in all 64 counties. The recipient agencies enter into contracts with the Department to administer the Supplemental Food program. The recipient agencies order USDA food through Web Chain. Each month, the recipient agencies are required to complete a Supplemental Food Monthly Inventory Form (Form 153) and submit it to the Department. Form 153 includes sections for reporting USDA food receipts, ending inventory, and number of recipients, along with other information. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to determine if the Department had sufficient internal controls over, and complied with, federal requirements for the Supplemental Food and Emergency Food programs, including whether the Department maintained accurate and complete records with respect to the receipt and inventory of USDA food commodities provided through the Supplemental Food and Emergency Food programs. During our audit, we requested to review any Supplemental Food and Emergency Food inventory reconciliations performed by the Department for Fiscal Year 2020, and requested and obtained the Department?s prepared fiscal year-end inventory summary reports. We also performed the following specific testing for each program: ? For Supplemental Food, we compared total shipment information reported by one food bank on its 12 monthly Form 153s to a Fiscal Year 2020 Web Chain report. ? For Emergency Food, we recalculated 12 monthly Form 152s submitted by one Regional Food Bank during Fiscal Year 2020 for accuracy. We also compared the Regional Food Bank?s fiscal year-end reported inventory from its Form 152 to the Department-prepared fiscal year-end inventory summary report and the Regional Food Bank?s reported Fiscal Year 2020 USDA Emergency Food receipts to a Fiscal Year 2020 Web Chain report. Lastly, we compared bonus food orders contained on a Department-prepared tracking sheet to a Web Chain report on a sample basis. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? Federal regulations applicable to the Food Distribution Cluster programs [7 CFR 250.19(a)] require the Department, as a distributing agency, to keep complete records of donated foods. Failure to maintain these records shall be considered ?prima facie evidence of improper distribution or loss of donated foods.? The Department must ensure that ?restitution is made for the loss of donated foods, or for the loss or improper use of funds provided for, or obtained as an incident of, the distribution of donated foods? [7 CFR 250.16(a)]. The Department?s Emergency Assistance Policy and Procedure Manual states that the Regional Food Banks are required to maintain records documenting the receipt, disposal, and inventory of USDA-provided food, including records documenting distributions. The Department?s Supplemental Food Policy and Procedure Manual states that the recipient agencies must maintain complete and accurate records of USDA foods received and distributed. Federal regulations [2 CFR 200.303] require the Department, as a recipient of federal funds, to establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in the Green Book. Under Paragraph 16.01 of the Green Book, the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports and performing reconciliations. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? Overall, the Department had not identified any of the errors or discrepancies we identified through our testing of both programs? inventory records or otherwise ensured they were investigated and corrected. Specifically: EMERGENCY FOOD PROGRAM ? For seven of the 12 Form 152s we tested, the forms contained calculation errors, resulting in miscalculations of the beginning balance of the inventory, quantity received or distributed, and ending balance of the inventory. ? The Regional Food Bank?s year-end Form 152 reported physical inventory of 50,306 cases, but the Department-prepared year-end inventory summary reported physical inventory of 27,000 cases, representing a discrepancy of 23,306 cases. We calculated an estimated dollar value for the discrepancy of approximately $578,000 by dividing the total value of orders received by the Food Bank during the fiscal year by the total number of cases ordered. ? The Regional Food Bank?s year-end Form 152 reported that it received 446,420 cases of USDA foods in Fiscal Year 2020, but the Web Chain report indicated that the Food Bank received 533,597 cases during Fiscal Year 2020; this represented a discrepancy and possible under-reporting of inventory by the Food Bank of 87,177 cases, totaling an estimated amount of approximately $2.2 million. ? Three of the nine (33 percent) sampled USDA foods listed on the Department?s bonus allocation report did not agree to bonus allocation orders listed on the Web Chain report. SUPPLEMENTAL FOOD PROGRAM ? The recipient agency?s Fiscal Year 2020 Form 153s reported that the recipient agency received a total of 1,618,498 Supplemental Food units, but the Web Chain Report indicated that the recipient agency received 1,705,160 units, which represented a discrepancy and possible underreporting of inventory by the recipient agency of 86,662 units, totaling an estimated amount of $127,000. WHY DID THESE PROBLEMS OCCUR? The Department lacks strong internal controls over its administration of the programs? inventories, including review and reconciliation policies and procedures. First, the Department does not have policies and related procedures requiring Department staff to review monthly inventory reports provided by recipient agencies and Regional Food Banks to ensure the information provided is accurate. Second, the Department does not have policies and related procedures requiring Department staff to perform reconciliations of physical inventory to the USDA Web Chain report to ensure inventory records are complete and accurate. Third, the Department does not have a tracking system to track recipient agencies and Regional Food Banks activities in the Web Chain system or supporting documentation. WHY DO THESE PROBLEMS MATTER? Lack of review and monitoring processes could result in the Department not maintaining complete and accurate inventory records and failing to comply with federal regulations. Ultimately, the Department risks the improper distribution or loss of USDA foods and could owe USDA for inventory shortages. By not having a proper tracking of inventory, this could also result in the Department not having sufficient food to provide to individuals in need of food assistance. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-054 The Department of Human Services (Department) should strengthen its internal controls over the Food Distribution Cluster?s U.S. Department of Agriculture foods inventory by: A Developing and implementing policies and procedures requiring Department staff to review monthly inventory reports received from recipient agencies and Regional Food Banks to ensure they are accurate. B Developing and implementing policies and procedures requiring Department staff to perform reconciliations of recipient agencies? and Regional Food Banks? physical inventories to the Web Supply Chain Management system to ensure inventory records are complete and accurate. C Developing and implementing a tracking system to track recipient agencies and Regional Food Banks activities in the Web Supply Chain Management system and maintaining supporting documents. RESPONSE DEPARTMENT OF HUMAN SERVICES A AGREE. IMPLEMENTATION DATE: DECEMBER 2022. The Department is undertaking an inventory overhaul which includes implementing a new inventory database and creating and hiring an Inventory Specialist. The Department recognized the need for inventory software and started the process of obtaining it in June 2020. In May 2021, the Department received a signed licensing agreement for a new database which is expected to be implemented in six months per an OIT timeline. In addition to the database, the Department recently hired a new Inventory Specialist position. This position will lead the development of policies, procedures, inventory reconciliations, and monthly report management. Once the Inventory Specialist has a comprehensive understanding of federal and state policy and the new database software, the Department will develop policies and procedures, training for partner agencies, and roll out new requirements for the tracking and reconciliation of program inventories. B AGREE. IMPLEMENTATION DATE: DECEMBER 2022. The Department agrees to develop and implement policies and procedures requiring Department staff to perform reconciliations of recipient agencies? and Regional Food Banks? physical inventories to the Web-based Supply Chain Management system to ensure inventory records are complete and accurate. Starting in January 2021 the Department began developing a position description for an Inventory Specialist with the focus of ensuring accurate and thorough accounting of all year-end inventory and reconciliations. The position was hired in April 2021. Due to the implementation of the inventory database and the timing of beginning and ending inventories, the Department anticipates being able to do a full reconciliation of inventories by December 2022. C AGREE. IMPLEMENTATION DATE: DECEMBER 2022. The Department agrees to develop and implement a tracking system for food inventory at recipient agencies and Regional Food Banks using the Web Supply Chain Management system receipts as the basis of food received, including the maintenance of supporting documents. The Department is undertaking an inventory overhaul which includes implementing a new inventory database and creating and hiring an Inventory Specialist. The Department recognized the need for inventory software and started the process of obtaining it in June 2020. In May 2021, the Department received a signed licensing agreement for a new database which is expected to be implemented in six months per an OIT timeline. In addition to the database, the Department recently hired a new Inventory Specialist position. This position will lead the development of policies, procedures, inventory reconciliations, and monthly report management. Once the Inventory Specialist has a comprehensive understanding of federal and state policy and the new database software, the Department will develop policies and procedures, training for partner agencies, and roll out new requirements for the tracking and reconciliation of program inventories.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses were communicated to the Department in the previous year and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-061 The following findings and recommendations relating to internal control deficiencies classified as a Material Weakness and Significant Deficiency were communicated to the Department of Human Services (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-054 INTERNAL CONTROLS OVER FOOD DISTRIBUTION CLUSTER INVENTORY The Food Distribution Cluster (Cluster) is a group of federal grant programs designed to strengthen the nutrition safety net through the provision of donated foods from the U.S. Department of Agriculture (USDA) to low-income persons. The Department, as the state agency responsible for the administration of the Cluster programs, works with emergency feeding organizations throughout Colorado to provide households in need with food commodities through specific federal programs within the Cluster, including the Emergency Food Assistance Program (Emergency Food), and the Commodity Supplemental Food Program (Supplemental Food). Emergency Food (CFDA 10.568) is a federally funded program that provides USDA foods to low-income households for home consumption or for use in prepared meals at emergency feeding sites for low-income persons. The Department enters into contracts with three Regional Food Banks to serve Colorado?s 64 counties. The Department determines an allocation of the emergency foods to each Regional Food Bank. The Regional Food Banks place orders in the Web Supply Chain Management (Web Chain) system, a web-based software managed by the USDA, against their allocation and the USDA then ships the food to the Regional Food Bank?s warehouse. Emergency assistance bonus foods, which are foods the USDA purchases each year to support agricultural markets that entities can receive in addition to their allocation, are offered to each state based on each state?s fair share of the federal application, or on an open-order basis. The Regional Food Banks determine and provide household allocations of emergency food based on need, and provide congregate meals served at local food pantries and soup kitchens. The Regional Food Banks are required to submit physical inventory forms (Form 152) on a monthly basis to the Department and to provide a physical inventory verification on an annual basis. The Form 152 includes information regarding the receipt, disposal, and inventory of USDA Foods. Supplemental Food [CFDA No. 10.565] is a federally funded program that provides USDA foods to low-income seniors who are a minimum of 60 years of age. The Department works with six recipient agencies, including various counties, to ensure distribution in all 64 counties. The recipient agencies enter into contracts with the Department to administer the Supplemental Food program. The recipient agencies order USDA food through Web Chain. Each month, the recipient agencies are required to complete a Supplemental Food Monthly Inventory Form (Form 153) and submit it to the Department. Form 153 includes sections for reporting USDA food receipts, ending inventory, and number of recipients, along with other information. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to determine if the Department had sufficient internal controls over, and complied with, federal requirements for the Supplemental Food and Emergency Food programs, including whether the Department maintained accurate and complete records with respect to the receipt and inventory of USDA food commodities provided through the Supplemental Food and Emergency Food programs. During our audit, we requested to review any Supplemental Food and Emergency Food inventory reconciliations performed by the Department for Fiscal Year 2020, and requested and obtained the Department?s prepared fiscal year-end inventory summary reports. We also performed the following specific testing for each program: ? For Supplemental Food, we compared total shipment information reported by one food bank on its 12 monthly Form 153s to a Fiscal Year 2020 Web Chain report. ? For Emergency Food, we recalculated 12 monthly Form 152s submitted by one Regional Food Bank during Fiscal Year 2020 for accuracy. We also compared the Regional Food Bank?s fiscal year-end reported inventory from its Form 152 to the Department-prepared fiscal year-end inventory summary report and the Regional Food Bank?s reported Fiscal Year 2020 USDA Emergency Food receipts to a Fiscal Year 2020 Web Chain report. Lastly, we compared bonus food orders contained on a Department-prepared tracking sheet to a Web Chain report on a sample basis. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? Federal regulations applicable to the Food Distribution Cluster programs [7 CFR 250.19(a)] require the Department, as a distributing agency, to keep complete records of donated foods. Failure to maintain these records shall be considered ?prima facie evidence of improper distribution or loss of donated foods.? The Department must ensure that ?restitution is made for the loss of donated foods, or for the loss or improper use of funds provided for, or obtained as an incident of, the distribution of donated foods? [7 CFR 250.16(a)]. The Department?s Emergency Assistance Policy and Procedure Manual states that the Regional Food Banks are required to maintain records documenting the receipt, disposal, and inventory of USDA-provided food, including records documenting distributions. The Department?s Supplemental Food Policy and Procedure Manual states that the recipient agencies must maintain complete and accurate records of USDA foods received and distributed. Federal regulations [2 CFR 200.303] require the Department, as a recipient of federal funds, to establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in the Green Book. Under Paragraph 16.01 of the Green Book, the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports and performing reconciliations. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? Overall, the Department had not identified any of the errors or discrepancies we identified through our testing of both programs? inventory records or otherwise ensured they were investigated and corrected. Specifically: EMERGENCY FOOD PROGRAM ? For seven of the 12 Form 152s we tested, the forms contained calculation errors, resulting in miscalculations of the beginning balance of the inventory, quantity received or distributed, and ending balance of the inventory. ? The Regional Food Bank?s year-end Form 152 reported physical inventory of 50,306 cases, but the Department-prepared year-end inventory summary reported physical inventory of 27,000 cases, representing a discrepancy of 23,306 cases. We calculated an estimated dollar value for the discrepancy of approximately $578,000 by dividing the total value of orders received by the Food Bank during the fiscal year by the total number of cases ordered. ? The Regional Food Bank?s year-end Form 152 reported that it received 446,420 cases of USDA foods in Fiscal Year 2020, but the Web Chain report indicated that the Food Bank received 533,597 cases during Fiscal Year 2020; this represented a discrepancy and possible under-reporting of inventory by the Food Bank of 87,177 cases, totaling an estimated amount of approximately $2.2 million. ? Three of the nine (33 percent) sampled USDA foods listed on the Department?s bonus allocation report did not agree to bonus allocation orders listed on the Web Chain report. SUPPLEMENTAL FOOD PROGRAM ? The recipient agency?s Fiscal Year 2020 Form 153s reported that the recipient agency received a total of 1,618,498 Supplemental Food units, but the Web Chain Report indicated that the recipient agency received 1,705,160 units, which represented a discrepancy and possible underreporting of inventory by the recipient agency of 86,662 units, totaling an estimated amount of $127,000. WHY DID THESE PROBLEMS OCCUR? The Department lacks strong internal controls over its administration of the programs? inventories, including review and reconciliation policies and procedures. First, the Department does not have policies and related procedures requiring Department staff to review monthly inventory reports provided by recipient agencies and Regional Food Banks to ensure the information provided is accurate. Second, the Department does not have policies and related procedures requiring Department staff to perform reconciliations of physical inventory to the USDA Web Chain report to ensure inventory records are complete and accurate. Third, the Department does not have a tracking system to track recipient agencies and Regional Food Banks activities in the Web Chain system or supporting documentation. WHY DO THESE PROBLEMS MATTER? Lack of review and monitoring processes could result in the Department not maintaining complete and accurate inventory records and failing to comply with federal regulations. Ultimately, the Department risks the improper distribution or loss of USDA foods and could owe USDA for inventory shortages. By not having a proper tracking of inventory, this could also result in the Department not having sufficient food to provide to individuals in need of food assistance. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-054 The Department of Human Services (Department) should strengthen its internal controls over the Food Distribution Cluster?s U.S. Department of Agriculture foods inventory by: A Developing and implementing policies and procedures requiring Department staff to review monthly inventory reports received from recipient agencies and Regional Food Banks to ensure they are accurate. B Developing and implementing policies and procedures requiring Department staff to perform reconciliations of recipient agencies? and Regional Food Banks? physical inventories to the Web Supply Chain Management system to ensure inventory records are complete and accurate. C Developing and implementing a tracking system to track recipient agencies and Regional Food Banks activities in the Web Supply Chain Management system and maintaining supporting documents. RESPONSE DEPARTMENT OF HUMAN SERVICES A AGREE. IMPLEMENTATION DATE: DECEMBER 2022. The Department is undertaking an inventory overhaul which includes implementing a new inventory database and creating and hiring an Inventory Specialist. The Department recognized the need for inventory software and started the process of obtaining it in June 2020. In May 2021, the Department received a signed licensing agreement for a new database which is expected to be implemented in six months per an OIT timeline. In addition to the database, the Department recently hired a new Inventory Specialist position. This position will lead the development of policies, procedures, inventory reconciliations, and monthly report management. Once the Inventory Specialist has a comprehensive understanding of federal and state policy and the new database software, the Department will develop policies and procedures, training for partner agencies, and roll out new requirements for the tracking and reconciliation of program inventories. B AGREE. IMPLEMENTATION DATE: DECEMBER 2022. The Department agrees to develop and implement policies and procedures requiring Department staff to perform reconciliations of recipient agencies? and Regional Food Banks? physical inventories to the Web-based Supply Chain Management system to ensure inventory records are complete and accurate. Starting in January 2021 the Department began developing a position description for an Inventory Specialist with the focus of ensuring accurate and thorough accounting of all year-end inventory and reconciliations. The position was hired in April 2021. Due to the implementation of the inventory database and the timing of beginning and ending inventories, the Department anticipates being able to do a full reconciliation of inventories by December 2022. C AGREE. IMPLEMENTATION DATE: DECEMBER 2022. The Department agrees to develop and implement a tracking system for food inventory at recipient agencies and Regional Food Banks using the Web Supply Chain Management system receipts as the basis of food received, including the maintenance of supporting documents. The Department is undertaking an inventory overhaul which includes implementing a new inventory database and creating and hiring an Inventory Specialist. The Department recognized the need for inventory software and started the process of obtaining it in June 2020. In May 2021, the Department received a signed licensing agreement for a new database which is expected to be implemented in six months per an OIT timeline. In addition to the database, the Department recently hired a new Inventory Specialist position. This position will lead the development of policies, procedures, inventory reconciliations, and monthly report management. Once the Inventory Specialist has a comprehensive understanding of federal and state policy and the new database software, the Department will develop policies and procedures, training for partner agencies, and roll out new requirements for the tracking and reconciliation of program inventories.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses were communicated to the Department in the previous year and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-061 The following findings and recommendations relating to internal control deficiencies classified as a Material Weakness and Significant Deficiency were communicated to the Department of Human Services (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-054 INTERNAL CONTROLS OVER FOOD DISTRIBUTION CLUSTER INVENTORY The Food Distribution Cluster (Cluster) is a group of federal grant programs designed to strengthen the nutrition safety net through the provision of donated foods from the U.S. Department of Agriculture (USDA) to low-income persons. The Department, as the state agency responsible for the administration of the Cluster programs, works with emergency feeding organizations throughout Colorado to provide households in need with food commodities through specific federal programs within the Cluster, including the Emergency Food Assistance Program (Emergency Food), and the Commodity Supplemental Food Program (Supplemental Food). Emergency Food (CFDA 10.568) is a federally funded program that provides USDA foods to low-income households for home consumption or for use in prepared meals at emergency feeding sites for low-income persons. The Department enters into contracts with three Regional Food Banks to serve Colorado?s 64 counties. The Department determines an allocation of the emergency foods to each Regional Food Bank. The Regional Food Banks place orders in the Web Supply Chain Management (Web Chain) system, a web-based software managed by the USDA, against their allocation and the USDA then ships the food to the Regional Food Bank?s warehouse. Emergency assistance bonus foods, which are foods the USDA purchases each year to support agricultural markets that entities can receive in addition to their allocation, are offered to each state based on each state?s fair share of the federal application, or on an open-order basis. The Regional Food Banks determine and provide household allocations of emergency food based on need, and provide congregate meals served at local food pantries and soup kitchens. The Regional Food Banks are required to submit physical inventory forms (Form 152) on a monthly basis to the Department and to provide a physical inventory verification on an annual basis. The Form 152 includes information regarding the receipt, disposal, and inventory of USDA Foods. Supplemental Food [CFDA No. 10.565] is a federally funded program that provides USDA foods to low-income seniors who are a minimum of 60 years of age. The Department works with six recipient agencies, including various counties, to ensure distribution in all 64 counties. The recipient agencies enter into contracts with the Department to administer the Supplemental Food program. The recipient agencies order USDA food through Web Chain. Each month, the recipient agencies are required to complete a Supplemental Food Monthly Inventory Form (Form 153) and submit it to the Department. Form 153 includes sections for reporting USDA food receipts, ending inventory, and number of recipients, along with other information. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to determine if the Department had sufficient internal controls over, and complied with, federal requirements for the Supplemental Food and Emergency Food programs, including whether the Department maintained accurate and complete records with respect to the receipt and inventory of USDA food commodities provided through the Supplemental Food and Emergency Food programs. During our audit, we requested to review any Supplemental Food and Emergency Food inventory reconciliations performed by the Department for Fiscal Year 2020, and requested and obtained the Department?s prepared fiscal year-end inventory summary reports. We also performed the following specific testing for each program: ? For Supplemental Food, we compared total shipment information reported by one food bank on its 12 monthly Form 153s to a Fiscal Year 2020 Web Chain report. ? For Emergency Food, we recalculated 12 monthly Form 152s submitted by one Regional Food Bank during Fiscal Year 2020 for accuracy. We also compared the Regional Food Bank?s fiscal year-end reported inventory from its Form 152 to the Department-prepared fiscal year-end inventory summary report and the Regional Food Bank?s reported Fiscal Year 2020 USDA Emergency Food receipts to a Fiscal Year 2020 Web Chain report. Lastly, we compared bonus food orders contained on a Department-prepared tracking sheet to a Web Chain report on a sample basis. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? Federal regulations applicable to the Food Distribution Cluster programs [7 CFR 250.19(a)] require the Department, as a distributing agency, to keep complete records of donated foods. Failure to maintain these records shall be considered ?prima facie evidence of improper distribution or loss of donated foods.? The Department must ensure that ?restitution is made for the loss of donated foods, or for the loss or improper use of funds provided for, or obtained as an incident of, the distribution of donated foods? [7 CFR 250.16(a)]. The Department?s Emergency Assistance Policy and Procedure Manual states that the Regional Food Banks are required to maintain records documenting the receipt, disposal, and inventory of USDA-provided food, including records documenting distributions. The Department?s Supplemental Food Policy and Procedure Manual states that the recipient agencies must maintain complete and accurate records of USDA foods received and distributed. Federal regulations [2 CFR 200.303] require the Department, as a recipient of federal funds, to establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in the Green Book. Under Paragraph 16.01 of the Green Book, the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports and performing reconciliations. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? Overall, the Department had not identified any of the errors or discrepancies we identified through our testing of both programs? inventory records or otherwise ensured they were investigated and corrected. Specifically: EMERGENCY FOOD PROGRAM ? For seven of the 12 Form 152s we tested, the forms contained calculation errors, resulting in miscalculations of the beginning balance of the inventory, quantity received or distributed, and ending balance of the inventory. ? The Regional Food Bank?s year-end Form 152 reported physical inventory of 50,306 cases, but the Department-prepared year-end inventory summary reported physical inventory of 27,000 cases, representing a discrepancy of 23,306 cases. We calculated an estimated dollar value for the discrepancy of approximately $578,000 by dividing the total value of orders received by the Food Bank during the fiscal year by the total number of cases ordered. ? The Regional Food Bank?s year-end Form 152 reported that it received 446,420 cases of USDA foods in Fiscal Year 2020, but the Web Chain report indicated that the Food Bank received 533,597 cases during Fiscal Year 2020; this represented a discrepancy and possible under-reporting of inventory by the Food Bank of 87,177 cases, totaling an estimated amount of approximately $2.2 million. ? Three of the nine (33 percent) sampled USDA foods listed on the Department?s bonus allocation report did not agree to bonus allocation orders listed on the Web Chain report. SUPPLEMENTAL FOOD PROGRAM ? The recipient agency?s Fiscal Year 2020 Form 153s reported that the recipient agency received a total of 1,618,498 Supplemental Food units, but the Web Chain Report indicated that the recipient agency received 1,705,160 units, which represented a discrepancy and possible underreporting of inventory by the recipient agency of 86,662 units, totaling an estimated amount of $127,000. WHY DID THESE PROBLEMS OCCUR? The Department lacks strong internal controls over its administration of the programs? inventories, including review and reconciliation policies and procedures. First, the Department does not have policies and related procedures requiring Department staff to review monthly inventory reports provided by recipient agencies and Regional Food Banks to ensure the information provided is accurate. Second, the Department does not have policies and related procedures requiring Department staff to perform reconciliations of physical inventory to the USDA Web Chain report to ensure inventory records are complete and accurate. Third, the Department does not have a tracking system to track recipient agencies and Regional Food Banks activities in the Web Chain system or supporting documentation. WHY DO THESE PROBLEMS MATTER? Lack of review and monitoring processes could result in the Department not maintaining complete and accurate inventory records and failing to comply with federal regulations. Ultimately, the Department risks the improper distribution or loss of USDA foods and could owe USDA for inventory shortages. By not having a proper tracking of inventory, this could also result in the Department not having sufficient food to provide to individuals in need of food assistance. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-054 The Department of Human Services (Department) should strengthen its internal controls over the Food Distribution Cluster?s U.S. Department of Agriculture foods inventory by: A Developing and implementing policies and procedures requiring Department staff to review monthly inventory reports received from recipient agencies and Regional Food Banks to ensure they are accurate. B Developing and implementing policies and procedures requiring Department staff to perform reconciliations of recipient agencies? and Regional Food Banks? physical inventories to the Web Supply Chain Management system to ensure inventory records are complete and accurate. C Developing and implementing a tracking system to track recipient agencies and Regional Food Banks activities in the Web Supply Chain Management system and maintaining supporting documents. RESPONSE DEPARTMENT OF HUMAN SERVICES A AGREE. IMPLEMENTATION DATE: DECEMBER 2022. The Department is undertaking an inventory overhaul which includes implementing a new inventory database and creating and hiring an Inventory Specialist. The Department recognized the need for inventory software and started the process of obtaining it in June 2020. In May 2021, the Department received a signed licensing agreement for a new database which is expected to be implemented in six months per an OIT timeline. In addition to the database, the Department recently hired a new Inventory Specialist position. This position will lead the development of policies, procedures, inventory reconciliations, and monthly report management. Once the Inventory Specialist has a comprehensive understanding of federal and state policy and the new database software, the Department will develop policies and procedures, training for partner agencies, and roll out new requirements for the tracking and reconciliation of program inventories. B AGREE. IMPLEMENTATION DATE: DECEMBER 2022. The Department agrees to develop and implement policies and procedures requiring Department staff to perform reconciliations of recipient agencies? and Regional Food Banks? physical inventories to the Web-based Supply Chain Management system to ensure inventory records are complete and accurate. Starting in January 2021 the Department began developing a position description for an Inventory Specialist with the focus of ensuring accurate and thorough accounting of all year-end inventory and reconciliations. The position was hired in April 2021. Due to the implementation of the inventory database and the timing of beginning and ending inventories, the Department anticipates being able to do a full reconciliation of inventories by December 2022. C AGREE. IMPLEMENTATION DATE: DECEMBER 2022. The Department agrees to develop and implement a tracking system for food inventory at recipient agencies and Regional Food Banks using the Web Supply Chain Management system receipts as the basis of food received, including the maintenance of supporting documents. The Department is undertaking an inventory overhaul which includes implementing a new inventory database and creating and hiring an Inventory Specialist. The Department recognized the need for inventory software and started the process of obtaining it in June 2020. In May 2021, the Department received a signed licensing agreement for a new database which is expected to be implemented in six months per an OIT timeline. In addition to the database, the Department recently hired a new Inventory Specialist position. This position will lead the development of policies, procedures, inventory reconciliations, and monthly report management. Once the Inventory Specialist has a comprehensive understanding of federal and state policy and the new database software, the Department will develop policies and procedures, training for partner agencies, and roll out new requirements for the tracking and reconciliation of program inventories.
Finding 2022-074 Coronavirus Relief Funds?Property Owner Preservation Program The President of the United States issued the Proclamation on Declaring a National Emergency Concerning the Novel Coronavirus Disease (COVID-19) Outbreak on March 13, 2020 and Congress subsequently passed the Coronavirus Aid, Relief, and Economic Security (CARES) Act. The CARES Act provided emergency assistance in response to the COVID-19 pandemic and established the Coronavirus Relief Fund (CRF) program, which provided payments to state, local, and tribal governments navigating the impact of COVID-19. The State of Colorado received approximately $1.67 billion of CRF funds in April 2020, and the Governor issued Executive Order 2020-070 (Executive Order) in May 2020 to disburse the CRF funds to numerous state departments and agencies. In June 2020, the State passed House Bill 20-1410, concerning assistance for individuals facing a housing-related hardship due to the COVID-19 pandemic, and transferred approximately $19.7 million of CRF funds to the Housing Development Grant Fund to provide such assistance. This bill includes a provision for the Property Owners Preservation Program (Program), which was managed by the Department, to allow landlords and property owners to seek rental assistance on behalf of their tenants who experienced a financial need on or after March 1, 2020, due to the effects of the COVID-19 pandemic. In Fiscal Year 2021, the Department expended the $19.7 million of the CRF funds it received in April 2020, for the Property Owners Preservation Program (POPP). What was the purpose of our audit work and what work was performed? The purpose of the audit work was to follow up on our prior year audit recommendation, which recommended that the Department implement internal controls to ensure it complies with federal regulations for any new federal funds it receives, such as the CRF. The Department planned to implement this recommendation by June 2022. During the Fiscal Year 2022 audit, we inquired with the Department on the implementation status of this recommendation. We also obtained and reviewed the Department?s Exhibit K3, Schedule of Prior Year Audit Recommendation Status, which it was required to submit to the State Controller. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Under House Bill 20-1410, the Housing Development Grant Fund was appropriated $19,650,000 of funds from the CRF for the purpose of providing individuals and households who, on or after March 1, 2020, experienced financial need due to the COVID-19 pandemic or effects of the COVID-19 pandemic, with rental assistance. The House Bill also provided guidance on how to access additional housing services. The Department developed and issued a new application for the POPP to address the criteria for experiencing direct or indirect impacts of the COVID-19 pandemic. ? Federal regulations [2 CFR 200.303] require that the Department, as a federal grant recipient, ?establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.? Furthermore, in accordance with 2 CFR part 200, subpart E, the Department must determine that amounts paid with federal grant funds were necessary and reasonable for the performance of the federal award and are adequately documented. Therefore, the Department must maintain appropriate supporting documentation to verify costs were properly charged to the federal grants. ? The Office of the State Controller (OSC) requires each department that had a prior audit recommendation that was reported in the prior fiscal year?s Office of the State Auditor Statewide audit to complete an Exhibit K3 to report the Department?s determination of the status of their recommendation as of June 30. Possible status descriptions include ?Implemented,? ?Partially Implemented,? ?Not Implemented,? and ?No Longer Valid.? The Department must provide an explanation for each recommendation status. What problem did the audit work identify? We determined that the Department did not implement the prior year?s recommendation by its planned implementation date of June 2022. Specifically, during prior year audit work, we found that the Department could not provide appropriate underlying support for 4 of the 60 transactions (7 percent) we tested that were charged as CRF expenditures for the Program; as a result, we recommended that the Department strengthen its internal controls over federal grant spending, including that it develop and implement policies and procedures with a requirement that Department staff review and maintain records supporting its expenditures charged to federal programs. When we inquired of the Department about what steps it had taken to implement the recommendation, Department staff indicated that they did not implement the recommendation during Fiscal Year 2022. Why did this problem occur? The Department reported on its Exhibit K3 that it determined that the original implementation date of June 2022 that the Department provided as its planned implementation date for our Fiscal Year 2021 recommendation was unrealistic, given the Department?s staffing challenges. Specifically, the Department indicated that it was not able to allocate sufficient time to develop and implement the recommended policy and procedure guidance by the end of Fiscal Year 2022. Why does this problem matter? The Department?s lack of sufficient internal controls over the maintenance of complete and accurate records for the federal CRF monies could result in inadequate documentation to support its payments and ultimately, disallowed federal costs and potential sanctions. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-074 The Department of Local Affairs (Department) should implement internal controls to ensure it complies with federal regulations, specifically for activities allowed or unallowed and allowable costs/cost principles, for any new federal funds it receives, such as the Coronavirus Relief Fund. This should include developing and implementing policies and procedures that include a requirement that Department staff review and maintain records supporting the expenditures charged to the federal program. Response Department of Local Affairs Agree Implementation Date: September 2022 The Division of Housing within the Department of Local Affairs has implemented internal controls to ensure compliance with federal regulations for new federal funds, including the development of a standard procedure and the requirement that Department staff review and maintain records supporting the expenditures charged to new federal programs.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses were communicated to the Department in the previous year and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-059 Federal Funding Accountability and Transparency Act The Federal Funding Accountability and Transparency Act (Transparency Act or FFATA) was created to empower Americans with the ability to hold the government accountable for each spending decision and, as a result, to reduce wasteful spending by the government. The Transparency Act requires the federal government to make certain information on federal awards available to the public. The Department is required to report information about subgrants, or subawards, given to other governments or to nonprofit organizations, also referred to as subrecipients. Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the Department, to an entity to carry out part of a Federal grant award received by the pass-through entity. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? The Department is required to file FFATA reports through the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Once the Department submits a report to FSRS, the public can view certain information from the report, including the subrecipient?s name, subaward identification number, subaward obligation/action date, subaward amount, federal awarding agency and subagency, the Department?s name, and the Department?s grant award identification number. The Department?s required FFATA reports for Fiscal Year 2021 included information on the Low-Income Home Energy Assistance (LIHEAP), COVID-19 ? Low-Income Home Energy Assistance [ALN 93.568]; the Child Care and Development Fund (CCDF) Cluster, consisting of the Child Care and Development Block Grant [ALN 93.575], and Child Care Mandatory and Matching Funds of the Child Care and Development Fund [ALN 93.596]; and the Block Grant for Prevention and Treatment of Substance Abuse (Substance Abuse), COVID-19 ? Block Grant for Prevention and Treatment of Substance Abuse [ALN 93.959]. FFATA reporting was required for the Department because the Department passed through funds to one or more subrecipients for each of the three programs in excess of $30,000, as follows: LIHEAP funds to one subrecipient, CCDF funds to nine subrecipients, and Substance Abuse funds to seven subrecipients for Fiscal Year 2021. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to evaluate the Department?s internal controls over the FFATA reporting and to determine whether the Department correctly reported its subawards to the FSRS during Fiscal Year 2021. Based on our audit testwork, we reviewed the Department?s subawards and related federal expenditures in Fiscal Year 2021 to determine if there was FFATA reporting that was completed within the month following the month the subaward was made, as required. We compared amounts reported by the Department for subawards in FSRS to the underlying financial records reported in the Colorado Operations Resource Engine (CORE), the state?s accounting system, for the LIHEAP, CCDF, and Substance Abuse programs and inquired about any differences. In addition, we made inquiries of Department staff regarding its internal control processes over the FFATA reporting, including supervisory reviews. We reviewed the following number of subrecipient samples within each program for their internal control over compliance and compliance with FFATA reporting standards: LIHEAP had one sample, CCDF had five samples, and Substance Abuse had five samples. We reviewed the FFATA reports within FSRS for each subrecipient selected for testing to determine if the FFATA report was made in a timely manner in accordance with federal regulations and contained all of the required key data elements. How were the results of the audit work measured? In accordance with federal regulations [2 CFR 170], direct recipients of grants are required to report subawards of $30,000 or more to FSRS by the end of the month following the month in which the award was made. If the Department makes additional subawards greater than or equal to $30,000 under that same subaward at a later date or makes a supplemental award that increases an existing award to greater than or equal to $30,000, it must file additional FFATA reports to reflect the new or amended subaward. If the subaward does not change, no additional reporting is required. The FFATA reports are required to include the following key data elements: subrecipient name, subrecipient DUNS number, amount of subaward, subaward obligation/action date, date of report submission, subaward number, subaward project description, and subrecipient names and compensation of highly compensated officers. The Department?s program staff are responsible for understanding FFATA reporting requirements related to their programs, and providing key data elements for subrecipients at the point that funds are obligated. When program staff determine that the Department is making a subaward that requires FFATA reporting, program staff are required to report these key data elements in eClearance, an approval workflow and document depository system utilized by the Department in their purchasing process. Guidance for the FFATA reporting is included within the Department?s FFATA Quick Reference Guide that is made available to the program staff. Program staff enter the subaward information into eClearance via an online form called a Requisition eForm (eForm), which goes through an approval process and is then routed to the Department?s Purchasing and Contracts unit to process the purchase request that translates into an obligation of an award for subrecipients. Once the eForm is completed processing in eClearance, it is archived in the system and an automated query is run by the Department?s Business Technology Unit to export this data and it is automatically emailed to the Compliance Accounting team on a daily basis. Each day, the Department?s compliance accountant compiles the subaward data emailed to them that originated from eClearance into a daily report. At the end of the month, the compliance accountant combines the daily reports into a monthly summary and compares the monthly summary report to the daily reports to verify the summary report?s accuracy. The compliance accountant uses the information summarized within the monthly report to input the required FFATA information into FSRS, which ultimately is submitted as the required monthly FFATA report. What problems did the audit work identify? Based on our audit testwork, we determined that the Department did not report its subawards in FSRS for any of the three federal grant programs we tested for Fiscal Year 2021: the LIHEAP, CCDF, and Substance Abuse programs. In total, for the three programs, the Department failed to report subawards totaling $5.77 million (approximately $3.04 million for LIHEAP, approximately $861 thousand for CCDF, and approximately $1.87 million for Substance Abuse). The following tables summarize the results of our testing and groups each exception within the following categories: subaward not reported, report not timely, subaward amount incorrect, and subaward missing key elements. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Why did these problems occur? The Department does not have adequate internal controls over the FFATA reporting. Specifically, the Department has not validated the automated process to compile the data needed for the FFATA reports. In addition, the Department has not implemented a supervisory review process of the final FFATA report data that is used to submit the FFATA report via FSRS. We determined that automated reports generated did not include the full population of data needed to compile the FFATA reports. Based on test work, we found that program staff entered key data elements needed for FFATA reporting correctly into the eForm during the purchasing process, and that accounting staff used the data provided in the reports received to complete the FFATA reporting in FSRS. However, the data exported from eClearance and sent to accounting to compile the FFATA reports did not contain all of the population needed for reporting. Thus, accounting was using data that was not complete in the FFATA reporting to FSRS, but was unaware that the data was not complete. Further, when there was incomplete information in the data received, the compliance accountant failed to follow up with the various program staff to obtain the necessary information and input it into and submit it through FSRS. Why do these problems matter? By failing to properly report subawards to FSRS, the Department is out of compliance with federal reporting requirements and risks federal sanctions. In addition, information submitted via the FSRS is made publicly available at https://www.usaspending.gov/search; excluding the information could be misleading to the public and fails to meet the federal intent of transparency for federal program spending. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-059 The Department of Human Service (Department) should strengthen its internal controls over the Federal Funding Accountability and Transparency Act (Transparency Act or FFATA) reporting by: A. Correcting the automated reporting process from eClearance to ensure that data compiled for Transparency Act reporting contains all relevant data. B. Developing and implementing procedures to validate that data derived from eClearance reports and ultimately used to compile Transparency Act reporting is complete and accurate by reviewing the population from an alternate source, such as the Colorado Operations Resource Engine. C. Improving the Department?s supervisory review process to provide for a complete and thorough review of the final FFATA report data that the Department will report within the Federal Funding Accountability and Transparency Act Subaward Reporting System. This process should include taking steps to ensure the compliance accountant follows up with the program staff if the necessary information is not input into eClearance, so that it can be obtained and reported accurately and timely. Response Department of Human Services A. Agree Implementation Date: July 2022 CDHS agrees that it needs to it needs to correct the automated reporting process from the eClearance system used to gather data needed for our FFATA reporting. The department thought that the reports obtained from eClearance were complete and relied on them as the basis of our reporting. Upon investigation we found that an internal process change enacted during the implementation of another system at the start of the pandemic was the cause of the data discrepancy. This occurred because the new system made the routing in eClearance after a certain point unnecessary for internal processing so this stopped. It was unkown that this further routing to archive files in eClearance was the trigger for eClearance to push out FFATA report data. Since the department has been able to identify the cause we are able to immediately remedy the problem and ensure that all processes are in sync to ensure accurate and complete FFATA data is contained in automated reporting processes. The department will catch up on FFATA reporting that was missed during this time frame. B. Agree Implementation Date: July 2022 The department agrees that it needs to implement procedures to validate that data derived from automated processes used as a basis for FFATA reporting should be periodically validated against another data source. To do this the department will create and implement procedures to use CORE reports of encumbrance data referencing subrecipient object codes and tie this to information received from the automated eClearance report. Doing this will validate that the data provided from eClearance is a complete listing of all FFATA reportable subrecipient awards, and thus is a valid source to base FFATA reporting on. This will also help us monitor the process in case any future inadvertent changes are made to processes that could cause data validity issues. C. Agree Implementation Date: July 2022 CDHS agrees that a supervisory review is needed over the FFATA reporting process in order to ensure more consistency, accuracy and timeliness in reporting processes and standards. The department is currently developing procedures that will allow for more oversight of the FFATA reporting through supervisory reviews and cross training staff on FFATA reporting duties. Supervisory reviews will help ensure that reporting is completed in line with reporting procedures and timeframes and can be a second set of eyes to ensure that information appears accurate and adds analytical judgement value (example - a supervisor might see that July typically has high volume, but this July volume is low, why). In addition, the department is taking this opportunity to cross train other staff on the process so that more individuals can be involved which leads to more transparency over processes allowing various individuals to notice if something isn't working as designed. These new procedures are being developed and implemented as the department catches up on reporting subrecipient awards that were missed since the automated process stopped working.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses were communicated to the Department in the previous year and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-059 Federal Funding Accountability and Transparency Act The Federal Funding Accountability and Transparency Act (Transparency Act or FFATA) was created to empower Americans with the ability to hold the government accountable for each spending decision and, as a result, to reduce wasteful spending by the government. The Transparency Act requires the federal government to make certain information on federal awards available to the public. The Department is required to report information about subgrants, or subawards, given to other governments or to nonprofit organizations, also referred to as subrecipients. Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the Department, to an entity to carry out part of a Federal grant award received by the pass-through entity. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? The Department is required to file FFATA reports through the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Once the Department submits a report to FSRS, the public can view certain information from the report, including the subrecipient?s name, subaward identification number, subaward obligation/action date, subaward amount, federal awarding agency and subagency, the Department?s name, and the Department?s grant award identification number. The Department?s required FFATA reports for Fiscal Year 2021 included information on the Low-Income Home Energy Assistance (LIHEAP), COVID-19 ? Low-Income Home Energy Assistance [ALN 93.568]; the Child Care and Development Fund (CCDF) Cluster, consisting of the Child Care and Development Block Grant [ALN 93.575], and Child Care Mandatory and Matching Funds of the Child Care and Development Fund [ALN 93.596]; and the Block Grant for Prevention and Treatment of Substance Abuse (Substance Abuse), COVID-19 ? Block Grant for Prevention and Treatment of Substance Abuse [ALN 93.959]. FFATA reporting was required for the Department because the Department passed through funds to one or more subrecipients for each of the three programs in excess of $30,000, as follows: LIHEAP funds to one subrecipient, CCDF funds to nine subrecipients, and Substance Abuse funds to seven subrecipients for Fiscal Year 2021. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to evaluate the Department?s internal controls over the FFATA reporting and to determine whether the Department correctly reported its subawards to the FSRS during Fiscal Year 2021. Based on our audit testwork, we reviewed the Department?s subawards and related federal expenditures in Fiscal Year 2021 to determine if there was FFATA reporting that was completed within the month following the month the subaward was made, as required. We compared amounts reported by the Department for subawards in FSRS to the underlying financial records reported in the Colorado Operations Resource Engine (CORE), the state?s accounting system, for the LIHEAP, CCDF, and Substance Abuse programs and inquired about any differences. In addition, we made inquiries of Department staff regarding its internal control processes over the FFATA reporting, including supervisory reviews. We reviewed the following number of subrecipient samples within each program for their internal control over compliance and compliance with FFATA reporting standards: LIHEAP had one sample, CCDF had five samples, and Substance Abuse had five samples. We reviewed the FFATA reports within FSRS for each subrecipient selected for testing to determine if the FFATA report was made in a timely manner in accordance with federal regulations and contained all of the required key data elements. How were the results of the audit work measured? In accordance with federal regulations [2 CFR 170], direct recipients of grants are required to report subawards of $30,000 or more to FSRS by the end of the month following the month in which the award was made. If the Department makes additional subawards greater than or equal to $30,000 under that same subaward at a later date or makes a supplemental award that increases an existing award to greater than or equal to $30,000, it must file additional FFATA reports to reflect the new or amended subaward. If the subaward does not change, no additional reporting is required. The FFATA reports are required to include the following key data elements: subrecipient name, subrecipient DUNS number, amount of subaward, subaward obligation/action date, date of report submission, subaward number, subaward project description, and subrecipient names and compensation of highly compensated officers. The Department?s program staff are responsible for understanding FFATA reporting requirements related to their programs, and providing key data elements for subrecipients at the point that funds are obligated. When program staff determine that the Department is making a subaward that requires FFATA reporting, program staff are required to report these key data elements in eClearance, an approval workflow and document depository system utilized by the Department in their purchasing process. Guidance for the FFATA reporting is included within the Department?s FFATA Quick Reference Guide that is made available to the program staff. Program staff enter the subaward information into eClearance via an online form called a Requisition eForm (eForm), which goes through an approval process and is then routed to the Department?s Purchasing and Contracts unit to process the purchase request that translates into an obligation of an award for subrecipients. Once the eForm is completed processing in eClearance, it is archived in the system and an automated query is run by the Department?s Business Technology Unit to export this data and it is automatically emailed to the Compliance Accounting team on a daily basis. Each day, the Department?s compliance accountant compiles the subaward data emailed to them that originated from eClearance into a daily report. At the end of the month, the compliance accountant combines the daily reports into a monthly summary and compares the monthly summary report to the daily reports to verify the summary report?s accuracy. The compliance accountant uses the information summarized within the monthly report to input the required FFATA information into FSRS, which ultimately is submitted as the required monthly FFATA report. What problems did the audit work identify? Based on our audit testwork, we determined that the Department did not report its subawards in FSRS for any of the three federal grant programs we tested for Fiscal Year 2021: the LIHEAP, CCDF, and Substance Abuse programs. In total, for the three programs, the Department failed to report subawards totaling $5.77 million (approximately $3.04 million for LIHEAP, approximately $861 thousand for CCDF, and approximately $1.87 million for Substance Abuse). The following tables summarize the results of our testing and groups each exception within the following categories: subaward not reported, report not timely, subaward amount incorrect, and subaward missing key elements. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Why did these problems occur? The Department does not have adequate internal controls over the FFATA reporting. Specifically, the Department has not validated the automated process to compile the data needed for the FFATA reports. In addition, the Department has not implemented a supervisory review process of the final FFATA report data that is used to submit the FFATA report via FSRS. We determined that automated reports generated did not include the full population of data needed to compile the FFATA reports. Based on test work, we found that program staff entered key data elements needed for FFATA reporting correctly into the eForm during the purchasing process, and that accounting staff used the data provided in the reports received to complete the FFATA reporting in FSRS. However, the data exported from eClearance and sent to accounting to compile the FFATA reports did not contain all of the population needed for reporting. Thus, accounting was using data that was not complete in the FFATA reporting to FSRS, but was unaware that the data was not complete. Further, when there was incomplete information in the data received, the compliance accountant failed to follow up with the various program staff to obtain the necessary information and input it into and submit it through FSRS. Why do these problems matter? By failing to properly report subawards to FSRS, the Department is out of compliance with federal reporting requirements and risks federal sanctions. In addition, information submitted via the FSRS is made publicly available at https://www.usaspending.gov/search; excluding the information could be misleading to the public and fails to meet the federal intent of transparency for federal program spending. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-059 The Department of Human Service (Department) should strengthen its internal controls over the Federal Funding Accountability and Transparency Act (Transparency Act or FFATA) reporting by: A. Correcting the automated reporting process from eClearance to ensure that data compiled for Transparency Act reporting contains all relevant data. B. Developing and implementing procedures to validate that data derived from eClearance reports and ultimately used to compile Transparency Act reporting is complete and accurate by reviewing the population from an alternate source, such as the Colorado Operations Resource Engine. C. Improving the Department?s supervisory review process to provide for a complete and thorough review of the final FFATA report data that the Department will report within the Federal Funding Accountability and Transparency Act Subaward Reporting System. This process should include taking steps to ensure the compliance accountant follows up with the program staff if the necessary information is not input into eClearance, so that it can be obtained and reported accurately and timely. Response Department of Human Services A. Agree Implementation Date: July 2022 CDHS agrees that it needs to it needs to correct the automated reporting process from the eClearance system used to gather data needed for our FFATA reporting. The department thought that the reports obtained from eClearance were complete and relied on them as the basis of our reporting. Upon investigation we found that an internal process change enacted during the implementation of another system at the start of the pandemic was the cause of the data discrepancy. This occurred because the new system made the routing in eClearance after a certain point unnecessary for internal processing so this stopped. It was unkown that this further routing to archive files in eClearance was the trigger for eClearance to push out FFATA report data. Since the department has been able to identify the cause we are able to immediately remedy the problem and ensure that all processes are in sync to ensure accurate and complete FFATA data is contained in automated reporting processes. The department will catch up on FFATA reporting that was missed during this time frame. B. Agree Implementation Date: July 2022 The department agrees that it needs to implement procedures to validate that data derived from automated processes used as a basis for FFATA reporting should be periodically validated against another data source. To do this the department will create and implement procedures to use CORE reports of encumbrance data referencing subrecipient object codes and tie this to information received from the automated eClearance report. Doing this will validate that the data provided from eClearance is a complete listing of all FFATA reportable subrecipient awards, and thus is a valid source to base FFATA reporting on. This will also help us monitor the process in case any future inadvertent changes are made to processes that could cause data validity issues. C. Agree Implementation Date: July 2022 CDHS agrees that a supervisory review is needed over the FFATA reporting process in order to ensure more consistency, accuracy and timeliness in reporting processes and standards. The department is currently developing procedures that will allow for more oversight of the FFATA reporting through supervisory reviews and cross training staff on FFATA reporting duties. Supervisory reviews will help ensure that reporting is completed in line with reporting procedures and timeframes and can be a second set of eyes to ensure that information appears accurate and adds analytical judgement value (example - a supervisor might see that July typically has high volume, but this July volume is low, why). In addition, the department is taking this opportunity to cross train other staff on the process so that more individuals can be involved which leads to more transparency over processes allowing various individuals to notice if something isn't working as designed. These new procedures are being developed and implemented as the department catches up on reporting subrecipient awards that were missed since the automated process stopped working.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses were communicated to the Department in the previous year and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-059 Federal Funding Accountability and Transparency Act The Federal Funding Accountability and Transparency Act (Transparency Act or FFATA) was created to empower Americans with the ability to hold the government accountable for each spending decision and, as a result, to reduce wasteful spending by the government. The Transparency Act requires the federal government to make certain information on federal awards available to the public. The Department is required to report information about subgrants, or subawards, given to other governments or to nonprofit organizations, also referred to as subrecipients. Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the Department, to an entity to carry out part of a Federal grant award received by the pass-through entity. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? The Department is required to file FFATA reports through the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Once the Department submits a report to FSRS, the public can view certain information from the report, including the subrecipient?s name, subaward identification number, subaward obligation/action date, subaward amount, federal awarding agency and subagency, the Department?s name, and the Department?s grant award identification number. The Department?s required FFATA reports for Fiscal Year 2021 included information on the Low-Income Home Energy Assistance (LIHEAP), COVID-19 ? Low-Income Home Energy Assistance [ALN 93.568]; the Child Care and Development Fund (CCDF) Cluster, consisting of the Child Care and Development Block Grant [ALN 93.575], and Child Care Mandatory and Matching Funds of the Child Care and Development Fund [ALN 93.596]; and the Block Grant for Prevention and Treatment of Substance Abuse (Substance Abuse), COVID-19 ? Block Grant for Prevention and Treatment of Substance Abuse [ALN 93.959]. FFATA reporting was required for the Department because the Department passed through funds to one or more subrecipients for each of the three programs in excess of $30,000, as follows: LIHEAP funds to one subrecipient, CCDF funds to nine subrecipients, and Substance Abuse funds to seven subrecipients for Fiscal Year 2021. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to evaluate the Department?s internal controls over the FFATA reporting and to determine whether the Department correctly reported its subawards to the FSRS during Fiscal Year 2021. Based on our audit testwork, we reviewed the Department?s subawards and related federal expenditures in Fiscal Year 2021 to determine if there was FFATA reporting that was completed within the month following the month the subaward was made, as required. We compared amounts reported by the Department for subawards in FSRS to the underlying financial records reported in the Colorado Operations Resource Engine (CORE), the state?s accounting system, for the LIHEAP, CCDF, and Substance Abuse programs and inquired about any differences. In addition, we made inquiries of Department staff regarding its internal control processes over the FFATA reporting, including supervisory reviews. We reviewed the following number of subrecipient samples within each program for their internal control over compliance and compliance with FFATA reporting standards: LIHEAP had one sample, CCDF had five samples, and Substance Abuse had five samples. We reviewed the FFATA reports within FSRS for each subrecipient selected for testing to determine if the FFATA report was made in a timely manner in accordance with federal regulations and contained all of the required key data elements. How were the results of the audit work measured? In accordance with federal regulations [2 CFR 170], direct recipients of grants are required to report subawards of $30,000 or more to FSRS by the end of the month following the month in which the award was made. If the Department makes additional subawards greater than or equal to $30,000 under that same subaward at a later date or makes a supplemental award that increases an existing award to greater than or equal to $30,000, it must file additional FFATA reports to reflect the new or amended subaward. If the subaward does not change, no additional reporting is required. The FFATA reports are required to include the following key data elements: subrecipient name, subrecipient DUNS number, amount of subaward, subaward obligation/action date, date of report submission, subaward number, subaward project description, and subrecipient names and compensation of highly compensated officers. The Department?s program staff are responsible for understanding FFATA reporting requirements related to their programs, and providing key data elements for subrecipients at the point that funds are obligated. When program staff determine that the Department is making a subaward that requires FFATA reporting, program staff are required to report these key data elements in eClearance, an approval workflow and document depository system utilized by the Department in their purchasing process. Guidance for the FFATA reporting is included within the Department?s FFATA Quick Reference Guide that is made available to the program staff. Program staff enter the subaward information into eClearance via an online form called a Requisition eForm (eForm), which goes through an approval process and is then routed to the Department?s Purchasing and Contracts unit to process the purchase request that translates into an obligation of an award for subrecipients. Once the eForm is completed processing in eClearance, it is archived in the system and an automated query is run by the Department?s Business Technology Unit to export this data and it is automatically emailed to the Compliance Accounting team on a daily basis. Each day, the Department?s compliance accountant compiles the subaward data emailed to them that originated from eClearance into a daily report. At the end of the month, the compliance accountant combines the daily reports into a monthly summary and compares the monthly summary report to the daily reports to verify the summary report?s accuracy. The compliance accountant uses the information summarized within the monthly report to input the required FFATA information into FSRS, which ultimately is submitted as the required monthly FFATA report. What problems did the audit work identify? Based on our audit testwork, we determined that the Department did not report its subawards in FSRS for any of the three federal grant programs we tested for Fiscal Year 2021: the LIHEAP, CCDF, and Substance Abuse programs. In total, for the three programs, the Department failed to report subawards totaling $5.77 million (approximately $3.04 million for LIHEAP, approximately $861 thousand for CCDF, and approximately $1.87 million for Substance Abuse). The following tables summarize the results of our testing and groups each exception within the following categories: subaward not reported, report not timely, subaward amount incorrect, and subaward missing key elements. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Why did these problems occur? The Department does not have adequate internal controls over the FFATA reporting. Specifically, the Department has not validated the automated process to compile the data needed for the FFATA reports. In addition, the Department has not implemented a supervisory review process of the final FFATA report data that is used to submit the FFATA report via FSRS. We determined that automated reports generated did not include the full population of data needed to compile the FFATA reports. Based on test work, we found that program staff entered key data elements needed for FFATA reporting correctly into the eForm during the purchasing process, and that accounting staff used the data provided in the reports received to complete the FFATA reporting in FSRS. However, the data exported from eClearance and sent to accounting to compile the FFATA reports did not contain all of the population needed for reporting. Thus, accounting was using data that was not complete in the FFATA reporting to FSRS, but was unaware that the data was not complete. Further, when there was incomplete information in the data received, the compliance accountant failed to follow up with the various program staff to obtain the necessary information and input it into and submit it through FSRS. Why do these problems matter? By failing to properly report subawards to FSRS, the Department is out of compliance with federal reporting requirements and risks federal sanctions. In addition, information submitted via the FSRS is made publicly available at https://www.usaspending.gov/search; excluding the information could be misleading to the public and fails to meet the federal intent of transparency for federal program spending. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-059 The Department of Human Service (Department) should strengthen its internal controls over the Federal Funding Accountability and Transparency Act (Transparency Act or FFATA) reporting by: A. Correcting the automated reporting process from eClearance to ensure that data compiled for Transparency Act reporting contains all relevant data. B. Developing and implementing procedures to validate that data derived from eClearance reports and ultimately used to compile Transparency Act reporting is complete and accurate by reviewing the population from an alternate source, such as the Colorado Operations Resource Engine. C. Improving the Department?s supervisory review process to provide for a complete and thorough review of the final FFATA report data that the Department will report within the Federal Funding Accountability and Transparency Act Subaward Reporting System. This process should include taking steps to ensure the compliance accountant follows up with the program staff if the necessary information is not input into eClearance, so that it can be obtained and reported accurately and timely. Response Department of Human Services A. Agree Implementation Date: July 2022 CDHS agrees that it needs to it needs to correct the automated reporting process from the eClearance system used to gather data needed for our FFATA reporting. The department thought that the reports obtained from eClearance were complete and relied on them as the basis of our reporting. Upon investigation we found that an internal process change enacted during the implementation of another system at the start of the pandemic was the cause of the data discrepancy. This occurred because the new system made the routing in eClearance after a certain point unnecessary for internal processing so this stopped. It was unkown that this further routing to archive files in eClearance was the trigger for eClearance to push out FFATA report data. Since the department has been able to identify the cause we are able to immediately remedy the problem and ensure that all processes are in sync to ensure accurate and complete FFATA data is contained in automated reporting processes. The department will catch up on FFATA reporting that was missed during this time frame. B. Agree Implementation Date: July 2022 The department agrees that it needs to implement procedures to validate that data derived from automated processes used as a basis for FFATA reporting should be periodically validated against another data source. To do this the department will create and implement procedures to use CORE reports of encumbrance data referencing subrecipient object codes and tie this to information received from the automated eClearance report. Doing this will validate that the data provided from eClearance is a complete listing of all FFATA reportable subrecipient awards, and thus is a valid source to base FFATA reporting on. This will also help us monitor the process in case any future inadvertent changes are made to processes that could cause data validity issues. C. Agree Implementation Date: July 2022 CDHS agrees that a supervisory review is needed over the FFATA reporting process in order to ensure more consistency, accuracy and timeliness in reporting processes and standards. The department is currently developing procedures that will allow for more oversight of the FFATA reporting through supervisory reviews and cross training staff on FFATA reporting duties. Supervisory reviews will help ensure that reporting is completed in line with reporting procedures and timeframes and can be a second set of eyes to ensure that information appears accurate and adds analytical judgement value (example - a supervisor might see that July typically has high volume, but this July volume is low, why). In addition, the department is taking this opportunity to cross train other staff on the process so that more individuals can be involved which leads to more transparency over processes allowing various individuals to notice if something isn't working as designed. These new procedures are being developed and implemented as the department catches up on reporting subrecipient awards that were missed since the automated process stopped working.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses were communicated to the Department in the previous year and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-060 Misreporting of Federal Expenditures for the COVID-19 ?Pandemic EBT Food Benefits and Child Care and Development Block Grant on the Exhibit K1 Each year, the Department is required to prepare an exhibit containing the Department?s federal expenditures and related reimbursements to aid the Colorado Office of the State Controller (OSC) in the preparation of the State?s Schedule of Expenditures of Federal Awards (SEFA); this exhibit is referred to as the Exhibit K1, Schedule of Federal Assistance. The Exhibit K1 should include expenditures for grants received directly from the federal government and expended by the Department (direct expenditures), as well as expenditures for federal grants passed through by the Department to other State and/or non-State agencies (subrecipient expenditures). The SEFA is to be presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance) to show the State?s expenditures of federal awards during the fiscal year. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Annually, the Department prepares its Exhibit K1 by following a process documented in its program accounting manual. First, program accountants review and analyze information from CORE for the federal Assistance Listing Number (ALN)?s related to the programs they support. The program accountants complete this review using a CORE report that the Department created, pulling transaction detail level data by ALN. Once the reviews and analysis are complete, the program accountants enter the information on the Department?s Exhibit K1 template for the correlating ALN. After the exhibit is prepared, the Department?s program accounting manual requires that it goes through two levels of review for accuracy. Once these reviews are completed, the Department submits the final Exhibit K1 to the OSC. The Department is also separately required within its approved State Plan for the COVID-19 ? Pandemic EBT Food Benefits program [ALN 10.542] (P-EBT) to report its P-EBT federal expenditures to the U.S. Department of Agriculture (USDA) via the Report of Disaster Food Stamp Benefit Issuance (FNS-292-B). The Department is also required to support the financial expenditures reported on the FNS-292-B report with source data and files, which includes a P-EBT Summary report that is exported from the Colorado Benefits Management System (CBMS) and includes the number of eligible children, number of eligible households, and total amount paid in P-EBT benefits. The P-EBT summary report is then reconciled by the Department to the County Financial Management System (CFMS), where the counties? issuance of P-EBT program benefits is accumulated and reported. For Fiscal Year 2021, the Department administered more than 70 federal programs and expended approximately $2.4 billion in federal funds. The P-EBT program and Child Care and Development Block Grant (Grant) [ALN 93.575] were two of these federal programs administered by the Department during Fiscal Year 2021. The Department reported more than $292 million in federal expenditures for the P-EBT program and approximately $74 million in federal expenditures for the Grant in Fiscal Year 2021. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to evaluate the Department?s internal controls over the preparation of its Exhibit K1 during Fiscal Year 2021 and to determine whether the Department correctly reported its Fiscal Year 2021 federal grant expenditures to the OSC on its Exhibit K1. The purpose of our audit work was also to evaluate the Department?s internal controls over the financial reporting to the USDA regarding the P-EBT program. As part of our audit testwork, we compared amounts reported by the Department for direct and subrecipient federal expenditures on its Fiscal Year 2021 Exhibit K1 to the underlying financial records in CORE for the Grant and P-EBT federal programs and inquired about any differences. In addition, we made inquiries of Department staff regarding its internal control processes over the Exhibit K1 preparation, including supervisory reviews. We also reviewed 4 out of 12 Fiscal Year 2021 monthly submissions to the USDA for the FNS-292-B reports and compared federal expenditure amounts reported by the Department to the underlying financial records in CORE. How were the results of the audit work measured? The OSC is required to present the State?s SEFA in accordance with the federal requirements of the Uniform Guidance to show the State?s expenditures of federal awards during the fiscal year. Federal regulations [2 CFR 200.38(b)] define a federal award as, ?The instrument setting forth the terms and conditions. The instrument is the grant agreement, cooperative agreement, other agreement for assistance?? Federal regulations [2 CFR 200.510(b)(3) and (4)] require that the SEFA must show both total federal awards expended for each individual federal program, the Assistance Listing Number, and the total amount passed through to subrecipients for each federal program. In order to prepare the SEFA, the OSC requires state departments to submit an Exhibit K1 to report expenditures, receipts, and receivables for each federal grant program administered by the Department during the fiscal year. The OSC?s exhibit instructions include guidelines for completing the Exhibit K1, including defining ?direct and indirect expenditures? as ?all monetary and non-monetary direct and indirect Federal award expenditures,? and ?pass-through expenditures? as ?the amount of all monetary and non-monetary Federal award amounts passed through to a subrecipient.? For the Department?s Grant federal program, subrecipients consist of counties, school districts, and health centers. State Fiscal Rule 1-2, Internal Controls, requires that state departments ?implement internal accounting and administrative controls that reasonably ensure that financial transactions are accurate, reliable, conform to state fiscal rules, and reflect the underlying realities of the accounting transaction (substance rather than form).? Federal regulations [7 CFR 274.4] require the Department to submit an FNS-292-B report in the format prescribed by the USDA with information detailing the P-EBT federal benefit payments. The Department is required to support the information in the report with its underlying records. The FNS-292-B report is identified as a required report within the Department?s State Plan that is approved by the USDA. What problems did the audit work identify? The Department overstated $63.5 million in P-EBT expenditures on its June 2021 FNS-292-B report to USDA that was submitted on August 30, 2021, as well as on the Department?s Exhibit K1 for Fiscal Year 2021. The Department subsequently identified that the FNS-292-B report was misstated and updated and resubmitted the report on September 28, 2021, approximately one month later. The Department, however, did not update its Exhibit K1 for Fiscal Year 2021 to correct the error, because the program staff did not notify the accounting team of the misstatement and need for Exhibit K1 correction. Based on our audit testwork, we also determined that the Department misreported $8.7 million in the Grant?s expenditures as subrecipient, rather than direct, expenditures on its Exhibit K1. Why did these problems occur? The P-EBT program staff did not notify the Department?s accounting team, who prepares the Exhibit K1, of a revision to the FNS-292-B report. The P-EBT program staff prepared the reconciliation of the CBMS summary report to the CFMS P-EBT benefits issued report and identified a variance. The variance was eventually resolved and the P-EBT program staff resubmitted the FNS-292-B report to the USDA; however P-EBT program staff did not communicate this error to the Department?s accounting team. As a result, the accounting team was unaware of the revision and, therefore, did not update the Exhibit K1 to reflect the reduction in federal expenditures. Overall, the Department did not have adequate internal controls, such as an appropriate supervisory review process or adequate communication plan, in place for Fiscal Year 2021 to ensure that the FNS-292-B report was prepared accurately, that the Exhibit K1 was completed in accordance with the instructions provided by the OSC, and that the FNS-292-B and Exhibit K1 were reviewed for accuracy and compared to the underlying data. For the Grant program error, Department staff indicated that these funds were incorrectly identified and coded as subrecipient expenditures in CORE, which caused them to be incorrectly reported as such on the Exhibit K1. When the expenditures were initially posted in CORE, they were not adequately reviewed to determine if they were subrecipient or direct expenditures. Why do these problems matter? By failing to properly report grant expenditures to the federal government and the OSC, who ultimately then fails to properly report expenditures to the federal government on the State?s SEFA, the Department is out of compliance with federal and state reporting requirements and risks federal sanctions. In addition, because the error resulted in the Department misstating its federal expenditure results for the fiscal year, federal staff and taxpayers have an incorrect or unreliable picture of the P-EBT grant?s overall status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-060 The Department of Human Services (Department) should strengthen its internal controls over the preparation of federal reports and the Exhibit K1, Schedule of Federal Assistance, by: A. Strengthening its internal controls over its monthly Pandemic Electronic Benefit Transfer Food Benefits (P-EBT) reporting to ensure its reporting is accurate and goes through supervisory review. B. Improving communication between program and accounting staff to ensure the Exhibit K1 is accurately updated when errors in federal reporting are identified and resolved. C. Improving the supervisory review process over the Exhibit K1 and the federal expenditures entered in the Colorado Operations Resource Engine (CORE), the state?s accounting system, to ensure expenditures are coded correctly as direct or subrecipient expenditures and that, ultimately, the Exhibit K1 is accurate and complete. Response Department of Human Services A. Agree Implementation Date: July 2022 CDHS agrees to enhance internal controls over monthly P-EBT reporting to better ensure accuracy. P-EBT is a new program derived from pandemic funding. Being a new program with a lack of federal guidance at implementation, and urgency to get the funds disbursed program staff had to learn about the nuances of the program and the reporting requirements as it was being implemented. During implementation we recognized that there are some inherent differences with P-EBT from other benefit programs which caused processes to have to be adjusted slightly. Additionally, timing of federal report filing for the P-EBT program is not in synch with our other processes and associated federal reporting requirements and deadlines. This makes it impossible to ensure reconciliation procedures are performed before filing occurs, which is one of our typical internal controls. As a compensating internal control CDHS will ensure that supervisory review processes are performed over P-EBT reporting, and that P-EBT reporting is reconciled to other sources (CBMS and CFMS) as soon as possible after reporting is available. If changes are discovered CDHS will make adjustments to filed P-EBT reports as needed based on reconciliation findings, and communicate changes to necessary parties. B. Agree Implementation Date: July 2022 CDHS will work to ensure better coordination between program activities and the accounting section relating to federal reporting changes. Accounting will iterate the importance of timely informing the accounting staff when changes are made to program filed federal reports. This message will be delivered in periodic fiscal meetings and identified on the closing calendar. The P-EBT program will ensure that corrections are communicated to accounting on any updates completed on the FNS-292-B report upon discovery, and no later than 30 days after the reporting period. C. Agree Implementation Date: July 2022 CDHS will ensure that review and approval processes are occurring as designed at various points in the process leading up to entry into CORE. As part of the Requisition (RQS) approval process program and accounting staff independently approve that the correct direct or subrecipient object code is used. These approved RQS transactions are then transitioned into encumbrance documents that drive which object code future expenditures will be booked to. For CCDF transactions related to this finding, both the OEC and Accounting teams inadvertently approved an incorrect object code in 4 RQS's. Staffing shortages coupled with a large increase in workload related to pandemic funding contributed to this oversight. To correct OEC and Accounting will train new staff, periodically familiarize themselves with the appropriate object codes, and perform quality assurance review over object codes before applying approval in CORE. The K1 is compiled from balances derived from expenditure data recorded in CORE. The compilation of the K1 relies on the fact that expenditure balances are accurate, and that prior reviews and approvals of individual transactions have occurred as designed. The K1 currently goes through various levels of review focusing on balance level validation coupled with analytical procedures. To enhance the review process, CDHS will ensure analytical procedures include line level expenditure comparison at the direct and subrecipient levels.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses were communicated to the Department in the previous year and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-059 Federal Funding Accountability and Transparency Act The Federal Funding Accountability and Transparency Act (Transparency Act or FFATA) was created to empower Americans with the ability to hold the government accountable for each spending decision and, as a result, to reduce wasteful spending by the government. The Transparency Act requires the federal government to make certain information on federal awards available to the public. The Department is required to report information about subgrants, or subawards, given to other governments or to nonprofit organizations, also referred to as subrecipients. Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the Department, to an entity to carry out part of a Federal grant award received by the pass-through entity. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? The Department is required to file FFATA reports through the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Once the Department submits a report to FSRS, the public can view certain information from the report, including the subrecipient?s name, subaward identification number, subaward obligation/action date, subaward amount, federal awarding agency and subagency, the Department?s name, and the Department?s grant award identification number. The Department?s required FFATA reports for Fiscal Year 2021 included information on the Low-Income Home Energy Assistance (LIHEAP), COVID-19 ? Low-Income Home Energy Assistance [ALN 93.568]; the Child Care and Development Fund (CCDF) Cluster, consisting of the Child Care and Development Block Grant [ALN 93.575], and Child Care Mandatory and Matching Funds of the Child Care and Development Fund [ALN 93.596]; and the Block Grant for Prevention and Treatment of Substance Abuse (Substance Abuse), COVID-19 ? Block Grant for Prevention and Treatment of Substance Abuse [ALN 93.959]. FFATA reporting was required for the Department because the Department passed through funds to one or more subrecipients for each of the three programs in excess of $30,000, as follows: LIHEAP funds to one subrecipient, CCDF funds to nine subrecipients, and Substance Abuse funds to seven subrecipients for Fiscal Year 2021. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to evaluate the Department?s internal controls over the FFATA reporting and to determine whether the Department correctly reported its subawards to the FSRS during Fiscal Year 2021. Based on our audit testwork, we reviewed the Department?s subawards and related federal expenditures in Fiscal Year 2021 to determine if there was FFATA reporting that was completed within the month following the month the subaward was made, as required. We compared amounts reported by the Department for subawards in FSRS to the underlying financial records reported in the Colorado Operations Resource Engine (CORE), the state?s accounting system, for the LIHEAP, CCDF, and Substance Abuse programs and inquired about any differences. In addition, we made inquiries of Department staff regarding its internal control processes over the FFATA reporting, including supervisory reviews. We reviewed the following number of subrecipient samples within each program for their internal control over compliance and compliance with FFATA reporting standards: LIHEAP had one sample, CCDF had five samples, and Substance Abuse had five samples. We reviewed the FFATA reports within FSRS for each subrecipient selected for testing to determine if the FFATA report was made in a timely manner in accordance with federal regulations and contained all of the required key data elements. How were the results of the audit work measured? In accordance with federal regulations [2 CFR 170], direct recipients of grants are required to report subawards of $30,000 or more to FSRS by the end of the month following the month in which the award was made. If the Department makes additional subawards greater than or equal to $30,000 under that same subaward at a later date or makes a supplemental award that increases an existing award to greater than or equal to $30,000, it must file additional FFATA reports to reflect the new or amended subaward. If the subaward does not change, no additional reporting is required. The FFATA reports are required to include the following key data elements: subrecipient name, subrecipient DUNS number, amount of subaward, subaward obligation/action date, date of report submission, subaward number, subaward project description, and subrecipient names and compensation of highly compensated officers. The Department?s program staff are responsible for understanding FFATA reporting requirements related to their programs, and providing key data elements for subrecipients at the point that funds are obligated. When program staff determine that the Department is making a subaward that requires FFATA reporting, program staff are required to report these key data elements in eClearance, an approval workflow and document depository system utilized by the Department in their purchasing process. Guidance for the FFATA reporting is included within the Department?s FFATA Quick Reference Guide that is made available to the program staff. Program staff enter the subaward information into eClearance via an online form called a Requisition eForm (eForm), which goes through an approval process and is then routed to the Department?s Purchasing and Contracts unit to process the purchase request that translates into an obligation of an award for subrecipients. Once the eForm is completed processing in eClearance, it is archived in the system and an automated query is run by the Department?s Business Technology Unit to export this data and it is automatically emailed to the Compliance Accounting team on a daily basis. Each day, the Department?s compliance accountant compiles the subaward data emailed to them that originated from eClearance into a daily report. At the end of the month, the compliance accountant combines the daily reports into a monthly summary and compares the monthly summary report to the daily reports to verify the summary report?s accuracy. The compliance accountant uses the information summarized within the monthly report to input the required FFATA information into FSRS, which ultimately is submitted as the required monthly FFATA report. What problems did the audit work identify? Based on our audit testwork, we determined that the Department did not report its subawards in FSRS for any of the three federal grant programs we tested for Fiscal Year 2021: the LIHEAP, CCDF, and Substance Abuse programs. In total, for the three programs, the Department failed to report subawards totaling $5.77 million (approximately $3.04 million for LIHEAP, approximately $861 thousand for CCDF, and approximately $1.87 million for Substance Abuse). The following tables summarize the results of our testing and groups each exception within the following categories: subaward not reported, report not timely, subaward amount incorrect, and subaward missing key elements. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Why did these problems occur? The Department does not have adequate internal controls over the FFATA reporting. Specifically, the Department has not validated the automated process to compile the data needed for the FFATA reports. In addition, the Department has not implemented a supervisory review process of the final FFATA report data that is used to submit the FFATA report via FSRS. We determined that automated reports generated did not include the full population of data needed to compile the FFATA reports. Based on test work, we found that program staff entered key data elements needed for FFATA reporting correctly into the eForm during the purchasing process, and that accounting staff used the data provided in the reports received to complete the FFATA reporting in FSRS. However, the data exported from eClearance and sent to accounting to compile the FFATA reports did not contain all of the population needed for reporting. Thus, accounting was using data that was not complete in the FFATA reporting to FSRS, but was unaware that the data was not complete. Further, when there was incomplete information in the data received, the compliance accountant failed to follow up with the various program staff to obtain the necessary information and input it into and submit it through FSRS. Why do these problems matter? By failing to properly report subawards to FSRS, the Department is out of compliance with federal reporting requirements and risks federal sanctions. In addition, information submitted via the FSRS is made publicly available at https://www.usaspending.gov/search; excluding the information could be misleading to the public and fails to meet the federal intent of transparency for federal program spending. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-059 The Department of Human Service (Department) should strengthen its internal controls over the Federal Funding Accountability and Transparency Act (Transparency Act or FFATA) reporting by: A. Correcting the automated reporting process from eClearance to ensure that data compiled for Transparency Act reporting contains all relevant data. B. Developing and implementing procedures to validate that data derived from eClearance reports and ultimately used to compile Transparency Act reporting is complete and accurate by reviewing the population from an alternate source, such as the Colorado Operations Resource Engine. C. Improving the Department?s supervisory review process to provide for a complete and thorough review of the final FFATA report data that the Department will report within the Federal Funding Accountability and Transparency Act Subaward Reporting System. This process should include taking steps to ensure the compliance accountant follows up with the program staff if the necessary information is not input into eClearance, so that it can be obtained and reported accurately and timely. Response Department of Human Services A. Agree Implementation Date: July 2022 CDHS agrees that it needs to it needs to correct the automated reporting process from the eClearance system used to gather data needed for our FFATA reporting. The department thought that the reports obtained from eClearance were complete and relied on them as the basis of our reporting. Upon investigation we found that an internal process change enacted during the implementation of another system at the start of the pandemic was the cause of the data discrepancy. This occurred because the new system made the routing in eClearance after a certain point unnecessary for internal processing so this stopped. It was unkown that this further routing to archive files in eClearance was the trigger for eClearance to push out FFATA report data. Since the department has been able to identify the cause we are able to immediately remedy the problem and ensure that all processes are in sync to ensure accurate and complete FFATA data is contained in automated reporting processes. The department will catch up on FFATA reporting that was missed during this time frame. B. Agree Implementation Date: July 2022 The department agrees that it needs to implement procedures to validate that data derived from automated processes used as a basis for FFATA reporting should be periodically validated against another data source. To do this the department will create and implement procedures to use CORE reports of encumbrance data referencing subrecipient object codes and tie this to information received from the automated eClearance report. Doing this will validate that the data provided from eClearance is a complete listing of all FFATA reportable subrecipient awards, and thus is a valid source to base FFATA reporting on. This will also help us monitor the process in case any future inadvertent changes are made to processes that could cause data validity issues. C. Agree Implementation Date: July 2022 CDHS agrees that a supervisory review is needed over the FFATA reporting process in order to ensure more consistency, accuracy and timeliness in reporting processes and standards. The department is currently developing procedures that will allow for more oversight of the FFATA reporting through supervisory reviews and cross training staff on FFATA reporting duties. Supervisory reviews will help ensure that reporting is completed in line with reporting procedures and timeframes and can be a second set of eyes to ensure that information appears accurate and adds analytical judgement value (example - a supervisor might see that July typically has high volume, but this July volume is low, why). In addition, the department is taking this opportunity to cross train other staff on the process so that more individuals can be involved which leads to more transparency over processes allowing various individuals to notice if something isn't working as designed. These new procedures are being developed and implemented as the department catches up on reporting subrecipient awards that were missed since the automated process stopped working.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses were communicated to the Department in the previous year and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-060 Misreporting of Federal Expenditures for the COVID-19 ?Pandemic EBT Food Benefits and Child Care and Development Block Grant on the Exhibit K1 Each year, the Department is required to prepare an exhibit containing the Department?s federal expenditures and related reimbursements to aid the Colorado Office of the State Controller (OSC) in the preparation of the State?s Schedule of Expenditures of Federal Awards (SEFA); this exhibit is referred to as the Exhibit K1, Schedule of Federal Assistance. The Exhibit K1 should include expenditures for grants received directly from the federal government and expended by the Department (direct expenditures), as well as expenditures for federal grants passed through by the Department to other State and/or non-State agencies (subrecipient expenditures). The SEFA is to be presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance) to show the State?s expenditures of federal awards during the fiscal year. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Annually, the Department prepares its Exhibit K1 by following a process documented in its program accounting manual. First, program accountants review and analyze information from CORE for the federal Assistance Listing Number (ALN)?s related to the programs they support. The program accountants complete this review using a CORE report that the Department created, pulling transaction detail level data by ALN. Once the reviews and analysis are complete, the program accountants enter the information on the Department?s Exhibit K1 template for the correlating ALN. After the exhibit is prepared, the Department?s program accounting manual requires that it goes through two levels of review for accuracy. Once these reviews are completed, the Department submits the final Exhibit K1 to the OSC. The Department is also separately required within its approved State Plan for the COVID-19 ? Pandemic EBT Food Benefits program [ALN 10.542] (P-EBT) to report its P-EBT federal expenditures to the U.S. Department of Agriculture (USDA) via the Report of Disaster Food Stamp Benefit Issuance (FNS-292-B). The Department is also required to support the financial expenditures reported on the FNS-292-B report with source data and files, which includes a P-EBT Summary report that is exported from the Colorado Benefits Management System (CBMS) and includes the number of eligible children, number of eligible households, and total amount paid in P-EBT benefits. The P-EBT summary report is then reconciled by the Department to the County Financial Management System (CFMS), where the counties? issuance of P-EBT program benefits is accumulated and reported. For Fiscal Year 2021, the Department administered more than 70 federal programs and expended approximately $2.4 billion in federal funds. The P-EBT program and Child Care and Development Block Grant (Grant) [ALN 93.575] were two of these federal programs administered by the Department during Fiscal Year 2021. The Department reported more than $292 million in federal expenditures for the P-EBT program and approximately $74 million in federal expenditures for the Grant in Fiscal Year 2021. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to evaluate the Department?s internal controls over the preparation of its Exhibit K1 during Fiscal Year 2021 and to determine whether the Department correctly reported its Fiscal Year 2021 federal grant expenditures to the OSC on its Exhibit K1. The purpose of our audit work was also to evaluate the Department?s internal controls over the financial reporting to the USDA regarding the P-EBT program. As part of our audit testwork, we compared amounts reported by the Department for direct and subrecipient federal expenditures on its Fiscal Year 2021 Exhibit K1 to the underlying financial records in CORE for the Grant and P-EBT federal programs and inquired about any differences. In addition, we made inquiries of Department staff regarding its internal control processes over the Exhibit K1 preparation, including supervisory reviews. We also reviewed 4 out of 12 Fiscal Year 2021 monthly submissions to the USDA for the FNS-292-B reports and compared federal expenditure amounts reported by the Department to the underlying financial records in CORE. How were the results of the audit work measured? The OSC is required to present the State?s SEFA in accordance with the federal requirements of the Uniform Guidance to show the State?s expenditures of federal awards during the fiscal year. Federal regulations [2 CFR 200.38(b)] define a federal award as, ?The instrument setting forth the terms and conditions. The instrument is the grant agreement, cooperative agreement, other agreement for assistance?? Federal regulations [2 CFR 200.510(b)(3) and (4)] require that the SEFA must show both total federal awards expended for each individual federal program, the Assistance Listing Number, and the total amount passed through to subrecipients for each federal program. In order to prepare the SEFA, the OSC requires state departments to submit an Exhibit K1 to report expenditures, receipts, and receivables for each federal grant program administered by the Department during the fiscal year. The OSC?s exhibit instructions include guidelines for completing the Exhibit K1, including defining ?direct and indirect expenditures? as ?all monetary and non-monetary direct and indirect Federal award expenditures,? and ?pass-through expenditures? as ?the amount of all monetary and non-monetary Federal award amounts passed through to a subrecipient.? For the Department?s Grant federal program, subrecipients consist of counties, school districts, and health centers. State Fiscal Rule 1-2, Internal Controls, requires that state departments ?implement internal accounting and administrative controls that reasonably ensure that financial transactions are accurate, reliable, conform to state fiscal rules, and reflect the underlying realities of the accounting transaction (substance rather than form).? Federal regulations [7 CFR 274.4] require the Department to submit an FNS-292-B report in the format prescribed by the USDA with information detailing the P-EBT federal benefit payments. The Department is required to support the information in the report with its underlying records. The FNS-292-B report is identified as a required report within the Department?s State Plan that is approved by the USDA. What problems did the audit work identify? The Department overstated $63.5 million in P-EBT expenditures on its June 2021 FNS-292-B report to USDA that was submitted on August 30, 2021, as well as on the Department?s Exhibit K1 for Fiscal Year 2021. The Department subsequently identified that the FNS-292-B report was misstated and updated and resubmitted the report on September 28, 2021, approximately one month later. The Department, however, did not update its Exhibit K1 for Fiscal Year 2021 to correct the error, because the program staff did not notify the accounting team of the misstatement and need for Exhibit K1 correction. Based on our audit testwork, we also determined that the Department misreported $8.7 million in the Grant?s expenditures as subrecipient, rather than direct, expenditures on its Exhibit K1. Why did these problems occur? The P-EBT program staff did not notify the Department?s accounting team, who prepares the Exhibit K1, of a revision to the FNS-292-B report. The P-EBT program staff prepared the reconciliation of the CBMS summary report to the CFMS P-EBT benefits issued report and identified a variance. The variance was eventually resolved and the P-EBT program staff resubmitted the FNS-292-B report to the USDA; however P-EBT program staff did not communicate this error to the Department?s accounting team. As a result, the accounting team was unaware of the revision and, therefore, did not update the Exhibit K1 to reflect the reduction in federal expenditures. Overall, the Department did not have adequate internal controls, such as an appropriate supervisory review process or adequate communication plan, in place for Fiscal Year 2021 to ensure that the FNS-292-B report was prepared accurately, that the Exhibit K1 was completed in accordance with the instructions provided by the OSC, and that the FNS-292-B and Exhibit K1 were reviewed for accuracy and compared to the underlying data. For the Grant program error, Department staff indicated that these funds were incorrectly identified and coded as subrecipient expenditures in CORE, which caused them to be incorrectly reported as such on the Exhibit K1. When the expenditures were initially posted in CORE, they were not adequately reviewed to determine if they were subrecipient or direct expenditures. Why do these problems matter? By failing to properly report grant expenditures to the federal government and the OSC, who ultimately then fails to properly report expenditures to the federal government on the State?s SEFA, the Department is out of compliance with federal and state reporting requirements and risks federal sanctions. In addition, because the error resulted in the Department misstating its federal expenditure results for the fiscal year, federal staff and taxpayers have an incorrect or unreliable picture of the P-EBT grant?s overall status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-060 The Department of Human Services (Department) should strengthen its internal controls over the preparation of federal reports and the Exhibit K1, Schedule of Federal Assistance, by: A. Strengthening its internal controls over its monthly Pandemic Electronic Benefit Transfer Food Benefits (P-EBT) reporting to ensure its reporting is accurate and goes through supervisory review. B. Improving communication between program and accounting staff to ensure the Exhibit K1 is accurately updated when errors in federal reporting are identified and resolved. C. Improving the supervisory review process over the Exhibit K1 and the federal expenditures entered in the Colorado Operations Resource Engine (CORE), the state?s accounting system, to ensure expenditures are coded correctly as direct or subrecipient expenditures and that, ultimately, the Exhibit K1 is accurate and complete. Response Department of Human Services A. Agree Implementation Date: July 2022 CDHS agrees to enhance internal controls over monthly P-EBT reporting to better ensure accuracy. P-EBT is a new program derived from pandemic funding. Being a new program with a lack of federal guidance at implementation, and urgency to get the funds disbursed program staff had to learn about the nuances of the program and the reporting requirements as it was being implemented. During implementation we recognized that there are some inherent differences with P-EBT from other benefit programs which caused processes to have to be adjusted slightly. Additionally, timing of federal report filing for the P-EBT program is not in synch with our other processes and associated federal reporting requirements and deadlines. This makes it impossible to ensure reconciliation procedures are performed before filing occurs, which is one of our typical internal controls. As a compensating internal control CDHS will ensure that supervisory review processes are performed over P-EBT reporting, and that P-EBT reporting is reconciled to other sources (CBMS and CFMS) as soon as possible after reporting is available. If changes are discovered CDHS will make adjustments to filed P-EBT reports as needed based on reconciliation findings, and communicate changes to necessary parties. B. Agree Implementation Date: July 2022 CDHS will work to ensure better coordination between program activities and the accounting section relating to federal reporting changes. Accounting will iterate the importance of timely informing the accounting staff when changes are made to program filed federal reports. This message will be delivered in periodic fiscal meetings and identified on the closing calendar. The P-EBT program will ensure that corrections are communicated to accounting on any updates completed on the FNS-292-B report upon discovery, and no later than 30 days after the reporting period. C. Agree Implementation Date: July 2022 CDHS will ensure that review and approval processes are occurring as designed at various points in the process leading up to entry into CORE. As part of the Requisition (RQS) approval process program and accounting staff independently approve that the correct direct or subrecipient object code is used. These approved RQS transactions are then transitioned into encumbrance documents that drive which object code future expenditures will be booked to. For CCDF transactions related to this finding, both the OEC and Accounting teams inadvertently approved an incorrect object code in 4 RQS's. Staffing shortages coupled with a large increase in workload related to pandemic funding contributed to this oversight. To correct OEC and Accounting will train new staff, periodically familiarize themselves with the appropriate object codes, and perform quality assurance review over object codes before applying approval in CORE. The K1 is compiled from balances derived from expenditure data recorded in CORE. The compilation of the K1 relies on the fact that expenditure balances are accurate, and that prior reviews and approvals of individual transactions have occurred as designed. The K1 currently goes through various levels of review focusing on balance level validation coupled with analytical procedures. To enhance the review process, CDHS will ensure analytical procedures include line level expenditure comparison at the direct and subrecipient levels.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses were communicated to the Department in the previous year and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-059 Federal Funding Accountability and Transparency Act The Federal Funding Accountability and Transparency Act (Transparency Act or FFATA) was created to empower Americans with the ability to hold the government accountable for each spending decision and, as a result, to reduce wasteful spending by the government. The Transparency Act requires the federal government to make certain information on federal awards available to the public. The Department is required to report information about subgrants, or subawards, given to other governments or to nonprofit organizations, also referred to as subrecipients. Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the Department, to an entity to carry out part of a Federal grant award received by the pass-through entity. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? The Department is required to file FFATA reports through the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Once the Department submits a report to FSRS, the public can view certain information from the report, including the subrecipient?s name, subaward identification number, subaward obligation/action date, subaward amount, federal awarding agency and subagency, the Department?s name, and the Department?s grant award identification number. The Department?s required FFATA reports for Fiscal Year 2021 included information on the Low-Income Home Energy Assistance (LIHEAP), COVID-19 ? Low-Income Home Energy Assistance [ALN 93.568]; the Child Care and Development Fund (CCDF) Cluster, consisting of the Child Care and Development Block Grant [ALN 93.575], and Child Care Mandatory and Matching Funds of the Child Care and Development Fund [ALN 93.596]; and the Block Grant for Prevention and Treatment of Substance Abuse (Substance Abuse), COVID-19 ? Block Grant for Prevention and Treatment of Substance Abuse [ALN 93.959]. FFATA reporting was required for the Department because the Department passed through funds to one or more subrecipients for each of the three programs in excess of $30,000, as follows: LIHEAP funds to one subrecipient, CCDF funds to nine subrecipients, and Substance Abuse funds to seven subrecipients for Fiscal Year 2021. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to evaluate the Department?s internal controls over the FFATA reporting and to determine whether the Department correctly reported its subawards to the FSRS during Fiscal Year 2021. Based on our audit testwork, we reviewed the Department?s subawards and related federal expenditures in Fiscal Year 2021 to determine if there was FFATA reporting that was completed within the month following the month the subaward was made, as required. We compared amounts reported by the Department for subawards in FSRS to the underlying financial records reported in the Colorado Operations Resource Engine (CORE), the state?s accounting system, for the LIHEAP, CCDF, and Substance Abuse programs and inquired about any differences. In addition, we made inquiries of Department staff regarding its internal control processes over the FFATA reporting, including supervisory reviews. We reviewed the following number of subrecipient samples within each program for their internal control over compliance and compliance with FFATA reporting standards: LIHEAP had one sample, CCDF had five samples, and Substance Abuse had five samples. We reviewed the FFATA reports within FSRS for each subrecipient selected for testing to determine if the FFATA report was made in a timely manner in accordance with federal regulations and contained all of the required key data elements. How were the results of the audit work measured? In accordance with federal regulations [2 CFR 170], direct recipients of grants are required to report subawards of $30,000 or more to FSRS by the end of the month following the month in which the award was made. If the Department makes additional subawards greater than or equal to $30,000 under that same subaward at a later date or makes a supplemental award that increases an existing award to greater than or equal to $30,000, it must file additional FFATA reports to reflect the new or amended subaward. If the subaward does not change, no additional reporting is required. The FFATA reports are required to include the following key data elements: subrecipient name, subrecipient DUNS number, amount of subaward, subaward obligation/action date, date of report submission, subaward number, subaward project description, and subrecipient names and compensation of highly compensated officers. The Department?s program staff are responsible for understanding FFATA reporting requirements related to their programs, and providing key data elements for subrecipients at the point that funds are obligated. When program staff determine that the Department is making a subaward that requires FFATA reporting, program staff are required to report these key data elements in eClearance, an approval workflow and document depository system utilized by the Department in their purchasing process. Guidance for the FFATA reporting is included within the Department?s FFATA Quick Reference Guide that is made available to the program staff. Program staff enter the subaward information into eClearance via an online form called a Requisition eForm (eForm), which goes through an approval process and is then routed to the Department?s Purchasing and Contracts unit to process the purchase request that translates into an obligation of an award for subrecipients. Once the eForm is completed processing in eClearance, it is archived in the system and an automated query is run by the Department?s Business Technology Unit to export this data and it is automatically emailed to the Compliance Accounting team on a daily basis. Each day, the Department?s compliance accountant compiles the subaward data emailed to them that originated from eClearance into a daily report. At the end of the month, the compliance accountant combines the daily reports into a monthly summary and compares the monthly summary report to the daily reports to verify the summary report?s accuracy. The compliance accountant uses the information summarized within the monthly report to input the required FFATA information into FSRS, which ultimately is submitted as the required monthly FFATA report. What problems did the audit work identify? Based on our audit testwork, we determined that the Department did not report its subawards in FSRS for any of the three federal grant programs we tested for Fiscal Year 2021: the LIHEAP, CCDF, and Substance Abuse programs. In total, for the three programs, the Department failed to report subawards totaling $5.77 million (approximately $3.04 million for LIHEAP, approximately $861 thousand for CCDF, and approximately $1.87 million for Substance Abuse). The following tables summarize the results of our testing and groups each exception within the following categories: subaward not reported, report not timely, subaward amount incorrect, and subaward missing key elements. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Why did these problems occur? The Department does not have adequate internal controls over the FFATA reporting. Specifically, the Department has not validated the automated process to compile the data needed for the FFATA reports. In addition, the Department has not implemented a supervisory review process of the final FFATA report data that is used to submit the FFATA report via FSRS. We determined that automated reports generated did not include the full population of data needed to compile the FFATA reports. Based on test work, we found that program staff entered key data elements needed for FFATA reporting correctly into the eForm during the purchasing process, and that accounting staff used the data provided in the reports received to complete the FFATA reporting in FSRS. However, the data exported from eClearance and sent to accounting to compile the FFATA reports did not contain all of the population needed for reporting. Thus, accounting was using data that was not complete in the FFATA reporting to FSRS, but was unaware that the data was not complete. Further, when there was incomplete information in the data received, the compliance accountant failed to follow up with the various program staff to obtain the necessary information and input it into and submit it through FSRS. Why do these problems matter? By failing to properly report subawards to FSRS, the Department is out of compliance with federal reporting requirements and risks federal sanctions. In addition, information submitted via the FSRS is made publicly available at https://www.usaspending.gov/search; excluding the information could be misleading to the public and fails to meet the federal intent of transparency for federal program spending. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-059 The Department of Human Service (Department) should strengthen its internal controls over the Federal Funding Accountability and Transparency Act (Transparency Act or FFATA) reporting by: A. Correcting the automated reporting process from eClearance to ensure that data compiled for Transparency Act reporting contains all relevant data. B. Developing and implementing procedures to validate that data derived from eClearance reports and ultimately used to compile Transparency Act reporting is complete and accurate by reviewing the population from an alternate source, such as the Colorado Operations Resource Engine. C. Improving the Department?s supervisory review process to provide for a complete and thorough review of the final FFATA report data that the Department will report within the Federal Funding Accountability and Transparency Act Subaward Reporting System. This process should include taking steps to ensure the compliance accountant follows up with the program staff if the necessary information is not input into eClearance, so that it can be obtained and reported accurately and timely. Response Department of Human Services A. Agree Implementation Date: July 2022 CDHS agrees that it needs to it needs to correct the automated reporting process from the eClearance system used to gather data needed for our FFATA reporting. The department thought that the reports obtained from eClearance were complete and relied on them as the basis of our reporting. Upon investigation we found that an internal process change enacted during the implementation of another system at the start of the pandemic was the cause of the data discrepancy. This occurred because the new system made the routing in eClearance after a certain point unnecessary for internal processing so this stopped. It was unkown that this further routing to archive files in eClearance was the trigger for eClearance to push out FFATA report data. Since the department has been able to identify the cause we are able to immediately remedy the problem and ensure that all processes are in sync to ensure accurate and complete FFATA data is contained in automated reporting processes. The department will catch up on FFATA reporting that was missed during this time frame. B. Agree Implementation Date: July 2022 The department agrees that it needs to implement procedures to validate that data derived from automated processes used as a basis for FFATA reporting should be periodically validated against another data source. To do this the department will create and implement procedures to use CORE reports of encumbrance data referencing subrecipient object codes and tie this to information received from the automated eClearance report. Doing this will validate that the data provided from eClearance is a complete listing of all FFATA reportable subrecipient awards, and thus is a valid source to base FFATA reporting on. This will also help us monitor the process in case any future inadvertent changes are made to processes that could cause data validity issues. C. Agree Implementation Date: July 2022 CDHS agrees that a supervisory review is needed over the FFATA reporting process in order to ensure more consistency, accuracy and timeliness in reporting processes and standards. The department is currently developing procedures that will allow for more oversight of the FFATA reporting through supervisory reviews and cross training staff on FFATA reporting duties. Supervisory reviews will help ensure that reporting is completed in line with reporting procedures and timeframes and can be a second set of eyes to ensure that information appears accurate and adds analytical judgement value (example - a supervisor might see that July typically has high volume, but this July volume is low, why). In addition, the department is taking this opportunity to cross train other staff on the process so that more individuals can be involved which leads to more transparency over processes allowing various individuals to notice if something isn't working as designed. These new procedures are being developed and implemented as the department catches up on reporting subrecipient awards that were missed since the automated process stopped working.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses were communicated to the Department in the previous year and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-059 Federal Funding Accountability and Transparency Act The Federal Funding Accountability and Transparency Act (Transparency Act or FFATA) was created to empower Americans with the ability to hold the government accountable for each spending decision and, as a result, to reduce wasteful spending by the government. The Transparency Act requires the federal government to make certain information on federal awards available to the public. The Department is required to report information about subgrants, or subawards, given to other governments or to nonprofit organizations, also referred to as subrecipients. Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the Department, to an entity to carry out part of a Federal grant award received by the pass-through entity. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? The Department is required to file FFATA reports through the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Once the Department submits a report to FSRS, the public can view certain information from the report, including the subrecipient?s name, subaward identification number, subaward obligation/action date, subaward amount, federal awarding agency and subagency, the Department?s name, and the Department?s grant award identification number. The Department?s required FFATA reports for Fiscal Year 2021 included information on the Low-Income Home Energy Assistance (LIHEAP), COVID-19 ? Low-Income Home Energy Assistance [ALN 93.568]; the Child Care and Development Fund (CCDF) Cluster, consisting of the Child Care and Development Block Grant [ALN 93.575], and Child Care Mandatory and Matching Funds of the Child Care and Development Fund [ALN 93.596]; and the Block Grant for Prevention and Treatment of Substance Abuse (Substance Abuse), COVID-19 ? Block Grant for Prevention and Treatment of Substance Abuse [ALN 93.959]. FFATA reporting was required for the Department because the Department passed through funds to one or more subrecipients for each of the three programs in excess of $30,000, as follows: LIHEAP funds to one subrecipient, CCDF funds to nine subrecipients, and Substance Abuse funds to seven subrecipients for Fiscal Year 2021. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to evaluate the Department?s internal controls over the FFATA reporting and to determine whether the Department correctly reported its subawards to the FSRS during Fiscal Year 2021. Based on our audit testwork, we reviewed the Department?s subawards and related federal expenditures in Fiscal Year 2021 to determine if there was FFATA reporting that was completed within the month following the month the subaward was made, as required. We compared amounts reported by the Department for subawards in FSRS to the underlying financial records reported in the Colorado Operations Resource Engine (CORE), the state?s accounting system, for the LIHEAP, CCDF, and Substance Abuse programs and inquired about any differences. In addition, we made inquiries of Department staff regarding its internal control processes over the FFATA reporting, including supervisory reviews. We reviewed the following number of subrecipient samples within each program for their internal control over compliance and compliance with FFATA reporting standards: LIHEAP had one sample, CCDF had five samples, and Substance Abuse had five samples. We reviewed the FFATA reports within FSRS for each subrecipient selected for testing to determine if the FFATA report was made in a timely manner in accordance with federal regulations and contained all of the required key data elements. How were the results of the audit work measured? In accordance with federal regulations [2 CFR 170], direct recipients of grants are required to report subawards of $30,000 or more to FSRS by the end of the month following the month in which the award was made. If the Department makes additional subawards greater than or equal to $30,000 under that same subaward at a later date or makes a supplemental award that increases an existing award to greater than or equal to $30,000, it must file additional FFATA reports to reflect the new or amended subaward. If the subaward does not change, no additional reporting is required. The FFATA reports are required to include the following key data elements: subrecipient name, subrecipient DUNS number, amount of subaward, subaward obligation/action date, date of report submission, subaward number, subaward project description, and subrecipient names and compensation of highly compensated officers. The Department?s program staff are responsible for understanding FFATA reporting requirements related to their programs, and providing key data elements for subrecipients at the point that funds are obligated. When program staff determine that the Department is making a subaward that requires FFATA reporting, program staff are required to report these key data elements in eClearance, an approval workflow and document depository system utilized by the Department in their purchasing process. Guidance for the FFATA reporting is included within the Department?s FFATA Quick Reference Guide that is made available to the program staff. Program staff enter the subaward information into eClearance via an online form called a Requisition eForm (eForm), which goes through an approval process and is then routed to the Department?s Purchasing and Contracts unit to process the purchase request that translates into an obligation of an award for subrecipients. Once the eForm is completed processing in eClearance, it is archived in the system and an automated query is run by the Department?s Business Technology Unit to export this data and it is automatically emailed to the Compliance Accounting team on a daily basis. Each day, the Department?s compliance accountant compiles the subaward data emailed to them that originated from eClearance into a daily report. At the end of the month, the compliance accountant combines the daily reports into a monthly summary and compares the monthly summary report to the daily reports to verify the summary report?s accuracy. The compliance accountant uses the information summarized within the monthly report to input the required FFATA information into FSRS, which ultimately is submitted as the required monthly FFATA report. What problems did the audit work identify? Based on our audit testwork, we determined that the Department did not report its subawards in FSRS for any of the three federal grant programs we tested for Fiscal Year 2021: the LIHEAP, CCDF, and Substance Abuse programs. In total, for the three programs, the Department failed to report subawards totaling $5.77 million (approximately $3.04 million for LIHEAP, approximately $861 thousand for CCDF, and approximately $1.87 million for Substance Abuse). The following tables summarize the results of our testing and groups each exception within the following categories: subaward not reported, report not timely, subaward amount incorrect, and subaward missing key elements. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Why did these problems occur? The Department does not have adequate internal controls over the FFATA reporting. Specifically, the Department has not validated the automated process to compile the data needed for the FFATA reports. In addition, the Department has not implemented a supervisory review process of the final FFATA report data that is used to submit the FFATA report via FSRS. We determined that automated reports generated did not include the full population of data needed to compile the FFATA reports. Based on test work, we found that program staff entered key data elements needed for FFATA reporting correctly into the eForm during the purchasing process, and that accounting staff used the data provided in the reports received to complete the FFATA reporting in FSRS. However, the data exported from eClearance and sent to accounting to compile the FFATA reports did not contain all of the population needed for reporting. Thus, accounting was using data that was not complete in the FFATA reporting to FSRS, but was unaware that the data was not complete. Further, when there was incomplete information in the data received, the compliance accountant failed to follow up with the various program staff to obtain the necessary information and input it into and submit it through FSRS. Why do these problems matter? By failing to properly report subawards to FSRS, the Department is out of compliance with federal reporting requirements and risks federal sanctions. In addition, information submitted via the FSRS is made publicly available at https://www.usaspending.gov/search; excluding the information could be misleading to the public and fails to meet the federal intent of transparency for federal program spending. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-059 The Department of Human Service (Department) should strengthen its internal controls over the Federal Funding Accountability and Transparency Act (Transparency Act or FFATA) reporting by: A. Correcting the automated reporting process from eClearance to ensure that data compiled for Transparency Act reporting contains all relevant data. B. Developing and implementing procedures to validate that data derived from eClearance reports and ultimately used to compile Transparency Act reporting is complete and accurate by reviewing the population from an alternate source, such as the Colorado Operations Resource Engine. C. Improving the Department?s supervisory review process to provide for a complete and thorough review of the final FFATA report data that the Department will report within the Federal Funding Accountability and Transparency Act Subaward Reporting System. This process should include taking steps to ensure the compliance accountant follows up with the program staff if the necessary information is not input into eClearance, so that it can be obtained and reported accurately and timely. Response Department of Human Services A. Agree Implementation Date: July 2022 CDHS agrees that it needs to it needs to correct the automated reporting process from the eClearance system used to gather data needed for our FFATA reporting. The department thought that the reports obtained from eClearance were complete and relied on them as the basis of our reporting. Upon investigation we found that an internal process change enacted during the implementation of another system at the start of the pandemic was the cause of the data discrepancy. This occurred because the new system made the routing in eClearance after a certain point unnecessary for internal processing so this stopped. It was unkown that this further routing to archive files in eClearance was the trigger for eClearance to push out FFATA report data. Since the department has been able to identify the cause we are able to immediately remedy the problem and ensure that all processes are in sync to ensure accurate and complete FFATA data is contained in automated reporting processes. The department will catch up on FFATA reporting that was missed during this time frame. B. Agree Implementation Date: July 2022 The department agrees that it needs to implement procedures to validate that data derived from automated processes used as a basis for FFATA reporting should be periodically validated against another data source. To do this the department will create and implement procedures to use CORE reports of encumbrance data referencing subrecipient object codes and tie this to information received from the automated eClearance report. Doing this will validate that the data provided from eClearance is a complete listing of all FFATA reportable subrecipient awards, and thus is a valid source to base FFATA reporting on. This will also help us monitor the process in case any future inadvertent changes are made to processes that could cause data validity issues. C. Agree Implementation Date: July 2022 CDHS agrees that a supervisory review is needed over the FFATA reporting process in order to ensure more consistency, accuracy and timeliness in reporting processes and standards. The department is currently developing procedures that will allow for more oversight of the FFATA reporting through supervisory reviews and cross training staff on FFATA reporting duties. Supervisory reviews will help ensure that reporting is completed in line with reporting procedures and timeframes and can be a second set of eyes to ensure that information appears accurate and adds analytical judgement value (example - a supervisor might see that July typically has high volume, but this July volume is low, why). In addition, the department is taking this opportunity to cross train other staff on the process so that more individuals can be involved which leads to more transparency over processes allowing various individuals to notice if something isn't working as designed. These new procedures are being developed and implemented as the department catches up on reporting subrecipient awards that were missed since the automated process stopped working.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses were communicated to the Department in the previous year and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-059 Federal Funding Accountability and Transparency Act The Federal Funding Accountability and Transparency Act (Transparency Act or FFATA) was created to empower Americans with the ability to hold the government accountable for each spending decision and, as a result, to reduce wasteful spending by the government. The Transparency Act requires the federal government to make certain information on federal awards available to the public. The Department is required to report information about subgrants, or subawards, given to other governments or to nonprofit organizations, also referred to as subrecipients. Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the Department, to an entity to carry out part of a Federal grant award received by the pass-through entity. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? The Department is required to file FFATA reports through the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Once the Department submits a report to FSRS, the public can view certain information from the report, including the subrecipient?s name, subaward identification number, subaward obligation/action date, subaward amount, federal awarding agency and subagency, the Department?s name, and the Department?s grant award identification number. The Department?s required FFATA reports for Fiscal Year 2021 included information on the Low-Income Home Energy Assistance (LIHEAP), COVID-19 ? Low-Income Home Energy Assistance [ALN 93.568]; the Child Care and Development Fund (CCDF) Cluster, consisting of the Child Care and Development Block Grant [ALN 93.575], and Child Care Mandatory and Matching Funds of the Child Care and Development Fund [ALN 93.596]; and the Block Grant for Prevention and Treatment of Substance Abuse (Substance Abuse), COVID-19 ? Block Grant for Prevention and Treatment of Substance Abuse [ALN 93.959]. FFATA reporting was required for the Department because the Department passed through funds to one or more subrecipients for each of the three programs in excess of $30,000, as follows: LIHEAP funds to one subrecipient, CCDF funds to nine subrecipients, and Substance Abuse funds to seven subrecipients for Fiscal Year 2021. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to evaluate the Department?s internal controls over the FFATA reporting and to determine whether the Department correctly reported its subawards to the FSRS during Fiscal Year 2021. Based on our audit testwork, we reviewed the Department?s subawards and related federal expenditures in Fiscal Year 2021 to determine if there was FFATA reporting that was completed within the month following the month the subaward was made, as required. We compared amounts reported by the Department for subawards in FSRS to the underlying financial records reported in the Colorado Operations Resource Engine (CORE), the state?s accounting system, for the LIHEAP, CCDF, and Substance Abuse programs and inquired about any differences. In addition, we made inquiries of Department staff regarding its internal control processes over the FFATA reporting, including supervisory reviews. We reviewed the following number of subrecipient samples within each program for their internal control over compliance and compliance with FFATA reporting standards: LIHEAP had one sample, CCDF had five samples, and Substance Abuse had five samples. We reviewed the FFATA reports within FSRS for each subrecipient selected for testing to determine if the FFATA report was made in a timely manner in accordance with federal regulations and contained all of the required key data elements. How were the results of the audit work measured? In accordance with federal regulations [2 CFR 170], direct recipients of grants are required to report subawards of $30,000 or more to FSRS by the end of the month following the month in which the award was made. If the Department makes additional subawards greater than or equal to $30,000 under that same subaward at a later date or makes a supplemental award that increases an existing award to greater than or equal to $30,000, it must file additional FFATA reports to reflect the new or amended subaward. If the subaward does not change, no additional reporting is required. The FFATA reports are required to include the following key data elements: subrecipient name, subrecipient DUNS number, amount of subaward, subaward obligation/action date, date of report submission, subaward number, subaward project description, and subrecipient names and compensation of highly compensated officers. The Department?s program staff are responsible for understanding FFATA reporting requirements related to their programs, and providing key data elements for subrecipients at the point that funds are obligated. When program staff determine that the Department is making a subaward that requires FFATA reporting, program staff are required to report these key data elements in eClearance, an approval workflow and document depository system utilized by the Department in their purchasing process. Guidance for the FFATA reporting is included within the Department?s FFATA Quick Reference Guide that is made available to the program staff. Program staff enter the subaward information into eClearance via an online form called a Requisition eForm (eForm), which goes through an approval process and is then routed to the Department?s Purchasing and Contracts unit to process the purchase request that translates into an obligation of an award for subrecipients. Once the eForm is completed processing in eClearance, it is archived in the system and an automated query is run by the Department?s Business Technology Unit to export this data and it is automatically emailed to the Compliance Accounting team on a daily basis. Each day, the Department?s compliance accountant compiles the subaward data emailed to them that originated from eClearance into a daily report. At the end of the month, the compliance accountant combines the daily reports into a monthly summary and compares the monthly summary report to the daily reports to verify the summary report?s accuracy. The compliance accountant uses the information summarized within the monthly report to input the required FFATA information into FSRS, which ultimately is submitted as the required monthly FFATA report. What problems did the audit work identify? Based on our audit testwork, we determined that the Department did not report its subawards in FSRS for any of the three federal grant programs we tested for Fiscal Year 2021: the LIHEAP, CCDF, and Substance Abuse programs. In total, for the three programs, the Department failed to report subawards totaling $5.77 million (approximately $3.04 million for LIHEAP, approximately $861 thousand for CCDF, and approximately $1.87 million for Substance Abuse). The following tables summarize the results of our testing and groups each exception within the following categories: subaward not reported, report not timely, subaward amount incorrect, and subaward missing key elements. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Why did these problems occur? The Department does not have adequate internal controls over the FFATA reporting. Specifically, the Department has not validated the automated process to compile the data needed for the FFATA reports. In addition, the Department has not implemented a supervisory review process of the final FFATA report data that is used to submit the FFATA report via FSRS. We determined that automated reports generated did not include the full population of data needed to compile the FFATA reports. Based on test work, we found that program staff entered key data elements needed for FFATA reporting correctly into the eForm during the purchasing process, and that accounting staff used the data provided in the reports received to complete the FFATA reporting in FSRS. However, the data exported from eClearance and sent to accounting to compile the FFATA reports did not contain all of the population needed for reporting. Thus, accounting was using data that was not complete in the FFATA reporting to FSRS, but was unaware that the data was not complete. Further, when there was incomplete information in the data received, the compliance accountant failed to follow up with the various program staff to obtain the necessary information and input it into and submit it through FSRS. Why do these problems matter? By failing to properly report subawards to FSRS, the Department is out of compliance with federal reporting requirements and risks federal sanctions. In addition, information submitted via the FSRS is made publicly available at https://www.usaspending.gov/search; excluding the information could be misleading to the public and fails to meet the federal intent of transparency for federal program spending. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-059 The Department of Human Service (Department) should strengthen its internal controls over the Federal Funding Accountability and Transparency Act (Transparency Act or FFATA) reporting by: A. Correcting the automated reporting process from eClearance to ensure that data compiled for Transparency Act reporting contains all relevant data. B. Developing and implementing procedures to validate that data derived from eClearance reports and ultimately used to compile Transparency Act reporting is complete and accurate by reviewing the population from an alternate source, such as the Colorado Operations Resource Engine. C. Improving the Department?s supervisory review process to provide for a complete and thorough review of the final FFATA report data that the Department will report within the Federal Funding Accountability and Transparency Act Subaward Reporting System. This process should include taking steps to ensure the compliance accountant follows up with the program staff if the necessary information is not input into eClearance, so that it can be obtained and reported accurately and timely. Response Department of Human Services A. Agree Implementation Date: July 2022 CDHS agrees that it needs to it needs to correct the automated reporting process from the eClearance system used to gather data needed for our FFATA reporting. The department thought that the reports obtained from eClearance were complete and relied on them as the basis of our reporting. Upon investigation we found that an internal process change enacted during the implementation of another system at the start of the pandemic was the cause of the data discrepancy. This occurred because the new system made the routing in eClearance after a certain point unnecessary for internal processing so this stopped. It was unkown that this further routing to archive files in eClearance was the trigger for eClearance to push out FFATA report data. Since the department has been able to identify the cause we are able to immediately remedy the problem and ensure that all processes are in sync to ensure accurate and complete FFATA data is contained in automated reporting processes. The department will catch up on FFATA reporting that was missed during this time frame. B. Agree Implementation Date: July 2022 The department agrees that it needs to implement procedures to validate that data derived from automated processes used as a basis for FFATA reporting should be periodically validated against another data source. To do this the department will create and implement procedures to use CORE reports of encumbrance data referencing subrecipient object codes and tie this to information received from the automated eClearance report. Doing this will validate that the data provided from eClearance is a complete listing of all FFATA reportable subrecipient awards, and thus is a valid source to base FFATA reporting on. This will also help us monitor the process in case any future inadvertent changes are made to processes that could cause data validity issues. C. Agree Implementation Date: July 2022 CDHS agrees that a supervisory review is needed over the FFATA reporting process in order to ensure more consistency, accuracy and timeliness in reporting processes and standards. The department is currently developing procedures that will allow for more oversight of the FFATA reporting through supervisory reviews and cross training staff on FFATA reporting duties. Supervisory reviews will help ensure that reporting is completed in line with reporting procedures and timeframes and can be a second set of eyes to ensure that information appears accurate and adds analytical judgement value (example - a supervisor might see that July typically has high volume, but this July volume is low, why). In addition, the department is taking this opportunity to cross train other staff on the process so that more individuals can be involved which leads to more transparency over processes allowing various individuals to notice if something isn't working as designed. These new procedures are being developed and implemented as the department catches up on reporting subrecipient awards that were missed since the automated process stopped working.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-063 Higher Education Emergency Relief Fund Reporting Compliance Finding The CARES Act was signed into law on March 27, 2020, and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the (HEERF Program. CRRSAA was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Since April 2020, the University has been awarded a total of $86.3 million in HEERF funding. From inception through June 30, 2022, the University spent $35.4 million for the HEERF program Student Aid Portion and $48.9 million for the HEERF program Institutional Portion. The University reports that it will spend the remaining amount of funding during Fiscal Year 2023. The University signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate the University?s acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The ED specified that Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The annual report is to be submitted directly to the federal ED. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University had adequate internal controls in place over and complied with HEERF Institutional and Student Aid Portion grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the University?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 5 of the 8 HEERF reports submitted by the University during Fiscal Year 2022 to determine whether the reports were posted on the University?s primary website or submitted directly to the ED by the federal due dates and complied with federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? For the Student Aid Portion, beginning on May 6, 2020, the ED required institutions to publicly post certain information on their website, including the number of awards distributed to students, the total amount awarded, and the methodologies used by the institution to determine which students receive awards, no later than 30 days after the award date, and to update that information every 45 days thereafter (by posting a new report). ? On August 31, 2020, the ED revised the reporting requirement by decreasing the frequency of reporting after the initial 30-day period from every 45 days thereafter to every calendar quarter. This revision from every 45 days to a calendar quarter was effective for the first calendar quarter report due by October 10, 2020, and covering the period from after the institution?s last report through the end of the calendar quarter on September 30, 2020. ? For the Institutional Portion, a federal form filled out by the institution must be posted on the institution?s website covering aggregate expenditure amounts for each calendar quarter (September 30, December 31, March 31, and June 30) and concluding after an institution has spent the institutional portion of their HEERF Funds. The institution must post their first report by October 30, 2020, the first quarter of 2021 report by July 20, 2021, and post all other reports no later than 10 days after the end of each calendar quarter (October 10, January 10, April 10, and July 10). ? Section 18004(e) of the CARES Act and Section 314(e) of the CRRSAA require an institution receiving funds under HEERF to submit a report to the Secretary of the ED at ?such time in such a manner as the Secretary may require?. ? Federal regulation [2 CFR 200.334] states that ?financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.? The instructions for the Quarterly HEERF Reporting Form notes, ?any changes or updates after the initial posting must be conspicuously noted after initial posting and the date of the change must be noted in the `Date of Report? line.? ? Federal regulation [2 CFR 200.303] states that the University, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The University signed a HEERF Certification and Agreement to accept the funding and acknowledge its responsibilities under the grant; therefore, the University was responsible under the Agreement to ensure that it complied with HEERF reporting and other requirements. What problems did the audit work identify? We determined that 2 out of 5 reports tested (40 percent) did not meet the HEERF grant report posting requirements. Specifically: ? The University did not post the HEERF CRRSAA Student quarterly report for the quarter ending September 30, 2021 on the University?s primary website, as required. ? The University published the HEERF ARP Student quarterly report for the quarter ending March 31, 2022 on May 26, 2022?46 days past the due date of April 10, 2022. No issues were noted on the accuracy of the financial information on this report. Why did these problems occur? The University did not implement adequate internal controls to ensure it complied with the HEERF grant reporting requirements. Specifically, the University did not have appropriate policies and procedures in place to ensure that staff submit the required reports within federally required timeframes. Why do these problems matter? Federal oversight agencies, including ED, depend on accurate reports to measure program results and states? compliance with federal requirements. By failing to report the HEERF spending information in accordance with federal regulations, the University failed to comply with the requirements of the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-063 Metropolitan State University of Denver (University) should strengthen its internal controls over reporting and ensure it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by developing and documenting policies and procedures for identifying and researching the specific reporting requirements and ensuring that staff post to the University?s website the required reports within federally required timeframes. In addition, the University should ensure that all the HEERF reports that are currently required to be posted are on the website. Response Metropolitan State University Agree Implementation Date: December 2022 In December 2022, the Office of Financial Aid strengthened its internal control over the reporting requirements for the Higher Education Emergency Relief Fund (HEERF), by adding the report due dates to the internal operational calendar. Additional level reviews were also added to the submission process before the required reports will be sent to the Department of Education and posted on the financial aid website.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-059 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF I) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund (Assistance Listing No. 84.425). The HEERF program contains two portions: the Student Aid portion (Assistance Listing No. 84.425E) and the Institutional portion, which is made up of the following: HEERF Institutional Aid Portion (Assistance Listing No. 84.425F), HEERF Minority Serving Institutions (Assistance Listing No. 84.425L), HEERF Strengthening Institutions Program (Assistance Listing No. 84.425M), Institutional Resilience and Expanded Postsecondary Opportunity (Assistance Listing No. 84.425P), and HEERF Supplemental Assistance to Institutions of Higher Education program (Assistance Listing No. 84.425S). Amounts provided to students through HEERF are considered to be ?Emergency Financial Aid Grants to Students? under the Program. Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent approximately $97.8 million for the HEERF program Student Aid portion which is used to award Emergency Financial Aid Grants to students and $113.9 million for the HEERF Institutional Portion, which is used to support the colleges. $117.3 of this amount was expended by the System during Fiscal Year 2022. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the ED to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The annual report is to be submitted directly to the ED. The ED has specified certain criteria that must be included in each report. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System had adequate internal controls in place over, and complied with, the HEERF Institutional and Student Aid grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the System?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 25 of the 117 HEERF reports submitted by the System?s campuses during Fiscal Year 2022 to determine whether the reports were posted on each campus? primary website (quarterly reports) or submitted to ED (annual reports) by the federal due dates. Furthermore, for the Student Aid Quarterly Report we requested from each Campus the underlying support for the reports, which consisted of student data detailing how much aid was awarded and the methods the campuses used to determine which students would receive Emergency Financial Aid Grants. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? On May 13, 2021, the ED published in the Federal Register a notice for student aid public reporting under CRRSAA and ARP, which requires that institutions publicly post certain information on their website. The following information must appear in a format and location that is easily accessible to the public: o An acknowledgement that the institution signed and returned to the ED the Certification and Agreement and the assurance that the institution has used the applicable amount of funds designated under the CRRSAA and ARP programs to provide Emergency Financial Aid Grants to Students. o The total amount of funds that the institution will receive or has received from the ED pursuant to the institution's Certification and Agreement for Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total amount of Emergency Financial Aid Grants distributed to students under the CRRSAA and ARP programs as of the date of submission (i.e., as of the initial report and every calendar quarter thereafter). o The estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total number of students who have received an Emergency Financial Aid Grant to students under the CRRSAA and ARP programs. o The method(s) used by the institution to determine which students receive Emergency Financial Aid Grants and how much they would receive under the CRRSAA and ARP programs. o Any instructions, directions, or guidance provided by the institution to students concerning the Emergency Financial Aid Grants. ? Federal Uniform Guidance [2 CFR 200.303] requires that recipients of federal awards have internal controls in place to ensure that federal reports are accurate and report complete information. Appropriate supporting documentation is evidence of such internal controls. What problems did the audit work identify? We identified issues with 5 of the 25 Fiscal Year 2022 reports we tested (20 percent). Specifically, Front Range Community College (FRCC), Pueblo Community College (PCC), and Lamar Community College (LCC) could not provide appropriate supporting documentation for one or more of the following data elements in five of the Student Aid Quarterly Reports: student data detailing (a) the total amount of Emergency Financial Aid Grants distributed to students, (b) the total number of students eligible to receive Emergency Financial Aid Grants and/or (c) the total number of students at the institution who have received an Emergency Financial Aid Grant. The specific issues we found the following: ? FRCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended September 30, 2021 as 20,684; based on our review, we determined the supported number was 20,782. ? FRCC reported the total number of students at the institution who have received an Emergency Financial Aid Grant for the quarter ended June 30, 2022 as 20,385 (student portion) and 3,207 (institutional portion); based on our review, we determined the supported numbers were 20,401 and 3,222, respectively. ? LCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended June 30, 2022 as 1,007; based on our review, we determined the supported number was 1,034. In addition, the amount disbursed directly to student emergency financial aid grants to date was reported as 961 and total for all HEERF funds was 1,124; based on our review, we determined the supported numbers were 988 and 1,151, respectively. ? PCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarters ending September 30, 2021 and December 31, 2021 as 3,191; based on our review, we determined this amount could not be supported and PCC did not provide a revised count. Why did these problems occur? FRCC, PCC, and LCC campuses did not have procedures in place to ensure that supporting documentation was maintained for its Student Aid Quarterly Reporting. Employee turnover in the FRCC Controller position and FRCC, PCC, and LCC Student Financial Aid Director positions further contributed to FRCC, PCC, and LCC?s inability to locate or recreate the supporting documentation. Why do these problems matter? It is important for FRCC, PCC, and LCC to ensure that they obtain and maintain appropriate documentation to support amounts reported to federal awarding agencies, especially when they are the basis for determining FRCC, PCC, and LCC?s compliance with specific federal program requirements. This issue could lead to inaccurate federal reporting and potential noncompliance, which could result in the federal government requiring FRCC, PCC, and LCC to return funds or a negative impact to the System?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-059 Front Range Community College, Lamar Community College, and Pueblo Community College campuses should strengthen their internal controls over federal reporting and ensure they comply with the Higher Education Emergency Relief Fund reporting requirements by reviewing reports for accuracy and developing procedures for ensuring the required maintenance of all related supporting documentation. Response Front Range Community College Agree Implementation Date: September 2022 Moving forward the Director of Financial Aid will engage the Restricted Funds Accountants in a quality assurance review of both dollars spent, type of fund, and student counts before it is submitted for final review and publishing by the Director of Resource Development and Senior Grant Administrator. The most recently submitted information for the quarterly report of September 30, 2022 will be sent to the Restricted Funds Accountants to validate that FRCC has been and will continue to be in compliance for quarterly HEERF reporting. Response Lamar Community College Agree Implementation Date: July 2022 The Financial Aid Director and the Controller will compile their reporting support on the shared drive they utilize for other routine purposes as well, to ensure clear documentation of the numbers reported. The original report containing errors was corrected, validated, and reposted. All past year?s reporting data was made available on the shared drive as of July 2022. Response Pueblo Community College Agree Implementation Date: October 2022 Each quarter Financial aid will obtain and compare Cognos and Banner disbursement reports for accuracy. Once the unduplicated student count is determined it will be sent to the Vice President of Student Success to validate and approve going forward. Financial aid will ensure staff maintain supporting documentation for any institutional expenditures information that was obtained from the fiscal office. Disbursement and expenditure data will be compiled for the Department of Education?s Quarterly Report by the submission deadline and will be submitted as PDF to webmaster for posting on PCC?s website and a copy emailed to a contact at the Department of Education and will archive the submission for future reference.
Finding 2022-062 Higher Education Emergency Relief Fund Student Aid Finding The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to higher education institutions, including the University, under the HEERF program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA) was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. Since March 11, 2021, the University has been awarded $45.6 million in HEERF grant funds through the American Rescue Plan (ARP), otherwise known as HEERF III. Of this award, the University was provided both 1) Student Aid monies, along with 2) Institutional Aid monies. Student Aid monies must be used to provide financial aid grants to students (including students exclusively enrolled in distance education), which may be used for ?any component of the student?s cost of attendance or for emergency costs that arise due to coronavirus, such as tuition, food, housing, healthcare (including mental health care), or childcare. Institutional Aid monies may be used to defray expenses associated with coronavirus (including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll) and to make additional financial grants to students. During Fiscal Year 2022, the University spent $21.0 million for the Student Aid portion and $20.2 million for the Institutional portion of HEERF III funds. For the Student Aid portion of the HEERF III funding, the University divided the funding into different groups. The University developed a written plan (that applied during Fiscal Year 2022) for each group and a control process for awarding the monies to students. One of the groups of funding was to be awarded to students with unpaid balances in their tuition or auxiliary accounts with past due balances incurred during the 2020-2021 or 2021-2022 academic years. A team of University employees (CARES Team) was tasked with identifying those students, then contacting those students and asking if they would like the University to apply the student?s HEERF award to pay down the student?s account balance or pay it to the student directly. Once the student informed the University of their election, then the University awarded and disbursed the funds. What was the purpose of our audit work and what was performed? The purpose of the audit work was to determine whether the University was in compliance with the HEERF program regulations for awarding and paying the Student Aid portion of the HEERF funding, and whether proper controls were in place over the program during Fiscal Year 2022. Our testing included conducting interviews with management and selecting a sample of 60 disbursements made to students during Fiscal Year 2022 to test controls and compliance. We performed testing on the 60 disbursements to determine whether awards and disbursements were made in accordance with the University?s documented plan. How were the results of the audit work measured? In accordance with HEERF III requirements, the University must prioritize student aid distributions to students with exceptional needs. In addition, the University must have a documented plan to distribute funds to students. Federal regulations [2 CFR 200.303] require any non-federal grant award recipient to establish and maintain effective internal control over the federal award that provides reasonable assurance that the grant award recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. Lastly, student aid application best practices discourage employees from awarding aid to family members. What problem did the audit work identify? Based on interviews with University management, the University identified that a University employee inappropriately provided $700 in HEERF Student Aid funding to the employee?s family member who was a student at the University but was not eligible to receive the funds. Specifically, the CARES Team selected students to receive these funds that met the following criteria: 1) Student was enrolled in the Fall of 2021 or Spring 2022, 2) student had past due balances incurred during the 2020-2021 or 2021-2022 academic years, 3) the student was in good academic standing, and 4) they were participating in a payment plan or in the College Completion Advising program. The student was not selected by the CARES Team as eligible to receive these funds. During our testing of additional 60 student disbursement transactions we found no other exceptions. Why did this problem occur? The University has not established proper segregation of duties to prevent University employees from awarding federal funding to a member of their family. Specifically, the employee had access rights within the University?s financial aid system that granted the employee the ability to both award and disburse federal funds without another employee reviewing or approving. In addition, the University did not have a written policy, as recommended by industry best practices, that prohibits employees from applying aid to family members? accounts. Why does this problem matter? Federal funds that are misapplied or used for unallowable purposes could be subject to repayment from the University to the federal granting agency. Without ensuring adequate segregation of duties within the University?s financial aid system for awarding and disbursing federal funds, the University increases the risk that fraud could occur. In the instance identified, the University recovered the funding from the student. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-062 Metropolitan State University of Denver (University) should improve its internal controls over federal Higher Education Emergency Relief Funds by instituting appropriate segregation of duties over the awarding of federal funds to students. This should include requiring that no one employee can both award then disburse aid to students and developing and implementing a formal written policy that prohibits University employees from awarding financial aid to their family members. Response Metropolitan State University Agree Implementation Date: June 2023 In January 2023, the Executive Director of Financial Aid and Scholarships implemented a code of conduct that addresses and prohibits University personnel from awarding financial aid to their family members or other persons considered conflicts of interest. The Office of Financial Aid and Scholarships will draft policy by June 30, 2023, to address the segregation of duties that prohibits awarding and disbursing federal, state, or institutional funding to students by one employee.
Finding 2022-064 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide emergency financial assistance to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the University under the Higher Education Emergency Relief Fund (HEERF I) Program. The federal Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the federal American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Each of the University?s campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (DOE) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements of the HEERF program there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The DOE specified that the Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The University?s campuses are required to submit the annual report directly to the DOE. During Fiscal Year 2022, each University campus was required to complete and post 8 reports (four Student Aid and four Institutional) to their website. During Fiscal Year 2022, the University?s three campuses in total expended approximately $60 million in HEERF grant funds: $27 million was expended by the Boulder campus, $10.5 million was expended by the Colorado Springs campus, and $22.5 million was expended by the Denver campus. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over and complied with the HEERF grant reporting requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls over the HEERF grant reporting requirements. In addition, we tested 11 of the 12 student reports and 3 of the 12 institutional reports posted by the University during Fiscal Year 2022 to determine whether the University campuses posted the required information on each campus? website accurately, and by the federal due dates. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? The DOE issued a notice on May 13, 2021, requiring institutions to publicly post their required HEERF reports on the institution?s website as soon as possible, but no later than 30 days after the publication of the notice, or 30 days after the date the DOE first obligated funds under HEERF I, II, or III to the institution for emergency financial assistance to students; whichever comes later. The institution is required to post the report no later than 10 days after the end of each calendar quarter, after the initial posting. ? Federal regulation [2 CFR 200.303] states that the System?s campuses, as federal grant recipients, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? What problem did the audit work identify? We identified 2 out of the 14 reports tested (14.3 percent) that did not meet the HEERF grant report posting requirements. Specifically, the University of Colorado, Colorado Springs Campus, did not post the required information for the HEERF Student Aid Portion on its website for two of four quarters of Fiscal Year 2022 timely. First, the University posted the quarter-ending September 30, 2021 report to its website on December 23, 2021, or 74 days after the deadline of October 10. Second, the University did not post the quarter-ending March 31, 2022 report, which was due April 10, 2022, until October 2022, after we notified them of the error; this was approximately 6 months late. We did not identify any issues with the accuracy of the reports, and we found that the other two campuses in the University of Colorado System posted the required information on their respective websites as required by federal regulations. Why did this problem occur? The University?s Colorado Springs campus did not have adequate internal controls in place to ensure it complied with the HEERF grant reporting requirements. Specifically, the Colorado Springs Campus did not have appropriate policies and procedures in place for identifying and researching changes in HEERF reporting requirements. The federal government updated and provided a new form for HEERF reporting in September 2021 that included a section for institutional information but inadvertently excluded student information from the form. Because the form no longer required the student information, the Colorado Springs campus staff inaccurately assumed that the student information was no longer required to be reported. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in the DOE Certification and Agreement that is signed and agreed to by the University. By failing to report required information in accordance with federal regulations, the University failed to comply with the requirements of the HEERF program and potentially risks repercussions from the DOE as specified in the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-064 The University of Colorado?s Colorado Springs campus should strengthen its internal controls over and ensure that it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by establishing policies and procedures for identifying and researching changes in HEERF reporting requirements and posting reports to the campus website as required by federal regulations. Response University of Colorado Agree Implementation Date: Implemented Management agrees. After the notification of the missing HEERF report in December 2021, the UCCS Controller proposed a ?cross-check? process to ensure all future reporting is in compliance and reported in a timely manner. This process is used for both the quarterly and annual reporting process. In the quarterly reporting process, the UCCS Controller completes the institutional report and emails the report to the UCCS Financial Aid office Senior Executive Director for verification of the amounts and the data submitted. The Senior Executive Director then enters the student aid portion?s information and provides this to the UCCS Controller for verification of the data. Once verified, the report is uploaded to the UCCS website and a confirmation email is sent to the UCCS Controller as well as the heerfreporting@ed.gov for verification of completion of the website posting. This process has been duplicated with the annual reporting process. Before the annual report is submitted a review will be done to verify the report figures match the CU financials for the calendar year.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Finding 2022-076 Compliance with Federal Subrecipient Monitoring Requirements The Department receives federal grant funds directly from the federal government for the Highway Planning and Construction Program (Program) and then subgrants, or passes through, a portion of the funds to cities and counties and other organizations that are considered to be either a subrecipient or a contractor. A subrecipient is a non-federal entity that expends federal awards received from a pass-through entity to carry out a federal program, but does not include an individual that is a beneficiary receiving direct payments from such a program. A contractor is a dealer, distributor, merchant, or other seller providing goods or services that are required to conduct a federal program; these goods or services may be for an organization?s own use or for the use of beneficiaries of the federal program. The Department executes an Intergovemental Agreement (IGA) between the Department and the subrecipient. Under Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), the Department is responsible for evaluating each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward and for ultimately ensuring the subrecipient is determined eligible. In some instances, in coordination with the Federal Highway Association (FHWA), a Metropolitan Planning Organization (MPO)? rather than the primary recipient, such as the Department?is responsible for performing eligibility determinations. As such, in those instances, the Department does not perform risk-assessments on these contracts and only is responsible for on-going monitoring. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department had effective internal controls in place and complied with subrecipient monitoring activities for the Program during Fiscal Year 2022. As part of our audit work, we reviewed the Department?s internal controls over compliance for subrecipient monitoring requirements for the Program, including the Department?s policies and procedures. We tested a random sample of 25 of the Department?s 92 subrecipients (27 percent) for the Program?for which the Department had an IGA in place during Fiscal Year 2022?to determine whether subrecipient monitoring procedures performed by Department staff during the year were compliant with federal regulations. Our testing included evaluating whether the Department performed risk assessments and determined the appropriate level of subrecipient monitoring for the entities, as required by federal Uniform Guidance. How were the results of the audit work measured? Our audit work was designed to measure the Department?s compliance with the following criteria: ? Federal regulations [2 CFR 200.303] state that the Department, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? ? Federal regulations [2 CFR 200.332(b)] also state that the Department must evaluate each subrecipient?s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward and may include various factors. ? Federal regulations [2 CFR 200.332(d) through (f)] and [2 CFR 200.521] further require the Department to monitor the activities of its subrecipients, as necessary, to ensure that each subaward is used for authorized purposes, the subrecipient complies with the terms and conditions of the subaward, and that the subrecipient achieves performance goals. The Department?s monitoring must include: o Reviewing financial and programmatic reports submitted by the subrecipient o Following-up on and ensuring the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award o Issuing a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity What problems did the audit work identify? We determined that the Department did not comply with subrecipient monitoring requirements for the Highway Planning and Construction Program during Fiscal Year 2022, as noted below: ? The Department did not perform a risk assessment for 6 of the 25 subrecipients (24 percent) we tested, including subrecipients where eligibility was determined by a MPO. ? The Department improperly included one vendor in our population of subrecipients. The nature of services provided by the vendor was personal services, therefore, did not require the execution of an IGA. ? The Department did not provide supporting documentation for reviews of any Fiscal Year 2022 financial and programmatic reports. As a result, we were unable to determine if any reviews were conducted during the fiscal year, as required. Why did these problems occur? While the Department has created a subrecipient monitoring and risk assessment manual, the manual lacks clarity in a variety of areas, including the following: ? For contracts which extend over multiple fiscal years, the policies do not specify the frequency in which subrecipient risk-assessment should be reviewed or updated. ? There are multiple types of subrecipient contracts for which the full risk-assessment process may not be applicable, however, the current policies do not address acceptable exceptions to the policy. ? The Department?s current policies do not include guidance related to the review of financial and programmatic reports, including the extent to which required programmatic and financial reports should be obtained and reviewed. ? The Department?s policies and procedures do not clearly indicate that the Department is not required to complete a risk assessment when an MPO determines eligibility and therefore the nature of monitoring procedures to be performed is not defined. ? Requested audit documentation was not provided timely. Further, the Department did not provide sufficiently-detailed training to staff to ensure they were aware of and conducted required subrecipient monitoring responsibilities. Why do these problems matter? Performing timely and appropriate monitoring of subrecipients provides the Department with a method to ensure its subrecipients are complying with applicable federal grant requirements. By taking appropriate actions based on the results of its subrecipient monitoring activities, the Department can mitigate the risk of providing continuing funding to entities that may not be using funds in accordance with program requirements. Overall, the Department?s failure to comply with federal requirements could result in a loss of funding from the federal government. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-076 The Department of Transportation should strengthen internal controls over and ensure that it complies with federal subrecipient monitoring requirements for the Highway Planning and Construction program by: A. Updating its current subrecipient monitoring and risk assessment policy to clarify the frequency in which a risk assessment is required to be completed or updated, as applicable for contracts that span multiple fiscal years, as well as direction regarding when it is acceptable to forgo performing a risk assessment and updating the policy to address the nature in which subrecipient programmatic and financial reports are reviewed B. Providing training to staff responsible for subrecipient monitoring activities related to the policies updated in Part A of the finding. Response Department of Transportation A. Agree Implementation Date: November 2023 The Department will update the policy to clarify the frequency in which the risk assessment is required to be completed or updated as applicable for contracts that span multiple fiscal years, as well as identifying exceptions, outlining when it is acceptable to forgo risk assessments. The Department will also update the policy to address the nature in which the subrecipient programmatic and financial reports are reviewed. The updates will be completed by November 2023. B. Agree Implementation Date: November 2023 The Department will provide training on the subrecipient monitoring policy manual to outline roles, responsibilities and the frequency of risk assessments that span over multiple fiscal years. The training will also provide guidance on the programmatic and financial information review process.
Finding 2022-077 Cash Management The Department operates on a reimbursement basis with the federal government for a portion of its federal grant programs, expending state dollars for the federal programs prior to requesting reimbursement for the appropriate federal share. The reimbursement process is governed by the Cash Management Improvement Act of 1990 (CMIA) and 31 CFR Part 205 Part B, Rules and Procedures for Efficient Federal-State Funds Transfers (Transfer Rules), which prescribe specific methods and timeframes for drawing down federal funds. The purpose of CMIA and the Transfer Rules is to minimize the time period from when the State makes an expenditure for a federal program and when the federal reimbursement is received, so that neither the State nor the federal government incurs a loss of interest on the funds. This timeframe for requesting reimbursement is referred to as the ?draw pattern.? Under CMIA, the State must enter into a formal agreement, referred to as the ?Treasury-State Agreement,? (Agreement) with the U.S. Department of the Treasury to establish reimbursement schedules for selected federal programs that have been awarded to the State. In Colorado, the Department of Treasury (Treasury), on behalf of all departments in the State, enters into the Agreement with the U.S. Department of the Treasury. For Fiscal Year 2022, Colorado?s CMIA Agreement included 10 programs administered by various state agencies. The Department has one federal program that is included in the Agreement. Specifically, the Department?s Highway Planning and Construction [ALN 20.205] is included in this Agreement. During Fiscal Year 2022, the Department expended $510.0 million in Highway Planning and Construction funds. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to review the Department?s internal controls over its cash draw process and to determine whether the Department was in compliance with CMIA for the Highway Planning and Construction program during Fiscal Year 2022. As part of our audit, we tested the Department?s internal controls and compliance over its cash management process for the Highway Planning and Construction program. We tested a sample of 25 expenditures and the related draws the Department made for the program during Fiscal Year 2022 and calculated the number of days between each sampled expenditure and related federal draw and compared our results to the CMIA requirements in place at the time the draw occurred. Within our sample, draws for nine of the expenditures were performed prior to October 13, when the 4-day draw pattern was in place; draws for 16 expenditures were performed after October 13 on the 5-day pattern. How were the results of the audit work measured? Under CMIA rules, draw patterns should be interest-neutral between the State?s expenditure and receipt of federal funds. We compared the results of our testwork against the regulations within the CMIA for payments clearing the State?s bank that should result in the receipt of the federal reimbursements within specific timeframe as noted below: The Agreement in place at the beginning of Fiscal Year 2022 specified a 4-day draw pattern for Highway Planning and Construction. Therefore, the time between when the Department?s expenditure was made and when federal funds were received should have been 4 days. In October 2021, however, the Department requested the draw pattern be changed from 4 days to 5 days. This request was approved by the U.S. Department of the Treasury on October 13, 2021. What problem did the audit work identify? We determined that the Department did not comply with the approved cash management draw patterns contained in the Agreements for the Highway Planning and Construction program for Fiscal Year 2022. Overall, 8 of the 25 draws (32 percent) were not made in accordance with the applicable Agreement, as follows: ? We noted that 6 of the 16 draws (38 percent) were not performed on the 5-day approved draw pattern in place after October 13, 2021 and instead, were performed on a 4-day draw pattern. ? We also noted that 2 of the 9 draws (22 percent) sampled from the first Agreement were not completed in accordance with the 4-day approved draw pattern in place prior to October 13, 2021 and, instead, were performed on a 5-day draw pattern. Why did this problem occur? The Department did not have appropriate internal controls over its federal grant cash management process during Fiscal Year 2022. Specifically, the Department conducted an analysis on the draw pattern for Highway Planning and Construction in early Fiscal Year 2022 and determined that its draws were occurring within 5 rather than 4 days, so the Department requested and received approval from the U.S. Department of the Treasury to change from a 4 day draw pattern to a 5-day draw pattern; however, the Department did not properly communicate the change in the Agreement for the Highway Planning and Construction?s draw pattern to the primary individuals responsible for preparing and approving the draws. As a result, the billing procedure was not updated to reflect the change in draw pattern, which led to the draws being out of compliance with the approved CMIA draw pattern. Why does this problem matter? The timing of draws for requesting federal funds impacts the interest neutral requirements under the CMIA. By drawing funds early, the Department creates a risk that the State my ultimately owe interest charges to the federal government. Further, the Department?s lack of strong cash management internal controls may result in delays in the identification of expenditures for which reimbursement has not been requested and therefore, funds upon which the State has lost interest. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-077 The Department Transportation (Department) should strengthen its internal controls and processes over and ensure that it complies with federal Cash Management Improvement Act requirements for the federal Highway Planning and Construction Program (Program) by: A. Ensuring that Department personnel responsible for preparing and reviewing the cash draw requests are adequately informed of the draw pattern applicable for the current fiscal year, including any federally-approved changes that occur during the year. B. Establishing procedures that specify draw request dates in relation to Program expenditures that ensure required draw patterns are met. Response Colorado Department of Transportation A. Agree Implementation Date: March 2023 The Department will enhance its internal controls and processes to ensure it complies with the federal Cash Management Improvement Act requirements for the federal Highway Planning and Construction Program (Program) by ensuring personnel responsible for preparing and reviewing the cash draw requests are adequately informed of the draw pattern for the applicable fiscal year in which the draws occur including federally-approved changes during the year. Personnel responsible for the draw will review the approved draw letter from the State Treasury with a secondary verification on the Federal Site, www.fiscal.treasury.gov/cmia/resources-treasury-state-agreements.hmtl for the specified timeframe before conducting the draw. B. Agree Implementation Date: March 2023 The Department will enhance its internal controls and processes to ensure it complies with federal Cash Management Improvement Act requirements for the federal Highway Planning and Construction Program (Program) by establishing and maintaining formal procedures that specify the draw request dates in relation to the program expenditures to ensure required draw patterns are met. The process to implement changes to the cash draw pattern will be added to the draw procedure by March 2023.
Finding 2022-074 Coronavirus Relief Funds?Property Owner Preservation Program The President of the United States issued the Proclamation on Declaring a National Emergency Concerning the Novel Coronavirus Disease (COVID-19) Outbreak on March 13, 2020 and Congress subsequently passed the Coronavirus Aid, Relief, and Economic Security (CARES) Act. The CARES Act provided emergency assistance in response to the COVID-19 pandemic and established the Coronavirus Relief Fund (CRF) program, which provided payments to state, local, and tribal governments navigating the impact of COVID-19. The State of Colorado received approximately $1.67 billion of CRF funds in April 2020, and the Governor issued Executive Order 2020-070 (Executive Order) in May 2020 to disburse the CRF funds to numerous state departments and agencies. In June 2020, the State passed House Bill 20-1410, concerning assistance for individuals facing a housing-related hardship due to the COVID-19 pandemic, and transferred approximately $19.7 million of CRF funds to the Housing Development Grant Fund to provide such assistance. This bill includes a provision for the Property Owners Preservation Program (Program), which was managed by the Department, to allow landlords and property owners to seek rental assistance on behalf of their tenants who experienced a financial need on or after March 1, 2020, due to the effects of the COVID-19 pandemic. In Fiscal Year 2021, the Department expended the $19.7 million of the CRF funds it received in April 2020, for the Property Owners Preservation Program (POPP). What was the purpose of our audit work and what work was performed? The purpose of the audit work was to follow up on our prior year audit recommendation, which recommended that the Department implement internal controls to ensure it complies with federal regulations for any new federal funds it receives, such as the CRF. The Department planned to implement this recommendation by June 2022. During the Fiscal Year 2022 audit, we inquired with the Department on the implementation status of this recommendation. We also obtained and reviewed the Department?s Exhibit K3, Schedule of Prior Year Audit Recommendation Status, which it was required to submit to the State Controller. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Under House Bill 20-1410, the Housing Development Grant Fund was appropriated $19,650,000 of funds from the CRF for the purpose of providing individuals and households who, on or after March 1, 2020, experienced financial need due to the COVID-19 pandemic or effects of the COVID-19 pandemic, with rental assistance. The House Bill also provided guidance on how to access additional housing services. The Department developed and issued a new application for the POPP to address the criteria for experiencing direct or indirect impacts of the COVID-19 pandemic. ? Federal regulations [2 CFR 200.303] require that the Department, as a federal grant recipient, ?establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.? Furthermore, in accordance with 2 CFR part 200, subpart E, the Department must determine that amounts paid with federal grant funds were necessary and reasonable for the performance of the federal award and are adequately documented. Therefore, the Department must maintain appropriate supporting documentation to verify costs were properly charged to the federal grants. ? The Office of the State Controller (OSC) requires each department that had a prior audit recommendation that was reported in the prior fiscal year?s Office of the State Auditor Statewide audit to complete an Exhibit K3 to report the Department?s determination of the status of their recommendation as of June 30. Possible status descriptions include ?Implemented,? ?Partially Implemented,? ?Not Implemented,? and ?No Longer Valid.? The Department must provide an explanation for each recommendation status. What problem did the audit work identify? We determined that the Department did not implement the prior year?s recommendation by its planned implementation date of June 2022. Specifically, during prior year audit work, we found that the Department could not provide appropriate underlying support for 4 of the 60 transactions (7 percent) we tested that were charged as CRF expenditures for the Program; as a result, we recommended that the Department strengthen its internal controls over federal grant spending, including that it develop and implement policies and procedures with a requirement that Department staff review and maintain records supporting its expenditures charged to federal programs. When we inquired of the Department about what steps it had taken to implement the recommendation, Department staff indicated that they did not implement the recommendation during Fiscal Year 2022. Why did this problem occur? The Department reported on its Exhibit K3 that it determined that the original implementation date of June 2022 that the Department provided as its planned implementation date for our Fiscal Year 2021 recommendation was unrealistic, given the Department?s staffing challenges. Specifically, the Department indicated that it was not able to allocate sufficient time to develop and implement the recommended policy and procedure guidance by the end of Fiscal Year 2022. Why does this problem matter? The Department?s lack of sufficient internal controls over the maintenance of complete and accurate records for the federal CRF monies could result in inadequate documentation to support its payments and ultimately, disallowed federal costs and potential sanctions. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-074 The Department of Local Affairs (Department) should implement internal controls to ensure it complies with federal regulations, specifically for activities allowed or unallowed and allowable costs/cost principles, for any new federal funds it receives, such as the Coronavirus Relief Fund. This should include developing and implementing policies and procedures that include a requirement that Department staff review and maintain records supporting the expenditures charged to the federal program. Response Department of Local Affairs Agree Implementation Date: September 2022 The Division of Housing within the Department of Local Affairs has implemented internal controls to ensure compliance with federal regulations for new federal funds, including the development of a standard procedure and the requirement that Department staff review and maintain records supporting the expenditures charged to new federal programs.
Finding 2022-074 Coronavirus Relief Funds?Property Owner Preservation Program The President of the United States issued the Proclamation on Declaring a National Emergency Concerning the Novel Coronavirus Disease (COVID-19) Outbreak on March 13, 2020 and Congress subsequently passed the Coronavirus Aid, Relief, and Economic Security (CARES) Act. The CARES Act provided emergency assistance in response to the COVID-19 pandemic and established the Coronavirus Relief Fund (CRF) program, which provided payments to state, local, and tribal governments navigating the impact of COVID-19. The State of Colorado received approximately $1.67 billion of CRF funds in April 2020, and the Governor issued Executive Order 2020-070 (Executive Order) in May 2020 to disburse the CRF funds to numerous state departments and agencies. In June 2020, the State passed House Bill 20-1410, concerning assistance for individuals facing a housing-related hardship due to the COVID-19 pandemic, and transferred approximately $19.7 million of CRF funds to the Housing Development Grant Fund to provide such assistance. This bill includes a provision for the Property Owners Preservation Program (Program), which was managed by the Department, to allow landlords and property owners to seek rental assistance on behalf of their tenants who experienced a financial need on or after March 1, 2020, due to the effects of the COVID-19 pandemic. In Fiscal Year 2021, the Department expended the $19.7 million of the CRF funds it received in April 2020, for the Property Owners Preservation Program (POPP). What was the purpose of our audit work and what work was performed? The purpose of the audit work was to follow up on our prior year audit recommendation, which recommended that the Department implement internal controls to ensure it complies with federal regulations for any new federal funds it receives, such as the CRF. The Department planned to implement this recommendation by June 2022. During the Fiscal Year 2022 audit, we inquired with the Department on the implementation status of this recommendation. We also obtained and reviewed the Department?s Exhibit K3, Schedule of Prior Year Audit Recommendation Status, which it was required to submit to the State Controller. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Under House Bill 20-1410, the Housing Development Grant Fund was appropriated $19,650,000 of funds from the CRF for the purpose of providing individuals and households who, on or after March 1, 2020, experienced financial need due to the COVID-19 pandemic or effects of the COVID-19 pandemic, with rental assistance. The House Bill also provided guidance on how to access additional housing services. The Department developed and issued a new application for the POPP to address the criteria for experiencing direct or indirect impacts of the COVID-19 pandemic. ? Federal regulations [2 CFR 200.303] require that the Department, as a federal grant recipient, ?establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.? Furthermore, in accordance with 2 CFR part 200, subpart E, the Department must determine that amounts paid with federal grant funds were necessary and reasonable for the performance of the federal award and are adequately documented. Therefore, the Department must maintain appropriate supporting documentation to verify costs were properly charged to the federal grants. ? The Office of the State Controller (OSC) requires each department that had a prior audit recommendation that was reported in the prior fiscal year?s Office of the State Auditor Statewide audit to complete an Exhibit K3 to report the Department?s determination of the status of their recommendation as of June 30. Possible status descriptions include ?Implemented,? ?Partially Implemented,? ?Not Implemented,? and ?No Longer Valid.? The Department must provide an explanation for each recommendation status. What problem did the audit work identify? We determined that the Department did not implement the prior year?s recommendation by its planned implementation date of June 2022. Specifically, during prior year audit work, we found that the Department could not provide appropriate underlying support for 4 of the 60 transactions (7 percent) we tested that were charged as CRF expenditures for the Program; as a result, we recommended that the Department strengthen its internal controls over federal grant spending, including that it develop and implement policies and procedures with a requirement that Department staff review and maintain records supporting its expenditures charged to federal programs. When we inquired of the Department about what steps it had taken to implement the recommendation, Department staff indicated that they did not implement the recommendation during Fiscal Year 2022. Why did this problem occur? The Department reported on its Exhibit K3 that it determined that the original implementation date of June 2022 that the Department provided as its planned implementation date for our Fiscal Year 2021 recommendation was unrealistic, given the Department?s staffing challenges. Specifically, the Department indicated that it was not able to allocate sufficient time to develop and implement the recommended policy and procedure guidance by the end of Fiscal Year 2022. Why does this problem matter? The Department?s lack of sufficient internal controls over the maintenance of complete and accurate records for the federal CRF monies could result in inadequate documentation to support its payments and ultimately, disallowed federal costs and potential sanctions. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-074 The Department of Local Affairs (Department) should implement internal controls to ensure it complies with federal regulations, specifically for activities allowed or unallowed and allowable costs/cost principles, for any new federal funds it receives, such as the Coronavirus Relief Fund. This should include developing and implementing policies and procedures that include a requirement that Department staff review and maintain records supporting the expenditures charged to the federal program. Response Department of Local Affairs Agree Implementation Date: September 2022 The Division of Housing within the Department of Local Affairs has implemented internal controls to ensure compliance with federal regulations for new federal funds, including the development of a standard procedure and the requirement that Department staff review and maintain records supporting the expenditures charged to new federal programs.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-074 Coronavirus Relief Funds?Property Owner Preservation Program The President of the United States issued the Proclamation on Declaring a National Emergency Concerning the Novel Coronavirus Disease (COVID-19) Outbreak on March 13, 2020 and Congress subsequently passed the Coronavirus Aid, Relief, and Economic Security (CARES) Act. The CARES Act provided emergency assistance in response to the COVID-19 pandemic and established the Coronavirus Relief Fund (CRF) program, which provided payments to state, local, and tribal governments navigating the impact of COVID-19. The State of Colorado received approximately $1.67 billion of CRF funds in April 2020, and the Governor issued Executive Order 2020-070 (Executive Order) in May 2020 to disburse the CRF funds to numerous state departments and agencies. In June 2020, the State passed House Bill 20-1410, concerning assistance for individuals facing a housing-related hardship due to the COVID-19 pandemic, and transferred approximately $19.7 million of CRF funds to the Housing Development Grant Fund to provide such assistance. This bill includes a provision for the Property Owners Preservation Program (Program), which was managed by the Department, to allow landlords and property owners to seek rental assistance on behalf of their tenants who experienced a financial need on or after March 1, 2020, due to the effects of the COVID-19 pandemic. In Fiscal Year 2021, the Department expended the $19.7 million of the CRF funds it received in April 2020, for the Property Owners Preservation Program (POPP). What was the purpose of our audit work and what work was performed? The purpose of the audit work was to follow up on our prior year audit recommendation, which recommended that the Department implement internal controls to ensure it complies with federal regulations for any new federal funds it receives, such as the CRF. The Department planned to implement this recommendation by June 2022. During the Fiscal Year 2022 audit, we inquired with the Department on the implementation status of this recommendation. We also obtained and reviewed the Department?s Exhibit K3, Schedule of Prior Year Audit Recommendation Status, which it was required to submit to the State Controller. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Under House Bill 20-1410, the Housing Development Grant Fund was appropriated $19,650,000 of funds from the CRF for the purpose of providing individuals and households who, on or after March 1, 2020, experienced financial need due to the COVID-19 pandemic or effects of the COVID-19 pandemic, with rental assistance. The House Bill also provided guidance on how to access additional housing services. The Department developed and issued a new application for the POPP to address the criteria for experiencing direct or indirect impacts of the COVID-19 pandemic. ? Federal regulations [2 CFR 200.303] require that the Department, as a federal grant recipient, ?establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.? Furthermore, in accordance with 2 CFR part 200, subpart E, the Department must determine that amounts paid with federal grant funds were necessary and reasonable for the performance of the federal award and are adequately documented. Therefore, the Department must maintain appropriate supporting documentation to verify costs were properly charged to the federal grants. ? The Office of the State Controller (OSC) requires each department that had a prior audit recommendation that was reported in the prior fiscal year?s Office of the State Auditor Statewide audit to complete an Exhibit K3 to report the Department?s determination of the status of their recommendation as of June 30. Possible status descriptions include ?Implemented,? ?Partially Implemented,? ?Not Implemented,? and ?No Longer Valid.? The Department must provide an explanation for each recommendation status. What problem did the audit work identify? We determined that the Department did not implement the prior year?s recommendation by its planned implementation date of June 2022. Specifically, during prior year audit work, we found that the Department could not provide appropriate underlying support for 4 of the 60 transactions (7 percent) we tested that were charged as CRF expenditures for the Program; as a result, we recommended that the Department strengthen its internal controls over federal grant spending, including that it develop and implement policies and procedures with a requirement that Department staff review and maintain records supporting its expenditures charged to federal programs. When we inquired of the Department about what steps it had taken to implement the recommendation, Department staff indicated that they did not implement the recommendation during Fiscal Year 2022. Why did this problem occur? The Department reported on its Exhibit K3 that it determined that the original implementation date of June 2022 that the Department provided as its planned implementation date for our Fiscal Year 2021 recommendation was unrealistic, given the Department?s staffing challenges. Specifically, the Department indicated that it was not able to allocate sufficient time to develop and implement the recommended policy and procedure guidance by the end of Fiscal Year 2022. Why does this problem matter? The Department?s lack of sufficient internal controls over the maintenance of complete and accurate records for the federal CRF monies could result in inadequate documentation to support its payments and ultimately, disallowed federal costs and potential sanctions. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-074 The Department of Local Affairs (Department) should implement internal controls to ensure it complies with federal regulations, specifically for activities allowed or unallowed and allowable costs/cost principles, for any new federal funds it receives, such as the Coronavirus Relief Fund. This should include developing and implementing policies and procedures that include a requirement that Department staff review and maintain records supporting the expenditures charged to the federal program. Response Department of Local Affairs Agree Implementation Date: September 2022 The Division of Housing within the Department of Local Affairs has implemented internal controls to ensure compliance with federal regulations for new federal funds, including the development of a standard procedure and the requirement that Department staff review and maintain records supporting the expenditures charged to new federal programs.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-064 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide emergency financial assistance to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the University under the Higher Education Emergency Relief Fund (HEERF I) Program. The federal Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the federal American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Each of the University?s campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (DOE) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements of the HEERF program there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The DOE specified that the Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The University?s campuses are required to submit the annual report directly to the DOE. During Fiscal Year 2022, each University campus was required to complete and post 8 reports (four Student Aid and four Institutional) to their website. During Fiscal Year 2022, the University?s three campuses in total expended approximately $60 million in HEERF grant funds: $27 million was expended by the Boulder campus, $10.5 million was expended by the Colorado Springs campus, and $22.5 million was expended by the Denver campus. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over and complied with the HEERF grant reporting requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls over the HEERF grant reporting requirements. In addition, we tested 11 of the 12 student reports and 3 of the 12 institutional reports posted by the University during Fiscal Year 2022 to determine whether the University campuses posted the required information on each campus? website accurately, and by the federal due dates. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? The DOE issued a notice on May 13, 2021, requiring institutions to publicly post their required HEERF reports on the institution?s website as soon as possible, but no later than 30 days after the publication of the notice, or 30 days after the date the DOE first obligated funds under HEERF I, II, or III to the institution for emergency financial assistance to students; whichever comes later. The institution is required to post the report no later than 10 days after the end of each calendar quarter, after the initial posting. ? Federal regulation [2 CFR 200.303] states that the System?s campuses, as federal grant recipients, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? What problem did the audit work identify? We identified 2 out of the 14 reports tested (14.3 percent) that did not meet the HEERF grant report posting requirements. Specifically, the University of Colorado, Colorado Springs Campus, did not post the required information for the HEERF Student Aid Portion on its website for two of four quarters of Fiscal Year 2022 timely. First, the University posted the quarter-ending September 30, 2021 report to its website on December 23, 2021, or 74 days after the deadline of October 10. Second, the University did not post the quarter-ending March 31, 2022 report, which was due April 10, 2022, until October 2022, after we notified them of the error; this was approximately 6 months late. We did not identify any issues with the accuracy of the reports, and we found that the other two campuses in the University of Colorado System posted the required information on their respective websites as required by federal regulations. Why did this problem occur? The University?s Colorado Springs campus did not have adequate internal controls in place to ensure it complied with the HEERF grant reporting requirements. Specifically, the Colorado Springs Campus did not have appropriate policies and procedures in place for identifying and researching changes in HEERF reporting requirements. The federal government updated and provided a new form for HEERF reporting in September 2021 that included a section for institutional information but inadvertently excluded student information from the form. Because the form no longer required the student information, the Colorado Springs campus staff inaccurately assumed that the student information was no longer required to be reported. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in the DOE Certification and Agreement that is signed and agreed to by the University. By failing to report required information in accordance with federal regulations, the University failed to comply with the requirements of the HEERF program and potentially risks repercussions from the DOE as specified in the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-064 The University of Colorado?s Colorado Springs campus should strengthen its internal controls over and ensure that it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by establishing policies and procedures for identifying and researching changes in HEERF reporting requirements and posting reports to the campus website as required by federal regulations. Response University of Colorado Agree Implementation Date: Implemented Management agrees. After the notification of the missing HEERF report in December 2021, the UCCS Controller proposed a ?cross-check? process to ensure all future reporting is in compliance and reported in a timely manner. This process is used for both the quarterly and annual reporting process. In the quarterly reporting process, the UCCS Controller completes the institutional report and emails the report to the UCCS Financial Aid office Senior Executive Director for verification of the amounts and the data submitted. The Senior Executive Director then enters the student aid portion?s information and provides this to the UCCS Controller for verification of the data. Once verified, the report is uploaded to the UCCS website and a confirmation email is sent to the UCCS Controller as well as the heerfreporting@ed.gov for verification of completion of the website posting. This process has been duplicated with the annual reporting process. Before the annual report is submitted a review will be done to verify the report figures match the CU financials for the calendar year.
Finding 2022-062 Higher Education Emergency Relief Fund Student Aid Finding The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to higher education institutions, including the University, under the HEERF program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA) was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. Since March 11, 2021, the University has been awarded $45.6 million in HEERF grant funds through the American Rescue Plan (ARP), otherwise known as HEERF III. Of this award, the University was provided both 1) Student Aid monies, along with 2) Institutional Aid monies. Student Aid monies must be used to provide financial aid grants to students (including students exclusively enrolled in distance education), which may be used for ?any component of the student?s cost of attendance or for emergency costs that arise due to coronavirus, such as tuition, food, housing, healthcare (including mental health care), or childcare. Institutional Aid monies may be used to defray expenses associated with coronavirus (including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll) and to make additional financial grants to students. During Fiscal Year 2022, the University spent $21.0 million for the Student Aid portion and $20.2 million for the Institutional portion of HEERF III funds. For the Student Aid portion of the HEERF III funding, the University divided the funding into different groups. The University developed a written plan (that applied during Fiscal Year 2022) for each group and a control process for awarding the monies to students. One of the groups of funding was to be awarded to students with unpaid balances in their tuition or auxiliary accounts with past due balances incurred during the 2020-2021 or 2021-2022 academic years. A team of University employees (CARES Team) was tasked with identifying those students, then contacting those students and asking if they would like the University to apply the student?s HEERF award to pay down the student?s account balance or pay it to the student directly. Once the student informed the University of their election, then the University awarded and disbursed the funds. What was the purpose of our audit work and what was performed? The purpose of the audit work was to determine whether the University was in compliance with the HEERF program regulations for awarding and paying the Student Aid portion of the HEERF funding, and whether proper controls were in place over the program during Fiscal Year 2022. Our testing included conducting interviews with management and selecting a sample of 60 disbursements made to students during Fiscal Year 2022 to test controls and compliance. We performed testing on the 60 disbursements to determine whether awards and disbursements were made in accordance with the University?s documented plan. How were the results of the audit work measured? In accordance with HEERF III requirements, the University must prioritize student aid distributions to students with exceptional needs. In addition, the University must have a documented plan to distribute funds to students. Federal regulations [2 CFR 200.303] require any non-federal grant award recipient to establish and maintain effective internal control over the federal award that provides reasonable assurance that the grant award recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. Lastly, student aid application best practices discourage employees from awarding aid to family members. What problem did the audit work identify? Based on interviews with University management, the University identified that a University employee inappropriately provided $700 in HEERF Student Aid funding to the employee?s family member who was a student at the University but was not eligible to receive the funds. Specifically, the CARES Team selected students to receive these funds that met the following criteria: 1) Student was enrolled in the Fall of 2021 or Spring 2022, 2) student had past due balances incurred during the 2020-2021 or 2021-2022 academic years, 3) the student was in good academic standing, and 4) they were participating in a payment plan or in the College Completion Advising program. The student was not selected by the CARES Team as eligible to receive these funds. During our testing of additional 60 student disbursement transactions we found no other exceptions. Why did this problem occur? The University has not established proper segregation of duties to prevent University employees from awarding federal funding to a member of their family. Specifically, the employee had access rights within the University?s financial aid system that granted the employee the ability to both award and disburse federal funds without another employee reviewing or approving. In addition, the University did not have a written policy, as recommended by industry best practices, that prohibits employees from applying aid to family members? accounts. Why does this problem matter? Federal funds that are misapplied or used for unallowable purposes could be subject to repayment from the University to the federal granting agency. Without ensuring adequate segregation of duties within the University?s financial aid system for awarding and disbursing federal funds, the University increases the risk that fraud could occur. In the instance identified, the University recovered the funding from the student. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-062 Metropolitan State University of Denver (University) should improve its internal controls over federal Higher Education Emergency Relief Funds by instituting appropriate segregation of duties over the awarding of federal funds to students. This should include requiring that no one employee can both award then disburse aid to students and developing and implementing a formal written policy that prohibits University employees from awarding financial aid to their family members. Response Metropolitan State University Agree Implementation Date: June 2023 In January 2023, the Executive Director of Financial Aid and Scholarships implemented a code of conduct that addresses and prohibits University personnel from awarding financial aid to their family members or other persons considered conflicts of interest. The Office of Financial Aid and Scholarships will draft policy by June 30, 2023, to address the segregation of duties that prohibits awarding and disbursing federal, state, or institutional funding to students by one employee.
Finding 2022-063 Higher Education Emergency Relief Fund Reporting Compliance Finding The CARES Act was signed into law on March 27, 2020, and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the (HEERF Program. CRRSAA was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Since April 2020, the University has been awarded a total of $86.3 million in HEERF funding. From inception through June 30, 2022, the University spent $35.4 million for the HEERF program Student Aid Portion and $48.9 million for the HEERF program Institutional Portion. The University reports that it will spend the remaining amount of funding during Fiscal Year 2023. The University signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate the University?s acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The ED specified that Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The annual report is to be submitted directly to the federal ED. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University had adequate internal controls in place over and complied with HEERF Institutional and Student Aid Portion grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the University?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 5 of the 8 HEERF reports submitted by the University during Fiscal Year 2022 to determine whether the reports were posted on the University?s primary website or submitted directly to the ED by the federal due dates and complied with federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? For the Student Aid Portion, beginning on May 6, 2020, the ED required institutions to publicly post certain information on their website, including the number of awards distributed to students, the total amount awarded, and the methodologies used by the institution to determine which students receive awards, no later than 30 days after the award date, and to update that information every 45 days thereafter (by posting a new report). ? On August 31, 2020, the ED revised the reporting requirement by decreasing the frequency of reporting after the initial 30-day period from every 45 days thereafter to every calendar quarter. This revision from every 45 days to a calendar quarter was effective for the first calendar quarter report due by October 10, 2020, and covering the period from after the institution?s last report through the end of the calendar quarter on September 30, 2020. ? For the Institutional Portion, a federal form filled out by the institution must be posted on the institution?s website covering aggregate expenditure amounts for each calendar quarter (September 30, December 31, March 31, and June 30) and concluding after an institution has spent the institutional portion of their HEERF Funds. The institution must post their first report by October 30, 2020, the first quarter of 2021 report by July 20, 2021, and post all other reports no later than 10 days after the end of each calendar quarter (October 10, January 10, April 10, and July 10). ? Section 18004(e) of the CARES Act and Section 314(e) of the CRRSAA require an institution receiving funds under HEERF to submit a report to the Secretary of the ED at ?such time in such a manner as the Secretary may require?. ? Federal regulation [2 CFR 200.334] states that ?financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.? The instructions for the Quarterly HEERF Reporting Form notes, ?any changes or updates after the initial posting must be conspicuously noted after initial posting and the date of the change must be noted in the `Date of Report? line.? ? Federal regulation [2 CFR 200.303] states that the University, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The University signed a HEERF Certification and Agreement to accept the funding and acknowledge its responsibilities under the grant; therefore, the University was responsible under the Agreement to ensure that it complied with HEERF reporting and other requirements. What problems did the audit work identify? We determined that 2 out of 5 reports tested (40 percent) did not meet the HEERF grant report posting requirements. Specifically: ? The University did not post the HEERF CRRSAA Student quarterly report for the quarter ending September 30, 2021 on the University?s primary website, as required. ? The University published the HEERF ARP Student quarterly report for the quarter ending March 31, 2022 on May 26, 2022?46 days past the due date of April 10, 2022. No issues were noted on the accuracy of the financial information on this report. Why did these problems occur? The University did not implement adequate internal controls to ensure it complied with the HEERF grant reporting requirements. Specifically, the University did not have appropriate policies and procedures in place to ensure that staff submit the required reports within federally required timeframes. Why do these problems matter? Federal oversight agencies, including ED, depend on accurate reports to measure program results and states? compliance with federal requirements. By failing to report the HEERF spending information in accordance with federal regulations, the University failed to comply with the requirements of the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-063 Metropolitan State University of Denver (University) should strengthen its internal controls over reporting and ensure it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by developing and documenting policies and procedures for identifying and researching the specific reporting requirements and ensuring that staff post to the University?s website the required reports within federally required timeframes. In addition, the University should ensure that all the HEERF reports that are currently required to be posted are on the website. Response Metropolitan State University Agree Implementation Date: December 2022 In December 2022, the Office of Financial Aid strengthened its internal control over the reporting requirements for the Higher Education Emergency Relief Fund (HEERF), by adding the report due dates to the internal operational calendar. Additional level reviews were also added to the submission process before the required reports will be sent to the Department of Education and posted on the financial aid website.
Finding 2022-059 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF I) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund (Assistance Listing No. 84.425). The HEERF program contains two portions: the Student Aid portion (Assistance Listing No. 84.425E) and the Institutional portion, which is made up of the following: HEERF Institutional Aid Portion (Assistance Listing No. 84.425F), HEERF Minority Serving Institutions (Assistance Listing No. 84.425L), HEERF Strengthening Institutions Program (Assistance Listing No. 84.425M), Institutional Resilience and Expanded Postsecondary Opportunity (Assistance Listing No. 84.425P), and HEERF Supplemental Assistance to Institutions of Higher Education program (Assistance Listing No. 84.425S). Amounts provided to students through HEERF are considered to be ?Emergency Financial Aid Grants to Students? under the Program. Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent approximately $97.8 million for the HEERF program Student Aid portion which is used to award Emergency Financial Aid Grants to students and $113.9 million for the HEERF Institutional Portion, which is used to support the colleges. $117.3 of this amount was expended by the System during Fiscal Year 2022. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the ED to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The annual report is to be submitted directly to the ED. The ED has specified certain criteria that must be included in each report. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System had adequate internal controls in place over, and complied with, the HEERF Institutional and Student Aid grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the System?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 25 of the 117 HEERF reports submitted by the System?s campuses during Fiscal Year 2022 to determine whether the reports were posted on each campus? primary website (quarterly reports) or submitted to ED (annual reports) by the federal due dates. Furthermore, for the Student Aid Quarterly Report we requested from each Campus the underlying support for the reports, which consisted of student data detailing how much aid was awarded and the methods the campuses used to determine which students would receive Emergency Financial Aid Grants. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? On May 13, 2021, the ED published in the Federal Register a notice for student aid public reporting under CRRSAA and ARP, which requires that institutions publicly post certain information on their website. The following information must appear in a format and location that is easily accessible to the public: o An acknowledgement that the institution signed and returned to the ED the Certification and Agreement and the assurance that the institution has used the applicable amount of funds designated under the CRRSAA and ARP programs to provide Emergency Financial Aid Grants to Students. o The total amount of funds that the institution will receive or has received from the ED pursuant to the institution's Certification and Agreement for Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total amount of Emergency Financial Aid Grants distributed to students under the CRRSAA and ARP programs as of the date of submission (i.e., as of the initial report and every calendar quarter thereafter). o The estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total number of students who have received an Emergency Financial Aid Grant to students under the CRRSAA and ARP programs. o The method(s) used by the institution to determine which students receive Emergency Financial Aid Grants and how much they would receive under the CRRSAA and ARP programs. o Any instructions, directions, or guidance provided by the institution to students concerning the Emergency Financial Aid Grants. ? Federal Uniform Guidance [2 CFR 200.303] requires that recipients of federal awards have internal controls in place to ensure that federal reports are accurate and report complete information. Appropriate supporting documentation is evidence of such internal controls. What problems did the audit work identify? We identified issues with 5 of the 25 Fiscal Year 2022 reports we tested (20 percent). Specifically, Front Range Community College (FRCC), Pueblo Community College (PCC), and Lamar Community College (LCC) could not provide appropriate supporting documentation for one or more of the following data elements in five of the Student Aid Quarterly Reports: student data detailing (a) the total amount of Emergency Financial Aid Grants distributed to students, (b) the total number of students eligible to receive Emergency Financial Aid Grants and/or (c) the total number of students at the institution who have received an Emergency Financial Aid Grant. The specific issues we found the following: ? FRCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended September 30, 2021 as 20,684; based on our review, we determined the supported number was 20,782. ? FRCC reported the total number of students at the institution who have received an Emergency Financial Aid Grant for the quarter ended June 30, 2022 as 20,385 (student portion) and 3,207 (institutional portion); based on our review, we determined the supported numbers were 20,401 and 3,222, respectively. ? LCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended June 30, 2022 as 1,007; based on our review, we determined the supported number was 1,034. In addition, the amount disbursed directly to student emergency financial aid grants to date was reported as 961 and total for all HEERF funds was 1,124; based on our review, we determined the supported numbers were 988 and 1,151, respectively. ? PCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarters ending September 30, 2021 and December 31, 2021 as 3,191; based on our review, we determined this amount could not be supported and PCC did not provide a revised count. Why did these problems occur? FRCC, PCC, and LCC campuses did not have procedures in place to ensure that supporting documentation was maintained for its Student Aid Quarterly Reporting. Employee turnover in the FRCC Controller position and FRCC, PCC, and LCC Student Financial Aid Director positions further contributed to FRCC, PCC, and LCC?s inability to locate or recreate the supporting documentation. Why do these problems matter? It is important for FRCC, PCC, and LCC to ensure that they obtain and maintain appropriate documentation to support amounts reported to federal awarding agencies, especially when they are the basis for determining FRCC, PCC, and LCC?s compliance with specific federal program requirements. This issue could lead to inaccurate federal reporting and potential noncompliance, which could result in the federal government requiring FRCC, PCC, and LCC to return funds or a negative impact to the System?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-059 Front Range Community College, Lamar Community College, and Pueblo Community College campuses should strengthen their internal controls over federal reporting and ensure they comply with the Higher Education Emergency Relief Fund reporting requirements by reviewing reports for accuracy and developing procedures for ensuring the required maintenance of all related supporting documentation. Response Front Range Community College Agree Implementation Date: September 2022 Moving forward the Director of Financial Aid will engage the Restricted Funds Accountants in a quality assurance review of both dollars spent, type of fund, and student counts before it is submitted for final review and publishing by the Director of Resource Development and Senior Grant Administrator. The most recently submitted information for the quarterly report of September 30, 2022 will be sent to the Restricted Funds Accountants to validate that FRCC has been and will continue to be in compliance for quarterly HEERF reporting. Response Lamar Community College Agree Implementation Date: July 2022 The Financial Aid Director and the Controller will compile their reporting support on the shared drive they utilize for other routine purposes as well, to ensure clear documentation of the numbers reported. The original report containing errors was corrected, validated, and reposted. All past year?s reporting data was made available on the shared drive as of July 2022. Response Pueblo Community College Agree Implementation Date: October 2022 Each quarter Financial aid will obtain and compare Cognos and Banner disbursement reports for accuracy. Once the unduplicated student count is determined it will be sent to the Vice President of Student Success to validate and approve going forward. Financial aid will ensure staff maintain supporting documentation for any institutional expenditures information that was obtained from the fiscal office. Disbursement and expenditure data will be compiled for the Department of Education?s Quarterly Report by the submission deadline and will be submitted as PDF to webmaster for posting on PCC?s website and a copy emailed to a contact at the Department of Education and will archive the submission for future reference.
Finding 2022-043 Medicaid Claims Payments Individuals and families apply for Medicaid at their local county departments of human/social services or at MA sites. Medicaid caseworkers make the determinations of participants? eligibility to receive Medicaid benefits through CBMS. Children in the State?s foster care program, whose information is documented in the TRAILS system, are automatically determined eligible for Medicaid benefits. The Medicaid eligibility data in CBMS and TRAILS feeds into Colorado interChange, which pays providers for the services that beneficiaries receive. CBMS and TRAILS interface with Colorado interChange on a daily basis to update eligibility information, such as a beneficiary?s eligibility status and/or termination of benefits in Colorado interChange. According to the Department, Colorado interChange is programmed to make only allowable Medicaid claims payments on behalf of eligible beneficiaries in accordance with federal and state Medicaid rules and regulations. Thus, Colorado interChange should stop paying Medicaid claims when a beneficiary is no longer eligible for Medicaid. On March 18, 2020, the Act was enacted. The Act provided a temporary increase in the federal share of Medicaid and CBHP assistance from January 1, 2020 until the end of the PHE. The Act also required that the Department maintain Medicaid and CBHP eligibility for beneficiaries enrolled as of March 1, 2020, through the end of the COVID-19 PHE, except for the required terminations noted within the CMS waivers, such as out-of-state residency, termination upon the beneficiary?s request, and death of the beneficiary. On March 26, 2020, CMS approved waivers for a number of Medicaid and CBHP requirements that resulted in, for example, the expansion of benefits to include all uninsured individuals; suspension of beneficiary deductibles, copayments, coinsurance, and other cost sharing charges and fees; coverage of COVID-19 vaccines and testing; and the suspension of the requirement for a provider to have a current license if their license expired during the COVID-19 PHE. In addition, the State implemented, with CMS? approval, Medicaid continuous enrollment as a condition of receiving the temporary increase in federal assistance. During continuous enrollment, beneficiaries could not be disenrolled due to changes in circumstances (i.e., changes in household composition, employment, income and resources) until the end of the COVID-19 PHE. On December 29, 2022 the CCA was enacted. Under the CCA, continuous enrollment and the temporary increase in federal assistance are no longer linked to the end of the COVID-19 PHE. The continuous enrollment condition will end on March 31, 2023 and the increase in federal assistance will start to gradually reduce in April 2023, fully ending in December 2023. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to review the Department?s progress in implementing our Fiscal Year 2019 audit recommendation related to its internal controls over Medicaid claims payments. During that audit, we recommended that the Department improve its Medicaid controls by researching and resolving CBMS, TRAILS, and Colorado interChange interface issues we identified during our audit to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries. We specifically identified a TRAILS and CBMS eligibility mismatch issue related to the daily interfaces between CBMS and Colorado interChange and between TRAILS and Colorado interChange. As a result, some individuals who were deemed ineligible for Medicaid in CBMS and TRAILS were indicated as eligible in Colorado interChange at the time of payments; therefore, Colorado interChange made payments on their behalf. The Department researched the specific errors we identified during the audit and manually corrected the eligibility status of those beneficiaries, but the Department had not fully researched the error or identified and corrected all of the cases affected by the errors at that time. As such, we also recommended that the Department identify and correct any additional cases affected by the system issues noted in our audit. The Department agreed with the recommendation and stated that it would implement them by July 2021. As part of our audit work, we discussed the Department?s progress in implementing our audit recommendation with Department staff. According to the Department, it worked with the Department of Human Services (DHS) during Fiscal Year 2022 to develop a plan to eliminate the issues, including the TRAILS eligibility mismatch issue, we identified in the Fiscal Year 2019 audit. In order to address our recommendation that the Department identify and correct any additional cases affected by the system issues noted during our Fiscal Year 2019 audit, the Department developed an eligibility reconciliation report that compares beneficiary records with an active eligibility span in Colorado interChange, in order to identify any records that were not reported in the monthly eligibility file from CBMS. Department staff reported that they are reviewing the reconciliation report monthly to identify any beneficiary records that need updating in CBMS. Beneficiaries may show up on the reconciliation report either because (1) Colorado interChange rejected the beneficiary?s eligibility due to a data integrity issue, or (2) there was a system defect in CBMS, Colorado interChange, or TRAILS that caused a mismatch issue. Data integrity issues include issues such as a missing mailing address or last name?these issues can be manually fixed in CBMS. System defect issues are generally more complex and require Department staff to research the problem and identify the system that caused the error (CBMS, Colorado interChange, or TRAILS), and then work with the appropriate staff to correct the issue. As part of our audit, we requested copies of the Department?s eligibility reconciliation reports for Fiscal Year 2022 and asked the Department if it identified any additional cases affected by the system issues we identified, and if so, if they had they corrected the issues. How were the results of the audit work measured? We measured the results of our audit against the following: ? Federal regulation [42 CFR 447.56(e)(2), Limitations on Premiums and Cost Sharing] states that federal funding will not be provided for payments made by the Department to providers for services rendered to individuals who are not eligible for Medicaid. ? The Act [Section 2, Division F, Sec. 6008, Temporary Increase of Medicaid FMAP] temporarily increased the federal medical assistance percentage (FMAP) by 6.2 percentage points, effective from January 1, 2020 until the end of the PHE. The Act requires states to maintain Medicaid and Children?s Health Insurance Program (CHIP) eligibility for beneficiaries enrolled as of March 1, 2020 through the end of the PHE (with certain exceptions) in order to receive the increased FMAP assistance (the ?continuous enrollment requirement?). The PHE remained in effect during the entirety of Fiscal Year 2022 through June 30, 2022. ? According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with the Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office, Paragraph 16.01, Perform Monitoring Activities, which states that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. What problems did the audit work identify? We determined that the Department did not fully implement our Fiscal Year 2019 recommendation related to Medicaid claims payments by the July 2021 due date it originally provided. Specifically, while the Department has started working with DHS on a plan to resolve the TRAILS eligibility mismatch issues and started preliminary work on the project, the project was still ongoing as of June 30, 2022. In addition, the Department?s system enhancements to CBMS and Colorado interChange were not fully executed because of the ongoing PHE. Once the PHE ends and the Department executes the system enhancements, the Department has indicated the system will begin to correct the CBMS and Colorado interChange mismatches. Finally, although the Department has identified additional beneficiary records that require updating in CBMS, it did not correct the identified issues in the system. Specifically, the Department identified approximately 32,800 separate beneficiaries that were flagged as having an eligibility issue through the Fiscal Year ending June 30, 2022. However, per Department staff, they are unable to tell which beneficiaries had data integrity issues versus those that were caused by a system defect. Once the continuous enrollment period ends and the Department is able to fully execute the system enhancements noted above, the Department reports that the systems will sync any error the Department has identified and will be manually corrected. Why did these problems occur? The Department indicated that it did not fully execute the CBMS and Colorado interChange system enhancements because of the Act?s ongoing continuous enrollment requirement. Specifically, because the Department was required to maintain Medicaid and CBHP beneficiaries enrolled as of March 1, 2020 through the entirety of Fiscal Year 2022 due to the continuous enrollment requirements in place, they were unable to fully execute the CBMS and Colorado interChange system enhancements that would fix the data integrity issues identified during the Fiscal Year 2019 audit. Why do these problems matter? Making payments to ineligible individuals can result in the Department having to repay the federal government for the federal portion of the overpayments. Further, because Colorado interChange makes payments on behalf of other federal programs, such as CBHP, system issues with Colorado interChange could result in erroneous payments for other programs. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-043 The Department of Health Care Policy and Financing should strengthen its internal controls over Medicaid claim payments by: A. Continuing to work with the Department of Human Services to fully implement the plan to eliminate the Colorado interChange issues between Colorado Benefits Management System (CBMS), TRAILS, and Colorado interChange to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries. B. Continuing to review the monthly eligibility reconciliation reports and identifying beneficiary records that need updating, and making necessary corrections in CBMS once the continuous enrollment condition ends. Response Department of Health Care Policy and Financing A. Partially Agree Implementation Date: April 2023 The Department and CBMS teams have strengthened their internal controls to ensure payments are only made to providers for eligible members. The Department and CBMS teams will update all member records identified on the Monthly Reconciliation report once the Public Health Emergency ends. TRAILS team has provided additional training to the Case Managers to prevent data integrity issues being submitted to CBMS and interChange; however, the TRAILS team does not plan to update the system's internal controls until funding is available. Auditor?s Addendum Our responsibility under federal audit regulations is to report to the federal government when we identify Medicaid payments that may not have been made on behalf of eligible individuals or costs that we question as appropriate. It is ultimately the Department?s responsibility to have internal controls in place over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions B. Agree Implementation Date: April 2023 The Department agrees to review the monthly eligibility reconciliation report and is looking forward to resolving the member records once the Public Health Emergency ends to fully resolve the audit finding.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-041 Medicaid Eligibility?Social Security Numbers associated with Multiple State IDs Each beneficiary?s Medicaid application must contain specific information, including the beneficiary?s Social Security Number (SSN), a copy of their birth certificate, and support for their income, necessary for determining their Medicaid eligibility. The local counties and MA sites are responsible for administering the benefits application process, including entering the required data for eligibility determination into CBMS, and approving or denying applicants? eligibility. CBMS is a shared eligibility system between the Department and the Department of Human Services. As each beneficiary has one SSN, similarly, the State Identification Module (SIDMOD), which is managed by the Office of Information Technology (OIT), is designed to assign a unique State ID for each beneficiary. CBMS interfaces with Colorado interChange, the Department?s Medicaid claims payment system, on a daily basis to update eligibility information, such as a beneficiary?s eligibility status or termination of benefits in Colorado interChange. Colorado interChange uses this information to process and pay claims for services provided to eligible Medicaid beneficiaries. When a medical provider submits a claim to the Department, Colorado interChange checks the State ID and the date of birth, but not the SSN, submitted with the claim against the beneficiary?s information on file. If the State ID and the date of birth match an eligible beneficiary within Colorado interChange and the claim is otherwise appropriate, then the claim will be processed and paid through the system. The Department requires local counties or MA site caseworkers to call the OIT Service Desk to obtain approval for changing or updating an SSN in CBMS. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department made claims payments on behalf of beneficiaries with the same SSN but different State IDs, including assessing the Department?s progress in implementing our Fiscal Year 2019 recommendation related to this issue. At that time, we recommended that the Department improve its internal controls in this area to ensure that it complies with federal regulations regarding Medicaid eligibility. The Department agreed with the Fiscal Year 2019 recommendation and, during our Fiscal Year 2021 audit, reported that it had implemented this recommendation as of December 2020. As part of our testing, we reviewed the internal controls the Department had in place during Fiscal Year 2021 to identify any beneficiaries whose SSN is linked to more than one State ID in Colorado interChange. During our audit, we requested a list of all Medicaid claims that were submitted by providers and paid by the Department from December 1, 2020, through June 30, 2021, including the beneficiaries? names, SSNs, and State IDs. The Department provided a list that included approximately 924,000 beneficiaries who received benefits during that period. We analyzed this listing to identify any beneficiaries whose SSN was linked to more than one State ID, and to determine if any claims payments were made on behalf of those beneficiaries from December 2020 through June 2021. How were the results of the audit work measured? Federal regulation [42 CFR 435.910] states that the Department must require, as a condition of eligibility, that each individual (including children) seeking Medicaid services furnish a SSN. Federal regulation [42 CFR 435.914] further requires the Department to obtain and maintain documentation to support each beneficiary?s Medicaid eligibility determination. Federal regulation [42 CFR 447.56(e)(2)] states that federal funding will not be provided for payments made by the Department to providers for services provided on behalf of individuals who are not eligible for Medicaid. Further, the Department is required by federal regulations to repay the federal government the federal share of any overpayments within one year. Specifically, pursuant to 1903(d)(2)(C) of the Social Security Act [42 U.S.S. 1396b], states have up to one year from the date of discovery of the overpayment to recover or attempt to recover the overpayment before the federal share must be refunded to CMS regardless of whether recovery is made from the provider. According to federal regulation [45 CFR 75.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office. Under Paragraph 16.01 of the Green Book, the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. What problem did the audit work identify? We determined that the Department has not fully implemented the prior audit recommendation. During our testing, we identified 102 unique SSNs that appeared to be inappropriately associated with more than one State ID; in total, the 102 SSNs were tied to 209 State IDs. This could indicate that the Department determined eligibility without a beneficiary furnishing the correct SSN and, as a result, made claims payments on behalf of ineligible beneficiaries or the SSNs could be valid, but with more than one State ID, a provider could submit and have a claim paid for the same services under both State IDs. Specifically, we found the following: ? For 62 SSNs, the SSNs were tied to beneficiaries with more than one State ID, totaling 129 different State IDs, where the State IDs appeared to be for different people based on the names and/or dates of birth. ? For 40 SSNs, the SSNs were tied to beneficiaries with more than one State ID, totaling 80 different State IDs, where the State IDs had the same name and date of birth. ? For 99 SSNs, each SSN was tied to two different State IDs in Colorado interChange. ? For three SSNs, each SSN was tied to more than two different State IDs in Colorado interChange. For example, in one of the three instances, there were five different State IDs associated with one invalid SSN. These issues affected a total of 209 Medicaid State IDs that had not been corrected as of June 2021, representing a total of $67,235 Medicaid claims paid through Colorado interChange from December 2020 through June 2021. We provided the list of SSNs and State IDs to the Department to research. The Department found that, as of the end of our audit in April 2022, 59 out of the 102 SSNs identified during the audit had been corrected by a caseworker, but 43 SSNs need to be corrected in CBMS. The Department reported that these 43 SSNs had been flagged through a system edit in CBMS implemented in December 2020; however, the SSNs had not yet been corrected because ?To merge or correct [the SSNs and State IDs] is a time intensive process and must be prioritized within the business process of the [local counties and] Medical Assistance sites.? Although the Department was able to determine which SSN and State ID discrepancies had been corrected in CBMS as of April 2022, the Department has not completed its research to determine which claims made in Colorado interChange were made on behalf of beneficiaries with a correct SSN, and whether the implemented system edit appropriately addresses the issues identified in both Fiscal Years 2019 and 2021. As of the end of the audit, the Department had not completed this research and we were unable to determine whether the payments were made on behalf of beneficiaries with a valid SSN at the time payments were made. Therefore, we consider all $67,235 of the payments to be known questioned costs; $37,786 of these costs were paid with federal grant funds. A questioned cost, as defined in federal regulations [45 CFR 75.2 Uniform Administrative Requirements, Cost Principles, and Audit Requirements] (Uniform Guidance), is ?a cost that is questioned by the auditor ? (1) Which resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds; [or] (2) Where the costs, at the time of the audit, are not supported by adequate documentation?.? We have identified these questioned costs as known questioned costs that are further defined in Uniform Guidance [45 CFR 75.516] as questioned costs that are specifically identified by the auditor. Why did this problem occur? The Department did not have adequate internal controls in place during Fiscal Year 2021 to prevent or detect all instances of multiple State IDs associated with the same SSN in Colorado interChange and, as a result, could not ensure only eligible beneficiaries received Medicaid services. SIDMOD does not prevent several situations that can result in the same SSN with more than one State ID. For example, caseworkers could incorrectly input an SSN into CBMS or the SSN could be reported by the beneficiary incorrectly and, as a result, cause a new State ID to be created. There can also be instances when someone changes their name, such as when they get married, and apply for benefits prior to getting married and also after getting married, which could cause two State IDs to be created. If someone starts an application and does not finish the application and then restarts a new application at a later date, this can also cause two State IDs to be created. Further, when inputting multiple family members into the system, an input error of the SSN can occur with multiple family members with the same SSN, which would create multiple State IDs (one for each family member) with the same SSN. According to the Department, in order to implement the Fiscal Year 2019 recommendation, it implemented a system edit in CBMS in December 2020 that is designed to identify discrepancies in newly-entered or updated SSNs and State IDs in CBMS after that date and to then notify the caseworker so the caseworker can address the discrepancy; this edit was not designed to address SSN and State ID discrepancies that existed prior to December 2020. As a result, the system edit did not identify SSN and State ID discrepancies for claims made from December 2020 to June 2021 if those discrepancies existed prior to the implementation of the system edit in CBMS and the beneficiaries? information had not been updated in CBMS. For example, if a beneficiary had an incorrect SSN prior to the system edit and was, therefore, ineligible to receive Medicaid services, Colorado interChange would continue paying claims on behalf of the beneficiary until information was updated in CBMS and the beneficiary was determined to be ineligible for Medicaid. Because the system edit implemented in CBMS is only designed to detect and correct future SSN and State ID discrepancies, the Department has not fully addressed the issue of inappropriate claims payments that we identified in the prior audit recommendation. According to the Department, addressing SSN and State ID discrepancies that existed prior to December 2020 involves a manual process to identify, research, and resolve the discrepancies. The Department stated that a report to identify SSNs with multiple State IDs is being developed and is currently scheduled for deployment in June 2023. Furthermore, the Department has not established a monitoring process over caseworkers to ensure SSN and State ID discrepancies are addressed appropriately and in a timely manner. Why does this problem matter? Failing to institute appropriate controls over the processing of Medicaid eligibility can result in the counties and MA sites granting Medicaid benefits to ineligible individuals. As the state Medicaid agency, it is essential for the Department to ensure that Medicaid benefits are paid only for eligible beneficiaries. This includes ensuring that the Department has sufficient internal controls to address risks related to multiple State IDs associated with the same SSN. For example, without adequate controls in place to prevent multiple State IDs from being created, providers could erroneously or fraudulently submit duplicate claims under these State IDs for the same services, resulting in improper payments. Ultimately, the federal government may disallow federal funds for Medicaid program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. Recommendation 2021-041 See Schedule of Findings and Questioned Costs for chart/table The Department of Health Care Policy and Financing (Department) should improve its internal controls over Medicaid eligibility by: A. Researching the claims payments that were identified during our audit to determine whether the local counties or Medical Assistance sites had a valid Social Security Number (SSN) when determining eligibility, if payments were appropriate?in accordance with federal regulation at the time the payments were made?and recovering any payments made to providers on behalf of ineligible beneficiaries in accordance with federal regulations. B. Continuing to develop a report to identify SSNs associated with multiple State IDs and establishing and implementing written policies and procedures outlining how the Department will use the report to effectively monitor and correct SSN and State ID discrepancies. C. Implementing a process to monitor that caseworkers are addressing the Colorado Benefits Management System alerts related to SSN and State ID discrepancies appropriately and in a timely manner. Response Department of Health Care Policy and Financing A. Disagree The research required to identify the appropriateness of payments for 102 SSNs compared to the 1.6 million Coloradans the Department serves is administratively impractical and not an efficient use of limited state resources. Instead the Department will continue our existing proactive approach. Based on previous research, 92% of errors noted in the 2019 sample actually supplied a SSN or met exceptions criteria; therefore, payments were appropriate. The resolution of a SSN discrepancy is addressed through manual intervention by county eligibility technicians when identified through the system edit implemented in December 2020. The Department will continue the existing process to address duplicate SSNs, which is working since 58% of the SSNs had already been corrected through the existing process during the audit work. The Department could not agree to the questioned costs as the testing failed to determine which member case was incorrect. The OSA should have documented the incorrect case or identified which State IDs had not been merged through the existing process. The OSA pulled claims data (not Colorado Benefits Management System, or CBMS, cases) and did not identify if those claims were from newly entered cases or cases entered prior to December 2020. The auditor?s sample should have only included the cases impacted by the Department?s system change related to the original recommendation. Further, the Department cannot recover any payments from providers since this issue is not related to services provided. When a provider checks a member's eligibility on the day of service and finds the member eligible through the Department?s system, that provider is guaranteed payment if they render an authorized service. Auditor?s Addendum Our responsibility under federal audit regulations is to report to the federal government when we identify Medicaid payments that may not have been made on behalf of eligible individuals or that we ?question? as appropriate. It is ultimately the Department?s responsibility to perform research over questioned costs to determine whether the payments were or were not appropriate and, working with CMS, whether the Department must refund the federal share of any overpayments to CMS, regardless of whether the Department recovers the payments from the providers. B. Agree Implementation Date: June 2023 The Department will continue our existing proactive approach to minimize this issue. The resolution of a SSN discrepancy is addressed through manual intervention by county eligibility technicians when identified through the system edit implemented in December 2020. The Department will continue the existing process to address duplicate SSNs. The Department has already made significant progress to monitor CBMS through the use of CBMS monitoring dashboards. These dashboards allow the Department to monitor and perform daily analysis. The Department meets bi-weekly to discuss findings and next steps to resolve any issues identified through the dashboard. These dashboards are being implemented over time as areas of improvements are identified. As part of the Department's continual improvement strategy, SSN discrepancy reports are included in the next implementation phase of the monitoring dashboards scheduled for June 2023. The Department will develop and implement policies and procedures outlining how the report will be used to effectively monitor and correct SSN and State ID discrepancies. Once that work is complete, the Department will send updated written guidance to our county and medical assistance sites on how to use system edits, reports, and dashboards to resolve duplicate SSNs. C. Agree Implementation Date: June 2023 The Department will continue our existing proactive approach to minimize this issue. The resolution of a SSN discrepancy is addressed through manual intervention by county eligibility technicians when identified through the system edit implemented in December 2020. The Department will continue the existing process to address duplicate SSNs. The Department has already made significant progress to monitor CBMS through the use of CBMS monitoring dashboards. These dashboards allow the Department to monitor and perform daily analysis. The Department meets bi-weekly to discuss findings and next steps to resolve any issues identified through the dashboard. These dashboards are being implemented over time as areas of improvements are identified. As part of the Department's continual improvement strategy, SSN discrepancy reports are included in the next implementation phase of the monitoring dashboards scheduled for June 2023. Once that work is complete, the Department will send updated written guidance to our county and medical assistance sites on how to use system edits, reports, and dashboards to resolve duplicate SSNs appropriately and in a timely manner.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-042 Medical Loss Ratio Reporting for Managed Care Entities The Department contracts with Managed Care Entities (MCEs) to provide managed care health plans and deliver health care services to eligible Medicaid and CBHP beneficiaries and pays MCEs monthly fixed amounts, known as capitation payments, based on rates determined by actuaries for the provision of services covered under the contract. The Department pays the MCEs monthly capitation payments on behalf of each Medicaid and CBHP beneficiary enrolled in the MCE?s plan. MCEs then coordinate services for the eligible Medicaid and CBHP beneficiaries and providers participating in the managed care system bill the MCEs directly for any medical services provided to Medicaid and CBHP beneficiaries. The MCEs are then responsible for paying the providers for the Medicaid and CBHP claims. The Department contracts with three different types of MCEs?Managed Care Organizations (MCO), Prepaid Inpatient Health Plans (PIHP), and Primary Care Case Management (PCCM) Entities. During Fiscal Year 2021, the Department had a total of 8 contracts with 10 MCEs, with two pairs of MCEs sharing a single contract with the Department. The Department is responsible for monitoring the MCEs to ensure they are complying with federal regulations and their contract provisions, including requirements that the MCEs annually submit Medical Loss Ratio (MLR) reports to the Department. The MLR is the proportion of state and federal Medicaid and CBHP funds that the MCE used for medical services compared to the funds used for its administrative costs. MCEs are required by both federal regulations and their Department contract provisions to have an MLR above 85 percent (i.e., an MCE?s administrative costs cannot exceed 15 percent) except for specific exceptions defined in federal regulations. If the MLR is below 85 percent, the MCE must pay back the state and federal government for the amount that caused the MCE to fall below 85 percent. Every fiscal year, the Department provides an MLR reporting template for the MCEs to complete and return to the Department. The Department reported that when it receives the completed templates, staff review the information provided by the MCEs and compare it to supporting documentation to ensure it is accurate and complete. Once the Department has reviewed the MLR reports submitted by the MCEs, the Department submits the MLR reports to CMS, which are due by June 30 of the year following the end of the MLR reporting year. For example, an MCE with a reporting year ending June 30, 2020, would be required to submit the MLR calculation to CMS by June 30, 2021. During Fiscal Year 2021, the Department reported that it paid approximately $1.4 billion in Medicaid and CBHP capitation payments to MCEs for medical services, not including the capitation payments for other services, such as administrative costs. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to review the Department?s internal controls and compliance over ensuring that MLR reports submitted to CMS by the Department include all the required information in accordance with federal regulations during Fiscal Year 2021. The audit work included making inquiries of Department staff regarding the Department?s documented policies and procedures over obtaining and reviewing MLR reports from each MCE. In addition, we requested and reviewed all MLR reports submitted to the Department by the 10 MCEs that were under contract with the Department in Fiscal Year 2021 to determine whether the MLR reports included all information required by federal regulations and were submitted within the required timeframes. How were the results of the audit work measured? Federal regulations [42 CFR 438.8(k)] require that the Department ensure each MCE under contract with the Department submits a report with the data elements specified in 42 CFR section 438.8(k)(1). The reports are specifically required to contain 13 required data elements, reflect the correct reporting years, and contain an attestation of accuracy regarding the calculation of the MLR. The 13 data elements include items such as total incurred claims, the methodology for allocating expenditures, the calculated MLR, and a comparison of the information reported in the MLR report to the MCE?s audited financial report. Federal regulations [42 CFR 438.8(g)] note that the method used to allocate expenses in the MLR calculation must be: ? Based on a generally accepted accounting method that is expected to yield the most accurate results; ? Any shared expenses must be apportioned pro rata to the contract incurring the expense; and ? Expenses that relate solely to the operation of a reporting entity must be borne solely by the reporting entity and are not to be apportioned to other entities. Federal regulations [42 CFR 438.8(k)(2)] require MCEs to submit the MLR report in a timeframe and manner determined by the Department, which must be within 12 months of the end of the MCE?s reporting year. The Department?s contract provisions for MCEs state that the MLR reporting year should align with the State?s fiscal year, beginning on July 1 and ending on June 30 of the subsequent calendar year. Contract provisions also state that each MCE shall submit to the Department the completed MLR calculation template and supporting documentation for each reporting year by the following January 15. For example, an MCE with a reporting year ending June 30, 2020, would be required to submit the MLR calculation template to the Department by January 15, 2021, and the Department would be required to submit the MLR calculation to CMS by June 30, 2021. What problems did the audit work identify? We reviewed all reports provided to the Department by the 10 MCEs during Fiscal Year 2021 (for the MLR reporting year ended June 30, 2020) and determined that none of the MLR reports submitted by the 10 MCEs to the Department contained all of the required data elements in Fiscal Year 2021. Specifically, the MLR reports were missing 2 of the 13 (15 percent) required data elements: the methodology for the MCEs? allocation of expenditures and a comparison of the information reported in the MLR report to the MCEs? audited financial reports. This omission is significant because the MCEs reported total medical expenditures ranging from $20.5 million to $208.4 million and earned revenue from $23.4 million to $219.1 million. In addition, we determined that 1 of the 10 MLR reports received in Fiscal Year 2021 (10 percent) had not been submitted to CMS as of April 2022. This report was due to CMS on June 30, 2021. Why did these problems occur? We found that the Department lacked adequate controls to ensure that MLR reports submitted by the MCEs fully complied with federal regulations. First, we noted that although the Department?s MCE contracts state the MCE?s MLR report should include all 13 federally required data elements, the MLR template the Department provided to the MCEs did not include specific sections addressing the two missing federally-required data elements. As a result, the MCEs did not submit this information. Furthermore, the Department did not have written policies and procedures for reviewing completed MLR reports to ensure the reports ultimately included those requirements. Second, the Department does not have an enforcement mechanism to ensure the MCEs provide corrected MLR report information in a timely manner. The Department reported that it had not submitted the one MLR report to CMS because it had open questions on the MLR report and was unable to verify that the information was correct, valid, and in compliance with federal regulations. Although the Department sent the MLR report back to the MCE for correction several times, the Department did not have sufficient controls in place to ensure the MCE ultimately provided the corrected report back to the Department within the required reporting timeline for CMS submission. Why do these problems matter? The Department is responsible for ensuring MLR reports are obtained and submitted to CMS in accordance with federal regulations and that MCEs have an MLR above 85 percent. While all 10 MCEs reported that their MLRs were above 85 percent for the reports submitted during Fiscal Year 2021, without providing all required data elements, neither the Department nor the federal government can validate that this percentage is accurate. By not including the methodology for the MCE?s allocation of expenditures, the Department, and ultimately CMS, are unable to confirm that each type of expense is being allocated correctly and that any shared expenses are being prorated appropriately. Additionally, by not including a comparison of the information reported in the MRL to the MCE?s audited financial report, the Department is unable to confirm that the information the MCE used to calculate their MLR is accurate. Overall, without effective internal controls in place, the Department risks providing MLR reports to CMS that contain inaccurate or incomplete information or that the MLR is below 85 percent and the Department does not catch the error. As a result, state and federal funds could be used disproportionately on administrative costs rather than medical services, which would negatively impact the quality of care Medicaid and CBHP beneficiaries receive. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-042 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls over Medical Loss Ratio (MLR) reporting by: A. Updating its MLR report template provided to Managed Care Entities (MCEs) to comply with federal regulations and developing and implementing written policies and procedures. These policies and procedures should include the requirement for MCEs to submit MLR reports that include the data elements required by federal regulations and specify the Department?s review process of those MLR reports to ensure they include accurate and complete information. B. Developing an enforcement mechanism to ensure it receives accurate and corrected information from the MCEs in a timely manner so the Department is able to complete its validation process of MLR reports and meet the June 30 deadline for report submission to the Centers for Medicare & Medicaid Services. Response Department of Health Care Policy and Financing A. Agree Implementation Date: December 2022 The MLR report template has been updated and will now be reviewed at least yearly by the Department. In addition, new written policies and procedures are being developed and will be implemented before the submission of the next MLR for review. B. Agree Implementation Date: January 2023 The Department will add contract language and enforcement mechanisms in order to receive accurate information in a timely manner. This includes specific timelines for correcting incomplete or inaccurate information in order to submit the MLR report timely to the Centers for Medicare & Medicaid Services.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-043 Managed Care Entities? Periodic Audit Reporting On November 9, 2020, CMS adopted a final rule (Final Rule) revising the regulations governing managed care programs. The Final Rule was meant to streamline the existing Medicaid and CBHP managed care regulatory framework. Further, it adopted procedures and standards to ensure accountability and strengthen program integrity safeguards. The Department is responsible for complying with these federal program integrity regulations, some of which include requirements to monitor MCE compliance submission requirements, conduct periodic audits of submitted MCE data, and then post the periodic audits publicly on the Department?s website. These periodic audits are done to determine the accuracy and completeness of the (1) encounter and, (2) financial data submitted by each MCE, which are described as follows: ? Encounter Data. The Department?s contracts with the MCEs require each MCE to submit Medical Encounter Claims (Encounter Data) to the Department. Encounter Data includes services provided by any of the MCE?s providers, including, but not limited to, services delivered by medical groups, practices, clinics, physicians, or any other providers. MCEs must submit Encounter Data on a monthly basis on the last business day of the month. The Department then contracts with an independent external quality review organization to review the information and supporting documentation, and then the external organization issues a report on the data submitted by each MCE. ? Financial Data. The Department?s contracts with the MCEs require each MCE to complete a Department-provided financial reporting template that contains a breakdown of the MCE?s administrative and medical costs for a 12-month period (July through June). These templates are required to be completed and submitted to the Department by January 15 each year. The Department performs an initial review of the information, and then sends the completed templates to an independent CPA firm for final review and issuance of a report on the data submitted by each MCE. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to review the Department?s internal controls over and compliance with federal program integrity requirements for MCEs during Fiscal Year 2021. The audit work included making inquiries of Department staff regarding the Department?s documented policies and procedures over the MCE periodic audits. For each MCE, we reviewed the Department?s MCE contract, the financial reporting template submitted during Fiscal Year 2021, and the report issued by the Department?s contracted independent organization. Lastly, we reviewed the Department?s website to determine whether the Department posted the periodic audit results on their website. How were the results of the audit work measured? Federal regulations [42 CFR 438.602] detail the Department?s responsibilities associated with MCE program integrity. These include the following: ? Federal regulation [42 CFR 602(e)] requires the Department to periodically conduct, or contract for the conduct of, an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by each MCE. ? Federal regulation [42 CFR 438.602(g)(4)] requires that the results of the periodic audits for each MCE be publicly posted on the Department?s website. The Department?s MCE contracts require all MCEs to submit Encounter Data electronically to the Department on a monthly basis. The Department?s MCE contracts also require all MCEs to submit annual financial information, including annual financial statements and the Department provided financial reporting template. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in the Green Book. Under Paragraph 16.01, the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. What problems did the audit work identify? Overall, we found that the Department did not obtain complete financial data from the MCEs during Fiscal Year 2021 and did not post the audited results of the financial data to the Department?s website. Specifically, we found the following: ? Financial Data Reporting Template. For 2 out of the 10 (20 percent) financial reporting templates we reviewed, the MCE did not fill out the reporting template completely. As a result, the reporting templates were missing supporting information and explanations that assist the Department in their initial review of the MCE financial data, such as the MCE?s methodology for calculating administrative and medical costs submitted with the reporting template. ? Posting Incomplete Periodic Audits to the Department?s Website. For 10 of the 10 (100 percent) MCEs, we found that the Department failed to post the results of the financial data audits to its website. Pursuant to federal regulations, the audits must include information on encounter and financial data for each MCE and be posted to the Department?s website. We were able to verify that the Department did, however, post the results of the encounter audits to its website for all 10 MCEs. Why did these problems occur? The Department lacked adequate controls over ensuring compliance with federal program integrity requirements for MCEs. Specifically, the Department did not have written policies and procedures for performing the initial review of the financial data reporting templates before they are sent to the CPA firm for final review. In addition, the Department did not have written policies and procedures for ensuring all periodic audit information is posted to its website, including the results of the financial data audits. Why do these problems matter? As a recipient of federal funds, the Department is ultimately responsible for ensuring that it is in compliance with federal regulations. By not confirming that the MCE financial data templates are complete, there is a risk that the reports issued by the contracted CPA firm could be inaccurate or incomplete, which could lead to the Department not properly monitoring the managed care program. In addition, by posting incomplete periodic audit information to its website, the Department risks failing to comply with federal program integrity requirements for MCEs. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-043 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls by developing and implementing written policies and procedures for periodic audits that detail the process for (1) performing the initial review of the financial data reporting templates submitted by Managed Care Entities, and (2) posting complete periodic audit results on the Department?s website in accordance with federal regulations. Response Department of Health Care Policy and Financing Agree Implementation Date: December 2022 The Department did not have strong enough controls for the initial checks on the financial data reporting templates. This process has been updated and will be rectified in coming cycles. The Department has modified its templates in order to address the concerns provided by the auditors including signatures and supplemental reporting. Written policies and procedures for the validation and audit of the templates are being developed currently and will be in place and effective in December 2022. The Department will be correcting this error by posting the audit results along with other quality and audit reports on the following site: https://hcpf.colorado.gov/quality-and-health-improvement-reports.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-045 Payments for Non-Emergent Medical Transportation ClaimsPrior to July 2020, in 55 counties, the Department worked with various county offices to have them broker Non-Emergent Medical Transportation (NEMT) services for Medicaid recipients, including rides to and from Medicaid medical appointments, personal mileage reimbursement, and trip-related meals and lodging. For example, these counties arranged the rides with transportation providers, submitted the claims or had providers submit claims for reimbursement to the Department, and passed on reimbursements to providers as needed. For the remaining nine counties, the Department contracted with IntelliRide to serve as the NEMT broker for services in those areas. From July 1, 2020, to August 31, 2021, when the Department contracted with IntelliRide to be the statewide broker, most recipients throughout the state scheduled NEMT rides by contacting IntelliRide through its call center, website chat function, or smartphone applications. IntelliRide scheduled rides and assigned transportation providers to them, and had providers upload trip information into IntelliRide?s EcoLane transportation scheduling system. EcoLane maintains information related to recipients? requests for rides and provider trip information, such as the trip date and time, names of the recipient and driver, and scheduled pick-up and destination addresses. IntelliRide submitted claims through the Department?s interChange system (interChange) requesting payments for providers? NEMT services, paid providers for their services, and received reimbursement from the Department. In addition, the Department paid NEMT claims submitted directly by NEMT providers. In Fiscal Year 2021, from July 1, 2020, through February 28, 2021 (the audit period), the Department paid 362,110 claims for NEMT services totaling about $33.2 million, as shown in the following table. In September 2021, the Department plans to transition back to IntelliRide brokering services in nine counties, while the NEMT providers in the remaining counties will broker their own services. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote What audit work was performed and how were the results measured? The purpose of the audit work was to determine whether the Department has ensured that NEMT claims adhere to the following federal and state requirements. ? NEMT trips were to be brokered through, and all claims submitted by, the statewide broker, Intelliride. According to state regulations and the Department?s NEMT Billing Manual, all NEMT trips during Fiscal Year 2021 had to be authorized by the statewide broker, IntelliRide [10 CCR 2505-10 8.014.7.A]. This means that each recipient?s NEMT ride request should have been sent to IntelliRide for approval or authorization before the trip, and any unauthorized trips should ?not be reimbursed or paid? [Billing Manual]. According to the Department, it allowed NEMT providers time to transition to working with IntelliRide because some providers were reluctant to join the statewide brokerage and the Department needed time to onboard providers. By Fall 2020, most providers should have been working with IntelliRide to schedule NEMT rides. The Department told us that six NEMT providers received its express permission to bypass IntelliRide to schedule rides and submit claims directly to the Department because the providers are unique, such as only serving recipients with disabilities or receiving federal grant funding to provide NEMT. To assess whether IntelliRide brokered most NEMT services in the State and submitted the related claims in line with regulations and its contract, we reviewed the Department?s aggregate data for the 128,998 NEMT claims paid from December 2020 through February 2021. ? The Department must pay claims based on accurate service rates and trip mileage. Non-taxi NEMT services, such as wheelchair and mobility vehicle services, have base rates and mileage rates set by the Department. IntelliRide tracks the mileage of each NEMT trip in EcoLane and submits mileage claims to the Department?s interChange system. The Public Utilities Commission (PUC) sets the rate for each permitted taxi provider, which generally includes a rate for the first trip mile and a different rate for each additional mile. According to the Department?s NEMT Billing Manual and NEMT Rate Schedule for Fiscal Year 2021, taxi claims should have been paid at the rate set by the PUC. For example, if a taxi company?s PUC rate was $4 for the first mile and $2 for each additional mile, the Department should have paid $6 for a two-mile NEMT trip claim. To verify that the Department paid NEMT claims based on the correct trip mileage and rates, we reviewed the trip mileage and rates for 362,110 NEMT claims paid from July 2020 through February 2021, and PUC documentation on the taxi rates for permitted taxi companies. ? Claims must be supported with accurate and complete documentation confirming the service provided. Both IntelliRide and providers that submit claims for NEMT services must keep and be able to furnish accurate, complete supporting documentation for all claims [42 USC 1396a(27), 42 CFR ?? 431.17 and 433.32, and 10 CCR 2505-10 8.014.3.C and 8.014.6.B]. For example, a claim must be supported by medical documentation showing that the type of vehicle was needed to transport the recipient, and documentation from the transportation provider showing the trip occurred and when the recipient was picked-up and dropped-off. IntelliRide should only submit a claim to the Department after IntelliRide confirms the trip has been completed and marks the status complete in EcoLane [IntelliRide Policies and Procedures]. If an NEMT provider does not show up for a trip, IntelliRide should mark the trip as ?cancelled? in EcoLane. Payments for Medicaid claims that lack supporting documentation for the services provided are unallowable, meaning they should not be paid. IntelliRide or the Department must maintain documentation from recipients? medical providers showing why certain NEMT services, like transportation in a wheelchair van or with an escort, are medically necessary [10 CCR 2505-10 8.014.7.B and 8.014.5.D.1; Billing Manual]. To verify that there was support for NEMT claims, we reviewed IntelliRide data in EcoLane for all 362,110 NEMT claims paid from July 2020 through February 2021, and Department documentation for a sample of 85 NEMT paid claims?75 selected randomly from the four NEMT service areas of the state, and 10 that were the highest paid NEMT claims. ? NEMT services must be medically necessary. NEMT services shall only be provided to recipients with no other means to attend medically necessary, non-emergency treatment covered by Medicaid [42 USC 1396a(70); 42 CFR 431.53; 10 CCR 2505-10 8.014.5.B]. To verify that NEMT claims were only paid for recipients to access medical care, we reviewed the Department?s data on paid medical claims to determine if the recipients related to 22 sampled NEMT claims paid in December 2020 had a corresponding medical appointment. For another 61 paid NEMT claims that involved IntelliRide scheduling and submitting claims for trips every day in December for two recipients, we reviewed whether the recipients had paid medical claims corresponding with the trips. ? Prior authorization is required for air ambulance. The Department must grant prior authorization for the use of an NEMT air ambulance before the trip occurs in order for the claim to be paid [10 CCR 2505-10 8.014.7.D.1.b]. To verify that the Department granted prior authorization for air ambulance trips, we reviewed the use of air ambulances in 11 paid claims from July 2020 to February 2021. ? Recipients are to receive the least-costly NEMT transportation option appropriate for their medical condition. For example, recipients should only ride in a vehicle for recipients with mobility needs when they have a mobility issue or if there is a lack of access to public transportation [10 CCR 2505-10 8.014.6.B, 42 USC 1396(a(70), and 42 CFR 440.170(a)(4)]. Higher-cost NEMT services, such as ambulance and wheelchair van services, must be supported with documentation of the recipient?s need for the specific higher-cost services [10 CCR 2505-10 8.014.5.B.1.b]. To determine whether recipients received the least costly NEMT services to meet their needs, we reviewed documentation submitted by medical or transportation providers to IntelliRide or the Department for the 85 sampled NEMT claims. ? Taxi providers must be permitted by the PUC to provide NEMT taxi rides. To provide NEMT rides by taxi and receive payment for them, the provider must maintain a common carrier permit issued by the PUC [10 CCR 2505-10 8.014.3.B.4.a]. To verify that the providers that were paid for taxi claims had been permitted to provide taxi services, we reviewed the 33,791 NEMT claims for taxi services from July 2020 to February 2021. What problems were identified? The Department paid $3.5 million directly to 66 NEMT providers for claims that were not brokered by Intelliride. From December 2020 through February 2021, 26,890 of the approximately 129,000 NEMT claims paid by the Department (21 percent), totaling about $3.5 million, were not brokered through IntelliRide, which violated state regulations requiring all NEMT services to be brokered through the statewide brokerage in effect at the time. The following chart shows the amounts the Department paid for claims submitted directly by NEMT providers compared to its payments for claims submitted by IntelliRide from July 2020 through February 2021. During these months, the number of claims that providers submitted directly to the Department decreased as providers transitioned to working with IntelliRide to broker NEMT rides; however, as of February 2021, the Department was still paying about $1 million in monthly claims that were submitted directly by providers. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote The Department paid 36,910 NEMT claims totaling $5.5 million, which either violated or may have violated federal and/or state regulations. The claims were for unallowable services or were overpaid, and resulted in $291,597 in known questioned costs and $5,180,962 in likely questioned costs for Medicaid. A questioned cost is a payment that ?resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds? or ?the costs, at the time of the audit, [that] are not supported by adequate documentation?? [2 CFR 200.84]. A known questioned cost reflects a violation that the auditor confirmed; a likely questioned cost is the auditor?s best estimate of a potential violation [2 CFR 200.516(a)(3)]. Known and likely questioned costs should be investigated by the Department and recovered, as appropriate, because Medicaid overpayments are recoverable regardless of whether they occurred due to an error by the Department, entity acting on behalf of the Department, or a provider [Section 25.5-4-301(2), C.R.S.]. We found the following problems resulting in $291,597 in known questioned costs: ? Claims paid with no support that services were provided. For 3,958 of the 362,110 NEMT claims (1 percent), which totaled $258,115 paid from July 2020 to February 2021, IntelliRide or providers submitted the claims without any documentation showing that recipients received the NEMT services from the providers listed in the claim. The $258,115 is known questioned costs and includes: o 3,323 claims totaling $163,985 submitted by IntelliRide with no documentation in EcoLane of a ride being scheduled or provided. o 619 claims totaling $61,431 submitted by IntelliRide for which EcoLane showed the scheduled ride was cancelled. o 16 sampled claims totaling $32,699 submitted by providers directly to the Department had no documentation that an NEMT service occurred because the providers did not send the Department documentation for their claims. Upon our request, the Department attempted to obtain supporting documentation from providers for these claims but was unable to obtain any. ? Overpayments due to incorrect mileage and taxi rates. For 466 of the 321,099 mileage and taxi claims (less than 1 percent), the Department overpaid IntelliRide. Specifically, for 50 of the 287,308 mileage claims (less than 1 percent), the mileage submitted by IntelliRide that the Department paid was more than the ride mileage that IntelliRide documented in EcoLane. For 416 of the 33,791 (1 percent) claims submitted by IntelliRide on behalf of providers that were permitted to operate as taxis, the Department paid a higher rate than the providers? set PUC rate. The following table breaks out the overpayments that we identified, which totaled $6,759 in known questioned costs. We did not find issues with the rate amounts that the Department paid for non-mileage and non-taxi services. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Examples of these overpayments include: o An overpayment of $48 for a claim submitted by IntelliRide for a taxi provider that billed the wrong taxi rate. The Department paid $60 for a 4-mile trip, when it should have paid $12 based on the PUC rate of $3 per mile. o An overpayment of $79 for a claim submitted by IntelliRide on behalf of a provider because the claim showed the trip was 76 miles, but the EcoLane data showed the trip was 38 miles. The Department paid $157, when it should have paid $78. ? Unallowable rides, not for medical appointments. For 61 claims showing NEMT trips every day in December 2020 for two recipients, there were no medical claims corresponding to their trips, so it appears that either NEMT was used repeatedly to transport these recipients to unallowable destinations or the provider did not provide the trips claimed. The NEMT provider reported to IntelliRide that these trips were completed even though the recipients did not attend any medical appointments that month. IntelliRide submitted the 61 NEMT claims and its EcoLane data showed that the NEMT providers self-reported that the trips were completed. However, IntelliRide confirmed that these trips were not used to access medical care. The issues we identified resulted in $2,674 of known questioned costs. ? Air ambulance claims paid without prior authorization. None of the 11 air ambulance NEMT claims had supporting documentation that the provider requested or received prior authorization from the Department before the trip occurred. These 11 claims to three providers resulted in $23,122 in known questioned costs. ? Claims paid for trips that were not the least costly, medically necessary, and/or for approved escorts. For seven of the 85 sampled claims (8 percent), IntelliRide submitted the claims without having required documentation from medical providers. Specifically, four claims lacked documentation to support the medical necessity for the type of vehicle used (either mobility vehicle, taxi, or wheelchair van); the other three claims lacked documentation of the recipient?s need for an escort to support the associated cost, which indicates that the three sampled NEMT trips were provided to an escort ineligible to ride with the recipient. The issues we identified for the seven claims resulted in $927 of known questioned costs. In addition, we found the following problems resulting in $5,180,962 in likely questioned costs, which are estimated potential violations of federal requirements that we could not confirm due to a lack of documentation: ? $4.8 million paid for taxi claims without mileage. For 29,049 taxi claims totaling $4,763,071, the Department paid the claims without ensuring taxi providers were paid at their PUC per-mile rate. These claims were submitted directly to the Department by 10 permitted taxi providers. The Department required providers to submit claims showing only the number of one-way trips driven, not the number of miles driven. As a result, the Department could not ensure that these taxi claims were paid at the correct PUC rates, as required in its Billing Manual and Rate Schedule. The Department paid the full amount that each taxi provider requested, as long as the claim was not more than $1,000 per one-way trip. For example, the Department paid $4,000 to one taxi provider for a claim showing four one-way trips for a recipient on a single day. Based on the claim amount, the taxi provider would have had to have driven the recipient on four 400-mile, one-way trips that day to justify this amount, because the taxi provider?s PUC rate is $4 for the first mile and $2.50 for each additional mile. Since the Department did not obtain the miles driven for each one-way trip from taxi providers for these 29,049 claims, we could not determine whether the payments were accurate based on each provider?s PUC rate, as required. ? $409,575 paid for taxi claims for providers not permitted as taxis. For 3,284 NEMT claims for taxi services from eight providers, the providers were not permitted by the PUC to operate as taxis. For example, one provider was paid for an NEMT taxi claim for $5,875 for 12 trips, or $490 per trip. Since these providers were not permitted as taxis, they did not have PUC-set taxi rates, so we could not determine how much these providers should have been paid. ? $4,718 paid for trips that may not have been to attend medical services. As of April 2021, 13 of the 22 sampled NEMT claims (59 percent) for trips in December 2020 had no medical claims for dates corresponding to the NEMT trips. Department staff told us that Medicaid medical claims are typically submitted and paid within 3 months of the date of service, but that there is a possibility that medical providers had not yet submitted medical claims for the recipients since federal regulations technically allow providers up to 12 months to submit claims [42 CFR 447.45(d)(1)]. In addition, six of these 13 recipients had both Medicaid and other types of medical insurance, such as Medicare. According to the Department, it is possible that the six recipients used NEMT trips to access medical services but the Department did not have a Medicaid claim for the services because they were paid by the other types of insurance, which is allowed by state regulations [10 CCR 2505-10 8.014.5.B.2]. Therefore, we could not determine whether the NEMT trips associated with the 13 claims had been for recipients to attend medical services. ? $3,598 paid for trips that may not have been completed. For 61 of the 362,110 paid claims (less than 1 percent), the scheduled trips were not marked as complete in EcoLane, so we could not determine whether they had been completed. Why did these problems occur? The Department lacks effective internal controls over NEMT claims to ensure they are appropriate and consistently comply with federal and state requirements. According to federal regulations [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls to provide reasonable assurance that federal funds are spent in compliance with federal requirements. We identified the following areas where Department controls are lacking for NEMT claims: Lack of Department information technology (IT) Controls in interChange ? No IT controls to prevent providers from bypassing broker. From December 2020 through February 2021, the Department paid NEMT providers directly for unsupported NEMT trips because the Department did not have IT controls in interChange to deny claims for trips that were not brokered through IntelliRide, as required at the time. As of September 1, 2021, the Department plans to require only the NEMT providers operating in nine metro-Denver counties to broker trips through IntelliRide, so the Department needs IT controls to ensure providers in these counties work with IntelliRide to schedule all trips and submit related claims. ? Lack of IT and other controls to ensure proper payments for NEMT taxi services. InterChange is programmed to pay each NEMT taxi claim based on one-way trips, but the Department has not implemented an IT or other control to ensure that NEMT taxi claims are paid at the providers? current PUC-approved per-mile rates, and that the Department only pays taxi rates when the provider is permitted by the PUC to operate as a taxi. Department staff stated that the only IT control the Department has built into interChange to help ensure proper payment of taxi claims is limiting payments for taxi claims to no more than $1,000 per one-way trip, and that this control is in accordance with the NEMT Billing Manual and Rate Schedule. However, Department staff also acknowledged that there is a conflict within the Billing Manual that requires taxi claims to be based on the number of one-way trips, but also paid based on per-mile PUC rates. By setting the limit based only on the number of one-way trips instead of providers? PUC per-mile rate, this Department IT control is not effective at ensuring taxi claims are paid properly. To ensure accurate payments for NEMT taxi claims, the Department will need methods, such as IT controls in interChange, and clarification in the Billing Manual and Rate Schedule, to ensure taxi providers are paid based on set rates, and ensure each taxi provider is permitted. ? No IT controls to ensure required prior authorizations. Air ambulance services were paid without the Department?s prior authorization for the services because the Department does not have IT controls to ensure prior authorization before payment. If the Department does not implement IT controls to ensure appropriate prior authorizations of NEMT services, the Department will need to develop manual processes to ensure that NEMT services receive required authorization prior to paying the related claims. Lack of Department Monitoring of NEMT Services and Claims ? Insufficient methods to ensure appropriate payment and collect necessary documentation from providers that bypass the statewide brokerage. Although the Department reviewed NEMT provider supporting documentation for NEMT services in 2019, the Department did not do so in 2020 or 2021, and had no process to require the providers that bypassed the statewide brokerage to submit documentation to support their NEMT claims before they were paid. According to the Department, in September 2021, it plans to require providers in nine counties covered by the IntelliRide brokerage contract to provide and submit claims through IntelliRide; however, NEMT providers in the remaining 55 counties will be submitting NEMT claims directly to the Department. Therefore, it is important that the Department develop a process to ensure that providers in these 55 counties maintain required documentation for each claim. ? Lack of monitoring to ensure Intelliride submits accurate mileage claims and collects necessary documentation. The Department does not conduct reviews of IntelliRide?s documentation in EcoLane to ensure it submits claims for accurate mileage and maintains support for claims submitted to or paid by the Department. For example, the Department does not reconcile its NEMT claims data from interChange and IntelliRide?s EcoLane system data to ensure each claim is supported. Furthermore, the Department has never completed a file review of IntelliRide?s supporting documentation for NEMT claims, such as when the Department contracted with IntelliRide to be a regional broker prior to becoming the statewide broker. ? No method to ensure NEMT service claims are for rides for medical treatment and the least costly. The Department does not conduct any reconciliation of its interChange data on NEMT trip claims to its interChange data on Medicaid medical claims to ensure NEMT claims are only paid for recipients to access medical care. The Department also does not require confirmation from medical providers that recipients used NEMT to access necessary medical care. For example, NEMT providers told us that before the start of the IntelliRide statewide brokerage contract, they either called medical providers to confirm that the recipients? NEMT trips were to access medical appointments or collected medical providers? signatures for each NEMT trip. In addition, the Department has no controls to ensure providers that submit claims directly to the Department are providing the least costly NEMT service appropriate to each recipient, such as public transportation when it is accessible and appropriate. For example, IntelliRide instructs its staff to attempt to schedule the lowest-cost NEMT service based on recipients? mobility needs and access to public transportation; however, the Department has no such method to ensure services are the least costly when NEMT providers schedule services for recipients. As of September 2021, the Department plans to have the recipients who live in the 55 counties not served by IntelliRide begin scheduling their rides directly with the NEMT providers of their choosing, yet the Department has not developed a method to ensure recipients in these areas receive the lowest-cost services appropriate for their needs. ? Potentially insufficient Department staffing to monitor NEMT claims effectively. For Fiscal Year 2021, the Department was appropriated three full-time equivalent (FTE) staff to oversee NEMT claims; however, the Department had two vacancies in these positions from July 2020 through May 2021 that it did not fill, so there was only one Department staff overseeing NEMT and the IntelliRide statewide contract during the audit time period. In June 2021, the Department added an additional FTE staff member to assist in administering the NEMT benefit. Why do these problems matter? Likely federal recovery of funds used for improper payments. Section 25.5-4-301(2), C.R.S., states that any overpayments of claims to providers are recoverable and ?are recoverable regardless of whether the overpayment is the result of an error by the state department? an entity acting on behalf of [the department], or the provider or any agent of the provider.? Our audit identified $291,597 in known questioned costs, of which about $145,797 is the federal portion of funds that the federal government may recover. We also identified $5,180,962 in likely questioned costs, of which $2,590,480 is the federal portion of funds that could be recovered if the payments are determined to have not been appropriate. The following table shows the questioned costs and federal portions for each problem we identified. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote When providers bypass broker controls, service quality is not monitored. When the Department allows some NEMT providers to bypass the IntelliRide broker, and does not obtain documentation to support their claims, the Department is unable to monitor the services of these providers. Additionally, when the Department does not monitor providers that bypass the statewide broker, the Department is applying different and possibly inadequate standards for the providers that bypass compared to the providers that work with IntelliRide. Although the Department plans for IntelliRide to no longer be the statewide NEMT broker for all 64 counties beginning September 2021, IntelliRide will continue to administer NEMT trips for nine Front Range counties that account for the majority of NEMT trips. It is important that all NEMT trips in these counties be brokered through IntelliRide so that the Department can monitor the quality of the trips and IntelliRide?s oversight of them. Risk of fraud, waste, and abuse. When the Department pays NEMT claims that are not supported by documentation of the service, medical documentation showing NEMT was for medical treatment, or the required prior authorizations, there is a significant risk of misappropriation of federal and state funds by providers and/or recipients. In addition, the eight providers not permitted as taxis that submitted taxi claims appear to have set their own rates of payment at a significantly higher rate, since the PUC did not permit or set rates for these providers. While we did not identify confirmed fraud by recipients or providers due to a lack of supporting documentation for claims, the problems identified demonstrate waste of public funds and potential abuse of the Medicaid program. When the Department overpays Medicaid funds and pays for unallowable services, there are fewer funds available to service the recipients who need them. In addition, there is no federal or state limit on payments for NEMT services, so it is important that the Department ensure Medicaid recipients receive appropriate transportation to medical treatment, while also ensuring the Department is acting as a good steward of federal and state funds. See Schedule of Findings and Questioned Costs for chart/table Character Limit Exceeded See Statewide Single Audit Report
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-056 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-044 PROVIDER ELIGIBILITY Medicaid and CBHP cover a variety of medical and related services, which are provided by provider types such as clinics and hospitals, managed care organizations such as health plans or independent physicians, as well as individual medical providers working within these entities or individually. As of June 30, 2019, the Department had enrolled approximately 71,000 entities and individuals for providing services under Medicaid and CBHP. The Department is ultimately responsible for determining if providers are eligible to participate in Medicaid and CBHP. However, the Department has contracted with a fiscal agent, currently DXC Technology Services, LLC (DXC), to act on its behalf in determining Medicaid and CBHP provider eligibility. A fiscal agent is a contractor that performs certain provider enrollment and claims processing activities, including accepting, processing, evaluating, and approving or rejecting applications. The fiscal agent also assesses the providers into one of three risk categories?limited, moderate, and high?to ensure that appropriate federal and state regulations are applied during the provider enrollment process. Providers that want to enroll must complete an application within Colorado interChange and provide documentation, including a current business and/or medical license, showing that they fulfill all enrollment requirements. Once the enrollment process is complete, the Department enters into agreements with the providers that are found to be eligible. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over Medicaid and CBHP provider eligibility and enrollment processing, and to determine whether the Department complied with federal Medicaid and CBHP provider eligibility requirements during Fiscal Year 2019. Additionally, the purpose of our work was to determine the Department?s progress in implementing our Fiscal Year 2017 and 2018 recommendations related to provider eligibility and enrollment. At that time, we recommended that the Department improve its controls over Medicaid and CBHP provider eligibility determination and enrollment to ensure that it complies with federal and state requirements related to data verification, documentation including current provider licenses, monitoring policies and procedures, appropriate indication of results of database matches, and consistent display of provider information within Colorado interChange. The Department agreed with our recommendations and stated that it would implement them by Fiscal Year 2019. We reviewed a sample of 25 Medicaid provider applications for individual, company, and managed care providers that were deemed eligible and received payments during Fiscal Year 2019 through Colorado interChange for services provided. We obtained and reviewed the provider application information entered into Colorado interChange, as well as the supporting documentation uploaded into Colorado interChange by providers, to determine whether these providers were accurately deemed eligible to receive Medicaid payments and whether the required documents were present in accordance with federal and state regulations. In addition, we conducted interviews with Department staff regarding its procedures over Medicaid provider eligibility and enrollment. We also obtained a detailed Suspension Listing from the Department of Regulatory Agencies, which contained health care provider business and medical licenses that were terminated during Fiscal Year 2019. We compared the Suspension Listing with provider information in Colorado interChange to determine if the Department made inappropriate claims payments to unlicensed providers during the fiscal year. Because CBHP is operated through Medicaid, and the processes followed for provider eligibility and enrollment for CBHP providers are the same as the processes for Medicaid providers, our testing looked at compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal and state Medicaid regulations for provider eligibility during Fiscal Year 2019. Specifically, although we did not identify enrollment issues with the Department?s processing of providers who were newly enrolled during Fiscal Year 2019, we found at least one issue related to ongoing eligibility with all 25 sampled providers we tested: ? DATABASE MATCHES AND DISPLAY OF PROVIDER INFORMATION. We identified the following database match functionality issues with 24 of 25 providers (96 percent) tested: ? For 23 of 25 providers (92 percent) that included individual, company, and managed care providers, Colorado interChange showed that the provider?s owners, agents, and managing employees? SSNs were not verified against federal databases, as required. Specifically, the SSN check box within Colorado interChange indicated ?N,? meaning ?No verification was performed with the database.? Additionally, for one of 25 providers (4 percent) that was a managed care organization, the organization was enrolled in Colorado interChange in April 2019 and showed that the SSNs had been verified, but SSNs for two individuals who worked under this provider that were listed on the application were shown as ?N? within the system. ? For eight of 25 providers (32 percent) that included companies, Colorado interChange showed that the providers? Federal Employee Identification Numbers (FEIN) were not verified against federal and state databases, as required. Specifically, the FEIN check box within Colorado interChange indicated ?N.? ? For 13 of 25 providers (52 percent), Colorado interChange did not present the data of owners, agents, and managing employees information consistently between various screens within Colorado interChange. For example, when a provider noted owners, agents, or managing employees on its application, that information was not reflected in Colorado interChange outside of the application screen even though there is a section in Colorado interChange that should list the owners? information. According to federal regulation [42 CFR 455.436] and requirements established by the ACA [Patient Protection and Affordable Care Act (2010), Section 6401(a)], the Department must check federal databases to confirm providers? identity and determine whether providers are excluded from participating in the Medicaid program; this verification must also occur, if applicable, against providers? owners, agents, and managing employees. For example, the Department must check the federal exclusion databases at least monthly to ensure that the providers, owners, agents, and managing employees are not excluded from participating in the Medicaid program. Colorado interChange is designed to display provider application information consistently between various screens within the system, such as name, SSN, FEIN, and/or National Provider Identification number (NPI), with various federal and/or state databases to identify potential errors and to flag the application for a required caseworker manual review. According to Department staff, when Colorado interChange successfully verifies provider-provided information against another state or federal database, Colorado interChange should separately mark each verified data field on the application to note the successful match. Conversely, if Colorado interChange does not match a given field against a database, it should also be identified in the system. As a result of these issues, we were unable to determine if Colorado interChange performed the required matches and if any discrepancies in provided information were identified and presented to DXC, the fiscal agent, for a manual review to verify eligibility, as required. ? DOCUMENTATION. The Department did not maintain sufficient documentation within Colorado interChange for the receipt date of the fingerprints from the provider, the collection of application fees, and site visits, as follows: ? For four of 25 providers (16 percent) tested, the Department?s fiscal agent failed to fill in the receipt date field within Colorado interChange to indicate when fingerprints were received from enrolling providers. After bringing this issue to the Department?s attention, the Department provided fingerprinting documentation in November 2019 to support that these providers submitted fingerprints within 30 days of Department request in accordance with federal regulation; however, that receipt date information had not been documented in Colorado interChange as of November 2019. ? For one of 25 providers (4 percent) tested, the provider was assessed as high risk but the provider?s file did not contain evidence that an application fee was collected or that the fiscal agent conducted a site visit, as required. Under federal requirements [Sub Regulatory Guidance for State Medicaid Agencies (SMA): Revalidation (2016-001(3))], the Department ?must be able to produce documentation to support each of the provider screening and enrollment requirements,? such as requirements for fiscal agent-conducted site visits of moderate and high risk providers during the enrollment and revalidation process. Federal regulation [42 CFR 455.432] states that the State Medicaid Agency or their fiscal agent must conduct pre- and post-enrollment site visits of providers who are deemed as moderate or high risk to the Medicaid program. The purpose of the site visits is to verify that the information submitted to the state Medicaid agency is accurate and to determine compliance with federal and state enrollment requirements. Additionally, the Department?s contract with DXC requires the fiscal agent to maintain detailed documentation and procedures for Medicaid provider enrollment. Federal regulation [42 CFR 455.434] requires that, for any provider assessed by the Department as high risk, the Department must obtain fingerprints from the provider, including fingerprints for any person(s) who has a 5 percent or more direct or indirect ownership interest in the provider and furnishes medical or pharmaceutical services or supplies. The provider must submit the fingerprints within 30 days, upon request by the Department. Federal regulation [42 CFR 455.460(a)] states that the Department must collect the applicable application fee prior to executing a provider agreement from a prospective or re-enrolling provider, with certain limited exceptions. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal control over its federal awards that provides reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Green Book Paragraph 16.01, Perform Monitoring Activities, which states that the Department ?should establish and operate monitoring activities to monitor [its] internal control system and evaluate the results.? Monitoring activities include reviewing reports, observing operations, and ensuring that activities are carried out in accordance with the federal grant agreement. ? INELIGIBLE PROVIDERS: Based on our review of the suspended license listing from the Department of Regulatory Agencies, we identified three providers that had their licenses suspended during part of Fiscal Year 2019 but continued to be shown as active in Colorado interChange, as follows: ? One provider had its license suspended between February 11, 2019, and March 27, 2019; however, during this timeframe, the provider continued to bill claims and receive payments from Colorado interChange. After we questioned the Department about the issue, the Department issued a demand for payment letter dated October 18, 2019, to the provider for $15,061 in payments that were inappropriately paid. We consider these $15,061 payments to be known questioned costs; $7,531 of these payments were made with federal grant funds. ? Two providers had suspended licenses as of September 21, 2018, and February 25, 2019, respectively, but showed as active in Colorado interChange through June 30, 2019, and therefore appeared eligible to bill claims and receive payments. Based on additional testing, we determined that no payments were made to these providers after their licenses were suspended and did not identify any questioned costs associated with these two providers. Federal regulation [42 CFR 455.412] requires that the Department must have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State and confirm that the provider?s license has not expired and that there are no current limitations on the provider?s license. This federal regulation requires the Department to verify that the providers meet required licensure standards initially, and it is best practice for the Department to verify that the providers meet these standards on an ongoing basis to ensure that there are no current limitations on the provider?s license. In addition, state regulation [10 CCR 2505-10 8.125.9, Verification of Provider Licenses] states, ?If a provider is required to possess a license or certification in order to provide services or supplies in the State of Colorado, then that provider must be so licensed as a condition of enrollment as a Medicaid provider. As a condition of enrollment, any required licenses must be active without any current limitations.? Under the federal regulation, Requirements for Estimating Improper Payments in Medicaid and CHIP [42 CFR 431.958], ?Improper payment means any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements; and payment means any payment to a provider, insurer, or managed care organization for a Medicaid or CHIP beneficiary?? WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls in place over provider eligibility and claims payment processes related to the monitoring of DXC, its fiscal agent, during Fiscal Year 2019 to ensure that it complied with federal and state regulations. Specifically, Colorado interChange required fixes that were in various stages of correction during Fiscal Year 2019. According to the Department, Colorado interChange required a system fix in December 2018 in order to properly mark and/or display results related to federal and state database checks going forward; however, the system fix did not completely resolve the display issues to accurately indicate whether the data matches had occurred, and the Department did not retroactively make corrections to any cases that erroneously indicated that their information had not been verified. Rather, the Department stated that the inconsistent display issue related to providers that enrolled in the program when Colorado interChange was initially implemented and that this will be addressed after these providers are revalidated in Fiscal Year 2020 or when a provider updates their information, whichever occurs first. Additionally, the Department indicated that Colorado interChange did not have an automated system alert to check with the Department of Regulatory Agencies? license database on a regular basis to notify the fiscal agent and/or the Department that a license had expired. Although the Department reported that they had an interim manual process to ensure that expired licenses were identified and that subsequent steps were taken to ensure that providers remained eligible throughout the fiscal year to provide Medicaid services, the manual process did not identify and/or address the instances that we identified through our audit. Finally, we noted that the Department lacked an effective monitoring process over DXC, its fiscal agent, to ensure that the required documentation was maintained in accordance with Uniform Guidance, as the monitoring policies and procedures referred to as Provider Enrollment Audit Process were still in the draft stage during Fiscal Year 2019 and had not been formalized. WHY DO THESE PROBLEMS MATTER? By not ensuring that appropriate internal controls, including system controls and monitoring, are in place over the Medicaid provider eligibility and enrollment processes, the Department cannot ensure that all Medicaid providers are eligible or qualified to participate in the program. Additionally, without instituting a process to regularly update provider licensure information and to ensure that provider information contained in Colorado interChange is consistent and accurate, the Department cannot ensure that the enrolled providers are appropriately screened and are eligible to receive payments. Ensuring that providers contained in Colorado interChange are qualified to provide services is especially important because Colorado interChange is also used for provider eligibility determination for CBHP. Overall, the State could risk losing federal Medicaid and CBHP funding if it allows non-qualified providers to bill and be paid for services provided for these programs. RECOMMENDATION 2019-046 The Department of Health Care Policy and Financing (Department) should improve its controls over Medicaid and Children?s Basic Health Plan (CBHP) program provider eligibility determination and enrollment to ensure that it complies with federal and state requirements by: A Working with its fiscal agent to ensure that Colorado interChange performs all required database matches and properly displays results of Social Security Number and Federal Employer Identification Number verifications for all providers. B Establishing an effective process to ensure that provider licensing information contained in Colorado interChange is current, that any expired licenses are identified, and that any ineligible providers are disallowed from providing Medicaid and CBHP services and receiving payments in accordance with Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). C Formalizing the Department?s monitoring policies and procedures called Provider Enrollment Audit Process over the fiscal agent to ensure required documentation is maintained in accordance with Uniform Guidance. D Ensuring that Colorado interChange displays provider information consistently throughout the system. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department is working with its Fiscal Agent to ensure all required database screenings are performed and clearly identified in the Colorado interChange. An issue was identified in a prior year, FY 2018-19, that not all screening information was consistent. There was also a concern that initial screenings might miss some individuals due to the way data was formatted when transferred from LexisNexis. The issue was resolved by the Fiscal Agent prior to FY 2019-20. The Fiscal Agent is continuing to conduct manual reviews of all screening results to ensure compliance. A separate process to screen providers monthly is executed by the Department's Program Integrity Section. Through this process, no providers were found to have been enrolled incorrectly and, as necessary, the Department took appropriate action if there were changes to a provider's information. The Department is working with its Fiscal Agent to properly display results of Social Security Number and Federal Employer Identification Number verifications for all providers and automate the review process. The Department's implementation date reflects that the Department will complete the improvements and be in compliance with the Recommendation for the entirety of FY 2022-23. B DISAGREE. The Department finds that the Colorado interChange is working as designed, that the Fiscal Agent is appropriately enrolling providers, and that the Department is in compliance with the federal regulations regarding enrolling and revalidating providers. The Department is compliant with 42 CFR ? 455.436, which requires providers to be screened at enrollment and revalidation. All providers are assessed for eligibility requirements at enrollment and revalidation and are then screened monthly to identify any changes. For the licensing issue identified in this audit report, the Department performed the appropriate actions to recover funds within less than a month of the incident, which is compliant with federal regulation 42 CFR ? 455.436(c)(2). AUDITOR?S ADDENDUM: As noted in the finding, we found issues with the Department?s ongoing verification and monitoring of providers? eligibility that failed to prevent improper payments to an ineligible provider during the fiscal year. In addition, the Department did not send notification to recover funds from the provider until October 2019, or 8 months after the provider?s license was suspended. C AGREE. IMPLEMENTATION DATE: JULY 2020. The Department finalized the Fiscal Agent monitoring policies and procedures in December 2019 and therefore was unable to be in full compliance for the entire FY 2019-20. The Department's implementation date reflects that the Department will be in compliance with the Recommendation for the entirety of FY 2020-21. D DISAGREE. There was an initial system configuration on some early enrollments that prevented populating the requested information in the visible provider subsystem tabs for the auditor to review. The verification functionality happens within the provider portal and not in the visible provider subsystem tabs that the auditor reviews. However, no functionality or data was lost, the information only appeared and was stored in the provider portal. The Department implemented a solution so that the information will be displayed in the provider subsystem. This change is pending the next update the providers make and the data will be visible in the provider subsystem. The Department will not be making historical changes to the system. The Department has worked with the Fiscal Agent to resolve the issues which led to the finding and does not believe that expending additional resources to display historical information in both the provider portal and the provider subsystem is the best use of resources. The Department can produce the information manually. AUDITOR?S ADDENDUM: The data inconsistency issues we identified through our audit were based on our reviews of Colorado interChange through the access provided to us by the Department. As noted in the finding, inconsistent information within the provider eligibility screens used for Medicaid and CBHP increases the risk of inaccurate reviews of provider eligibility and ultimately, inappropriate enrollment screening. Therefore, as our recommendation states, the Department should ensure that Colorado interChange displays provider information consistently. The recommendation did not include restatement of historical information.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-048 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-035 MEDICAL ASSISTANCE PAYMENTS FOR DECEASED BENEFICIARIES As a safeguard against potential errors and fraud, state and local agencies need to be vigilant in preventing payments for medical services on behalf of ineligible individuals, such as those who are deceased. In general, the Department, local counties, and MA sites share responsibility for ensuring that only eligible beneficiaries receive public assistance benefits under Medicaid and CBHP. Local counties and MA sites caseworkers enter the required data for eligibility determination into CBMS, which either approves or denies eligibility for MA benefits. In addition, CBMS has various system interfaces to confirm and update the eligibility information in CBMS, including the date of death. Eligibility data in CBMS feeds daily into Colorado interChange and the Department pays providers through two methods: (1) FFS payments to medical service providers for specific services, including pharmacy prescriptions, and (2) capitation payments. The monthly capitation payments are paid at the beginning of each month regardless of whether the providers serve beneficiaries during the month or not. FFS payments are only made for Medicaid beneficiaries while capitation payments are made for both Medicaid and CBHP beneficiaries. Colorado interChange is programmed to pay FFS and monthly capitation payments only on behalf of beneficiaries that are deemed eligible based on eligibility information received from CBMS and requirements specified in federal and state regulations. CBMS receives beneficiary death information through various sources, including updates from beneficiaries? family members, daily interfaces with the SSA, and a monthly interface with the Colorado Electronic Death Registration System maintained by the Colorado Department of Public Health and Environment (CDPHE). If death information received in CBMS has not been verified, the Department will confirm the death information by sending notification letters to the deceased beneficiary. Once the death information is verified, CBMS is programmed to terminate the beneficiary?s eligibility as of the date of death. On a daily basis, CBMS then sends updated beneficiary eligibility and date of death information to Colorado interChange, which is programmed to run a daily automated process to stop payments, check for payments, and recover all FFS and capitation payments made after the beneficiary?s verified date of death. In the majority of cases, there is a delay between when the beneficiary dies and when the Department receives death information, verifies the date of death, and terminates benefits; which means that claims may be paid on behalf of deceased beneficiaries for a period of time. Per federal regulations, the Department is required to recover any payments made on behalf of these beneficiaries after their date of death. Once the Department receives verified death information, overpayments are recovered through an automated process in Colorado interChange. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over Medicaid and CBHP payments related to beneficiaries who die while receiving benefits, to determine whether the Department complied with applicable federal and state requirements, and whether payments were only made on behalf of eligible beneficiaries during Fiscal Year 2020. During our audit, we received a listing of all Coloradans who died during Fiscal Year 2020, including dates of death, from CDPHE staff. We also obtained a listing from the Department of all Medicaid and CBHP payments made to providers during Fiscal Year 2020. We compared the two listings using Social Security Numbers (SSN) and identified 1,059 Medicaid and CBHP IDs that had Medicaid payments totaling $429,951 made on their behalf and $194 in CBHP payments made on their behalf. In addition, we reviewed the Department?s processes, policies, and procedures for identifying, stopping, and recovering payments for deceased beneficiaries. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? Federal regulation [42 CFR 431 Subpart Q, Requirements for Estimating Improper Payments in Medicaid and CHIP] states that any payment to an ineligible beneficiary is considered an improper payment, which is any payment that should not have been made or that was made in an incorrect amount. Also, Section 25.5-4-301(2), C.R.S., requirements for Medicaid and CBHP, states that any overpayments of claims to providers are recoverable. These overpayments ?are recoverable regardless of whether the overpayment is the result of an error by the state department, a county department of human or social services, an entity acting on behalf of either department, or by the provider or any agent of the provider.?? Additionally, Section 25.5-4-301(2)(a)(II), C.R.S., states, ?If the state department makes a determination that such overpayment has been made for some other reason than a false representation by the provider?, the state department may waive the recovery or adjustment of all or part of the overpayment and accrued interest specified in this subparagraph (II) if it would be inequitable, uncollectible or administratively impracticable?.? Because medically necessary services cannot be provided after a beneficiary?s death, no medical services are allowable after a beneficiary?s death and, accordingly, payments for medical services claimed to have been provided after a beneficiary?s death are overpayments and should be recovered. Pursuant to 1903(d)(2)(C) of the Social Security Act [42 U.S.C. 1396b] requirements for Medicaid and CBHP, states have up to 1 year from the date of discovery of any overpayment to recover or attempt to recover the overpayment before the federal share must be refunded to CMS, regardless of whether or not recovery is made from the provider. According to federal regulation [45 CFR 75.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. Green Book, Paragraph 16.01, states that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. A questioned cost, as defined in Uniform Guidance [45 CFR 75.2], is ?a cost that is questioned by the auditor ? (1) Which resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds; [or] (2) Where the costs, at the time of the audit, are not supported by adequate documentation?.? Additionally, federal regulation [45 CFR 75.516] defines known questioned costs as questioned costs that are specifically identified by the auditor and likely questioned costs as the auditor?s best estimate of total questioned costs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We found that the Department made Medicaid and CBHP payments to providers for medical services claimed to have been rendered to Medicaid and CBHP beneficiaries after the months in which beneficiaries died. Specifically, the Department made payments on behalf of 1,059 beneficiaries after their date of death provided by CDPHE, resulting in overpayments of $185,265, of which $96,952 were paid with federal grant funds, as follows: MEDICAID FFS PAYMENTS. We identified 277 Medicaid beneficiaries whose SSN matched a death record from CDPHE and who had Medicaid FFS payments totaling $207,667 paid on their behalf to providers after their date of death. We reviewed payments for 21 of the 277 Medicaid beneficiaries and confirmed with the Department that 17 of the 21 beneficiaries (81 percent) were deceased and had payments made on their behalf after their date of death during Fiscal Year 2020. We also found that the Department had not recovered these improper FFS payments to ineligible beneficiaries as of the end of Fiscal Year 2020 and, therefore, these errors resulted in known questioned costs of $17,041, of which $8,654 was paid with federal grant funds. For the remaining four Medicaid beneficiaries, the Department researched and provided evidence that the beneficiaries were not deceased. Therefore, these four beneficiaries did not result in questioned costs. The remaining 256 beneficiaries whose SSN matched a death record from CDPHE and need to be researched and verified resulted in likely questioned costs of $77,840, of which $41,422 was paid with federal grant funds. MEDICAID AND CBHP CAPITATION PAYMENTS. We identified 846 Medicaid and CBHP beneficiaries whose SSN matched a death record from CDPHE and who had capitation payments paid on their behalf to providers after their date of death that had not been recovered as of the end of Fiscal Year 2020, totaling $222,630 for Medicaid and $194 for CBHP. We informed the Department of the issues we identified and provided them with the list of 846 beneficiaries. Department staff performed additional follow-up and confirmed that Colorado interChange had received verified death records for 747 of the 846 beneficiaries and a total of $170,747 in provider payments had been made on the beneficiaries? behalf after their dates of death during Fiscal Year 2020. These payments resulted in known questioned costs of $168,224, of which $88,150 was paid with Medicaid federal grant funds and $148 was paid with CBHP federal grant funds. For 12 out of the 747 beneficiaries, the date of death reported in Colorado interChange differed from the date of death provided by CDPHE. Part of the payments to these beneficiaries resulted in likely questioned costs of $2,524, of which $1,401 was paid with Medicaid federal grant funds. For the remaining 99 of the 846 beneficiaries, the Department reported that Colorado interChange did not have death information for these beneficiaries and had not researched these further. As a result, Medicaid payments for these 99 beneficiaries are reported as likely questioned costs of $52,076, of which $28,508 was paid with federal grant funds. The following table summarizes the issues we identified. See Schedule of Findings and Questioned Costs for chart/table. WHY DID THESE PROBLEMS OCCUR? Overall, the Department lacked sufficient internal controls to ensure that medical assistance payments were not paid to deceased individuals during Fiscal Year 2020, as follows: ? LACK OF WRITTEN POLICIES AND PROCEDURES. The Department does not have written policies and procedures to monitor payments to deceased beneficiaries, to recover overpayments, and to ensure compliance with federal and state regulations related to medical assistance payments after a beneficiary?s date of death. ? SYSTEM ISSUES. We identified the following Colorado interChange system issues that caused the errors we identified: ? According to the Department, when Colorado interChange was implemented in 2017, it was programmed to only recover capitation payments in the current month and previous 2 months for Medicaid beneficiaries, and in the current month and previous 5 months for CBHP beneficiaries, after death information is received. As a result, for instances in which the Department received and verified beneficiaries? death information more than 3 months after the date of death for Medicaid and more than 6 months after the date of death for CBHP, the Department was not automatically recovering all improper capitation payments in accordance with federal and state regulations. According to the Department, in November 2020, the Department updated Colorado interChange to correct this system issue to recover all capitation payments after a beneficiary?s date of death. ? The Department lacks an effective internal control process for detecting when Colorado interChange is not recovering payments made on behalf of deceased beneficiaries. Specifically, we identified issues related to Medicaid FFS payments and followed up with the Department. Upon further review, the Department discovered a system defect that occurred from October 23, 2019, through April 23, 2020, which prevented Colorado interChange from carrying out the daily automated check and recovery process for FFS payments made on behalf of deceased beneficiaries. Due to this system defect, Colorado interChange did not recover any payments for deceased beneficiaries during this time. Although the system defect was fixed in April 2020, the Department was not aware of the issue and that payments were not being recovered for deceased beneficiaries until the Department researched the beneficiaries identified through the audit. According to the Department staff, as of May 2021, the Department was still researching the deceased beneficiaries impacted by the system defect and recovering payments. WHY DO THESE PROBLEMS MATTER? Without strong internal controls over Medicaid and CBHP eligibility, the Department increases the risk of improper payments due to fraud or error. Furthermore, making payments on behalf of ineligible individuals, including individuals who are deceased, can result in the Department having to repay the federal government for the federal portion of the overpayments. Additionally, the federal government can disallow federal funds for program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-035 The Department of Health Care Policy and Financing should improve its internal controls over Medicaid and Children?s Basic Health Plan (CBHP) payments for deceased beneficiaries by: A Establishing and implementing written policies and procedures to monitor payments to deceased beneficiaries, recover any overpayments, and to ensure compliance with state and federal regulations. B Researching and resolving the Colorado interChange system (Colorado interChange) issues to ensure that all Medicaid and CBHP payments are stopped and recovered after a beneficiary?s date of death and developing a process to detect when Colorado interChange is not recovering payments on behalf of deceased beneficiaries. C Researching and recovering any overpayments made to providers on behalf of ineligible beneficiaries noted through the audit in accordance with state requirements. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will create written procedures documenting system and monitoring processes used to prevent claims from paying after a beneficiary?s date-of-death is verified. In addition, the procedures will document the processes used to recover payments made between a beneficiary?s verified date-of-death and the date the Colorado interChange system is updated with the date-of-death. B AGREE. IMPLEMENTATION DATE: JULY 2022. The system issues described in this audit were resolved as of April 2020 for fee-for-service claims and November 2020 for capitation payments. Once a beneficiary's date-of-death is verified, payments that were made after to the date-of-death will be recovered through the Department's existing processes. As noted in the Department?s response to Recommendation (A), the Department will create written procedures documenting system and monitoring processes used to prevent claims from paying after a beneficiary?s date-of-death is verified. In addition, the procedures will document the processes used to recover payments made between a beneficiary?s verified date-of-death and the date the Colorado interChange system is updated with the date-of-death. AUDITOR?S ADDENDUM As noted in the finding, the Colorado interChange system defect did not recover payments from October 23, 2019, through April 23, 2020. However, the Department was not aware of the system defect until it researched the beneficiaries identified through the audit. According to Department staff, as of May 2021, the Department was still researching the beneficiaries that were impacted by the system defect and recovering payments. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will recover any overpayments made to providers on behalf of deceased beneficiaries once a beneficiary's date-of-death is verified based on our current processes and existing system functionality. The Department does not agree to the questioned costs identified by the auditors. When performing a review of the auditor?s data, several beneficiaries were found not to be deceased by the Department. The records provided by the auditors, like all records received from Colorado Department of Public Health and Environment (CDPHE) and the Social Security Administration (SSA), will go through the Department?s existing verification process. The Department performs the required research and outreach to beneficiaries to verify the date-of-death prior to updating the information in the Colorado interChange. In addition, the Department is not required to recover payments by the end of the state fiscal year, and reports any payments recovered to the Centers for Medicare and Medicaid Service (CMS) based on federal requirements. The Department?s source of beneficiary data, the verification processes, and recovery processes have already been established to satisfy this recommendation within federal guidelines. AUDITOR?S ADDENDUM As noted in the finding, all known questioned were for deceased beneficiaries that were verified by the Department. All likely questioned costs were for beneficiaries that had yet to be researched and verified by the Department. According to Department staff, as of May 2021, the Department was still researching and recovering payments made on behalf of deceased beneficiaries.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-050 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-037 RECOVERING AND REFUNDING OF FEDERAL SHARE OF MEDICAID AND CBHP PROVIDERS? OVERPAYMENTS The Department pays providers for services rendered to eligible beneficiaries of Medicaid and CBHP programs. In some cases, the Department may discover that it paid a provider for unallowed services, or that it paid more than the allowable amount, and will need to seek a recovery for the overpayment. In such cases, the Department is required to repay CMS for the portion of the overpayment that was funded by the federal government (federal share) within 1 year of the date the overpayment was identified. The Department?s Program Integrity (PI) Division identifies, receives, and tracks overpayments made to Medicaid and CBHP providers. An overpayment is identified once the PI Division sends a Demand Letter (date of discovery) to the provider or receives a self-disclosure identifying the amount of overpayment. The provider has a deadline of 30 days after receiving a Demand Letter or 60 days after submitting a self-disclosure to submit the overpayment or make arrangements for a payment plan with the PI Division. The PI Division uses a recovery tracking spreadsheet (Spreadsheet) to compile all necessary information for the recovery and refund of overpayments. The Spreadsheet is designed to contain information such as the amount of the overpayment, date of discovery, and deadlines for refunding to CMS. The federal share of overpayments that must be refunded to CMS depends upon the Federal Medical Assistance Percentage (FMAP) at which the Department was reimbursed. Once the PI Division recovers an overpayment from the provider, it determines the FMAP and includes it in a recovery form called the Colorado Authorization Document; PI Division staff then send it to the Controller?s Division for recording the recovery and refund information in the Colorado Operations Resource Engine (CORE), the State?s accounting system. The Department?s Controller?s Division uses summary data from CORE to report financial information for Medicaid and CBHP?including all overpayments and the associated federal share?to CMS in quarterly reports: Form CMS-64 for Medicaid and Form CMS-21 for CBHP. The Department has up to 1 year from the date of discovery of an overpayment to report the refund to CMS in one of these forms, as appropriate. The PI Division works with the Controller?s Division to ensure the timely reporting and refunding of the federal share of overpayments to CMS. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to review the Department?s internal controls over processes for recovering, reporting, and refunding the federal share of Medicaid and CBHP overpayments, as well as to determine whether the Department complied with applicable federal requirements and Department policies and procedures during Fiscal Year 2020. During our audit, we reviewed the Department?s Spreadsheet detailing all overpayment cases that appeared to be due for a refund of federal share to CMS during Fiscal Year 2020. The Spreadsheet included 50 Medicaid and seven CBHP overpayment cases, and from these, we selected and tested a sample of 13 Medicaid and five CBHP overpayments. We requested and reviewed supporting documentation for these overpayments to determine whether (1) the information recorded in the Spreadsheet was accurate, (2) the overpayment was recovered in a timely manner or recovery was attempted within 1 year from the date of discovery, and (3) the federal share was appropriately refunded through quarterly reports to CMS in accordance with federal regulations. Additionally, we requested the Department?s policies and procedures to ensure compliance with federal regulations governing the recovery, reporting, and refunding of Medicaid and CBHP overpayments to CMS. The process followed for recovery, reporting, and refunding the federal share of overpayments to providers is the same for both Medicaid and CBHP, and our testing was used to determine compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal regulations for recovering, reporting, and refunding the federal share of Medicaid and CBHP overpayments to providers during Fiscal Year 2020. We noted issues with the untimely recovery and refund of overpayments to CMS, inaccurate federal reporting to CMS, and untimely follow-up with the provider on outstanding overpayments and expired checks. Specifically, we identified the following: ? UNTIMELY RECOVERY AND REFUND. For six of the 13 Medicaid (46 percent) and two of five CBHP (40 percent) overpayments tested, the Department failed to recover, or seek to recover, the overpayments from the provider and failed to refund to CMS, the federal share, within 1 year of the date of discovery, as required by federal regulations. For example, an overpayment was identified on September 13, 2018, but the Department did not recover, or seek to recover, the overpayment until September 15, 2020, and did not refund the federal share to CMS until federal quarter ending September 30, 2020, which is 367 days past the 1 year recovery and refund period in accordance with the federal requirement. In addition, for one of the 13 Medicaid (8 percent) and one of five CBHP (20 percent) overpayments tested, the Department failed to refund the federal share of overpayment to CMS within 1 year of the date of discovery. As a result of untimely follow-up with the providers, the Department did not recover the overpayments amounting to $23,646 in known questioned costs; and did not refund $12,176 within the 1 year period of discovery. These errors resulted in underreporting of overpayments to CMS for Fiscal Year 2020. Additionally, the Department could be liable to CMS for the interest payments on these untimely refunds of overpayments. As of the end of our audit, the Department had not provided an estimated amount of interest that will be due to CMS so we were unable to report an estimated questioned costs amount for the interest. According to federal regulation [42 CFR 433.312(a)(1) and (2)], the Department has 1 year from the date of discovery of an overpayment to a provider to recover or seek to recover the overpayment before the Federal share must be refunded to CMS. In addition, the Department must refund the Federal share of overpayments at the end of the 1-year period following the date discovery of overpayment, whether or not the State has recovered the overpayment from the provider. According to federal regulation [42 CFR 433.320(a)(4)], if the Department does not refund the Federal share of such overpayment as indicated in the previous paragraph (a)(2), the State will be liable for interest on the amount equal to the Federal share of the non-recovered, non-refunded overpayment amount. Interest during this period will be at the Current Value of Funds Rate, and will accrue beginning on the day after the end of the 1-year period following discovery until the last day of the quarter for which the State submits a CMS-64 report refunding the Federal share of the overpayment. ? INACCURATE FEDERAL REPORTING. For all 13 Medicaid (100 percent) and all five CBHP (100 percent) overpayments we tested, the Controller?s Division reported the federal share of the overpayments made to providers on the wrong line of the CMS quarterly reports rather than on the line specified and required by Uniform Guidance. Uniform Guidance states that the Department must report the refund of the overpayment on CMS-64 for Medicaid on line 9C1- Fraud, Waste and Abuse and/or on CMS-21 for CBHP on line 4-Adjustments Decreasing Claims-Collections. ? EXPIRED CHECK AND UNTIMELY FOLLOW-UP. For one of the 13 Medicaid overpayments tested (8 percent), the PI Division failed to timely process the overpayment recovery check received from the provider. Consequently, the check, which was received on September 5, 2019, expired and the Department did not take any actions to follow up with the provider at any time through the end of the fiscal year to obtain payment. After we brought this issue to the Department?s attention, they followed up on the outstanding payment in January 2021, which is more than 16 months since the check expired. According to the Department?s Policies and Procedures, Recovery Officer Check Processing, Section (V)(A), the PI Division within Audits and Compliance has to process the received check in a timely manner and provide a copy to the accounting or Controller Division. ? INCOMPLETE TRACKING SPREADSHEET. We found that the overpayment recovery and refund tracking Spreadsheet used by the PI Division was incomplete and missing important information such as the date of the discovery, the federal program reimbursement rate, and deadlines for refunding to CMS. Green Book, Section 4, Paragraph OV4.08, states that documentation is required for the effective design, implementation, and operating effectiveness of an entity?s internal control system. WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls, including policies and procedures, in place over the recovery, reporting, and refunding of Medicaid and CBHP overpayments during Fiscal Year 2020 to ensure compliance with federal regulations. Specifically, we noted the following causes for the identified errors: ? LACK OF TRAINING. The staff within the PI Division and the Controller?s Division lacked adequate training to document, communicate, and report details of overpayments to ensure compliance with federal regulations. Specifically, the Department?s PI Division did not timely create and provide the Colorado Authorization Document form to the Controller?s Division and the Controller?s Division did not report the refund of the overpayments within 1 year of the date of discovery to ensure compliance with federal regulations. Additionally, staff lacked training to properly track and report overpayments for Medicaid and CBHP; timely process recovery and refund of overpayments, processing checks timely, and correctly report overpayments on CMS quarterly reports. ? LACK OF POLICIES AND PROCEDURES. The Department lacked written policies and procedures to ensure that all necessary information such as the date of the discovery, the federal program reimbursement rate, and deadlines for refunding to CMS required to track, recover, report, and refund overpayments were documented within the Spreadsheet. ? LACK OF ACCOUNT CODES. According to the Controller Division staff, the correct accounting codes are not set up in CORE; therefore, the recovered overpayments are currently recorded under incorrect accounting codes in CORE. This led to the reporting of overpayments on the incorrect federal reporting lines in CMS quarterly reports. ? LACK OF SUPERVISORY REVIEW. The PI Division and Controller?s Division lacked supervisory review over the Spreadsheet and CORE account codes used on the recoveries to ensure completeness and accuracy of information to support timely recovery, refund, and reporting of overpayments. WHY DO THESE PROBLEMS MATTER? Strong internal controls over refunding and recovery of Medicaid and CBHP overpayments, including written policies and procedures; adequate staff training on those policies and procedures, and any related processes; a proper tracking mechanism; and a supervisory review process are necessary to ensure that Department is in compliance with federal and state regulations. Without a proper tracking mechanism for overpayments, the Department risks failing to timely recover state funds paid improperly, refund overpayments, and accurately report overpayment information to the federal government, potentially resulting in additional liability of interest on overpayments to the federal government. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-037 The Department of Health Care Policy and Financing (Department) should improve its internal controls over Medicaid and Children?s Basic Health Plan (CBHP) overpayments and comply with the related payment and reporting requirements by: A Providing adequate training to staff to ensure timely documentation and communication of recovery information between the Program Integrity Division and the Controller Division related to reporting and refunding of overpayments within 1 year of the date of discovery in accordance with federal regulation. Additionally, the training should focus on proper tracking and reporting of overpayments for Medicaid and CBHP, timely processing of recovery of overpayments, timely check processing, and correct refunding of the federal share of these overpayments on Centers for Medicare and Medicaid Services (CMS) quarterly reports. B Developing and implementing written policies and procedures to ensure that all necessary information required to correctly track Medicaid and CBHP overpayments is included on the tracking spreadsheet and recovered overpayments are refunded and reported to CMS within the 1 year of the discovery date, in accordance with federal regulations. C Creating overpayment account codes to report recovered overpayments accurately in the Colorado Operations Resource Engine (CORE) and subsequently under the correct federal reporting lines in CMS quarterly reports. D Implementing a supervisory review over the tracking spreadsheet and CORE overpayment recovery account codes to ensure completeness and accuracy of information to support timely recovery and reporting of overpayments by the divisions. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will develop and provide training to staff that covers the federal regulations surrounding reporting overpayments and returning the federal share, required information for tracking overpayments, processes for processing recovered funds in a timely manner, and processes for properly refunding the federal share on the CMS-64 and/or CMS-21. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will draft and revise existing policies and procedures to ensure proper tracking of recovered overpayments, timely processing of those payments, and correct reporting on the CMS-64 and/or CMS-21. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will implement procedures and coding sufficient to allow proper reporting of overpayments returned greater than one year from the date of discovery for the CMS quarterly reports. D AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will develop and revise supervisory review processes for ensuring that the tracking spreadsheet is complete and accurate and that the CORE account codes are correctly reported.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2020-051 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-038 PRESUMPTIVE ELIGIBILITY Colorado?s presumptive eligibility program is designed to give immediate, temporary medical coverage to children under 19 and pregnant women while they wait for a regular Medicaid or CBHP eligibility determination. Though there are fewer eligibility requirements for presumptive eligibility in comparison with regular Medicaid or CBHP coverage, beneficiaries must submit a Medical Assistance application (Application) and meet certain criteria to be eligible. To manage the application process and help ensure that only people meeting the basic eligibility criteria are enrolled in presumptive eligibility programs for children and pregnant women, the Department partners with clinics, health care centers, and community resource centers that are certified as presumptive eligibility sites (PE sites). Such PE sites must be re-certified by the Department every 2 years to maintain their active status as qualified PE sites in order to process presumptive eligibility. As part of the re-certification process, the Department conducts a sample of eligibility case reviews. During Fiscal Year 2020, there were 57 PE sites that together determined presumptive eligibility for 1,795 Medicaid cases and 875 CBHP cases. The process of enrolling an applicant into a presumptive eligibility program begins when a caseworker at a PE site collects minimum information needed to determine presumptive eligibility, including the applicant?s name, age, residency, citizenship, and income. The caseworker enters this information into CBMS, which determines whether the applicant is eligible to receive Medicaid or CBHP temporary benefits. If the applicant is deemed presumptively eligible, then CBMS feeds relevant data to Colorado interChange, which issues payments to CBHP and Medicaid providers on behalf of these beneficiaries. If the applicant?s reported information is not in compliance with state and federal requirements, CBMS is programmed to deny the eligibility and mark the applicant?s eligibility as fail within CBMS. As a result, the applicant would not be eligible to receive any payments on their behalf through Colorado interChange. Once an applicant?s presumptive eligibility has been determined, the PE site submits the Application along with a transmittal form detailing the beneficiary?s reported information to the appropriate local county or designated MA site, which then completes the application process to determine regular (i.e., not presumptive) eligibility for Medicaid or CBHP benefits. Once the applicant is enrolled in the regular Medicaid or CBHP program, the individual?s presumptive eligibility benefits should end. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to review the Department?s internal controls over the processing of presumptive eligibility for Medicaid and CBHP programs, as well as to determine whether the Department complied with the applicable federal and state requirements for Fiscal Year 2020. During our internal controls testing, we reviewed all 57 PE sites to determine whether they were due for re-certification and were appropriately re-certified to process presumptive eligibility by the Department during the fiscal year. Out of 57 PE sites, 39 were due for re-certification during Fiscal Year 2020. We also reviewed the Department?s case reviews of the presumptive eligibility determinations processed by 13 staff at five out of the 39 PE sites due for re-certification during Fiscal Year 2020 to determine whether reviews were performed and if the appropriate training was provided for those PE sites? staff that failed the Department?s review. The PE site?s staff fails the Department?s case reviews if the Department identifies a high amount of presumptive eligibility determination errors in accordance with federal and state requirements. If the PE site?s staff fails the review, the Department requires the staff to undergo customized Department training over the areas they failed within 6 months of the review. We also made inquiries with Department staff regarding their policies and procedures over monitoring of these PE sites and reviewed the Department?s process of case file reviews. In addition, we randomly selected a sample of 20 Medicaid and 20 CBHP cases for individuals who were deemed presumptively eligible by the Department during Fiscal Year 2020 to determine whether the Department complied with federal Medicaid and CBHP presumptive eligibility requirements. Our testing included reviewing the related supporting case file documentation, as well as the CBMS data fields related to presumptive eligibility determinations and payment information in Colorado interChange. The process followed for presumptive eligibility determination is the same for both Medicaid and CBHP, and therefore our testing was used to determine compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal and state regulations regarding Medicaid and CBHP presumptive eligibility requirements during Fiscal Year 2020. We noted issues regarding the Department?s timeliness of PE sites? re-certifications, failure to timely end beneficiaries? presumptive eligibility, a lack of review of PE sites, and missing documentation. Additionally, we found CBMS system issues related to the determination of applicant?s presumptive eligibility. Specifically, we identified the following: ? UNTIMELY END OF PRESUMPTIVE ELIGIBILITY. In eight out of 20 Medicaid (40 percent) and seven out of 20 CBHP (35 percent) cases, we found that the Department did not properly end presumptive eligibility within CBMS as required by the federal regulation. For example, in one CBHP case, the beneficiary?s presumptive eligibility did not end until 57 days after the beneficiary was determined to be eligible for regular CBHP benefits. Federal regulation [42 CFR 435.1101)] states that presumptive eligibility should end the day on which a decision is made on the application for Medical Assistance or the last day of the month following the month in which the determination of presumptive eligibility was made. ? LAPSED CERTIFICATIONS OF PE SITES. We found that five of the 57 PE sites (9 percent) were not re-certified within 2 years, as required, during Fiscal Year 2020, and therefore, were not qualified to make presumptive eligibility determinations after their re-certification due date had passed. Based on inquiry with the Department, these five PE sites processed a total of 314 presumptive eligibility determinations for Medicaid and CBHP after their re-certification due date during Fiscal Year 2020. The Department was unable to provide the total payments made on behalf of these beneficiaries during the presumptive eligibility period as of June 30, 2020, since these payments are not separately identified from regular Medicaid or CBHP payments in the system. As a result, we were unable to determine the amount of questioned costs the Department paid for these individuals during Fiscal Year 2020. State regulation [10 CCR 2505-10, 8.100.4.F (3)] requires the Department to re-certify the PE sites every 2 years to remain an approved site. ? LACK OF REVIEW OF PE SITES. We found several issues with the Department?s review of PE sites. Specifically we found the following: ? For 13 out of the 39 PE sites due for re-certification and a review (33 percent), the Department did not perform any case reviews to ensure that presumptive eligibility determinations were being made appropriately and in accordance with state and federal regulations by the PE site staff during Fiscal Year 2020. ? 11 of 13 staff at three PE sites (85 percent) failed the Department?s review of presumptive eligibility determinations during the fiscal year. However, the Department was unable to provide adequate evidence that it provided training to these staff within 6 months of their failed reviews, as required by Department processes. ? Currently, for all 57 PE sites, the Department conducts reviews every 2 years, but only requires them to retain eligibility documentation for 1 year. As a result, the Department is able to monitor PE site?s eligibility determinations for only half of the period since the last review, leaving the other half unmonitored. Federal regulation (42 CFR 435.1102(b)(3)) requires the Department to ?establish oversight mechanisms to ensure that presumptive eligibility determinations are being made consistent with the statute and regulations?. According to the Department processes, staff are to review a sample of presumptive eligibility cases at PE site every 2 years when reviewing sites for re-certification. If a PE site?s staff fails a review, the Department requires the staff to undergo customized Department training within 6 months over the areas they failed. Green Book, Section 2, Paragraph OV2.02, states that the Green Book applies to all of an entity?s objectives: operations, reporting, and compliance. Additionally, Green Book, Paragraph 16.01, indicates that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports and observing operations. ? MISSING DOCUMENTATION. In five of the 20 CBHP cases (25 percent) and five of the 20 Medicaid cases (25 percent) we tested, the Department was unable to provide evidence that the PE sites notified the counties or MA sites within five business days that the applicants were presumptively eligible. Federal regulation [42 CFR 435.1102(b)(2)(iii)] states that the presumptive eligibility sites are required to notify the local county or MA site within 5 business days that the client is presumptively eligible. ? SYSTEM DISPLAY ISSUE. In two of 20 CBHP cases (10 percent) and two of 20 Medicaid cases (10 percent), CBMS did not display the presumptive eligibility termination dates consistently between various screens. For example, in a Medicaid case, one screen showed a presumptive eligibility termination date of January 22, 2020, and the other screen showed a presumptive eligibility termination date of February 29, 2020. This system display issue did not affect the beneficiaries? presumptive eligibility and therefore there were no questioned costs. CBMS is designed to display case and applicant information consistently between various screens within the system. WHY DID THESE PROBLEMS OCCUR? The Department lacked sufficient internal controls to ensure that it complied with state and federal presumptive eligibility requirements during Fiscal Year 2020. Specifically, we noted the following causes for the errors we identified: ? LACK OF POLICIES AND PROCEDURES. The Department did not have written policies and procedures detailing the requirements for completion of site reviews, maintenance of supporting documentation, and the performance of timely re-certification of PE sites. ? LACK OF MONITORING. The Department lacked an effective tracking mechanism to monitor and identify PE sites that were due for re-certification every 2 years and to ensure presumptive eligibility determinations were in compliance with state and federal regulations. ? CBMS SYSTEM ISSUES. CBMS was not programmed to appropriately terminate presumptive eligibility when the beneficiary is enrolled in the regular Medicaid or CBHP program. In addition, CBMS has a system display issue that results in inconsistent applicant information being shown on various screens. WHY DO THESE PROBLEMS MATTER? As the State?s Medical Assistance agency, it is essential for the Department to ensure that PE sites? eligibility determinations are made appropriately and in accordance with state and federal regulations. This includes ensuring benefits are paid only on behalf of eligible beneficiaries. Since CBMS determines eligibility for Medicaid and CBHP, the CBMS system issues we identified could result in erroneous eligibility determinations. The federal government can disallow federal funds for program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. By not ensuring that appropriate internal controls, including system controls, written policies and procedures, adequate reviews, and monitoring, are in place over the Medicaid and CBHP presumptive eligibility process, the Department cannot ensure that all Medicaid and CBHP beneficiaries are eligible to participate in the programs. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-038 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls over presumptive eligibility by: A Developing and implementing written policies and procedures detailing the requirements for completion of site reviews, maintenance of supporting documentation, timely training for failed presumptive eligibility (PE) site staff, and performance of timely re-certification of PE sites. B Developing an effective tracking mechanism to identify and monitor PE sites that are due for re-certification every 2 years and ensuring the re-certifications are performed. C Resolving Colorado Benefits Management Systems (CBMS) programming and system issues to appropriately terminate applicants? presumptive eligibility when the beneficiaries are enrolled in regular Medicaid or Children?s Basic Health Plan program and ensuring CBMS displays consistent applicant information between various screens. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department agrees with the audit recommendation to develop and implement formal written policies and procedures. Prior to this audit, the Department began creating formal written policies and procedures for site case reviews, maintenance of supporting documentation, timely training for failed workers, and performance of timely re-certification of presumptive eligibility sites (PE site). This finding had no known questionable cost associated with it. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Department agrees with the audit recommendation to develop an effective tracking mechanism to identify and monitor PE sites that are due for re-certification every two years and ensuring that the re-certifications are performed. Prior to this audit, the Department began developing a tracking mechanism for PE site re-certifications. This finding had no known questionable cost associated with it. C AGREE. IMPLEMENTATION DATE: IMPLEMENTED. Implemented as of April 2021. The Department has thoroughly researched the eligibility issues identified in this audit and made the changes to CBMS to ensure that applicants? presumptive eligibility has been appropriately terminated when the beneficiaries are enrolled in regular Medicaid or CBHP program, and that CBMS displays consistent applicant information between various screens. These issues were fixed through two system changes implemented in March 2020 and April 2021. This finding had no known questionable cost associated with it. AUDITOR?S ADDENDUM for Parts A, B, and C As noted in the finding, we found five PE Sites that were not re-certified within the required 2 years and therefore, were not qualified to make presumptive eligibility determinations after their re-certification due date had passed. State regulation [10 CCR 2505-10, 8.100.4.F] requires the Department to re-certify the presumptive eligibility sites every 2 years to remain an approved site. The five PE sites processed a total of 314 presumptive eligibility determinations after their re-certification due date and before the Department re-certified the sites. The Department was unable to provide the total payments made on behalf of these 314 beneficiaries? prior to being enrolled in the regular Medicaid or CBHP program as of June 30, 2020. Therefore, we were unable to determine the amount of questioned costs the Department paid for these individuals during Fiscal Year 2020.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2020-052 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-039 PROVIDER ELIGIBILITY The providers of medical and related services covered under Medicaid and CBHP programs fall into a wide array of provider types that include clinics, hospitals, independent physicians, and medical technicians, as well as managed care organizations and health plans that contract with medical providers. As of June 30, 2020, approximately 76,960 entities and individuals were enrolled with the Department to provide services under Medicaid and CBHP. Although the Department is ultimately responsible for ensuring that only eligible providers participate in the Medicaid and CBHP programs, the Department has contracted with a fiscal agent to perform certain provider-enrollment and claims-processing activities, including accepting, processing, evaluating, and approving or rejecting applications. Providers that want to enroll must complete an online application within Colorado interChange and provide documentation, including a current medical license, showing that they fulfill all enrollment requirements based on their provider type. The fiscal agent is contractually responsible for evaluating the application and the relevant supporting documentation to ensure compliance with all state and federal enrollment requirements. The Department is responsible for maintaining current provider information in Colorado interChange. Once the enrollment process is complete, the Department enters into agreements with the providers that are found to be eligible. In December 2019, the Department added a Department of Regulatory Agencies (DORA) license database interface within Colorado interChange in order to provide a mechanism for updating the provider?s medical license information including the expiration dates within Colorado interChange for any expired provider licenses. Department staff indicated that the provider licenses are manually reviewed at the time of enrollment by the fiscal agent and marked as active, meaning the providers are eligible to participate in the Medicaid and/or CBHP programs. On a monthly basis, the fiscal agent manually runs a report from the DORA database to identify the provider?s medical licenses that are about to expire and updates the renewed license information in Colorado interChange. If a provider?s license is expired, then the fiscal agent marks the provider for a review. Furthermore, the Department?s Program Integrity (PI) Division checks the DORA?s website monthly to determine if any action such as suspensions or revocations of licenses have been taken against a provider?s medical license. If the action taken against the provider affects the provider?s ability to participate in Medicaid or CBHP for a certain period, the PI Division then determines if the provider should be placed on a temporary restriction by suspending any payments, or be terminated within Colorado interChange to stop payments to the provider. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over the enrollment and eligibility determinations of providers for Medicaid and CBHP services and to determine whether the Department complied with federal Medicaid and CBHP provider eligibility requirements during Fiscal Year 2020. Additionally, we assessed the Department?s progress in implementing our Fiscal Year 2019 recommendation related to provider eligibility and enrollment. At that time, we recommended that the Department improve its controls in this area to ensure that it complies with federal and state requirements related to data verification and maintenance of documentation, such as current provider licenses, to ensure payments are only made to eligible providers. We also obtained a detailed Suspension Listing from DORA, which contained provider medical licenses that were suspended during Fiscal Year 2020. We compared this Suspension Listing with provider information within Colorado interChange to determine whether the Department paid any providers with suspended licenses for claims during the fiscal year. We reviewed a sample of 45 provider applications for providers that were deemed eligible and received Medicaid and CBHP payments during Fiscal Year 2020 through Colorado interChange. We obtained and reviewed provider application information and relevant supporting documentation within Colorado interChange to determine whether these providers were accurately deemed eligible to receive Medicaid and CBHP payments and whether the required documents were maintained, in accordance with federal and state regulations. In addition, we conducted interviews with Department staff regarding its procedures over Medicaid and CBHP provider eligibility and enrollment. In March 2020, the Governor issued executive orders waiving Medicaid and CBHP provider licensing requirements for providers whose licenses expired during the COVID-19 PHE; as a result, our testwork was split into two periods of testing: (1) July 1, 2019, through February 29, 2020, and (2) March 1, 2020, through June 30, 2020. The process followed for provider eligibility and enrollment is the same for both Medicaid and CBHP providers, and our testing was used to determine compliance for both programs. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? We applied the following criteria during our testing: ? FEDERAL REGULATION [42 CFR 455.412] requires that the Department have a method for verifying that any provider purporting to be licensed in accordance with the laws of any state is licensed by such state and confirm that the provider?s license has not expired and that there are no current limitations on the provider?s license. This federal regulation requires the Department to verify that the providers meet required licensure standards initially, and it is best practice for the Department to verify that the providers meet these standards on an ongoing basis to ensure that there are no current limitations on the provider?s license. In May 2021, CMS provided clarification to the Department that ?not every condition on a provider?s license would be considered a limitation? and the PI Division within the Department needs to ?document in writing their determination to keep a provider enrolled when a license limitation does not restrict the provider?s ability to render services to Medicaid and CBHP beneficiaries to be in compliance with federal regulation.? ? STATE REGULATIONS [10 CCR 2505-10, 8.125.9 A AND B] require for current medical provider licenses, if a provider is required to possess a license or certification in order to provide services or supplies in the State, then that provider must be so licensed as a condition of enrollment as a Medicaid provider. As a condition of enrollment, any required licenses must be active without any current limitations. ? DEPARTMENT POLICY AND PROCEDURE. Provider Licensure Sanction Monitoring, Section III. A., states that in order for a provider to be eligible to render and bill for services, the provider must have an active license. ? FEDERAL CMS REQUIREMENTS [Sub Regulatory Guidance for State Medicaid Agencies (SMA): Revalidation (2016-001 (3))] state the Department must be able to produce documentation to support each of the provider screening and enrollment requirements under 42 CFR 455 Subpart E, including documentation of the most current license to ensure the provider remains eligible to provide services. ? CONTRACT REQUIREMENTS. According to the contract agreement with the fiscal agent, the fiscal agent is required to maintain detailed documentation to support each of the provider screening and enrollment requirements, including documentation of the provider?s most current license to ensure the provider remains eligible to provide services for Medicaid and CBHP. ? FEDERAL REGULATION [45 CFR 75.303(a)] requires that the Department, as a recipient of federal funds, must establish and maintain effective internal control over its federal awards that provides reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Green Book, Paragraph 16.01, which states that the Department ?should establish and operate monitoring activities to monitor [its] internal control system and evaluate the results.? Monitoring activities include reviewing reports, observing operations, and ensuring that activities are carried out in accordance with the federal grant agreement(s). WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We found that the Department did not fully comply with federal and state regulations for Medicaid and CBHP provider eligibility during Fiscal Year 2020. The specific issues we identified through our analyses of Medicaid and CBHP provider license data and case file reviews are outlined in more detail throughout this section. ELIGIBILITY ISSUES IDENTIFIED THROUGH DATA ANALYSES INELIGIBLE PROVIDERS?SUSPENDED LICENSES OR LICENSE WITH LIMITATIONS. Based on our comparison of the suspended provider license listing from DORA and provider information within Colorado interChange, we identified 13 ineligible providers who had their license suspended or had a license with limitations for part of Fiscal Year 2020, but continued to be shown as active, which means eligible, in Colorado interChange, as follows: ? 13 providers had their licenses suspended by DORA during Fiscal Year 2020; however, instead of terminating these providers in accordance with federal and state regulations, the Department marked these providers as active within Colorado interChange. For four of the 13 providers, the Department did not take any action to prevent them from billing for services during the year. For the remaining nine providers, the Department placed billing restrictions on the providers after DORA?s suspension date. Specifically, for six of these nine providers, the Department placed billing restrictions on the providers within 1 to 2 months and for the remaining three providers, placed the billing restrictions on the providers between 3 to 12 months after DORA?s suspension date. Based on additional testing, we determined that no payments were made to these providers after their licenses were suspended by DORA and therefore, we did not identify any questioned costs associated with these providers. ? One provider had its license listed as active with conditions on DORA?s website from April 10, 2020, through June 30, 2020, but the Department did not terminate the provider due to current limitations on the license; instead, the provider was marked as active in Colorado interChange and continued to bill claims and receive payments during the fiscal year. We determined that the provider?s current license limitations did not restrict the provider?s ability to render services. Therefore, the provider was eligible and no questioned costs were noted. However, the Department did not document their determination to keep this provider enrolled with current license limitations. In addition, we noted that this provider?s license expired in Colorado interChange as of October 2016, however, DORA?s website showed the provider with an active license, or license with limitations, during Fiscal Year 2020. The fiscal agent did not update license information as required by the contract. ELIGIBILITY CASE FILE ISSUES MISSING DOCUMENTATION AND LICENSE INFORMATION. For five of 45 providers (11 percent), the Department did not ensure that the fiscal agent maintained the support of the most current medical license information as of June 30, 2020, within Colorado interChange to demonstrate that the provider was eligible to provide services. After we brought the issue to the Department?s attention, the Department provided the documentation. Additionally, for two of these five providers, we found that the medical license information maintained by the fiscal agent in Colorado interChange differed from the license information contained in the DORA database. For example, in one case, the provider?s license showed an expiration date of September 30, 2019, in Colorado interChange, while the accurate license expiration date in DORA?s database was September 30, 2021. Without the most current license information, the fiscal agent cannot appropriately verify ongoing eligibility for the providers. WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls in place over the provider eligibility process during Fiscal Year 2020 to ensure that it complied with federal and state regulations. ? INEFFECTIVE REVIEW OF PROVIDER LICENSES. The Department lacks an effective review process to ensure the license information in DORA?s database matches the license information in Colorado interChange in order to identify suspended providers, to document their determination to keep a provider enrolled with license limitations, and providers with expired licenses. In addition, the Department?s manual review did not ensure that suspended providers, providers with license limitations and providers with expired licenses were terminated and restricted in a timely manner. ? POLICIES AND PROCEDURES NOT UPDATED. The Department did not obtain CMS guidance until May 2021 to document their determinations to keep providers with license limitations enrolled when a license limitation did not restrict provider?s ability to render services. Therefore, the Department?s current policies and procedures are not updated to match CMS guidance. ? LACK OF EFFECTIVE TRAINING AND MONITORING. The Department was not effectively training and monitoring its fiscal agent to ensure that copies of active medical licenses are maintained within providers? files in Colorado interChange. Additionally, the fiscal agent did not properly update the provider?s license information in Colorado interChange to match the DORA database during Fiscal Year 2020. WHY DO THESE PROBLEMS MATTER? By not ensuring that appropriate internal controls, including policies and procedures, reviews, training, and monitoring, are in place over the Medicaid and CBHP provider eligibility process, the Department cannot ensure that all Medicaid and CBHP providers are eligible to participate in the programs. Additionally, without an effective review process to update provider licensure information within Colorado interChange, the Department cannot ensure that the enrolled providers are eligible to receive payments. Ensuring that providers contained in Colorado interChange are eligible to provide services is especially important to prevent any improper payments. Overall, the State could risk losing federal Medicaid and CBHP funding if it allows ineligible providers to bill and be paid for services provided for these programs. Furthermore, the State may lose federal Medicaid money if the Department does not recover any of the payments made to ineligible providers. State statute [Section 25.5-4-301(2), C.R.S.] indicates that any overpayments of claims to providers are recoverable. These overpayments ?shall be recoverable regardless of whether the overpayment is the result of an error by the state department, a county department of social services, an entity acting on behalf of either department, or by the provider or any agent of the provider.? See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-039 The Department of Health Care Policy and Financing (Department) should improve its internal controls over the Medicaid and Children?s Basic Health Plan provider eligibility determination to ensure that it complies with federal and state requirements by: A Improving the Department?s review process of provider licenses to ensure the license information in the Department of Regulatory Agencies (DORA) license database matches the license information in the Colorado interChange system and ensuring timely termination and imposing restrictions for the provider?s whose licenses are suspended or expired. B Updating the current policies and procedures to match Centers for Medicare and Medicaid Services guidance to ensure there is adequate documentation of the determinations for providers with license limitations. C Effectively training and monitoring its fiscal agent to ensure that copies of active licenses are maintained and provider license information in the Colorado interChange system matches the information in DORA?s license database. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will update its policies and procedures to ensure that the process for reviewing whether a license action requires termination or a restriction in the Colorado interChange, is documented and implemented in a timely manner to prevent payments to ineligible providers. As noted in OSA's finding, it is best practice for the Department to verify providers meet these standards on an ongoing basis between initial enrollment and revalidation to ensure there are no current limitations on the provider?s license, including those that have expired. The Department?s previous process was discontinued due to data matching issues between DORA and the Colorado interChange. However, letters continue to be sent to providers with upcoming expiring licenses prompting them to add current license information to their provider file. The Department plans to implement a system change that will make the data feed from DORA functional and install a front-end claims edit that will prevent claims from providers with an expired license from paying. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will update its policies and procedures to ensure that all determinations made on whether a provider has a limitation on its license are properly documented. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department has an established process to train and monitor its fiscal agent. The Department will continue to monitor the Fiscal Agent through reports, meetings, and quarterly audit review processes. The Department and the Fiscal Agent will continue to collaborate to improve the process in which required documentation is collected and maintained.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-054 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-041 MEDICAID ELIGIBILITY?MISSING SOCIAL SECURITY NUMBERS A beneficiary?s application includes information such as a Social Security Number (SSN), birth certificate, and supporting documentation for income. Local counties and MA sites are responsible for administering the benefits application process, entering the required data for eligibility determination into CBMS, and approving or denying applicants? eligibility. For example, Medicaid caseworkers enter and document each applicant?s SSN into CBMS. Caseworkers determine participants? eligibility to receive Medicaid benefits through CBMS. The CBMS eligibility data, including SSNs, feeds into Colorado interChange, which pays providers for the services they render to Medicaid beneficiaries. If there is a change to an SSN, including removing an SSN in CBMS, this change should feed directly into Colorado interChange. Additionally, children in foster care are automatically eligible for Medicaid; the TRAILS system that supports the foster care program at the Department of Human Services also interfaces with Colorado interChange on a daily basis to update foster care beneficiaries? eligibility information and pay providers for the services rendered. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls that were in place over the Medicaid eligibility process during Fiscal Year 2019, and to determine whether the Department complied with federal and state Medicaid requirements during this timeframe. During our audit, we requested a list of all Medicaid claims for medical services that were submitted and paid through Colorado interChange from July 1, 2018, through March 31, 2019. This list included claims made on behalf of approximately 1.1 million beneficiaries. We analyzed the data to identify any Medicaid claims payments made during July 1, 2018, through March 31, 2019, on behalf of beneficiaries who did not have an SSN in Colorado interChange on the date of the claims payment, and found a total of 524,092 claims paid on behalf of 46,772 beneficiaries. From this listing, we excluded any of the claims payments made on behalf of a beneficiary who was exempted from providing an SSN under federal and state regulations. For example, we removed claims payments for beneficiaries who were under the age of 1; beneficiaries who were in foster care and, therefore, were automatically deemed eligible for Medicaid; beneficiaries who had applied to the Social Security Administration for an SSN at the time of the payment; beneficiaries who received medical care as an emergency service; and beneficiaries who had chosen to opt out of providing an SSN due to allowed religious reasons. After we removed these exempted beneficiaries from the population, the list included 2,870 beneficiaries that appeared to be missing an SSN in Colorado interChange and who had Medicaid claims payments made on their behalf from July 1, 2018, through March 31, 2019. We then reviewed these remaining beneficiaries, and the related separate payments made on their behalf during this time period, to determine whether these beneficiaries had an SSN in Colorado interChange at the time of the claims payments and whether the individuals were eligible for Medicaid benefits in accordance with federal regulations and Department procedures. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? SSN REQUIREMENTS. Federal regulations [42 CFR 435.910 and 42 CFR 435.117(b)] state that the Department must require an SSN for each individual requesting Medicaid benefits, with the exception of newborns under the age of 1, or ?Eligible Needy Newborns,? and individuals who refuse ?to obtain an SSN because of well-established religious objections.? Federal regulation [42 CFR 435.145(b)(2)] states that the Department must provide Medicaid benefits to individuals who are in the foster care program. Section 472 of the Social Security Act does not require a child to provide an SSN in order to be eligible for the foster care program. State regulations [10 CCR 2505-10 8.100.3.I.1, 8.100.4.B.1.a, and 8.100.4.G.7.a] also require that every individual who applies for and receives Medicaid benefits must provide an SSN, or an application for an SSN, with their application for Medicaid. The regulation specifically states: An applicant?s or client?s refusal to furnish or apply for a Social Security Number affects the family?s eligibility for assistance as follows: i) that person cannot be determined eligible for the Medical Assistance Program; and/or ii) if the person with no SSN or proof of application for SSN is the only dependent child on whose behalf assistance is requested or received, assistance shall be denied or terminated. The regulation also states that newborns under the age of 1 and ?members of religious groups whose faith will not permit them to obtain Social Security Numbers shall be exempt from providing a Social Security Number.? Eligibility data, including SSNs, is required to be collected and entered into CBMS at the time of application or upon another event, such as the beneficiary turning 1 year old. Because this information is maintained within CBMS, and CBMS feeds eligibility information into Colorado interChange, eligible beneficiaries should have an SSN in Colorado interChange. MONITORING. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in the Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). Green Book Paragraph 16.01, Perform Monitoring Activities, states the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. TRAINING. Department training procedures indicate that when a local county or MA site caseworker needs to update an SSN in CBMS, he or she must call the Office of Information Technology (OIT) Service Desk within the Office of the Governor, for approval of the change. According to Department staff, once the OIT Service Desk reviews and approves the change, the information will be updated within CBMS; if the OIT Service Desk does not approve the change to the SSN, then the updated information will be rejected within CBMS. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We identified 2,870 beneficiaries who were required to have an SSN but did not have an SSN documented in Colorado interChange and had Medicaid claims paid on their behalf sometime between July 1, 2018, and March 31, 2019. In total, Colorado interChange paid approximately $4,540,920 in Medicaid claims for these beneficiaries during the time period noted. In August 2019, we informed the Department of the issues we identified and Department staff performed additional follow-up based on our findings, which included analyzing information contained in CBMS compared to our results from Colorado interchange; the Department confirmed in January 2020, the Department confirmed that 1,590 of these beneficiaries had never had an SSN recorded in CBMS since they were first found eligible for Medicaid benefits, and therefore, would never have had an SSN in Colorado interChange. Because these individuals were required by federal and state regulations to provide an SSN at the time of application or upon another event, as applicable, the lack of documented SSNs in both CBMS and Colorado interChange indicated that these individuals appeared to be ineligible for the Medicaid claims payments that were made on their behalf during the fiscal year. The Department indicated that the remaining 1,280 beneficiaries without an SSN in Colorado interChange did not have an SSN in CBMS at the time of the claim but had an SSN ?at some point? during Fiscal Year 2019 or prior within CBMS. Since the individuals lacked an SSN within Colorado interChange at the time of the Fiscal Year 2019 claims payments, and based on the documentation provided by the Department, we were unable to determine whether the individuals had submitted an SSN at the time of application or upon another event as required and, therefore, whether they were eligible for the Medicaid services they received. Overall, for the 1,590 beneficiaries noted, we identified known questioned costs of $2,285,757 for the period of July 1, 2018, through March 31, 2019; $1,142,879 of these costs were paid with federal grant funds. For the 1,280 beneficiaries noted, we identified likely questioned costs of $2,255,163 for the period of July 1, 2018, through March 31, 2019. We further analyzed 49 of the 1,590 beneficiaries noted above to identify reasons for missing SSNs and found that: ? Beneficiaries in CBMS were not eligible; however, they were marked as ?eligible? within Colorado interChange. ? Beneficiaries were incorrectly enrolled in the Eligible Needy Newborn Program even though they were all over the age of 1; as a result, although the Department had not required them to provide an SSN, they continued to receive benefits during July 1, 2018, through March 31, 2019. ? Beneficiaries were exempted from obtaining an SSN for unallowable reasons including ?incomplete documents? and ?illness? categories, and CBMS processed their eligibility and Colorado interChange made payments on their behalf; however, neither federal nor state regulations allow such exemptions. The Department has indicated that they are performing additional research on the issues regarding the 1,280 beneficiaries that had an SSN ?at some point? during Fiscal Year 2019 or prior within CBMS. WHY DID THESE PROBLEMS OCCUR? For 1,280 beneficiaries identified who were missing an SSN in Colorado interChange and CBMS at the time of the claim, but had an SSN ?at some point? within CBMS during Fiscal Year 2019 or prior, the Department provided the following possible explanation: The SSN was removed due to caseworkers failing to contact the OIT Service Desk for proper approval for changes to SSN information in CBMS. Other problems with missing SSNs were related to: ? CBMS ISSUES. CBMS was not programmed to appropriately deny an applicant?s eligibility for Medicaid when the individual did not have an SSN in CBMS and did not have an allowed exception noted in CBMS. Rather, CBMS allowed the SSN field to be left blank, regardless of the reason noted for the missing SSN and whether the reason was allowed as an exemption by federal and state regulations. In addition, the SSN in CBMS could be deleted at any time by the caseworker or the OIT Service Desk and CBMS was not programmed to alert the caseworker to follow up if an SSN had been deleted from the file. ? SYSTEM INTERFACE ISSUES AND LACK OF A RECONCILIATION PROCESS. CBMS was not interfacing with Colorado interChange appropriately to update beneficiaries? eligibility information. Some beneficiaries who were deemed ?ineligible? for Medicaid in CBMS were listed as ?eligible? in Colorado interChange and payments were made on their behalf during the fiscal year. Furthermore, the Department lacked an effective internal control process for reconciling Medicaid beneficiaries? eligibility information in CBMS to the eligibility information in Colorado interChange to ensure that the information was consistent in both systems, and that the beneficiary was appropriately deemed either ?eligible? or ?ineligible? in accordance with federal and state regulations. ? LACK OF EFFECTIVE REVIEWS, TRAINING, AND MONITORING. The Department was not effectively monitoring and training Medicaid local county and MA site caseworkers on required approvals for any changes to beneficiaries? SSNs. Further, the Department did not have an effective review process to ensure that beneficiaries were enrolled in the correct Medicaid program. WHY DO THESE PROBLEMS MATTER? As the state Medicaid agency, it is essential for the Department to ensure that Medicaid eligibility determinations are made appropriately and in accordance with state and federal regulations. This includes ensuring accurate processing of information used to determine Medicaid eligibility results in Medicaid benefits being provided to and paid on behalf of only eligible individuals. Since CBMS and Colorado interChange determine eligibility and issue payments on behalf of other federal programs, such as the CBHP, these issues could result in erroneous eligibility determinations or payments for other programs. Ultimately, the federal government may disallow federal funds for Medicaid program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2019-043 The Department of Health Care Policy and Financing should improve its internal controls over Medicaid eligibility by: A Researching and, if feasible, instituting a mechanism for identifying Medicaid cases in the Colorado Benefits Management System (CBMS) that lack a Social Security Number. B Researching and resolving CBMS and Colorado interChange interface issues to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries and establishing an effective reconciliation process between CBMS and Colorado interChange to ensure that Medicaid beneficiaries? eligibility information is consistent in both systems. C Effectively training and monitoring local counties and Medical Assistance sites to ensure that caseworkers are obtaining and documenting the Office of Information Technology Service Desk?s approval for changes to beneficiaries? Social Security Numbers, and that beneficiaries are enrolled in the correct Medicaid program. D Researching the cases identified in our audit to determine whether these beneficiaries were eligible and that the payments made on their behalf were appropriate, in accordance with federal and state regulations. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The CBMS currently has functionality in place for members requesting Medical Assistance that they must supply a Social Security Number (SSN) unless they meet certain acceptable exceptions at initial application. Since CBMS is a shared system between the Department and the Department of Human Services and any change would impact all cases in CBMS, the Department cannot guarantee that a system change can be implemented. The Department can agrees to research on the feasibility of instituting a mechanism for identifying Medicaid cases in CBMS that lack a social security number and, if feasible, implement a CBMS change by July 2022. B AGREE. IMPLEMENTATION DATE: JULY 2021. The Department agrees to research and resolve Colorado Benefits Management System (CBMS), and Colorado interChange system interface issues identified in the audit. The Department implemented a system change in June of 2018 that allows retroactive changes in eligibility to be correctly synced between the systems. The majority of the impacted cases are historical cases that will be manually corrected by June 2020. Additional cases involve detailed research, review, and potential outreach to case workers to correct the case file or verify the eligibility status of the impacted members. The Department will take the appropriate actions to notify impacted members if necessary. The Department's implementation date reflects that the Department will be in compliance with the Recommendation for the entirety of FY 2021-22. C AGREE. IMPLEMENTATION DATE: JULY 2021. The Department provides training to counties and Medical Assistance sites that beneficiaries applying for Medical Assistance must supply a Social Security Number (SSN) or supply verification that they have applied for an SSN, unless they meet certain acceptable exceptions. This information has been communicated to the counties since 2004 and is part of our ongoing training materials. The Department cannot agree to establish any additional review process at this time. The Department can agree to work with counties and Medical Assistance sites to identify any additional training related to missing SSN and implement additional training by July 2021. D DISAGREE. The Department disagrees with the Total Known Questioned Costs of $2,285,757 identified in the audit report since Department cannot verify the results. The Department is still attempting to reconcile various reports to understand the finding identified through this audit. CBMS currently has functionality in place for members requesting Medical Assistance that they must supply a Social Security Number (SSN), unless they meet certain acceptable exceptions at initial application. The Department does not have the resources to research the thousands of cases that the auditor identified through data mining techniques, a new methodology for the first time this year. If the auditor is changing methodologies, the Department requires additional resources and timely notice to request resources through the budget process. AUDITOR?S ADDENDUM: The beneficiaries identified through our testing were required by Medicaid regulations to provide an SSN at the time of application or upon another event, as applicable, and the SSN is documented in CBMS and uploaded to Colorado interChange [State regulations 10 CCR 2505-10, 8.100.3.I.1 and 8.100.4.B.1.a and 8.100.4.G.7.a]. Because the noted beneficiaries lacked an SSN within Colorado interChange at the time claims payments were made on their behalf, we questioned the beneficiaries? eligibility. The Department is responsible for ensuring that only individuals who are appropriately deemed eligible for Medicaid receive benefits. Therefore, it is the Department?s responsibility to identify and remove ineligible individuals from the Medicaid program and to prevent the inappropriate payment of claims on their behalf. In addition, generally accepted government auditing standards (GAGAS) (paragraph 3.18), require that ?In all matters relating to the GAGAS engagement, auditors and audit organizations must be independent from an audited entity.? Additionally, paragraph 3.42 states that ?Examples of circumstances that create undue influence threats for an auditor?include (b) [e]xternal interference with the selection or application of engagement procedures or in the selection of transactions to be examined.? Therefore, it is imperative that our decisions related to audit approaches and testing methods be made without department influence or persuasion.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-047 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-034 MEDICAID CONTROLS OVER ELIGIBILITY DETERMINATIONS Individuals and families seeking medical benefits through Medicaid must apply and provide certain information to caseworkers at their local county or an MA site, which collects required documentation for determining the applicants? eligibility. Such documentation includes the applicants? birth certificates, support for income, and the value of resources, such as wage stubs and bank account balances. Caseworkers enter the applicant-provided data into CBMS, which contains system checks for determining the applicants? eligibility to receive Medicaid benefits. These system checks include calculating and verifying income and resources for the applicants, as well as assessing and collecting fees for benefits, such as buy-in premiums. For example, CBMS will mark an applicant?s eligibility as fail if the reported income or resources exceed specific limits that are set by federal and state regulations. The Department is responsible for monitoring the local counties? and MA sites? administration of Medicaid to ensure eligibility is determined in accordance with federal and state regulations. Medicaid applicants may be eligible for retroactive eligibility, which allows new Medicaid applicants to receive coverage for up to 3 months prior to the date of one?s application. As long as the individual meets Medicaid?s eligibility requirements in the 3 months preceding their application, the Department will retroactively pay Medicaid covered expenses that individuals incurred during that timeframe. Without retroactive eligibility, benefits for Medicaid eligible individuals begin on the date the application was received by the local county or MA site. As an example, if an individual has medical expenses in March, applies for Medicaid in June, and the individual has met the eligibility requirements for 3 months preceding their application, then any unpaid Medicaid covered expenses for March, April, and May are paid by Medicaid. Eligibility data from CBMS feeds into the Colorado interChange system (Colorado interChange), which issues payments to Medicaid providers for the services they render to Medicaid beneficiaries. The Department pays Medicaid providers through two methods: (1) directly through fee-for-service (FFS) payments for specific services rendered or (2) indirectly through monthly fixed amounts known as capitation payments that are paid to managed care entities, who contract with providers for services. The monthly capitation payments are paid every month on behalf of beneficiaries regardless of whether the beneficiaries receive medical services during the month. Colorado interChange is programmed to pay the FFS and monthly capitation payments only on behalf of beneficiaries deemed eligible in Colorado interChange based on eligibility information received from CBMS and requirements specified in federal and state rules and regulations. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to review the Department?s internal controls over the Medicaid eligibility determination process, as well as to determine whether the Department complied with applicable federal and state Medicaid eligibility requirements during Fiscal Year 2020. We performed testing on a statistical sample of 125 case files related to beneficiaries who (1) were deemed eligible for Medicaid during Fiscal Year 2020 and (2) had a payment made on their behalf to a Medicaid provider between July 1, 2019, and February 29, 2020. The purpose of our testing was to determine whether the beneficiaries were appropriately determined to be eligible for Medicaid during the time they received services within this period. This audit period was selected to accommodate changes that were made to federal Medicaid eligibility requirements in March 2020 due to the COVID-19 PHE. Our testing involved reviewing Medicaid case files, CBMS data fields, and supporting documentation related to eligibility determinations and redeterminations, as well as Medicaid payment information in Colorado interChange. For each beneficiary, we determined whether the Department ensured that local county and MA site caseworkers obtained and maintained required documents supporting eligibility determinations and redeterminations, and correctly entered eligibility data into CBMS. Additionally, for each sampled beneficiary, we determined whether CBMS showed the correct income and resources, the beneficiary was enrolled in the appropriate Medicaid program, buy-in premiums were assessed, and payments were not made after eligibility had ended during Fiscal Year 2020. We also inquired about the Department?s monitoring procedures over local counties and MA sites to ensure eligibility is determined in accordance with federal and state regulations. Additionally, we reviewed the Department?s progress in implementing our Fiscal Year 2019 audit recommendation related to Medicaid eligibility. Based on the results of that audit, we recommended that the Department strengthen its internal controls over Medicaid by providing adequate training, monitoring the local counties and MA sites, and researching and resolving CBMS system issues identified in our Fiscal Year 2019 audit. STATISTICAL SAMPLING METHODOLOGY We selected a statistical sample of Medicaid beneficiaries for our review of their case files in a manner that?if we found errors?would allow us to estimate the total number of beneficiaries who were improperly deemed eligible, as well as the resulting dollar amount of Medicaid benefit payments that were improperly paid during the audit period of July 1, 2019, through February 29, 2020. We designed our sampling methodology and sample size to support statistical projections of our testing results to the population of all beneficiaries for whom payments were made during the audit period. Our methodology included the following procedures: ? We requested and received from the Department a listing of all Medicaid FFS and capitation payments with a date of service during the audit period. The data set included State identification numbers (ID), which are unique to each beneficiary. ? We summarized all Medicaid payments made during the audit period by ID and removed any IDs for which total payments and adjustments netted to $0, which can happen when the Department catches and fixes payments made in error. This resulted in a population of 1,386,220 unique IDs that had a total of $5,408,339,948 in payments made on their behalf during the audit period. ? We used a stratified random sample, as shown in the following table, consisting of six strata defined by the total amount of payments for each unique ID. We selected random samples from each strata for a total of 125 IDs that had benefit payments totaling $3,127,704. The strata and sample sizes were defined based on our risk assessment and consultations with audit sampling methodologists from the U.S. Department of Health and Human Services, Office of Inspector General (HHS OIG). ? For each sampled ID, we tested eligibility covering the dates of service for every payment made on the individual?s behalf within the audit period. ? After we concluded our testing, we used HHS OIG?s Office of Audit Services statistical software in consultation with HHS OIG to project our results to the full population of IDs for which benefits were paid during the audit period. See Schedule of Findings and Questioned Costs for chart/table. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? For 32 of the 125 Medicaid beneficiaries? case files that we tested (26 percent), we identified at least one error within each case file. In total, we identified 43 errors within the 32 case files. These errors resulted in a total of $25,120 in known questioned costs for July 1, 2019, through February 29, 2020, and $6,843 in likely questioned costs for March 1, 2020, through June 30, 2020, as shown in the following table. See Schedule of Findings and Questioned Costs for chart/table. A questioned cost, as defined in federal regulations [45 CFR 75.2 Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards (Uniform Guidance)], is ?a cost that is questioned by the auditor ? (1) Which resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds; [or] (2) Where the costs, at the time of the audit, are not supported by adequate documentation?.? Furthermore, federal regulation [45 CFR 75.516] defines known questioned costs as questioned costs that are specifically identified by the auditor and likely questioned costs as an auditor?s best estimate of total questioned costs. During the COVID-19 PHE, CMS issued waivers that limited the Department?s ability to deny eligibility for enrolled beneficiaries. The Department also sought guidance from CMS on the treatment of beneficiaries who were ineligible prior to the COVID-19 PHE but were receiving benefits during this period. CMS guidance indicated that the Department should keep these beneficiaries enrolled during the COVID-19 PHE. Therefore, we are reporting any identified questioned costs from March 1, 2020, through June 30, 2020, the period during the COVID-19 PHE, as likely questioned costs. PROJECTED LIKELY QUESTIONED COSTS FOR JULY 2019 THROUGH FEBRUARY 2020. Based on our sample, we estimate the projected Medicaid questioned costs resulting from payments made on behalf of ineligible beneficiaries in the population between July 1, 2019, and February 29, 2020, to be about $165.6 million and, with 90 percent confidence, to be at least $41.1 million but not more than $290.0 million. This projection is based on the $25,120 in known questioned costs, or misstatements, we identified in our sample during the audit period. The American Institute of Certified Public Accountants Audit Sampling, May 1, 2017, Audit Guide [AAG-SAM 4.95] advises, ?Even if the misstatement appears to be from an unusual source, that does not mean that other unusual items are not in the population and that the original sample was not representative.? In accordance with this guidance, we projected the known questioned costs to the population of payments for services that occurred from July 1, 2019, through February 29, 2020, regardless of the nature of the errors or the programs involved, since the Department is ultimately responsible for all payments made to providers on behalf of eligible beneficiaries. The projected questioned costs amount of $165.6 million is based on a statistical calculation that does not correlate to specific payments to providers or to over-expenditures of the State?s General Fund or federal funds. However, this calculation indicates that if we tested the entire population, there is a 90 percent likelihood of finding the true amount of questioned costs to be between $41.1 million and $290.0 million and the amount would most likely be close to $165.6 million in erroneous payments. There is a 5 percent chance that the true amount of questioned costs is less than $41.1 million, and a 5 percent chance the true amount is over $290.0 million. PROJECTED LIKELY NUMBER OF INELIGIBLE BENEFICIARIES FOR JULY 2019 THROUGH FEBRUARY 2020. We also estimate that 169,026 beneficiaries, or with 90 percent confidence that at least 59,622 (4.30 percent) but not more than 278,429 (20.09 percent) beneficiaries, in our total population of 1,386,220 were likely ineligible at the time they received services from July 1, 2019, through February 29, 2020. The following table summarizes the results of our projections. See Schedule of FIndings and Questioned Costs for chart/table. The following table summarizes the total known and likely questioned costs based on our case file testing and statistical sampling results for Fiscal Year 2020. See Schedule of Findings and Questioned Costs for chart/table. DETAILS OF ERRORS IDENTIFIED. In some case files, we identified multiple instances of errors. Specifically, we found the following: ? PAYMENTS AFTER ELIGIBILITY HAS ENDED. In three cases, the Department paid for services after the beneficiary?s eligibility had ended. Specifically, in two cases, the beneficiaries continued to receive benefits after their death. In the remaining case, the Department determined the beneficiary was ineligible and ended the beneficiary?s benefits; however, payments continued to be made on behalf of the beneficiary after their eligibility had ended. These issues resulted in known questioned costs of $11,102. Federal regulation [42 CFR 433.304] states that an overpayment is the amount paid by a state agency to a provider in excess of the allowable amount for furnished services. Because medically necessary services cannot be provided after a beneficiary?s death, no medical services are allowable after a beneficiary?s death. Accordingly, payments for medical services claimed to have been provided after a Medicaid beneficiary?s death are overpayments. According to federal regulation [42 CFR 431.958], ?Improper payment means any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements; and includes any payment to an ineligible beneficiary, any duplicate payment, any payment for services not received, any payment incorrectly denied, and any payment that does not account for credits or applicable discounts.? ? INELIGIBLE FOR PROGRAM. In one case, the beneficiary was ineligible for the benefits received under Medicaid?s Social Security Income (SSI) mandatory program, which is a medical assistance program provided to persons eligible for financial assistance under SSI from the Social Security Administration (SSA). As a result of an eligibility redetermination, the caseworker determined that the beneficiary had not been eligible for the program since January 2019; however, the beneficiary received benefits under this program for the entire fiscal year. This issue resulted in known questioned costs of $8,326 and likely questioned costs of $4,132 for Fiscal Year 2020. State regulations [10 CCR 2505-10, 8.100.6.C.1a. and b.] state that Medicaid benefits must be provided to persons receiving financial assistance under SSI or persons who are eligible for financial assistance under SSI, but are not receiving SSI. ? INCOME ISSUES. We identified the following income-related issues: ? INCOME EXCEEDING THRESHOLD. In two cases, CBMS incorrectly calculated the beneficiaries? income. CBMS used income information reported by the beneficiary when it should have used electronic income information received through an interface with another system. If CBMS had correctly used the electronic income information, beneficiaries? income would have been over the limit set by federal regulation and the beneficiaries, therefore, should have been denied benefits at their redetermination. Instead, the beneficiaries were approved at their redeterminations and Colorado interChange paid claims on their behalf. These errors resulted in known questioned costs of $4,613 and likely questioned costs of $2,281. ? INCOME NOT VERIFIED. In one case, the caseworker did not verify income for the beneficiary. Specifically, the beneficiary reported income on the application, but the caseworker was unable to verify the income and deleted the income record from CBMS. This error resulted in known questioned costs of $779 and likely questioned costs of $280. ? INCORRECT INCOME THRESHOLD. In one case, CBMS used the incorrect income threshold for the beneficiary?s eligibility determination. The beneficiary?s income was less than the correct income threshold and, therefore, this error did not result in questioned costs. ? INCORRECT INCOME. In three cases, the caseworker used the incorrect income amount to determine eligibility. Specifically, in two cases, the caseworker excluded income when it should have been included for determining eligibility. In the remaining case, the caseworker did not include expenses to calculate self-employment income and, as a result, the caseworker overstated income for determining eligibility. No questioned costs were identified in these instances because the beneficiaries? income was still within federal and state income guidelines. Federal regulation [42 CFR 435.119] requires household income to be at or below 133 percent threshold of the federal poverty level and the State regulation [10 CCR 2505-10, 8.100.6.L.2.c] requires qualified beneficiary?s income to be at or below the federal property level. Federal regulation [42 CFR 435.914] requires the Department to obtain and maintain documentation to support each beneficiary?s Medicaid eligibility determination. State regulation [10 CCR 2505-10, 8.100.5.B.1.c] requires the caseworker to verify earned income in determining whether an individual qualifies for medical assistance and requires the Department to verify income reported by a beneficiary through an electronic data source, wage stubs, tax documents, or verification with the employer. State regulation [10 CCR 2505-10, 8.100.3.K.8.a] requires business expenses to be deducted from countable self-employment income when calculating Medicaid applicants? self-employment income. ? MISSING REDETERMINATION. In one case, the Department did not complete the annual redetermination for the beneficiary as required by the federal regulation. Specifically, the beneficiary had Medicaid payments paid on their behalf during the entire Fiscal Year 2020; however, the beneficiary had not been redetermined since April 2018 due to the beneficiary showing as ineligible in CBMS. This issue resulted in known questioned costs of $300 and likely questioned costs of $150. Federal regulation [42 CFR 435.916(a)] requires the Department to renew or redetermine Medicaid eligibility once every 12 months but no more frequently than once every 12 months. ? BUY-IN PREMIUMS NOT ASSESSED. In one case, the Department did not assess buy-in monthly premiums for the beneficiary. Beneficiaries are required to pay buy-in premiums to receive benefits under the Buy-in Working Adults with Disabilities program. Therefore, the beneficiary was not eligible for the Program during November 2019 through February 2020. The beneficiary did not have any claims submitted by providers during this time and therefore, this issue did not result in questioned costs. State regulations [10 CCR 2505-10, 8.100.6.P.1.f] require individuals to pay monthly premiums on a sliding scale based on income for the Buy-in Working Adults with Disabilities program to be eligible to receive benefits. ? INAPPROPRIATE CHANGE TO ELIGIBILITY. In two cases, the Department did not determine eligibility in accordance with state regulation. Specifically, the beneficiaries provided information to the Department that changed their eligibility and the caseworkers applied the change retroactively; these beneficiaries were current Medicaid beneficiaries rather than new applicants and state regulations do not allow eligibility to be changed retroactively for current beneficiaries. These issues did not result in questioned costs. State regulation [10 CCR 2505-10, 8.100.3.E] requires that retroactive eligibility only be provided to new applicants for the prior 3 months preceding the date of application. State regulations do not allow for retroactive redeterminations to existing beneficiaries.
Finding 2022-043 Medicaid Claims Payments Individuals and families apply for Medicaid at their local county departments of human/social services or at MA sites. Medicaid caseworkers make the determinations of participants? eligibility to receive Medicaid benefits through CBMS. Children in the State?s foster care program, whose information is documented in the TRAILS system, are automatically determined eligible for Medicaid benefits. The Medicaid eligibility data in CBMS and TRAILS feeds into Colorado interChange, which pays providers for the services that beneficiaries receive. CBMS and TRAILS interface with Colorado interChange on a daily basis to update eligibility information, such as a beneficiary?s eligibility status and/or termination of benefits in Colorado interChange. According to the Department, Colorado interChange is programmed to make only allowable Medicaid claims payments on behalf of eligible beneficiaries in accordance with federal and state Medicaid rules and regulations. Thus, Colorado interChange should stop paying Medicaid claims when a beneficiary is no longer eligible for Medicaid. On March 18, 2020, the Act was enacted. The Act provided a temporary increase in the federal share of Medicaid and CBHP assistance from January 1, 2020 until the end of the PHE. The Act also required that the Department maintain Medicaid and CBHP eligibility for beneficiaries enrolled as of March 1, 2020, through the end of the COVID-19 PHE, except for the required terminations noted within the CMS waivers, such as out-of-state residency, termination upon the beneficiary?s request, and death of the beneficiary. On March 26, 2020, CMS approved waivers for a number of Medicaid and CBHP requirements that resulted in, for example, the expansion of benefits to include all uninsured individuals; suspension of beneficiary deductibles, copayments, coinsurance, and other cost sharing charges and fees; coverage of COVID-19 vaccines and testing; and the suspension of the requirement for a provider to have a current license if their license expired during the COVID-19 PHE. In addition, the State implemented, with CMS? approval, Medicaid continuous enrollment as a condition of receiving the temporary increase in federal assistance. During continuous enrollment, beneficiaries could not be disenrolled due to changes in circumstances (i.e., changes in household composition, employment, income and resources) until the end of the COVID-19 PHE. On December 29, 2022 the CCA was enacted. Under the CCA, continuous enrollment and the temporary increase in federal assistance are no longer linked to the end of the COVID-19 PHE. The continuous enrollment condition will end on March 31, 2023 and the increase in federal assistance will start to gradually reduce in April 2023, fully ending in December 2023. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to review the Department?s progress in implementing our Fiscal Year 2019 audit recommendation related to its internal controls over Medicaid claims payments. During that audit, we recommended that the Department improve its Medicaid controls by researching and resolving CBMS, TRAILS, and Colorado interChange interface issues we identified during our audit to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries. We specifically identified a TRAILS and CBMS eligibility mismatch issue related to the daily interfaces between CBMS and Colorado interChange and between TRAILS and Colorado interChange. As a result, some individuals who were deemed ineligible for Medicaid in CBMS and TRAILS were indicated as eligible in Colorado interChange at the time of payments; therefore, Colorado interChange made payments on their behalf. The Department researched the specific errors we identified during the audit and manually corrected the eligibility status of those beneficiaries, but the Department had not fully researched the error or identified and corrected all of the cases affected by the errors at that time. As such, we also recommended that the Department identify and correct any additional cases affected by the system issues noted in our audit. The Department agreed with the recommendation and stated that it would implement them by July 2021. As part of our audit work, we discussed the Department?s progress in implementing our audit recommendation with Department staff. According to the Department, it worked with the Department of Human Services (DHS) during Fiscal Year 2022 to develop a plan to eliminate the issues, including the TRAILS eligibility mismatch issue, we identified in the Fiscal Year 2019 audit. In order to address our recommendation that the Department identify and correct any additional cases affected by the system issues noted during our Fiscal Year 2019 audit, the Department developed an eligibility reconciliation report that compares beneficiary records with an active eligibility span in Colorado interChange, in order to identify any records that were not reported in the monthly eligibility file from CBMS. Department staff reported that they are reviewing the reconciliation report monthly to identify any beneficiary records that need updating in CBMS. Beneficiaries may show up on the reconciliation report either because (1) Colorado interChange rejected the beneficiary?s eligibility due to a data integrity issue, or (2) there was a system defect in CBMS, Colorado interChange, or TRAILS that caused a mismatch issue. Data integrity issues include issues such as a missing mailing address or last name?these issues can be manually fixed in CBMS. System defect issues are generally more complex and require Department staff to research the problem and identify the system that caused the error (CBMS, Colorado interChange, or TRAILS), and then work with the appropriate staff to correct the issue. As part of our audit, we requested copies of the Department?s eligibility reconciliation reports for Fiscal Year 2022 and asked the Department if it identified any additional cases affected by the system issues we identified, and if so, if they had they corrected the issues. How were the results of the audit work measured? We measured the results of our audit against the following: ? Federal regulation [42 CFR 447.56(e)(2), Limitations on Premiums and Cost Sharing] states that federal funding will not be provided for payments made by the Department to providers for services rendered to individuals who are not eligible for Medicaid. ? The Act [Section 2, Division F, Sec. 6008, Temporary Increase of Medicaid FMAP] temporarily increased the federal medical assistance percentage (FMAP) by 6.2 percentage points, effective from January 1, 2020 until the end of the PHE. The Act requires states to maintain Medicaid and Children?s Health Insurance Program (CHIP) eligibility for beneficiaries enrolled as of March 1, 2020 through the end of the PHE (with certain exceptions) in order to receive the increased FMAP assistance (the ?continuous enrollment requirement?). The PHE remained in effect during the entirety of Fiscal Year 2022 through June 30, 2022. ? According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with the Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office, Paragraph 16.01, Perform Monitoring Activities, which states that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. What problems did the audit work identify? We determined that the Department did not fully implement our Fiscal Year 2019 recommendation related to Medicaid claims payments by the July 2021 due date it originally provided. Specifically, while the Department has started working with DHS on a plan to resolve the TRAILS eligibility mismatch issues and started preliminary work on the project, the project was still ongoing as of June 30, 2022. In addition, the Department?s system enhancements to CBMS and Colorado interChange were not fully executed because of the ongoing PHE. Once the PHE ends and the Department executes the system enhancements, the Department has indicated the system will begin to correct the CBMS and Colorado interChange mismatches. Finally, although the Department has identified additional beneficiary records that require updating in CBMS, it did not correct the identified issues in the system. Specifically, the Department identified approximately 32,800 separate beneficiaries that were flagged as having an eligibility issue through the Fiscal Year ending June 30, 2022. However, per Department staff, they are unable to tell which beneficiaries had data integrity issues versus those that were caused by a system defect. Once the continuous enrollment period ends and the Department is able to fully execute the system enhancements noted above, the Department reports that the systems will sync any error the Department has identified and will be manually corrected. Why did these problems occur? The Department indicated that it did not fully execute the CBMS and Colorado interChange system enhancements because of the Act?s ongoing continuous enrollment requirement. Specifically, because the Department was required to maintain Medicaid and CBHP beneficiaries enrolled as of March 1, 2020 through the entirety of Fiscal Year 2022 due to the continuous enrollment requirements in place, they were unable to fully execute the CBMS and Colorado interChange system enhancements that would fix the data integrity issues identified during the Fiscal Year 2019 audit. Why do these problems matter? Making payments to ineligible individuals can result in the Department having to repay the federal government for the federal portion of the overpayments. Further, because Colorado interChange makes payments on behalf of other federal programs, such as CBHP, system issues with Colorado interChange could result in erroneous payments for other programs. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-043 The Department of Health Care Policy and Financing should strengthen its internal controls over Medicaid claim payments by: A. Continuing to work with the Department of Human Services to fully implement the plan to eliminate the Colorado interChange issues between Colorado Benefits Management System (CBMS), TRAILS, and Colorado interChange to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries. B. Continuing to review the monthly eligibility reconciliation reports and identifying beneficiary records that need updating, and making necessary corrections in CBMS once the continuous enrollment condition ends. Response Department of Health Care Policy and Financing A. Partially Agree Implementation Date: April 2023 The Department and CBMS teams have strengthened their internal controls to ensure payments are only made to providers for eligible members. The Department and CBMS teams will update all member records identified on the Monthly Reconciliation report once the Public Health Emergency ends. TRAILS team has provided additional training to the Case Managers to prevent data integrity issues being submitted to CBMS and interChange; however, the TRAILS team does not plan to update the system's internal controls until funding is available. Auditor?s Addendum Our responsibility under federal audit regulations is to report to the federal government when we identify Medicaid payments that may not have been made on behalf of eligible individuals or costs that we question as appropriate. It is ultimately the Department?s responsibility to have internal controls in place over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions B. Agree Implementation Date: April 2023 The Department agrees to review the monthly eligibility reconciliation report and is looking forward to resolving the member records once the Public Health Emergency ends to fully resolve the audit finding.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-041 Medicaid Eligibility?Social Security Numbers associated with Multiple State IDs Each beneficiary?s Medicaid application must contain specific information, including the beneficiary?s Social Security Number (SSN), a copy of their birth certificate, and support for their income, necessary for determining their Medicaid eligibility. The local counties and MA sites are responsible for administering the benefits application process, including entering the required data for eligibility determination into CBMS, and approving or denying applicants? eligibility. CBMS is a shared eligibility system between the Department and the Department of Human Services. As each beneficiary has one SSN, similarly, the State Identification Module (SIDMOD), which is managed by the Office of Information Technology (OIT), is designed to assign a unique State ID for each beneficiary. CBMS interfaces with Colorado interChange, the Department?s Medicaid claims payment system, on a daily basis to update eligibility information, such as a beneficiary?s eligibility status or termination of benefits in Colorado interChange. Colorado interChange uses this information to process and pay claims for services provided to eligible Medicaid beneficiaries. When a medical provider submits a claim to the Department, Colorado interChange checks the State ID and the date of birth, but not the SSN, submitted with the claim against the beneficiary?s information on file. If the State ID and the date of birth match an eligible beneficiary within Colorado interChange and the claim is otherwise appropriate, then the claim will be processed and paid through the system. The Department requires local counties or MA site caseworkers to call the OIT Service Desk to obtain approval for changing or updating an SSN in CBMS. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department made claims payments on behalf of beneficiaries with the same SSN but different State IDs, including assessing the Department?s progress in implementing our Fiscal Year 2019 recommendation related to this issue. At that time, we recommended that the Department improve its internal controls in this area to ensure that it complies with federal regulations regarding Medicaid eligibility. The Department agreed with the Fiscal Year 2019 recommendation and, during our Fiscal Year 2021 audit, reported that it had implemented this recommendation as of December 2020. As part of our testing, we reviewed the internal controls the Department had in place during Fiscal Year 2021 to identify any beneficiaries whose SSN is linked to more than one State ID in Colorado interChange. During our audit, we requested a list of all Medicaid claims that were submitted by providers and paid by the Department from December 1, 2020, through June 30, 2021, including the beneficiaries? names, SSNs, and State IDs. The Department provided a list that included approximately 924,000 beneficiaries who received benefits during that period. We analyzed this listing to identify any beneficiaries whose SSN was linked to more than one State ID, and to determine if any claims payments were made on behalf of those beneficiaries from December 2020 through June 2021. How were the results of the audit work measured? Federal regulation [42 CFR 435.910] states that the Department must require, as a condition of eligibility, that each individual (including children) seeking Medicaid services furnish a SSN. Federal regulation [42 CFR 435.914] further requires the Department to obtain and maintain documentation to support each beneficiary?s Medicaid eligibility determination. Federal regulation [42 CFR 447.56(e)(2)] states that federal funding will not be provided for payments made by the Department to providers for services provided on behalf of individuals who are not eligible for Medicaid. Further, the Department is required by federal regulations to repay the federal government the federal share of any overpayments within one year. Specifically, pursuant to 1903(d)(2)(C) of the Social Security Act [42 U.S.S. 1396b], states have up to one year from the date of discovery of the overpayment to recover or attempt to recover the overpayment before the federal share must be refunded to CMS regardless of whether recovery is made from the provider. According to federal regulation [45 CFR 75.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office. Under Paragraph 16.01 of the Green Book, the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. What problem did the audit work identify? We determined that the Department has not fully implemented the prior audit recommendation. During our testing, we identified 102 unique SSNs that appeared to be inappropriately associated with more than one State ID; in total, the 102 SSNs were tied to 209 State IDs. This could indicate that the Department determined eligibility without a beneficiary furnishing the correct SSN and, as a result, made claims payments on behalf of ineligible beneficiaries or the SSNs could be valid, but with more than one State ID, a provider could submit and have a claim paid for the same services under both State IDs. Specifically, we found the following: ? For 62 SSNs, the SSNs were tied to beneficiaries with more than one State ID, totaling 129 different State IDs, where the State IDs appeared to be for different people based on the names and/or dates of birth. ? For 40 SSNs, the SSNs were tied to beneficiaries with more than one State ID, totaling 80 different State IDs, where the State IDs had the same name and date of birth. ? For 99 SSNs, each SSN was tied to two different State IDs in Colorado interChange. ? For three SSNs, each SSN was tied to more than two different State IDs in Colorado interChange. For example, in one of the three instances, there were five different State IDs associated with one invalid SSN. These issues affected a total of 209 Medicaid State IDs that had not been corrected as of June 2021, representing a total of $67,235 Medicaid claims paid through Colorado interChange from December 2020 through June 2021. We provided the list of SSNs and State IDs to the Department to research. The Department found that, as of the end of our audit in April 2022, 59 out of the 102 SSNs identified during the audit had been corrected by a caseworker, but 43 SSNs need to be corrected in CBMS. The Department reported that these 43 SSNs had been flagged through a system edit in CBMS implemented in December 2020; however, the SSNs had not yet been corrected because ?To merge or correct [the SSNs and State IDs] is a time intensive process and must be prioritized within the business process of the [local counties and] Medical Assistance sites.? Although the Department was able to determine which SSN and State ID discrepancies had been corrected in CBMS as of April 2022, the Department has not completed its research to determine which claims made in Colorado interChange were made on behalf of beneficiaries with a correct SSN, and whether the implemented system edit appropriately addresses the issues identified in both Fiscal Years 2019 and 2021. As of the end of the audit, the Department had not completed this research and we were unable to determine whether the payments were made on behalf of beneficiaries with a valid SSN at the time payments were made. Therefore, we consider all $67,235 of the payments to be known questioned costs; $37,786 of these costs were paid with federal grant funds. A questioned cost, as defined in federal regulations [45 CFR 75.2 Uniform Administrative Requirements, Cost Principles, and Audit Requirements] (Uniform Guidance), is ?a cost that is questioned by the auditor ? (1) Which resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds; [or] (2) Where the costs, at the time of the audit, are not supported by adequate documentation?.? We have identified these questioned costs as known questioned costs that are further defined in Uniform Guidance [45 CFR 75.516] as questioned costs that are specifically identified by the auditor. Why did this problem occur? The Department did not have adequate internal controls in place during Fiscal Year 2021 to prevent or detect all instances of multiple State IDs associated with the same SSN in Colorado interChange and, as a result, could not ensure only eligible beneficiaries received Medicaid services. SIDMOD does not prevent several situations that can result in the same SSN with more than one State ID. For example, caseworkers could incorrectly input an SSN into CBMS or the SSN could be reported by the beneficiary incorrectly and, as a result, cause a new State ID to be created. There can also be instances when someone changes their name, such as when they get married, and apply for benefits prior to getting married and also after getting married, which could cause two State IDs to be created. If someone starts an application and does not finish the application and then restarts a new application at a later date, this can also cause two State IDs to be created. Further, when inputting multiple family members into the system, an input error of the SSN can occur with multiple family members with the same SSN, which would create multiple State IDs (one for each family member) with the same SSN. According to the Department, in order to implement the Fiscal Year 2019 recommendation, it implemented a system edit in CBMS in December 2020 that is designed to identify discrepancies in newly-entered or updated SSNs and State IDs in CBMS after that date and to then notify the caseworker so the caseworker can address the discrepancy; this edit was not designed to address SSN and State ID discrepancies that existed prior to December 2020. As a result, the system edit did not identify SSN and State ID discrepancies for claims made from December 2020 to June 2021 if those discrepancies existed prior to the implementation of the system edit in CBMS and the beneficiaries? information had not been updated in CBMS. For example, if a beneficiary had an incorrect SSN prior to the system edit and was, therefore, ineligible to receive Medicaid services, Colorado interChange would continue paying claims on behalf of the beneficiary until information was updated in CBMS and the beneficiary was determined to be ineligible for Medicaid. Because the system edit implemented in CBMS is only designed to detect and correct future SSN and State ID discrepancies, the Department has not fully addressed the issue of inappropriate claims payments that we identified in the prior audit recommendation. According to the Department, addressing SSN and State ID discrepancies that existed prior to December 2020 involves a manual process to identify, research, and resolve the discrepancies. The Department stated that a report to identify SSNs with multiple State IDs is being developed and is currently scheduled for deployment in June 2023. Furthermore, the Department has not established a monitoring process over caseworkers to ensure SSN and State ID discrepancies are addressed appropriately and in a timely manner. Why does this problem matter? Failing to institute appropriate controls over the processing of Medicaid eligibility can result in the counties and MA sites granting Medicaid benefits to ineligible individuals. As the state Medicaid agency, it is essential for the Department to ensure that Medicaid benefits are paid only for eligible beneficiaries. This includes ensuring that the Department has sufficient internal controls to address risks related to multiple State IDs associated with the same SSN. For example, without adequate controls in place to prevent multiple State IDs from being created, providers could erroneously or fraudulently submit duplicate claims under these State IDs for the same services, resulting in improper payments. Ultimately, the federal government may disallow federal funds for Medicaid program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. Recommendation 2021-041 See Schedule of Findings and Questioned Costs for chart/table The Department of Health Care Policy and Financing (Department) should improve its internal controls over Medicaid eligibility by: A. Researching the claims payments that were identified during our audit to determine whether the local counties or Medical Assistance sites had a valid Social Security Number (SSN) when determining eligibility, if payments were appropriate?in accordance with federal regulation at the time the payments were made?and recovering any payments made to providers on behalf of ineligible beneficiaries in accordance with federal regulations. B. Continuing to develop a report to identify SSNs associated with multiple State IDs and establishing and implementing written policies and procedures outlining how the Department will use the report to effectively monitor and correct SSN and State ID discrepancies. C. Implementing a process to monitor that caseworkers are addressing the Colorado Benefits Management System alerts related to SSN and State ID discrepancies appropriately and in a timely manner. Response Department of Health Care Policy and Financing A. Disagree The research required to identify the appropriateness of payments for 102 SSNs compared to the 1.6 million Coloradans the Department serves is administratively impractical and not an efficient use of limited state resources. Instead the Department will continue our existing proactive approach. Based on previous research, 92% of errors noted in the 2019 sample actually supplied a SSN or met exceptions criteria; therefore, payments were appropriate. The resolution of a SSN discrepancy is addressed through manual intervention by county eligibility technicians when identified through the system edit implemented in December 2020. The Department will continue the existing process to address duplicate SSNs, which is working since 58% of the SSNs had already been corrected through the existing process during the audit work. The Department could not agree to the questioned costs as the testing failed to determine which member case was incorrect. The OSA should have documented the incorrect case or identified which State IDs had not been merged through the existing process. The OSA pulled claims data (not Colorado Benefits Management System, or CBMS, cases) and did not identify if those claims were from newly entered cases or cases entered prior to December 2020. The auditor?s sample should have only included the cases impacted by the Department?s system change related to the original recommendation. Further, the Department cannot recover any payments from providers since this issue is not related to services provided. When a provider checks a member's eligibility on the day of service and finds the member eligible through the Department?s system, that provider is guaranteed payment if they render an authorized service. Auditor?s Addendum Our responsibility under federal audit regulations is to report to the federal government when we identify Medicaid payments that may not have been made on behalf of eligible individuals or that we ?question? as appropriate. It is ultimately the Department?s responsibility to perform research over questioned costs to determine whether the payments were or were not appropriate and, working with CMS, whether the Department must refund the federal share of any overpayments to CMS, regardless of whether the Department recovers the payments from the providers. B. Agree Implementation Date: June 2023 The Department will continue our existing proactive approach to minimize this issue. The resolution of a SSN discrepancy is addressed through manual intervention by county eligibility technicians when identified through the system edit implemented in December 2020. The Department will continue the existing process to address duplicate SSNs. The Department has already made significant progress to monitor CBMS through the use of CBMS monitoring dashboards. These dashboards allow the Department to monitor and perform daily analysis. The Department meets bi-weekly to discuss findings and next steps to resolve any issues identified through the dashboard. These dashboards are being implemented over time as areas of improvements are identified. As part of the Department's continual improvement strategy, SSN discrepancy reports are included in the next implementation phase of the monitoring dashboards scheduled for June 2023. The Department will develop and implement policies and procedures outlining how the report will be used to effectively monitor and correct SSN and State ID discrepancies. Once that work is complete, the Department will send updated written guidance to our county and medical assistance sites on how to use system edits, reports, and dashboards to resolve duplicate SSNs. C. Agree Implementation Date: June 2023 The Department will continue our existing proactive approach to minimize this issue. The resolution of a SSN discrepancy is addressed through manual intervention by county eligibility technicians when identified through the system edit implemented in December 2020. The Department will continue the existing process to address duplicate SSNs. The Department has already made significant progress to monitor CBMS through the use of CBMS monitoring dashboards. These dashboards allow the Department to monitor and perform daily analysis. The Department meets bi-weekly to discuss findings and next steps to resolve any issues identified through the dashboard. These dashboards are being implemented over time as areas of improvements are identified. As part of the Department's continual improvement strategy, SSN discrepancy reports are included in the next implementation phase of the monitoring dashboards scheduled for June 2023. Once that work is complete, the Department will send updated written guidance to our county and medical assistance sites on how to use system edits, reports, and dashboards to resolve duplicate SSNs appropriately and in a timely manner.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-047 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-034 MEDICAID CONTROLS OVER ELIGIBILITY DETERMINATIONS Individuals and families seeking medical benefits through Medicaid must apply and provide certain information to caseworkers at their local county or an MA site, which collects required documentation for determining the applicants? eligibility. Such documentation includes the applicants? birth certificates, support for income, and the value of resources, such as wage stubs and bank account balances. Caseworkers enter the applicant-provided data into CBMS, which contains system checks for determining the applicants? eligibility to receive Medicaid benefits. These system checks include calculating and verifying income and resources for the applicants, as well as assessing and collecting fees for benefits, such as buy-in premiums. For example, CBMS will mark an applicant?s eligibility as fail if the reported income or resources exceed specific limits that are set by federal and state regulations. The Department is responsible for monitoring the local counties? and MA sites? administration of Medicaid to ensure eligibility is determined in accordance with federal and state regulations. Medicaid applicants may be eligible for retroactive eligibility, which allows new Medicaid applicants to receive coverage for up to 3 months prior to the date of one?s application. As long as the individual meets Medicaid?s eligibility requirements in the 3 months preceding their application, the Department will retroactively pay Medicaid covered expenses that individuals incurred during that timeframe. Without retroactive eligibility, benefits for Medicaid eligible individuals begin on the date the application was received by the local county or MA site. As an example, if an individual has medical expenses in March, applies for Medicaid in June, and the individual has met the eligibility requirements for 3 months preceding their application, then any unpaid Medicaid covered expenses for March, April, and May are paid by Medicaid. Eligibility data from CBMS feeds into the Colorado interChange system (Colorado interChange), which issues payments to Medicaid providers for the services they render to Medicaid beneficiaries. The Department pays Medicaid providers through two methods: (1) directly through fee-for-service (FFS) payments for specific services rendered or (2) indirectly through monthly fixed amounts known as capitation payments that are paid to managed care entities, who contract with providers for services. The monthly capitation payments are paid every month on behalf of beneficiaries regardless of whether the beneficiaries receive medical services during the month. Colorado interChange is programmed to pay the FFS and monthly capitation payments only on behalf of beneficiaries deemed eligible in Colorado interChange based on eligibility information received from CBMS and requirements specified in federal and state rules and regulations. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to review the Department?s internal controls over the Medicaid eligibility determination process, as well as to determine whether the Department complied with applicable federal and state Medicaid eligibility requirements during Fiscal Year 2020. We performed testing on a statistical sample of 125 case files related to beneficiaries who (1) were deemed eligible for Medicaid during Fiscal Year 2020 and (2) had a payment made on their behalf to a Medicaid provider between July 1, 2019, and February 29, 2020. The purpose of our testing was to determine whether the beneficiaries were appropriately determined to be eligible for Medicaid during the time they received services within this period. This audit period was selected to accommodate changes that were made to federal Medicaid eligibility requirements in March 2020 due to the COVID-19 PHE. Our testing involved reviewing Medicaid case files, CBMS data fields, and supporting documentation related to eligibility determinations and redeterminations, as well as Medicaid payment information in Colorado interChange. For each beneficiary, we determined whether the Department ensured that local county and MA site caseworkers obtained and maintained required documents supporting eligibility determinations and redeterminations, and correctly entered eligibility data into CBMS. Additionally, for each sampled beneficiary, we determined whether CBMS showed the correct income and resources, the beneficiary was enrolled in the appropriate Medicaid program, buy-in premiums were assessed, and payments were not made after eligibility had ended during Fiscal Year 2020. We also inquired about the Department?s monitoring procedures over local counties and MA sites to ensure eligibility is determined in accordance with federal and state regulations. Additionally, we reviewed the Department?s progress in implementing our Fiscal Year 2019 audit recommendation related to Medicaid eligibility. Based on the results of that audit, we recommended that the Department strengthen its internal controls over Medicaid by providing adequate training, monitoring the local counties and MA sites, and researching and resolving CBMS system issues identified in our Fiscal Year 2019 audit. STATISTICAL SAMPLING METHODOLOGY We selected a statistical sample of Medicaid beneficiaries for our review of their case files in a manner that?if we found errors?would allow us to estimate the total number of beneficiaries who were improperly deemed eligible, as well as the resulting dollar amount of Medicaid benefit payments that were improperly paid during the audit period of July 1, 2019, through February 29, 2020. We designed our sampling methodology and sample size to support statistical projections of our testing results to the population of all beneficiaries for whom payments were made during the audit period. Our methodology included the following procedures: ? We requested and received from the Department a listing of all Medicaid FFS and capitation payments with a date of service during the audit period. The data set included State identification numbers (ID), which are unique to each beneficiary. ? We summarized all Medicaid payments made during the audit period by ID and removed any IDs for which total payments and adjustments netted to $0, which can happen when the Department catches and fixes payments made in error. This resulted in a population of 1,386,220 unique IDs that had a total of $5,408,339,948 in payments made on their behalf during the audit period. ? We used a stratified random sample, as shown in the following table, consisting of six strata defined by the total amount of payments for each unique ID. We selected random samples from each strata for a total of 125 IDs that had benefit payments totaling $3,127,704. The strata and sample sizes were defined based on our risk assessment and consultations with audit sampling methodologists from the U.S. Department of Health and Human Services, Office of Inspector General (HHS OIG). ? For each sampled ID, we tested eligibility covering the dates of service for every payment made on the individual?s behalf within the audit period. ? After we concluded our testing, we used HHS OIG?s Office of Audit Services statistical software in consultation with HHS OIG to project our results to the full population of IDs for which benefits were paid during the audit period. See Schedule of Findings and Questioned Costs for chart/table. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? For 32 of the 125 Medicaid beneficiaries? case files that we tested (26 percent), we identified at least one error within each case file. In total, we identified 43 errors within the 32 case files. These errors resulted in a total of $25,120 in known questioned costs for July 1, 2019, through February 29, 2020, and $6,843 in likely questioned costs for March 1, 2020, through June 30, 2020, as shown in the following table. See Schedule of Findings and Questioned Costs for chart/table. A questioned cost, as defined in federal regulations [45 CFR 75.2 Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards (Uniform Guidance)], is ?a cost that is questioned by the auditor ? (1) Which resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds; [or] (2) Where the costs, at the time of the audit, are not supported by adequate documentation?.? Furthermore, federal regulation [45 CFR 75.516] defines known questioned costs as questioned costs that are specifically identified by the auditor and likely questioned costs as an auditor?s best estimate of total questioned costs. During the COVID-19 PHE, CMS issued waivers that limited the Department?s ability to deny eligibility for enrolled beneficiaries. The Department also sought guidance from CMS on the treatment of beneficiaries who were ineligible prior to the COVID-19 PHE but were receiving benefits during this period. CMS guidance indicated that the Department should keep these beneficiaries enrolled during the COVID-19 PHE. Therefore, we are reporting any identified questioned costs from March 1, 2020, through June 30, 2020, the period during the COVID-19 PHE, as likely questioned costs. PROJECTED LIKELY QUESTIONED COSTS FOR JULY 2019 THROUGH FEBRUARY 2020. Based on our sample, we estimate the projected Medicaid questioned costs resulting from payments made on behalf of ineligible beneficiaries in the population between July 1, 2019, and February 29, 2020, to be about $165.6 million and, with 90 percent confidence, to be at least $41.1 million but not more than $290.0 million. This projection is based on the $25,120 in known questioned costs, or misstatements, we identified in our sample during the audit period. The American Institute of Certified Public Accountants Audit Sampling, May 1, 2017, Audit Guide [AAG-SAM 4.95] advises, ?Even if the misstatement appears to be from an unusual source, that does not mean that other unusual items are not in the population and that the original sample was not representative.? In accordance with this guidance, we projected the known questioned costs to the population of payments for services that occurred from July 1, 2019, through February 29, 2020, regardless of the nature of the errors or the programs involved, since the Department is ultimately responsible for all payments made to providers on behalf of eligible beneficiaries. The projected questioned costs amount of $165.6 million is based on a statistical calculation that does not correlate to specific payments to providers or to over-expenditures of the State?s General Fund or federal funds. However, this calculation indicates that if we tested the entire population, there is a 90 percent likelihood of finding the true amount of questioned costs to be between $41.1 million and $290.0 million and the amount would most likely be close to $165.6 million in erroneous payments. There is a 5 percent chance that the true amount of questioned costs is less than $41.1 million, and a 5 percent chance the true amount is over $290.0 million. PROJECTED LIKELY NUMBER OF INELIGIBLE BENEFICIARIES FOR JULY 2019 THROUGH FEBRUARY 2020. We also estimate that 169,026 beneficiaries, or with 90 percent confidence that at least 59,622 (4.30 percent) but not more than 278,429 (20.09 percent) beneficiaries, in our total population of 1,386,220 were likely ineligible at the time they received services from July 1, 2019, through February 29, 2020. The following table summarizes the results of our projections. See Schedule of FIndings and Questioned Costs for chart/table. The following table summarizes the total known and likely questioned costs based on our case file testing and statistical sampling results for Fiscal Year 2020. See Schedule of Findings and Questioned Costs for chart/table. DETAILS OF ERRORS IDENTIFIED. In some case files, we identified multiple instances of errors. Specifically, we found the following: ? PAYMENTS AFTER ELIGIBILITY HAS ENDED. In three cases, the Department paid for services after the beneficiary?s eligibility had ended. Specifically, in two cases, the beneficiaries continued to receive benefits after their death. In the remaining case, the Department determined the beneficiary was ineligible and ended the beneficiary?s benefits; however, payments continued to be made on behalf of the beneficiary after their eligibility had ended. These issues resulted in known questioned costs of $11,102. Federal regulation [42 CFR 433.304] states that an overpayment is the amount paid by a state agency to a provider in excess of the allowable amount for furnished services. Because medically necessary services cannot be provided after a beneficiary?s death, no medical services are allowable after a beneficiary?s death. Accordingly, payments for medical services claimed to have been provided after a Medicaid beneficiary?s death are overpayments. According to federal regulation [42 CFR 431.958], ?Improper payment means any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements; and includes any payment to an ineligible beneficiary, any duplicate payment, any payment for services not received, any payment incorrectly denied, and any payment that does not account for credits or applicable discounts.? ? INELIGIBLE FOR PROGRAM. In one case, the beneficiary was ineligible for the benefits received under Medicaid?s Social Security Income (SSI) mandatory program, which is a medical assistance program provided to persons eligible for financial assistance under SSI from the Social Security Administration (SSA). As a result of an eligibility redetermination, the caseworker determined that the beneficiary had not been eligible for the program since January 2019; however, the beneficiary received benefits under this program for the entire fiscal year. This issue resulted in known questioned costs of $8,326 and likely questioned costs of $4,132 for Fiscal Year 2020. State regulations [10 CCR 2505-10, 8.100.6.C.1a. and b.] state that Medicaid benefits must be provided to persons receiving financial assistance under SSI or persons who are eligible for financial assistance under SSI, but are not receiving SSI. ? INCOME ISSUES. We identified the following income-related issues: ? INCOME EXCEEDING THRESHOLD. In two cases, CBMS incorrectly calculated the beneficiaries? income. CBMS used income information reported by the beneficiary when it should have used electronic income information received through an interface with another system. If CBMS had correctly used the electronic income information, beneficiaries? income would have been over the limit set by federal regulation and the beneficiaries, therefore, should have been denied benefits at their redetermination. Instead, the beneficiaries were approved at their redeterminations and Colorado interChange paid claims on their behalf. These errors resulted in known questioned costs of $4,613 and likely questioned costs of $2,281. ? INCOME NOT VERIFIED. In one case, the caseworker did not verify income for the beneficiary. Specifically, the beneficiary reported income on the application, but the caseworker was unable to verify the income and deleted the income record from CBMS. This error resulted in known questioned costs of $779 and likely questioned costs of $280. ? INCORRECT INCOME THRESHOLD. In one case, CBMS used the incorrect income threshold for the beneficiary?s eligibility determination. The beneficiary?s income was less than the correct income threshold and, therefore, this error did not result in questioned costs. ? INCORRECT INCOME. In three cases, the caseworker used the incorrect income amount to determine eligibility. Specifically, in two cases, the caseworker excluded income when it should have been included for determining eligibility. In the remaining case, the caseworker did not include expenses to calculate self-employment income and, as a result, the caseworker overstated income for determining eligibility. No questioned costs were identified in these instances because the beneficiaries? income was still within federal and state income guidelines. Federal regulation [42 CFR 435.119] requires household income to be at or below 133 percent threshold of the federal poverty level and the State regulation [10 CCR 2505-10, 8.100.6.L.2.c] requires qualified beneficiary?s income to be at or below the federal property level. Federal regulation [42 CFR 435.914] requires the Department to obtain and maintain documentation to support each beneficiary?s Medicaid eligibility determination. State regulation [10 CCR 2505-10, 8.100.5.B.1.c] requires the caseworker to verify earned income in determining whether an individual qualifies for medical assistance and requires the Department to verify income reported by a beneficiary through an electronic data source, wage stubs, tax documents, or verification with the employer. State regulation [10 CCR 2505-10, 8.100.3.K.8.a] requires business expenses to be deducted from countable self-employment income when calculating Medicaid applicants? self-employment income. ? MISSING REDETERMINATION. In one case, the Department did not complete the annual redetermination for the beneficiary as required by the federal regulation. Specifically, the beneficiary had Medicaid payments paid on their behalf during the entire Fiscal Year 2020; however, the beneficiary had not been redetermined since April 2018 due to the beneficiary showing as ineligible in CBMS. This issue resulted in known questioned costs of $300 and likely questioned costs of $150. Federal regulation [42 CFR 435.916(a)] requires the Department to renew or redetermine Medicaid eligibility once every 12 months but no more frequently than once every 12 months. ? BUY-IN PREMIUMS NOT ASSESSED. In one case, the Department did not assess buy-in monthly premiums for the beneficiary. Beneficiaries are required to pay buy-in premiums to receive benefits under the Buy-in Working Adults with Disabilities program. Therefore, the beneficiary was not eligible for the Program during November 2019 through February 2020. The beneficiary did not have any claims submitted by providers during this time and therefore, this issue did not result in questioned costs. State regulations [10 CCR 2505-10, 8.100.6.P.1.f] require individuals to pay monthly premiums on a sliding scale based on income for the Buy-in Working Adults with Disabilities program to be eligible to receive benefits. ? INAPPROPRIATE CHANGE TO ELIGIBILITY. In two cases, the Department did not determine eligibility in accordance with state regulation. Specifically, the beneficiaries provided information to the Department that changed their eligibility and the caseworkers applied the change retroactively; these beneficiaries were current Medicaid beneficiaries rather than new applicants and state regulations do not allow eligibility to be changed retroactively for current beneficiaries. These issues did not result in questioned costs. State regulation [10 CCR 2505-10, 8.100.3.E] requires that retroactive eligibility only be provided to new applicants for the prior 3 months preceding the date of application. State regulations do not allow for retroactive redeterminations to existing beneficiaries.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-042 Medical Loss Ratio Reporting for Managed Care Entities The Department contracts with Managed Care Entities (MCEs) to provide managed care health plans and deliver health care services to eligible Medicaid and CBHP beneficiaries and pays MCEs monthly fixed amounts, known as capitation payments, based on rates determined by actuaries for the provision of services covered under the contract. The Department pays the MCEs monthly capitation payments on behalf of each Medicaid and CBHP beneficiary enrolled in the MCE?s plan. MCEs then coordinate services for the eligible Medicaid and CBHP beneficiaries and providers participating in the managed care system bill the MCEs directly for any medical services provided to Medicaid and CBHP beneficiaries. The MCEs are then responsible for paying the providers for the Medicaid and CBHP claims. The Department contracts with three different types of MCEs?Managed Care Organizations (MCO), Prepaid Inpatient Health Plans (PIHP), and Primary Care Case Management (PCCM) Entities. During Fiscal Year 2021, the Department had a total of 8 contracts with 10 MCEs, with two pairs of MCEs sharing a single contract with the Department. The Department is responsible for monitoring the MCEs to ensure they are complying with federal regulations and their contract provisions, including requirements that the MCEs annually submit Medical Loss Ratio (MLR) reports to the Department. The MLR is the proportion of state and federal Medicaid and CBHP funds that the MCE used for medical services compared to the funds used for its administrative costs. MCEs are required by both federal regulations and their Department contract provisions to have an MLR above 85 percent (i.e., an MCE?s administrative costs cannot exceed 15 percent) except for specific exceptions defined in federal regulations. If the MLR is below 85 percent, the MCE must pay back the state and federal government for the amount that caused the MCE to fall below 85 percent. Every fiscal year, the Department provides an MLR reporting template for the MCEs to complete and return to the Department. The Department reported that when it receives the completed templates, staff review the information provided by the MCEs and compare it to supporting documentation to ensure it is accurate and complete. Once the Department has reviewed the MLR reports submitted by the MCEs, the Department submits the MLR reports to CMS, which are due by June 30 of the year following the end of the MLR reporting year. For example, an MCE with a reporting year ending June 30, 2020, would be required to submit the MLR calculation to CMS by June 30, 2021. During Fiscal Year 2021, the Department reported that it paid approximately $1.4 billion in Medicaid and CBHP capitation payments to MCEs for medical services, not including the capitation payments for other services, such as administrative costs. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to review the Department?s internal controls and compliance over ensuring that MLR reports submitted to CMS by the Department include all the required information in accordance with federal regulations during Fiscal Year 2021. The audit work included making inquiries of Department staff regarding the Department?s documented policies and procedures over obtaining and reviewing MLR reports from each MCE. In addition, we requested and reviewed all MLR reports submitted to the Department by the 10 MCEs that were under contract with the Department in Fiscal Year 2021 to determine whether the MLR reports included all information required by federal regulations and were submitted within the required timeframes. How were the results of the audit work measured? Federal regulations [42 CFR 438.8(k)] require that the Department ensure each MCE under contract with the Department submits a report with the data elements specified in 42 CFR section 438.8(k)(1). The reports are specifically required to contain 13 required data elements, reflect the correct reporting years, and contain an attestation of accuracy regarding the calculation of the MLR. The 13 data elements include items such as total incurred claims, the methodology for allocating expenditures, the calculated MLR, and a comparison of the information reported in the MLR report to the MCE?s audited financial report. Federal regulations [42 CFR 438.8(g)] note that the method used to allocate expenses in the MLR calculation must be: ? Based on a generally accepted accounting method that is expected to yield the most accurate results; ? Any shared expenses must be apportioned pro rata to the contract incurring the expense; and ? Expenses that relate solely to the operation of a reporting entity must be borne solely by the reporting entity and are not to be apportioned to other entities. Federal regulations [42 CFR 438.8(k)(2)] require MCEs to submit the MLR report in a timeframe and manner determined by the Department, which must be within 12 months of the end of the MCE?s reporting year. The Department?s contract provisions for MCEs state that the MLR reporting year should align with the State?s fiscal year, beginning on July 1 and ending on June 30 of the subsequent calendar year. Contract provisions also state that each MCE shall submit to the Department the completed MLR calculation template and supporting documentation for each reporting year by the following January 15. For example, an MCE with a reporting year ending June 30, 2020, would be required to submit the MLR calculation template to the Department by January 15, 2021, and the Department would be required to submit the MLR calculation to CMS by June 30, 2021. What problems did the audit work identify? We reviewed all reports provided to the Department by the 10 MCEs during Fiscal Year 2021 (for the MLR reporting year ended June 30, 2020) and determined that none of the MLR reports submitted by the 10 MCEs to the Department contained all of the required data elements in Fiscal Year 2021. Specifically, the MLR reports were missing 2 of the 13 (15 percent) required data elements: the methodology for the MCEs? allocation of expenditures and a comparison of the information reported in the MLR report to the MCEs? audited financial reports. This omission is significant because the MCEs reported total medical expenditures ranging from $20.5 million to $208.4 million and earned revenue from $23.4 million to $219.1 million. In addition, we determined that 1 of the 10 MLR reports received in Fiscal Year 2021 (10 percent) had not been submitted to CMS as of April 2022. This report was due to CMS on June 30, 2021. Why did these problems occur? We found that the Department lacked adequate controls to ensure that MLR reports submitted by the MCEs fully complied with federal regulations. First, we noted that although the Department?s MCE contracts state the MCE?s MLR report should include all 13 federally required data elements, the MLR template the Department provided to the MCEs did not include specific sections addressing the two missing federally-required data elements. As a result, the MCEs did not submit this information. Furthermore, the Department did not have written policies and procedures for reviewing completed MLR reports to ensure the reports ultimately included those requirements. Second, the Department does not have an enforcement mechanism to ensure the MCEs provide corrected MLR report information in a timely manner. The Department reported that it had not submitted the one MLR report to CMS because it had open questions on the MLR report and was unable to verify that the information was correct, valid, and in compliance with federal regulations. Although the Department sent the MLR report back to the MCE for correction several times, the Department did not have sufficient controls in place to ensure the MCE ultimately provided the corrected report back to the Department within the required reporting timeline for CMS submission. Why do these problems matter? The Department is responsible for ensuring MLR reports are obtained and submitted to CMS in accordance with federal regulations and that MCEs have an MLR above 85 percent. While all 10 MCEs reported that their MLRs were above 85 percent for the reports submitted during Fiscal Year 2021, without providing all required data elements, neither the Department nor the federal government can validate that this percentage is accurate. By not including the methodology for the MCE?s allocation of expenditures, the Department, and ultimately CMS, are unable to confirm that each type of expense is being allocated correctly and that any shared expenses are being prorated appropriately. Additionally, by not including a comparison of the information reported in the MRL to the MCE?s audited financial report, the Department is unable to confirm that the information the MCE used to calculate their MLR is accurate. Overall, without effective internal controls in place, the Department risks providing MLR reports to CMS that contain inaccurate or incomplete information or that the MLR is below 85 percent and the Department does not catch the error. As a result, state and federal funds could be used disproportionately on administrative costs rather than medical services, which would negatively impact the quality of care Medicaid and CBHP beneficiaries receive. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-042 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls over Medical Loss Ratio (MLR) reporting by: A. Updating its MLR report template provided to Managed Care Entities (MCEs) to comply with federal regulations and developing and implementing written policies and procedures. These policies and procedures should include the requirement for MCEs to submit MLR reports that include the data elements required by federal regulations and specify the Department?s review process of those MLR reports to ensure they include accurate and complete information. B. Developing an enforcement mechanism to ensure it receives accurate and corrected information from the MCEs in a timely manner so the Department is able to complete its validation process of MLR reports and meet the June 30 deadline for report submission to the Centers for Medicare & Medicaid Services. Response Department of Health Care Policy and Financing A. Agree Implementation Date: December 2022 The MLR report template has been updated and will now be reviewed at least yearly by the Department. In addition, new written policies and procedures are being developed and will be implemented before the submission of the next MLR for review. B. Agree Implementation Date: January 2023 The Department will add contract language and enforcement mechanisms in order to receive accurate information in a timely manner. This includes specific timelines for correcting incomplete or inaccurate information in order to submit the MLR report timely to the Centers for Medicare & Medicaid Services.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-043 Managed Care Entities? Periodic Audit Reporting On November 9, 2020, CMS adopted a final rule (Final Rule) revising the regulations governing managed care programs. The Final Rule was meant to streamline the existing Medicaid and CBHP managed care regulatory framework. Further, it adopted procedures and standards to ensure accountability and strengthen program integrity safeguards. The Department is responsible for complying with these federal program integrity regulations, some of which include requirements to monitor MCE compliance submission requirements, conduct periodic audits of submitted MCE data, and then post the periodic audits publicly on the Department?s website. These periodic audits are done to determine the accuracy and completeness of the (1) encounter and, (2) financial data submitted by each MCE, which are described as follows: ? Encounter Data. The Department?s contracts with the MCEs require each MCE to submit Medical Encounter Claims (Encounter Data) to the Department. Encounter Data includes services provided by any of the MCE?s providers, including, but not limited to, services delivered by medical groups, practices, clinics, physicians, or any other providers. MCEs must submit Encounter Data on a monthly basis on the last business day of the month. The Department then contracts with an independent external quality review organization to review the information and supporting documentation, and then the external organization issues a report on the data submitted by each MCE. ? Financial Data. The Department?s contracts with the MCEs require each MCE to complete a Department-provided financial reporting template that contains a breakdown of the MCE?s administrative and medical costs for a 12-month period (July through June). These templates are required to be completed and submitted to the Department by January 15 each year. The Department performs an initial review of the information, and then sends the completed templates to an independent CPA firm for final review and issuance of a report on the data submitted by each MCE. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to review the Department?s internal controls over and compliance with federal program integrity requirements for MCEs during Fiscal Year 2021. The audit work included making inquiries of Department staff regarding the Department?s documented policies and procedures over the MCE periodic audits. For each MCE, we reviewed the Department?s MCE contract, the financial reporting template submitted during Fiscal Year 2021, and the report issued by the Department?s contracted independent organization. Lastly, we reviewed the Department?s website to determine whether the Department posted the periodic audit results on their website. How were the results of the audit work measured? Federal regulations [42 CFR 438.602] detail the Department?s responsibilities associated with MCE program integrity. These include the following: ? Federal regulation [42 CFR 602(e)] requires the Department to periodically conduct, or contract for the conduct of, an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by each MCE. ? Federal regulation [42 CFR 438.602(g)(4)] requires that the results of the periodic audits for each MCE be publicly posted on the Department?s website. The Department?s MCE contracts require all MCEs to submit Encounter Data electronically to the Department on a monthly basis. The Department?s MCE contracts also require all MCEs to submit annual financial information, including annual financial statements and the Department provided financial reporting template. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in the Green Book. Under Paragraph 16.01, the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. What problems did the audit work identify? Overall, we found that the Department did not obtain complete financial data from the MCEs during Fiscal Year 2021 and did not post the audited results of the financial data to the Department?s website. Specifically, we found the following: ? Financial Data Reporting Template. For 2 out of the 10 (20 percent) financial reporting templates we reviewed, the MCE did not fill out the reporting template completely. As a result, the reporting templates were missing supporting information and explanations that assist the Department in their initial review of the MCE financial data, such as the MCE?s methodology for calculating administrative and medical costs submitted with the reporting template. ? Posting Incomplete Periodic Audits to the Department?s Website. For 10 of the 10 (100 percent) MCEs, we found that the Department failed to post the results of the financial data audits to its website. Pursuant to federal regulations, the audits must include information on encounter and financial data for each MCE and be posted to the Department?s website. We were able to verify that the Department did, however, post the results of the encounter audits to its website for all 10 MCEs. Why did these problems occur? The Department lacked adequate controls over ensuring compliance with federal program integrity requirements for MCEs. Specifically, the Department did not have written policies and procedures for performing the initial review of the financial data reporting templates before they are sent to the CPA firm for final review. In addition, the Department did not have written policies and procedures for ensuring all periodic audit information is posted to its website, including the results of the financial data audits. Why do these problems matter? As a recipient of federal funds, the Department is ultimately responsible for ensuring that it is in compliance with federal regulations. By not confirming that the MCE financial data templates are complete, there is a risk that the reports issued by the contracted CPA firm could be inaccurate or incomplete, which could lead to the Department not properly monitoring the managed care program. In addition, by posting incomplete periodic audit information to its website, the Department risks failing to comply with federal program integrity requirements for MCEs. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-043 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls by developing and implementing written policies and procedures for periodic audits that detail the process for (1) performing the initial review of the financial data reporting templates submitted by Managed Care Entities, and (2) posting complete periodic audit results on the Department?s website in accordance with federal regulations. Response Department of Health Care Policy and Financing Agree Implementation Date: December 2022 The Department did not have strong enough controls for the initial checks on the financial data reporting templates. This process has been updated and will be rectified in coming cycles. The Department has modified its templates in order to address the concerns provided by the auditors including signatures and supplemental reporting. Written policies and procedures for the validation and audit of the templates are being developed currently and will be in place and effective in December 2022. The Department will be correcting this error by posting the audit results along with other quality and audit reports on the following site: https://hcpf.colorado.gov/quality-and-health-improvement-reports.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-056 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-044 PROVIDER ELIGIBILITY Medicaid and CBHP cover a variety of medical and related services, which are provided by provider types such as clinics and hospitals, managed care organizations such as health plans or independent physicians, as well as individual medical providers working within these entities or individually. As of June 30, 2019, the Department had enrolled approximately 71,000 entities and individuals for providing services under Medicaid and CBHP. The Department is ultimately responsible for determining if providers are eligible to participate in Medicaid and CBHP. However, the Department has contracted with a fiscal agent, currently DXC Technology Services, LLC (DXC), to act on its behalf in determining Medicaid and CBHP provider eligibility. A fiscal agent is a contractor that performs certain provider enrollment and claims processing activities, including accepting, processing, evaluating, and approving or rejecting applications. The fiscal agent also assesses the providers into one of three risk categories?limited, moderate, and high?to ensure that appropriate federal and state regulations are applied during the provider enrollment process. Providers that want to enroll must complete an application within Colorado interChange and provide documentation, including a current business and/or medical license, showing that they fulfill all enrollment requirements. Once the enrollment process is complete, the Department enters into agreements with the providers that are found to be eligible. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over Medicaid and CBHP provider eligibility and enrollment processing, and to determine whether the Department complied with federal Medicaid and CBHP provider eligibility requirements during Fiscal Year 2019. Additionally, the purpose of our work was to determine the Department?s progress in implementing our Fiscal Year 2017 and 2018 recommendations related to provider eligibility and enrollment. At that time, we recommended that the Department improve its controls over Medicaid and CBHP provider eligibility determination and enrollment to ensure that it complies with federal and state requirements related to data verification, documentation including current provider licenses, monitoring policies and procedures, appropriate indication of results of database matches, and consistent display of provider information within Colorado interChange. The Department agreed with our recommendations and stated that it would implement them by Fiscal Year 2019. We reviewed a sample of 25 Medicaid provider applications for individual, company, and managed care providers that were deemed eligible and received payments during Fiscal Year 2019 through Colorado interChange for services provided. We obtained and reviewed the provider application information entered into Colorado interChange, as well as the supporting documentation uploaded into Colorado interChange by providers, to determine whether these providers were accurately deemed eligible to receive Medicaid payments and whether the required documents were present in accordance with federal and state regulations. In addition, we conducted interviews with Department staff regarding its procedures over Medicaid provider eligibility and enrollment. We also obtained a detailed Suspension Listing from the Department of Regulatory Agencies, which contained health care provider business and medical licenses that were terminated during Fiscal Year 2019. We compared the Suspension Listing with provider information in Colorado interChange to determine if the Department made inappropriate claims payments to unlicensed providers during the fiscal year. Because CBHP is operated through Medicaid, and the processes followed for provider eligibility and enrollment for CBHP providers are the same as the processes for Medicaid providers, our testing looked at compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal and state Medicaid regulations for provider eligibility during Fiscal Year 2019. Specifically, although we did not identify enrollment issues with the Department?s processing of providers who were newly enrolled during Fiscal Year 2019, we found at least one issue related to ongoing eligibility with all 25 sampled providers we tested: ? DATABASE MATCHES AND DISPLAY OF PROVIDER INFORMATION. We identified the following database match functionality issues with 24 of 25 providers (96 percent) tested: ? For 23 of 25 providers (92 percent) that included individual, company, and managed care providers, Colorado interChange showed that the provider?s owners, agents, and managing employees? SSNs were not verified against federal databases, as required. Specifically, the SSN check box within Colorado interChange indicated ?N,? meaning ?No verification was performed with the database.? Additionally, for one of 25 providers (4 percent) that was a managed care organization, the organization was enrolled in Colorado interChange in April 2019 and showed that the SSNs had been verified, but SSNs for two individuals who worked under this provider that were listed on the application were shown as ?N? within the system. ? For eight of 25 providers (32 percent) that included companies, Colorado interChange showed that the providers? Federal Employee Identification Numbers (FEIN) were not verified against federal and state databases, as required. Specifically, the FEIN check box within Colorado interChange indicated ?N.? ? For 13 of 25 providers (52 percent), Colorado interChange did not present the data of owners, agents, and managing employees information consistently between various screens within Colorado interChange. For example, when a provider noted owners, agents, or managing employees on its application, that information was not reflected in Colorado interChange outside of the application screen even though there is a section in Colorado interChange that should list the owners? information. According to federal regulation [42 CFR 455.436] and requirements established by the ACA [Patient Protection and Affordable Care Act (2010), Section 6401(a)], the Department must check federal databases to confirm providers? identity and determine whether providers are excluded from participating in the Medicaid program; this verification must also occur, if applicable, against providers? owners, agents, and managing employees. For example, the Department must check the federal exclusion databases at least monthly to ensure that the providers, owners, agents, and managing employees are not excluded from participating in the Medicaid program. Colorado interChange is designed to display provider application information consistently between various screens within the system, such as name, SSN, FEIN, and/or National Provider Identification number (NPI), with various federal and/or state databases to identify potential errors and to flag the application for a required caseworker manual review. According to Department staff, when Colorado interChange successfully verifies provider-provided information against another state or federal database, Colorado interChange should separately mark each verified data field on the application to note the successful match. Conversely, if Colorado interChange does not match a given field against a database, it should also be identified in the system. As a result of these issues, we were unable to determine if Colorado interChange performed the required matches and if any discrepancies in provided information were identified and presented to DXC, the fiscal agent, for a manual review to verify eligibility, as required. ? DOCUMENTATION. The Department did not maintain sufficient documentation within Colorado interChange for the receipt date of the fingerprints from the provider, the collection of application fees, and site visits, as follows: ? For four of 25 providers (16 percent) tested, the Department?s fiscal agent failed to fill in the receipt date field within Colorado interChange to indicate when fingerprints were received from enrolling providers. After bringing this issue to the Department?s attention, the Department provided fingerprinting documentation in November 2019 to support that these providers submitted fingerprints within 30 days of Department request in accordance with federal regulation; however, that receipt date information had not been documented in Colorado interChange as of November 2019. ? For one of 25 providers (4 percent) tested, the provider was assessed as high risk but the provider?s file did not contain evidence that an application fee was collected or that the fiscal agent conducted a site visit, as required. Under federal requirements [Sub Regulatory Guidance for State Medicaid Agencies (SMA): Revalidation (2016-001(3))], the Department ?must be able to produce documentation to support each of the provider screening and enrollment requirements,? such as requirements for fiscal agent-conducted site visits of moderate and high risk providers during the enrollment and revalidation process. Federal regulation [42 CFR 455.432] states that the State Medicaid Agency or their fiscal agent must conduct pre- and post-enrollment site visits of providers who are deemed as moderate or high risk to the Medicaid program. The purpose of the site visits is to verify that the information submitted to the state Medicaid agency is accurate and to determine compliance with federal and state enrollment requirements. Additionally, the Department?s contract with DXC requires the fiscal agent to maintain detailed documentation and procedures for Medicaid provider enrollment. Federal regulation [42 CFR 455.434] requires that, for any provider assessed by the Department as high risk, the Department must obtain fingerprints from the provider, including fingerprints for any person(s) who has a 5 percent or more direct or indirect ownership interest in the provider and furnishes medical or pharmaceutical services or supplies. The provider must submit the fingerprints within 30 days, upon request by the Department. Federal regulation [42 CFR 455.460(a)] states that the Department must collect the applicable application fee prior to executing a provider agreement from a prospective or re-enrolling provider, with certain limited exceptions. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal control over its federal awards that provides reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Green Book Paragraph 16.01, Perform Monitoring Activities, which states that the Department ?should establish and operate monitoring activities to monitor [its] internal control system and evaluate the results.? Monitoring activities include reviewing reports, observing operations, and ensuring that activities are carried out in accordance with the federal grant agreement. ? INELIGIBLE PROVIDERS: Based on our review of the suspended license listing from the Department of Regulatory Agencies, we identified three providers that had their licenses suspended during part of Fiscal Year 2019 but continued to be shown as active in Colorado interChange, as follows: ? One provider had its license suspended between February 11, 2019, and March 27, 2019; however, during this timeframe, the provider continued to bill claims and receive payments from Colorado interChange. After we questioned the Department about the issue, the Department issued a demand for payment letter dated October 18, 2019, to the provider for $15,061 in payments that were inappropriately paid. We consider these $15,061 payments to be known questioned costs; $7,531 of these payments were made with federal grant funds. ? Two providers had suspended licenses as of September 21, 2018, and February 25, 2019, respectively, but showed as active in Colorado interChange through June 30, 2019, and therefore appeared eligible to bill claims and receive payments. Based on additional testing, we determined that no payments were made to these providers after their licenses were suspended and did not identify any questioned costs associated with these two providers. Federal regulation [42 CFR 455.412] requires that the Department must have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State and confirm that the provider?s license has not expired and that there are no current limitations on the provider?s license. This federal regulation requires the Department to verify that the providers meet required licensure standards initially, and it is best practice for the Department to verify that the providers meet these standards on an ongoing basis to ensure that there are no current limitations on the provider?s license. In addition, state regulation [10 CCR 2505-10 8.125.9, Verification of Provider Licenses] states, ?If a provider is required to possess a license or certification in order to provide services or supplies in the State of Colorado, then that provider must be so licensed as a condition of enrollment as a Medicaid provider. As a condition of enrollment, any required licenses must be active without any current limitations.? Under the federal regulation, Requirements for Estimating Improper Payments in Medicaid and CHIP [42 CFR 431.958], ?Improper payment means any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements; and payment means any payment to a provider, insurer, or managed care organization for a Medicaid or CHIP beneficiary?? WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls in place over provider eligibility and claims payment processes related to the monitoring of DXC, its fiscal agent, during Fiscal Year 2019 to ensure that it complied with federal and state regulations. Specifically, Colorado interChange required fixes that were in various stages of correction during Fiscal Year 2019. According to the Department, Colorado interChange required a system fix in December 2018 in order to properly mark and/or display results related to federal and state database checks going forward; however, the system fix did not completely resolve the display issues to accurately indicate whether the data matches had occurred, and the Department did not retroactively make corrections to any cases that erroneously indicated that their information had not been verified. Rather, the Department stated that the inconsistent display issue related to providers that enrolled in the program when Colorado interChange was initially implemented and that this will be addressed after these providers are revalidated in Fiscal Year 2020 or when a provider updates their information, whichever occurs first. Additionally, the Department indicated that Colorado interChange did not have an automated system alert to check with the Department of Regulatory Agencies? license database on a regular basis to notify the fiscal agent and/or the Department that a license had expired. Although the Department reported that they had an interim manual process to ensure that expired licenses were identified and that subsequent steps were taken to ensure that providers remained eligible throughout the fiscal year to provide Medicaid services, the manual process did not identify and/or address the instances that we identified through our audit. Finally, we noted that the Department lacked an effective monitoring process over DXC, its fiscal agent, to ensure that the required documentation was maintained in accordance with Uniform Guidance, as the monitoring policies and procedures referred to as Provider Enrollment Audit Process were still in the draft stage during Fiscal Year 2019 and had not been formalized. WHY DO THESE PROBLEMS MATTER? By not ensuring that appropriate internal controls, including system controls and monitoring, are in place over the Medicaid provider eligibility and enrollment processes, the Department cannot ensure that all Medicaid providers are eligible or qualified to participate in the program. Additionally, without instituting a process to regularly update provider licensure information and to ensure that provider information contained in Colorado interChange is consistent and accurate, the Department cannot ensure that the enrolled providers are appropriately screened and are eligible to receive payments. Ensuring that providers contained in Colorado interChange are qualified to provide services is especially important because Colorado interChange is also used for provider eligibility determination for CBHP. Overall, the State could risk losing federal Medicaid and CBHP funding if it allows non-qualified providers to bill and be paid for services provided for these programs. RECOMMENDATION 2019-046 The Department of Health Care Policy and Financing (Department) should improve its controls over Medicaid and Children?s Basic Health Plan (CBHP) program provider eligibility determination and enrollment to ensure that it complies with federal and state requirements by: A Working with its fiscal agent to ensure that Colorado interChange performs all required database matches and properly displays results of Social Security Number and Federal Employer Identification Number verifications for all providers. B Establishing an effective process to ensure that provider licensing information contained in Colorado interChange is current, that any expired licenses are identified, and that any ineligible providers are disallowed from providing Medicaid and CBHP services and receiving payments in accordance with Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). C Formalizing the Department?s monitoring policies and procedures called Provider Enrollment Audit Process over the fiscal agent to ensure required documentation is maintained in accordance with Uniform Guidance. D Ensuring that Colorado interChange displays provider information consistently throughout the system. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department is working with its Fiscal Agent to ensure all required database screenings are performed and clearly identified in the Colorado interChange. An issue was identified in a prior year, FY 2018-19, that not all screening information was consistent. There was also a concern that initial screenings might miss some individuals due to the way data was formatted when transferred from LexisNexis. The issue was resolved by the Fiscal Agent prior to FY 2019-20. The Fiscal Agent is continuing to conduct manual reviews of all screening results to ensure compliance. A separate process to screen providers monthly is executed by the Department's Program Integrity Section. Through this process, no providers were found to have been enrolled incorrectly and, as necessary, the Department took appropriate action if there were changes to a provider's information. The Department is working with its Fiscal Agent to properly display results of Social Security Number and Federal Employer Identification Number verifications for all providers and automate the review process. The Department's implementation date reflects that the Department will complete the improvements and be in compliance with the Recommendation for the entirety of FY 2022-23. B DISAGREE. The Department finds that the Colorado interChange is working as designed, that the Fiscal Agent is appropriately enrolling providers, and that the Department is in compliance with the federal regulations regarding enrolling and revalidating providers. The Department is compliant with 42 CFR ? 455.436, which requires providers to be screened at enrollment and revalidation. All providers are assessed for eligibility requirements at enrollment and revalidation and are then screened monthly to identify any changes. For the licensing issue identified in this audit report, the Department performed the appropriate actions to recover funds within less than a month of the incident, which is compliant with federal regulation 42 CFR ? 455.436(c)(2). AUDITOR?S ADDENDUM: As noted in the finding, we found issues with the Department?s ongoing verification and monitoring of providers? eligibility that failed to prevent improper payments to an ineligible provider during the fiscal year. In addition, the Department did not send notification to recover funds from the provider until October 2019, or 8 months after the provider?s license was suspended. C AGREE. IMPLEMENTATION DATE: JULY 2020. The Department finalized the Fiscal Agent monitoring policies and procedures in December 2019 and therefore was unable to be in full compliance for the entire FY 2019-20. The Department's implementation date reflects that the Department will be in compliance with the Recommendation for the entirety of FY 2020-21. D DISAGREE. There was an initial system configuration on some early enrollments that prevented populating the requested information in the visible provider subsystem tabs for the auditor to review. The verification functionality happens within the provider portal and not in the visible provider subsystem tabs that the auditor reviews. However, no functionality or data was lost, the information only appeared and was stored in the provider portal. The Department implemented a solution so that the information will be displayed in the provider subsystem. This change is pending the next update the providers make and the data will be visible in the provider subsystem. The Department will not be making historical changes to the system. The Department has worked with the Fiscal Agent to resolve the issues which led to the finding and does not believe that expending additional resources to display historical information in both the provider portal and the provider subsystem is the best use of resources. The Department can produce the information manually. AUDITOR?S ADDENDUM: The data inconsistency issues we identified through our audit were based on our reviews of Colorado interChange through the access provided to us by the Department. As noted in the finding, inconsistent information within the provider eligibility screens used for Medicaid and CBHP increases the risk of inaccurate reviews of provider eligibility and ultimately, inappropriate enrollment screening. Therefore, as our recommendation states, the Department should ensure that Colorado interChange displays provider information consistently. The recommendation did not include restatement of historical information.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-048 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-035 MEDICAL ASSISTANCE PAYMENTS FOR DECEASED BENEFICIARIES As a safeguard against potential errors and fraud, state and local agencies need to be vigilant in preventing payments for medical services on behalf of ineligible individuals, such as those who are deceased. In general, the Department, local counties, and MA sites share responsibility for ensuring that only eligible beneficiaries receive public assistance benefits under Medicaid and CBHP. Local counties and MA sites caseworkers enter the required data for eligibility determination into CBMS, which either approves or denies eligibility for MA benefits. In addition, CBMS has various system interfaces to confirm and update the eligibility information in CBMS, including the date of death. Eligibility data in CBMS feeds daily into Colorado interChange and the Department pays providers through two methods: (1) FFS payments to medical service providers for specific services, including pharmacy prescriptions, and (2) capitation payments. The monthly capitation payments are paid at the beginning of each month regardless of whether the providers serve beneficiaries during the month or not. FFS payments are only made for Medicaid beneficiaries while capitation payments are made for both Medicaid and CBHP beneficiaries. Colorado interChange is programmed to pay FFS and monthly capitation payments only on behalf of beneficiaries that are deemed eligible based on eligibility information received from CBMS and requirements specified in federal and state regulations. CBMS receives beneficiary death information through various sources, including updates from beneficiaries? family members, daily interfaces with the SSA, and a monthly interface with the Colorado Electronic Death Registration System maintained by the Colorado Department of Public Health and Environment (CDPHE). If death information received in CBMS has not been verified, the Department will confirm the death information by sending notification letters to the deceased beneficiary. Once the death information is verified, CBMS is programmed to terminate the beneficiary?s eligibility as of the date of death. On a daily basis, CBMS then sends updated beneficiary eligibility and date of death information to Colorado interChange, which is programmed to run a daily automated process to stop payments, check for payments, and recover all FFS and capitation payments made after the beneficiary?s verified date of death. In the majority of cases, there is a delay between when the beneficiary dies and when the Department receives death information, verifies the date of death, and terminates benefits; which means that claims may be paid on behalf of deceased beneficiaries for a period of time. Per federal regulations, the Department is required to recover any payments made on behalf of these beneficiaries after their date of death. Once the Department receives verified death information, overpayments are recovered through an automated process in Colorado interChange. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over Medicaid and CBHP payments related to beneficiaries who die while receiving benefits, to determine whether the Department complied with applicable federal and state requirements, and whether payments were only made on behalf of eligible beneficiaries during Fiscal Year 2020. During our audit, we received a listing of all Coloradans who died during Fiscal Year 2020, including dates of death, from CDPHE staff. We also obtained a listing from the Department of all Medicaid and CBHP payments made to providers during Fiscal Year 2020. We compared the two listings using Social Security Numbers (SSN) and identified 1,059 Medicaid and CBHP IDs that had Medicaid payments totaling $429,951 made on their behalf and $194 in CBHP payments made on their behalf. In addition, we reviewed the Department?s processes, policies, and procedures for identifying, stopping, and recovering payments for deceased beneficiaries. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? Federal regulation [42 CFR 431 Subpart Q, Requirements for Estimating Improper Payments in Medicaid and CHIP] states that any payment to an ineligible beneficiary is considered an improper payment, which is any payment that should not have been made or that was made in an incorrect amount. Also, Section 25.5-4-301(2), C.R.S., requirements for Medicaid and CBHP, states that any overpayments of claims to providers are recoverable. These overpayments ?are recoverable regardless of whether the overpayment is the result of an error by the state department, a county department of human or social services, an entity acting on behalf of either department, or by the provider or any agent of the provider.?? Additionally, Section 25.5-4-301(2)(a)(II), C.R.S., states, ?If the state department makes a determination that such overpayment has been made for some other reason than a false representation by the provider?, the state department may waive the recovery or adjustment of all or part of the overpayment and accrued interest specified in this subparagraph (II) if it would be inequitable, uncollectible or administratively impracticable?.? Because medically necessary services cannot be provided after a beneficiary?s death, no medical services are allowable after a beneficiary?s death and, accordingly, payments for medical services claimed to have been provided after a beneficiary?s death are overpayments and should be recovered. Pursuant to 1903(d)(2)(C) of the Social Security Act [42 U.S.C. 1396b] requirements for Medicaid and CBHP, states have up to 1 year from the date of discovery of any overpayment to recover or attempt to recover the overpayment before the federal share must be refunded to CMS, regardless of whether or not recovery is made from the provider. According to federal regulation [45 CFR 75.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. Green Book, Paragraph 16.01, states that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. A questioned cost, as defined in Uniform Guidance [45 CFR 75.2], is ?a cost that is questioned by the auditor ? (1) Which resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds; [or] (2) Where the costs, at the time of the audit, are not supported by adequate documentation?.? Additionally, federal regulation [45 CFR 75.516] defines known questioned costs as questioned costs that are specifically identified by the auditor and likely questioned costs as the auditor?s best estimate of total questioned costs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We found that the Department made Medicaid and CBHP payments to providers for medical services claimed to have been rendered to Medicaid and CBHP beneficiaries after the months in which beneficiaries died. Specifically, the Department made payments on behalf of 1,059 beneficiaries after their date of death provided by CDPHE, resulting in overpayments of $185,265, of which $96,952 were paid with federal grant funds, as follows: MEDICAID FFS PAYMENTS. We identified 277 Medicaid beneficiaries whose SSN matched a death record from CDPHE and who had Medicaid FFS payments totaling $207,667 paid on their behalf to providers after their date of death. We reviewed payments for 21 of the 277 Medicaid beneficiaries and confirmed with the Department that 17 of the 21 beneficiaries (81 percent) were deceased and had payments made on their behalf after their date of death during Fiscal Year 2020. We also found that the Department had not recovered these improper FFS payments to ineligible beneficiaries as of the end of Fiscal Year 2020 and, therefore, these errors resulted in known questioned costs of $17,041, of which $8,654 was paid with federal grant funds. For the remaining four Medicaid beneficiaries, the Department researched and provided evidence that the beneficiaries were not deceased. Therefore, these four beneficiaries did not result in questioned costs. The remaining 256 beneficiaries whose SSN matched a death record from CDPHE and need to be researched and verified resulted in likely questioned costs of $77,840, of which $41,422 was paid with federal grant funds. MEDICAID AND CBHP CAPITATION PAYMENTS. We identified 846 Medicaid and CBHP beneficiaries whose SSN matched a death record from CDPHE and who had capitation payments paid on their behalf to providers after their date of death that had not been recovered as of the end of Fiscal Year 2020, totaling $222,630 for Medicaid and $194 for CBHP. We informed the Department of the issues we identified and provided them with the list of 846 beneficiaries. Department staff performed additional follow-up and confirmed that Colorado interChange had received verified death records for 747 of the 846 beneficiaries and a total of $170,747 in provider payments had been made on the beneficiaries? behalf after their dates of death during Fiscal Year 2020. These payments resulted in known questioned costs of $168,224, of which $88,150 was paid with Medicaid federal grant funds and $148 was paid with CBHP federal grant funds. For 12 out of the 747 beneficiaries, the date of death reported in Colorado interChange differed from the date of death provided by CDPHE. Part of the payments to these beneficiaries resulted in likely questioned costs of $2,524, of which $1,401 was paid with Medicaid federal grant funds. For the remaining 99 of the 846 beneficiaries, the Department reported that Colorado interChange did not have death information for these beneficiaries and had not researched these further. As a result, Medicaid payments for these 99 beneficiaries are reported as likely questioned costs of $52,076, of which $28,508 was paid with federal grant funds. The following table summarizes the issues we identified. See Schedule of Findings and Questioned Costs for chart/table. WHY DID THESE PROBLEMS OCCUR? Overall, the Department lacked sufficient internal controls to ensure that medical assistance payments were not paid to deceased individuals during Fiscal Year 2020, as follows: ? LACK OF WRITTEN POLICIES AND PROCEDURES. The Department does not have written policies and procedures to monitor payments to deceased beneficiaries, to recover overpayments, and to ensure compliance with federal and state regulations related to medical assistance payments after a beneficiary?s date of death. ? SYSTEM ISSUES. We identified the following Colorado interChange system issues that caused the errors we identified: ? According to the Department, when Colorado interChange was implemented in 2017, it was programmed to only recover capitation payments in the current month and previous 2 months for Medicaid beneficiaries, and in the current month and previous 5 months for CBHP beneficiaries, after death information is received. As a result, for instances in which the Department received and verified beneficiaries? death information more than 3 months after the date of death for Medicaid and more than 6 months after the date of death for CBHP, the Department was not automatically recovering all improper capitation payments in accordance with federal and state regulations. According to the Department, in November 2020, the Department updated Colorado interChange to correct this system issue to recover all capitation payments after a beneficiary?s date of death. ? The Department lacks an effective internal control process for detecting when Colorado interChange is not recovering payments made on behalf of deceased beneficiaries. Specifically, we identified issues related to Medicaid FFS payments and followed up with the Department. Upon further review, the Department discovered a system defect that occurred from October 23, 2019, through April 23, 2020, which prevented Colorado interChange from carrying out the daily automated check and recovery process for FFS payments made on behalf of deceased beneficiaries. Due to this system defect, Colorado interChange did not recover any payments for deceased beneficiaries during this time. Although the system defect was fixed in April 2020, the Department was not aware of the issue and that payments were not being recovered for deceased beneficiaries until the Department researched the beneficiaries identified through the audit. According to the Department staff, as of May 2021, the Department was still researching the deceased beneficiaries impacted by the system defect and recovering payments. WHY DO THESE PROBLEMS MATTER? Without strong internal controls over Medicaid and CBHP eligibility, the Department increases the risk of improper payments due to fraud or error. Furthermore, making payments on behalf of ineligible individuals, including individuals who are deceased, can result in the Department having to repay the federal government for the federal portion of the overpayments. Additionally, the federal government can disallow federal funds for program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-035 The Department of Health Care Policy and Financing should improve its internal controls over Medicaid and Children?s Basic Health Plan (CBHP) payments for deceased beneficiaries by: A Establishing and implementing written policies and procedures to monitor payments to deceased beneficiaries, recover any overpayments, and to ensure compliance with state and federal regulations. B Researching and resolving the Colorado interChange system (Colorado interChange) issues to ensure that all Medicaid and CBHP payments are stopped and recovered after a beneficiary?s date of death and developing a process to detect when Colorado interChange is not recovering payments on behalf of deceased beneficiaries. C Researching and recovering any overpayments made to providers on behalf of ineligible beneficiaries noted through the audit in accordance with state requirements. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will create written procedures documenting system and monitoring processes used to prevent claims from paying after a beneficiary?s date-of-death is verified. In addition, the procedures will document the processes used to recover payments made between a beneficiary?s verified date-of-death and the date the Colorado interChange system is updated with the date-of-death. B AGREE. IMPLEMENTATION DATE: JULY 2022. The system issues described in this audit were resolved as of April 2020 for fee-for-service claims and November 2020 for capitation payments. Once a beneficiary's date-of-death is verified, payments that were made after to the date-of-death will be recovered through the Department's existing processes. As noted in the Department?s response to Recommendation (A), the Department will create written procedures documenting system and monitoring processes used to prevent claims from paying after a beneficiary?s date-of-death is verified. In addition, the procedures will document the processes used to recover payments made between a beneficiary?s verified date-of-death and the date the Colorado interChange system is updated with the date-of-death. AUDITOR?S ADDENDUM As noted in the finding, the Colorado interChange system defect did not recover payments from October 23, 2019, through April 23, 2020. However, the Department was not aware of the system defect until it researched the beneficiaries identified through the audit. According to Department staff, as of May 2021, the Department was still researching the beneficiaries that were impacted by the system defect and recovering payments. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will recover any overpayments made to providers on behalf of deceased beneficiaries once a beneficiary's date-of-death is verified based on our current processes and existing system functionality. The Department does not agree to the questioned costs identified by the auditors. When performing a review of the auditor?s data, several beneficiaries were found not to be deceased by the Department. The records provided by the auditors, like all records received from Colorado Department of Public Health and Environment (CDPHE) and the Social Security Administration (SSA), will go through the Department?s existing verification process. The Department performs the required research and outreach to beneficiaries to verify the date-of-death prior to updating the information in the Colorado interChange. In addition, the Department is not required to recover payments by the end of the state fiscal year, and reports any payments recovered to the Centers for Medicare and Medicaid Service (CMS) based on federal requirements. The Department?s source of beneficiary data, the verification processes, and recovery processes have already been established to satisfy this recommendation within federal guidelines. AUDITOR?S ADDENDUM As noted in the finding, all known questioned were for deceased beneficiaries that were verified by the Department. All likely questioned costs were for beneficiaries that had yet to be researched and verified by the Department. According to Department staff, as of May 2021, the Department was still researching and recovering payments made on behalf of deceased beneficiaries.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-050 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-037 RECOVERING AND REFUNDING OF FEDERAL SHARE OF MEDICAID AND CBHP PROVIDERS? OVERPAYMENTS The Department pays providers for services rendered to eligible beneficiaries of Medicaid and CBHP programs. In some cases, the Department may discover that it paid a provider for unallowed services, or that it paid more than the allowable amount, and will need to seek a recovery for the overpayment. In such cases, the Department is required to repay CMS for the portion of the overpayment that was funded by the federal government (federal share) within 1 year of the date the overpayment was identified. The Department?s Program Integrity (PI) Division identifies, receives, and tracks overpayments made to Medicaid and CBHP providers. An overpayment is identified once the PI Division sends a Demand Letter (date of discovery) to the provider or receives a self-disclosure identifying the amount of overpayment. The provider has a deadline of 30 days after receiving a Demand Letter or 60 days after submitting a self-disclosure to submit the overpayment or make arrangements for a payment plan with the PI Division. The PI Division uses a recovery tracking spreadsheet (Spreadsheet) to compile all necessary information for the recovery and refund of overpayments. The Spreadsheet is designed to contain information such as the amount of the overpayment, date of discovery, and deadlines for refunding to CMS. The federal share of overpayments that must be refunded to CMS depends upon the Federal Medical Assistance Percentage (FMAP) at which the Department was reimbursed. Once the PI Division recovers an overpayment from the provider, it determines the FMAP and includes it in a recovery form called the Colorado Authorization Document; PI Division staff then send it to the Controller?s Division for recording the recovery and refund information in the Colorado Operations Resource Engine (CORE), the State?s accounting system. The Department?s Controller?s Division uses summary data from CORE to report financial information for Medicaid and CBHP?including all overpayments and the associated federal share?to CMS in quarterly reports: Form CMS-64 for Medicaid and Form CMS-21 for CBHP. The Department has up to 1 year from the date of discovery of an overpayment to report the refund to CMS in one of these forms, as appropriate. The PI Division works with the Controller?s Division to ensure the timely reporting and refunding of the federal share of overpayments to CMS. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to review the Department?s internal controls over processes for recovering, reporting, and refunding the federal share of Medicaid and CBHP overpayments, as well as to determine whether the Department complied with applicable federal requirements and Department policies and procedures during Fiscal Year 2020. During our audit, we reviewed the Department?s Spreadsheet detailing all overpayment cases that appeared to be due for a refund of federal share to CMS during Fiscal Year 2020. The Spreadsheet included 50 Medicaid and seven CBHP overpayment cases, and from these, we selected and tested a sample of 13 Medicaid and five CBHP overpayments. We requested and reviewed supporting documentation for these overpayments to determine whether (1) the information recorded in the Spreadsheet was accurate, (2) the overpayment was recovered in a timely manner or recovery was attempted within 1 year from the date of discovery, and (3) the federal share was appropriately refunded through quarterly reports to CMS in accordance with federal regulations. Additionally, we requested the Department?s policies and procedures to ensure compliance with federal regulations governing the recovery, reporting, and refunding of Medicaid and CBHP overpayments to CMS. The process followed for recovery, reporting, and refunding the federal share of overpayments to providers is the same for both Medicaid and CBHP, and our testing was used to determine compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal regulations for recovering, reporting, and refunding the federal share of Medicaid and CBHP overpayments to providers during Fiscal Year 2020. We noted issues with the untimely recovery and refund of overpayments to CMS, inaccurate federal reporting to CMS, and untimely follow-up with the provider on outstanding overpayments and expired checks. Specifically, we identified the following: ? UNTIMELY RECOVERY AND REFUND. For six of the 13 Medicaid (46 percent) and two of five CBHP (40 percent) overpayments tested, the Department failed to recover, or seek to recover, the overpayments from the provider and failed to refund to CMS, the federal share, within 1 year of the date of discovery, as required by federal regulations. For example, an overpayment was identified on September 13, 2018, but the Department did not recover, or seek to recover, the overpayment until September 15, 2020, and did not refund the federal share to CMS until federal quarter ending September 30, 2020, which is 367 days past the 1 year recovery and refund period in accordance with the federal requirement. In addition, for one of the 13 Medicaid (8 percent) and one of five CBHP (20 percent) overpayments tested, the Department failed to refund the federal share of overpayment to CMS within 1 year of the date of discovery. As a result of untimely follow-up with the providers, the Department did not recover the overpayments amounting to $23,646 in known questioned costs; and did not refund $12,176 within the 1 year period of discovery. These errors resulted in underreporting of overpayments to CMS for Fiscal Year 2020. Additionally, the Department could be liable to CMS for the interest payments on these untimely refunds of overpayments. As of the end of our audit, the Department had not provided an estimated amount of interest that will be due to CMS so we were unable to report an estimated questioned costs amount for the interest. According to federal regulation [42 CFR 433.312(a)(1) and (2)], the Department has 1 year from the date of discovery of an overpayment to a provider to recover or seek to recover the overpayment before the Federal share must be refunded to CMS. In addition, the Department must refund the Federal share of overpayments at the end of the 1-year period following the date discovery of overpayment, whether or not the State has recovered the overpayment from the provider. According to federal regulation [42 CFR 433.320(a)(4)], if the Department does not refund the Federal share of such overpayment as indicated in the previous paragraph (a)(2), the State will be liable for interest on the amount equal to the Federal share of the non-recovered, non-refunded overpayment amount. Interest during this period will be at the Current Value of Funds Rate, and will accrue beginning on the day after the end of the 1-year period following discovery until the last day of the quarter for which the State submits a CMS-64 report refunding the Federal share of the overpayment. ? INACCURATE FEDERAL REPORTING. For all 13 Medicaid (100 percent) and all five CBHP (100 percent) overpayments we tested, the Controller?s Division reported the federal share of the overpayments made to providers on the wrong line of the CMS quarterly reports rather than on the line specified and required by Uniform Guidance. Uniform Guidance states that the Department must report the refund of the overpayment on CMS-64 for Medicaid on line 9C1- Fraud, Waste and Abuse and/or on CMS-21 for CBHP on line 4-Adjustments Decreasing Claims-Collections. ? EXPIRED CHECK AND UNTIMELY FOLLOW-UP. For one of the 13 Medicaid overpayments tested (8 percent), the PI Division failed to timely process the overpayment recovery check received from the provider. Consequently, the check, which was received on September 5, 2019, expired and the Department did not take any actions to follow up with the provider at any time through the end of the fiscal year to obtain payment. After we brought this issue to the Department?s attention, they followed up on the outstanding payment in January 2021, which is more than 16 months since the check expired. According to the Department?s Policies and Procedures, Recovery Officer Check Processing, Section (V)(A), the PI Division within Audits and Compliance has to process the received check in a timely manner and provide a copy to the accounting or Controller Division. ? INCOMPLETE TRACKING SPREADSHEET. We found that the overpayment recovery and refund tracking Spreadsheet used by the PI Division was incomplete and missing important information such as the date of the discovery, the federal program reimbursement rate, and deadlines for refunding to CMS. Green Book, Section 4, Paragraph OV4.08, states that documentation is required for the effective design, implementation, and operating effectiveness of an entity?s internal control system. WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls, including policies and procedures, in place over the recovery, reporting, and refunding of Medicaid and CBHP overpayments during Fiscal Year 2020 to ensure compliance with federal regulations. Specifically, we noted the following causes for the identified errors: ? LACK OF TRAINING. The staff within the PI Division and the Controller?s Division lacked adequate training to document, communicate, and report details of overpayments to ensure compliance with federal regulations. Specifically, the Department?s PI Division did not timely create and provide the Colorado Authorization Document form to the Controller?s Division and the Controller?s Division did not report the refund of the overpayments within 1 year of the date of discovery to ensure compliance with federal regulations. Additionally, staff lacked training to properly track and report overpayments for Medicaid and CBHP; timely process recovery and refund of overpayments, processing checks timely, and correctly report overpayments on CMS quarterly reports. ? LACK OF POLICIES AND PROCEDURES. The Department lacked written policies and procedures to ensure that all necessary information such as the date of the discovery, the federal program reimbursement rate, and deadlines for refunding to CMS required to track, recover, report, and refund overpayments were documented within the Spreadsheet. ? LACK OF ACCOUNT CODES. According to the Controller Division staff, the correct accounting codes are not set up in CORE; therefore, the recovered overpayments are currently recorded under incorrect accounting codes in CORE. This led to the reporting of overpayments on the incorrect federal reporting lines in CMS quarterly reports. ? LACK OF SUPERVISORY REVIEW. The PI Division and Controller?s Division lacked supervisory review over the Spreadsheet and CORE account codes used on the recoveries to ensure completeness and accuracy of information to support timely recovery, refund, and reporting of overpayments. WHY DO THESE PROBLEMS MATTER? Strong internal controls over refunding and recovery of Medicaid and CBHP overpayments, including written policies and procedures; adequate staff training on those policies and procedures, and any related processes; a proper tracking mechanism; and a supervisory review process are necessary to ensure that Department is in compliance with federal and state regulations. Without a proper tracking mechanism for overpayments, the Department risks failing to timely recover state funds paid improperly, refund overpayments, and accurately report overpayment information to the federal government, potentially resulting in additional liability of interest on overpayments to the federal government. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-037 The Department of Health Care Policy and Financing (Department) should improve its internal controls over Medicaid and Children?s Basic Health Plan (CBHP) overpayments and comply with the related payment and reporting requirements by: A Providing adequate training to staff to ensure timely documentation and communication of recovery information between the Program Integrity Division and the Controller Division related to reporting and refunding of overpayments within 1 year of the date of discovery in accordance with federal regulation. Additionally, the training should focus on proper tracking and reporting of overpayments for Medicaid and CBHP, timely processing of recovery of overpayments, timely check processing, and correct refunding of the federal share of these overpayments on Centers for Medicare and Medicaid Services (CMS) quarterly reports. B Developing and implementing written policies and procedures to ensure that all necessary information required to correctly track Medicaid and CBHP overpayments is included on the tracking spreadsheet and recovered overpayments are refunded and reported to CMS within the 1 year of the discovery date, in accordance with federal regulations. C Creating overpayment account codes to report recovered overpayments accurately in the Colorado Operations Resource Engine (CORE) and subsequently under the correct federal reporting lines in CMS quarterly reports. D Implementing a supervisory review over the tracking spreadsheet and CORE overpayment recovery account codes to ensure completeness and accuracy of information to support timely recovery and reporting of overpayments by the divisions. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will develop and provide training to staff that covers the federal regulations surrounding reporting overpayments and returning the federal share, required information for tracking overpayments, processes for processing recovered funds in a timely manner, and processes for properly refunding the federal share on the CMS-64 and/or CMS-21. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will draft and revise existing policies and procedures to ensure proper tracking of recovered overpayments, timely processing of those payments, and correct reporting on the CMS-64 and/or CMS-21. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will implement procedures and coding sufficient to allow proper reporting of overpayments returned greater than one year from the date of discovery for the CMS quarterly reports. D AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will develop and revise supervisory review processes for ensuring that the tracking spreadsheet is complete and accurate and that the CORE account codes are correctly reported.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2020-051 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-038 PRESUMPTIVE ELIGIBILITY Colorado?s presumptive eligibility program is designed to give immediate, temporary medical coverage to children under 19 and pregnant women while they wait for a regular Medicaid or CBHP eligibility determination. Though there are fewer eligibility requirements for presumptive eligibility in comparison with regular Medicaid or CBHP coverage, beneficiaries must submit a Medical Assistance application (Application) and meet certain criteria to be eligible. To manage the application process and help ensure that only people meeting the basic eligibility criteria are enrolled in presumptive eligibility programs for children and pregnant women, the Department partners with clinics, health care centers, and community resource centers that are certified as presumptive eligibility sites (PE sites). Such PE sites must be re-certified by the Department every 2 years to maintain their active status as qualified PE sites in order to process presumptive eligibility. As part of the re-certification process, the Department conducts a sample of eligibility case reviews. During Fiscal Year 2020, there were 57 PE sites that together determined presumptive eligibility for 1,795 Medicaid cases and 875 CBHP cases. The process of enrolling an applicant into a presumptive eligibility program begins when a caseworker at a PE site collects minimum information needed to determine presumptive eligibility, including the applicant?s name, age, residency, citizenship, and income. The caseworker enters this information into CBMS, which determines whether the applicant is eligible to receive Medicaid or CBHP temporary benefits. If the applicant is deemed presumptively eligible, then CBMS feeds relevant data to Colorado interChange, which issues payments to CBHP and Medicaid providers on behalf of these beneficiaries. If the applicant?s reported information is not in compliance with state and federal requirements, CBMS is programmed to deny the eligibility and mark the applicant?s eligibility as fail within CBMS. As a result, the applicant would not be eligible to receive any payments on their behalf through Colorado interChange. Once an applicant?s presumptive eligibility has been determined, the PE site submits the Application along with a transmittal form detailing the beneficiary?s reported information to the appropriate local county or designated MA site, which then completes the application process to determine regular (i.e., not presumptive) eligibility for Medicaid or CBHP benefits. Once the applicant is enrolled in the regular Medicaid or CBHP program, the individual?s presumptive eligibility benefits should end. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to review the Department?s internal controls over the processing of presumptive eligibility for Medicaid and CBHP programs, as well as to determine whether the Department complied with the applicable federal and state requirements for Fiscal Year 2020. During our internal controls testing, we reviewed all 57 PE sites to determine whether they were due for re-certification and were appropriately re-certified to process presumptive eligibility by the Department during the fiscal year. Out of 57 PE sites, 39 were due for re-certification during Fiscal Year 2020. We also reviewed the Department?s case reviews of the presumptive eligibility determinations processed by 13 staff at five out of the 39 PE sites due for re-certification during Fiscal Year 2020 to determine whether reviews were performed and if the appropriate training was provided for those PE sites? staff that failed the Department?s review. The PE site?s staff fails the Department?s case reviews if the Department identifies a high amount of presumptive eligibility determination errors in accordance with federal and state requirements. If the PE site?s staff fails the review, the Department requires the staff to undergo customized Department training over the areas they failed within 6 months of the review. We also made inquiries with Department staff regarding their policies and procedures over monitoring of these PE sites and reviewed the Department?s process of case file reviews. In addition, we randomly selected a sample of 20 Medicaid and 20 CBHP cases for individuals who were deemed presumptively eligible by the Department during Fiscal Year 2020 to determine whether the Department complied with federal Medicaid and CBHP presumptive eligibility requirements. Our testing included reviewing the related supporting case file documentation, as well as the CBMS data fields related to presumptive eligibility determinations and payment information in Colorado interChange. The process followed for presumptive eligibility determination is the same for both Medicaid and CBHP, and therefore our testing was used to determine compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal and state regulations regarding Medicaid and CBHP presumptive eligibility requirements during Fiscal Year 2020. We noted issues regarding the Department?s timeliness of PE sites? re-certifications, failure to timely end beneficiaries? presumptive eligibility, a lack of review of PE sites, and missing documentation. Additionally, we found CBMS system issues related to the determination of applicant?s presumptive eligibility. Specifically, we identified the following: ? UNTIMELY END OF PRESUMPTIVE ELIGIBILITY. In eight out of 20 Medicaid (40 percent) and seven out of 20 CBHP (35 percent) cases, we found that the Department did not properly end presumptive eligibility within CBMS as required by the federal regulation. For example, in one CBHP case, the beneficiary?s presumptive eligibility did not end until 57 days after the beneficiary was determined to be eligible for regular CBHP benefits. Federal regulation [42 CFR 435.1101)] states that presumptive eligibility should end the day on which a decision is made on the application for Medical Assistance or the last day of the month following the month in which the determination of presumptive eligibility was made. ? LAPSED CERTIFICATIONS OF PE SITES. We found that five of the 57 PE sites (9 percent) were not re-certified within 2 years, as required, during Fiscal Year 2020, and therefore, were not qualified to make presumptive eligibility determinations after their re-certification due date had passed. Based on inquiry with the Department, these five PE sites processed a total of 314 presumptive eligibility determinations for Medicaid and CBHP after their re-certification due date during Fiscal Year 2020. The Department was unable to provide the total payments made on behalf of these beneficiaries during the presumptive eligibility period as of June 30, 2020, since these payments are not separately identified from regular Medicaid or CBHP payments in the system. As a result, we were unable to determine the amount of questioned costs the Department paid for these individuals during Fiscal Year 2020. State regulation [10 CCR 2505-10, 8.100.4.F (3)] requires the Department to re-certify the PE sites every 2 years to remain an approved site. ? LACK OF REVIEW OF PE SITES. We found several issues with the Department?s review of PE sites. Specifically we found the following: ? For 13 out of the 39 PE sites due for re-certification and a review (33 percent), the Department did not perform any case reviews to ensure that presumptive eligibility determinations were being made appropriately and in accordance with state and federal regulations by the PE site staff during Fiscal Year 2020. ? 11 of 13 staff at three PE sites (85 percent) failed the Department?s review of presumptive eligibility determinations during the fiscal year. However, the Department was unable to provide adequate evidence that it provided training to these staff within 6 months of their failed reviews, as required by Department processes. ? Currently, for all 57 PE sites, the Department conducts reviews every 2 years, but only requires them to retain eligibility documentation for 1 year. As a result, the Department is able to monitor PE site?s eligibility determinations for only half of the period since the last review, leaving the other half unmonitored. Federal regulation (42 CFR 435.1102(b)(3)) requires the Department to ?establish oversight mechanisms to ensure that presumptive eligibility determinations are being made consistent with the statute and regulations?. According to the Department processes, staff are to review a sample of presumptive eligibility cases at PE site every 2 years when reviewing sites for re-certification. If a PE site?s staff fails a review, the Department requires the staff to undergo customized Department training within 6 months over the areas they failed. Green Book, Section 2, Paragraph OV2.02, states that the Green Book applies to all of an entity?s objectives: operations, reporting, and compliance. Additionally, Green Book, Paragraph 16.01, indicates that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports and observing operations. ? MISSING DOCUMENTATION. In five of the 20 CBHP cases (25 percent) and five of the 20 Medicaid cases (25 percent) we tested, the Department was unable to provide evidence that the PE sites notified the counties or MA sites within five business days that the applicants were presumptively eligible. Federal regulation [42 CFR 435.1102(b)(2)(iii)] states that the presumptive eligibility sites are required to notify the local county or MA site within 5 business days that the client is presumptively eligible. ? SYSTEM DISPLAY ISSUE. In two of 20 CBHP cases (10 percent) and two of 20 Medicaid cases (10 percent), CBMS did not display the presumptive eligibility termination dates consistently between various screens. For example, in a Medicaid case, one screen showed a presumptive eligibility termination date of January 22, 2020, and the other screen showed a presumptive eligibility termination date of February 29, 2020. This system display issue did not affect the beneficiaries? presumptive eligibility and therefore there were no questioned costs. CBMS is designed to display case and applicant information consistently between various screens within the system. WHY DID THESE PROBLEMS OCCUR? The Department lacked sufficient internal controls to ensure that it complied with state and federal presumptive eligibility requirements during Fiscal Year 2020. Specifically, we noted the following causes for the errors we identified: ? LACK OF POLICIES AND PROCEDURES. The Department did not have written policies and procedures detailing the requirements for completion of site reviews, maintenance of supporting documentation, and the performance of timely re-certification of PE sites. ? LACK OF MONITORING. The Department lacked an effective tracking mechanism to monitor and identify PE sites that were due for re-certification every 2 years and to ensure presumptive eligibility determinations were in compliance with state and federal regulations. ? CBMS SYSTEM ISSUES. CBMS was not programmed to appropriately terminate presumptive eligibility when the beneficiary is enrolled in the regular Medicaid or CBHP program. In addition, CBMS has a system display issue that results in inconsistent applicant information being shown on various screens. WHY DO THESE PROBLEMS MATTER? As the State?s Medical Assistance agency, it is essential for the Department to ensure that PE sites? eligibility determinations are made appropriately and in accordance with state and federal regulations. This includes ensuring benefits are paid only on behalf of eligible beneficiaries. Since CBMS determines eligibility for Medicaid and CBHP, the CBMS system issues we identified could result in erroneous eligibility determinations. The federal government can disallow federal funds for program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. By not ensuring that appropriate internal controls, including system controls, written policies and procedures, adequate reviews, and monitoring, are in place over the Medicaid and CBHP presumptive eligibility process, the Department cannot ensure that all Medicaid and CBHP beneficiaries are eligible to participate in the programs. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-038 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls over presumptive eligibility by: A Developing and implementing written policies and procedures detailing the requirements for completion of site reviews, maintenance of supporting documentation, timely training for failed presumptive eligibility (PE) site staff, and performance of timely re-certification of PE sites. B Developing an effective tracking mechanism to identify and monitor PE sites that are due for re-certification every 2 years and ensuring the re-certifications are performed. C Resolving Colorado Benefits Management Systems (CBMS) programming and system issues to appropriately terminate applicants? presumptive eligibility when the beneficiaries are enrolled in regular Medicaid or Children?s Basic Health Plan program and ensuring CBMS displays consistent applicant information between various screens. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department agrees with the audit recommendation to develop and implement formal written policies and procedures. Prior to this audit, the Department began creating formal written policies and procedures for site case reviews, maintenance of supporting documentation, timely training for failed workers, and performance of timely re-certification of presumptive eligibility sites (PE site). This finding had no known questionable cost associated with it. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Department agrees with the audit recommendation to develop an effective tracking mechanism to identify and monitor PE sites that are due for re-certification every two years and ensuring that the re-certifications are performed. Prior to this audit, the Department began developing a tracking mechanism for PE site re-certifications. This finding had no known questionable cost associated with it. C AGREE. IMPLEMENTATION DATE: IMPLEMENTED. Implemented as of April 2021. The Department has thoroughly researched the eligibility issues identified in this audit and made the changes to CBMS to ensure that applicants? presumptive eligibility has been appropriately terminated when the beneficiaries are enrolled in regular Medicaid or CBHP program, and that CBMS displays consistent applicant information between various screens. These issues were fixed through two system changes implemented in March 2020 and April 2021. This finding had no known questionable cost associated with it. AUDITOR?S ADDENDUM for Parts A, B, and C As noted in the finding, we found five PE Sites that were not re-certified within the required 2 years and therefore, were not qualified to make presumptive eligibility determinations after their re-certification due date had passed. State regulation [10 CCR 2505-10, 8.100.4.F] requires the Department to re-certify the presumptive eligibility sites every 2 years to remain an approved site. The five PE sites processed a total of 314 presumptive eligibility determinations after their re-certification due date and before the Department re-certified the sites. The Department was unable to provide the total payments made on behalf of these 314 beneficiaries? prior to being enrolled in the regular Medicaid or CBHP program as of June 30, 2020. Therefore, we were unable to determine the amount of questioned costs the Department paid for these individuals during Fiscal Year 2020.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2020-052 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-039 PROVIDER ELIGIBILITY The providers of medical and related services covered under Medicaid and CBHP programs fall into a wide array of provider types that include clinics, hospitals, independent physicians, and medical technicians, as well as managed care organizations and health plans that contract with medical providers. As of June 30, 2020, approximately 76,960 entities and individuals were enrolled with the Department to provide services under Medicaid and CBHP. Although the Department is ultimately responsible for ensuring that only eligible providers participate in the Medicaid and CBHP programs, the Department has contracted with a fiscal agent to perform certain provider-enrollment and claims-processing activities, including accepting, processing, evaluating, and approving or rejecting applications. Providers that want to enroll must complete an online application within Colorado interChange and provide documentation, including a current medical license, showing that they fulfill all enrollment requirements based on their provider type. The fiscal agent is contractually responsible for evaluating the application and the relevant supporting documentation to ensure compliance with all state and federal enrollment requirements. The Department is responsible for maintaining current provider information in Colorado interChange. Once the enrollment process is complete, the Department enters into agreements with the providers that are found to be eligible. In December 2019, the Department added a Department of Regulatory Agencies (DORA) license database interface within Colorado interChange in order to provide a mechanism for updating the provider?s medical license information including the expiration dates within Colorado interChange for any expired provider licenses. Department staff indicated that the provider licenses are manually reviewed at the time of enrollment by the fiscal agent and marked as active, meaning the providers are eligible to participate in the Medicaid and/or CBHP programs. On a monthly basis, the fiscal agent manually runs a report from the DORA database to identify the provider?s medical licenses that are about to expire and updates the renewed license information in Colorado interChange. If a provider?s license is expired, then the fiscal agent marks the provider for a review. Furthermore, the Department?s Program Integrity (PI) Division checks the DORA?s website monthly to determine if any action such as suspensions or revocations of licenses have been taken against a provider?s medical license. If the action taken against the provider affects the provider?s ability to participate in Medicaid or CBHP for a certain period, the PI Division then determines if the provider should be placed on a temporary restriction by suspending any payments, or be terminated within Colorado interChange to stop payments to the provider. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over the enrollment and eligibility determinations of providers for Medicaid and CBHP services and to determine whether the Department complied with federal Medicaid and CBHP provider eligibility requirements during Fiscal Year 2020. Additionally, we assessed the Department?s progress in implementing our Fiscal Year 2019 recommendation related to provider eligibility and enrollment. At that time, we recommended that the Department improve its controls in this area to ensure that it complies with federal and state requirements related to data verification and maintenance of documentation, such as current provider licenses, to ensure payments are only made to eligible providers. We also obtained a detailed Suspension Listing from DORA, which contained provider medical licenses that were suspended during Fiscal Year 2020. We compared this Suspension Listing with provider information within Colorado interChange to determine whether the Department paid any providers with suspended licenses for claims during the fiscal year. We reviewed a sample of 45 provider applications for providers that were deemed eligible and received Medicaid and CBHP payments during Fiscal Year 2020 through Colorado interChange. We obtained and reviewed provider application information and relevant supporting documentation within Colorado interChange to determine whether these providers were accurately deemed eligible to receive Medicaid and CBHP payments and whether the required documents were maintained, in accordance with federal and state regulations. In addition, we conducted interviews with Department staff regarding its procedures over Medicaid and CBHP provider eligibility and enrollment. In March 2020, the Governor issued executive orders waiving Medicaid and CBHP provider licensing requirements for providers whose licenses expired during the COVID-19 PHE; as a result, our testwork was split into two periods of testing: (1) July 1, 2019, through February 29, 2020, and (2) March 1, 2020, through June 30, 2020. The process followed for provider eligibility and enrollment is the same for both Medicaid and CBHP providers, and our testing was used to determine compliance for both programs. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? We applied the following criteria during our testing: ? FEDERAL REGULATION [42 CFR 455.412] requires that the Department have a method for verifying that any provider purporting to be licensed in accordance with the laws of any state is licensed by such state and confirm that the provider?s license has not expired and that there are no current limitations on the provider?s license. This federal regulation requires the Department to verify that the providers meet required licensure standards initially, and it is best practice for the Department to verify that the providers meet these standards on an ongoing basis to ensure that there are no current limitations on the provider?s license. In May 2021, CMS provided clarification to the Department that ?not every condition on a provider?s license would be considered a limitation? and the PI Division within the Department needs to ?document in writing their determination to keep a provider enrolled when a license limitation does not restrict the provider?s ability to render services to Medicaid and CBHP beneficiaries to be in compliance with federal regulation.? ? STATE REGULATIONS [10 CCR 2505-10, 8.125.9 A AND B] require for current medical provider licenses, if a provider is required to possess a license or certification in order to provide services or supplies in the State, then that provider must be so licensed as a condition of enrollment as a Medicaid provider. As a condition of enrollment, any required licenses must be active without any current limitations. ? DEPARTMENT POLICY AND PROCEDURE. Provider Licensure Sanction Monitoring, Section III. A., states that in order for a provider to be eligible to render and bill for services, the provider must have an active license. ? FEDERAL CMS REQUIREMENTS [Sub Regulatory Guidance for State Medicaid Agencies (SMA): Revalidation (2016-001 (3))] state the Department must be able to produce documentation to support each of the provider screening and enrollment requirements under 42 CFR 455 Subpart E, including documentation of the most current license to ensure the provider remains eligible to provide services. ? CONTRACT REQUIREMENTS. According to the contract agreement with the fiscal agent, the fiscal agent is required to maintain detailed documentation to support each of the provider screening and enrollment requirements, including documentation of the provider?s most current license to ensure the provider remains eligible to provide services for Medicaid and CBHP. ? FEDERAL REGULATION [45 CFR 75.303(a)] requires that the Department, as a recipient of federal funds, must establish and maintain effective internal control over its federal awards that provides reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Green Book, Paragraph 16.01, which states that the Department ?should establish and operate monitoring activities to monitor [its] internal control system and evaluate the results.? Monitoring activities include reviewing reports, observing operations, and ensuring that activities are carried out in accordance with the federal grant agreement(s). WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We found that the Department did not fully comply with federal and state regulations for Medicaid and CBHP provider eligibility during Fiscal Year 2020. The specific issues we identified through our analyses of Medicaid and CBHP provider license data and case file reviews are outlined in more detail throughout this section. ELIGIBILITY ISSUES IDENTIFIED THROUGH DATA ANALYSES INELIGIBLE PROVIDERS?SUSPENDED LICENSES OR LICENSE WITH LIMITATIONS. Based on our comparison of the suspended provider license listing from DORA and provider information within Colorado interChange, we identified 13 ineligible providers who had their license suspended or had a license with limitations for part of Fiscal Year 2020, but continued to be shown as active, which means eligible, in Colorado interChange, as follows: ? 13 providers had their licenses suspended by DORA during Fiscal Year 2020; however, instead of terminating these providers in accordance with federal and state regulations, the Department marked these providers as active within Colorado interChange. For four of the 13 providers, the Department did not take any action to prevent them from billing for services during the year. For the remaining nine providers, the Department placed billing restrictions on the providers after DORA?s suspension date. Specifically, for six of these nine providers, the Department placed billing restrictions on the providers within 1 to 2 months and for the remaining three providers, placed the billing restrictions on the providers between 3 to 12 months after DORA?s suspension date. Based on additional testing, we determined that no payments were made to these providers after their licenses were suspended by DORA and therefore, we did not identify any questioned costs associated with these providers. ? One provider had its license listed as active with conditions on DORA?s website from April 10, 2020, through June 30, 2020, but the Department did not terminate the provider due to current limitations on the license; instead, the provider was marked as active in Colorado interChange and continued to bill claims and receive payments during the fiscal year. We determined that the provider?s current license limitations did not restrict the provider?s ability to render services. Therefore, the provider was eligible and no questioned costs were noted. However, the Department did not document their determination to keep this provider enrolled with current license limitations. In addition, we noted that this provider?s license expired in Colorado interChange as of October 2016, however, DORA?s website showed the provider with an active license, or license with limitations, during Fiscal Year 2020. The fiscal agent did not update license information as required by the contract. ELIGIBILITY CASE FILE ISSUES MISSING DOCUMENTATION AND LICENSE INFORMATION. For five of 45 providers (11 percent), the Department did not ensure that the fiscal agent maintained the support of the most current medical license information as of June 30, 2020, within Colorado interChange to demonstrate that the provider was eligible to provide services. After we brought the issue to the Department?s attention, the Department provided the documentation. Additionally, for two of these five providers, we found that the medical license information maintained by the fiscal agent in Colorado interChange differed from the license information contained in the DORA database. For example, in one case, the provider?s license showed an expiration date of September 30, 2019, in Colorado interChange, while the accurate license expiration date in DORA?s database was September 30, 2021. Without the most current license information, the fiscal agent cannot appropriately verify ongoing eligibility for the providers. WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls in place over the provider eligibility process during Fiscal Year 2020 to ensure that it complied with federal and state regulations. ? INEFFECTIVE REVIEW OF PROVIDER LICENSES. The Department lacks an effective review process to ensure the license information in DORA?s database matches the license information in Colorado interChange in order to identify suspended providers, to document their determination to keep a provider enrolled with license limitations, and providers with expired licenses. In addition, the Department?s manual review did not ensure that suspended providers, providers with license limitations and providers with expired licenses were terminated and restricted in a timely manner. ? POLICIES AND PROCEDURES NOT UPDATED. The Department did not obtain CMS guidance until May 2021 to document their determinations to keep providers with license limitations enrolled when a license limitation did not restrict provider?s ability to render services. Therefore, the Department?s current policies and procedures are not updated to match CMS guidance. ? LACK OF EFFECTIVE TRAINING AND MONITORING. The Department was not effectively training and monitoring its fiscal agent to ensure that copies of active medical licenses are maintained within providers? files in Colorado interChange. Additionally, the fiscal agent did not properly update the provider?s license information in Colorado interChange to match the DORA database during Fiscal Year 2020. WHY DO THESE PROBLEMS MATTER? By not ensuring that appropriate internal controls, including policies and procedures, reviews, training, and monitoring, are in place over the Medicaid and CBHP provider eligibility process, the Department cannot ensure that all Medicaid and CBHP providers are eligible to participate in the programs. Additionally, without an effective review process to update provider licensure information within Colorado interChange, the Department cannot ensure that the enrolled providers are eligible to receive payments. Ensuring that providers contained in Colorado interChange are eligible to provide services is especially important to prevent any improper payments. Overall, the State could risk losing federal Medicaid and CBHP funding if it allows ineligible providers to bill and be paid for services provided for these programs. Furthermore, the State may lose federal Medicaid money if the Department does not recover any of the payments made to ineligible providers. State statute [Section 25.5-4-301(2), C.R.S.] indicates that any overpayments of claims to providers are recoverable. These overpayments ?shall be recoverable regardless of whether the overpayment is the result of an error by the state department, a county department of social services, an entity acting on behalf of either department, or by the provider or any agent of the provider.? See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-039 The Department of Health Care Policy and Financing (Department) should improve its internal controls over the Medicaid and Children?s Basic Health Plan provider eligibility determination to ensure that it complies with federal and state requirements by: A Improving the Department?s review process of provider licenses to ensure the license information in the Department of Regulatory Agencies (DORA) license database matches the license information in the Colorado interChange system and ensuring timely termination and imposing restrictions for the provider?s whose licenses are suspended or expired. B Updating the current policies and procedures to match Centers for Medicare and Medicaid Services guidance to ensure there is adequate documentation of the determinations for providers with license limitations. C Effectively training and monitoring its fiscal agent to ensure that copies of active licenses are maintained and provider license information in the Colorado interChange system matches the information in DORA?s license database. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will update its policies and procedures to ensure that the process for reviewing whether a license action requires termination or a restriction in the Colorado interChange, is documented and implemented in a timely manner to prevent payments to ineligible providers. As noted in OSA's finding, it is best practice for the Department to verify providers meet these standards on an ongoing basis between initial enrollment and revalidation to ensure there are no current limitations on the provider?s license, including those that have expired. The Department?s previous process was discontinued due to data matching issues between DORA and the Colorado interChange. However, letters continue to be sent to providers with upcoming expiring licenses prompting them to add current license information to their provider file. The Department plans to implement a system change that will make the data feed from DORA functional and install a front-end claims edit that will prevent claims from providers with an expired license from paying. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will update its policies and procedures to ensure that all determinations made on whether a provider has a limitation on its license are properly documented. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department has an established process to train and monitor its fiscal agent. The Department will continue to monitor the Fiscal Agent through reports, meetings, and quarterly audit review processes. The Department and the Fiscal Agent will continue to collaborate to improve the process in which required documentation is collected and maintained.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-054 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-041 MEDICAID ELIGIBILITY?MISSING SOCIAL SECURITY NUMBERS A beneficiary?s application includes information such as a Social Security Number (SSN), birth certificate, and supporting documentation for income. Local counties and MA sites are responsible for administering the benefits application process, entering the required data for eligibility determination into CBMS, and approving or denying applicants? eligibility. For example, Medicaid caseworkers enter and document each applicant?s SSN into CBMS. Caseworkers determine participants? eligibility to receive Medicaid benefits through CBMS. The CBMS eligibility data, including SSNs, feeds into Colorado interChange, which pays providers for the services they render to Medicaid beneficiaries. If there is a change to an SSN, including removing an SSN in CBMS, this change should feed directly into Colorado interChange. Additionally, children in foster care are automatically eligible for Medicaid; the TRAILS system that supports the foster care program at the Department of Human Services also interfaces with Colorado interChange on a daily basis to update foster care beneficiaries? eligibility information and pay providers for the services rendered. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls that were in place over the Medicaid eligibility process during Fiscal Year 2019, and to determine whether the Department complied with federal and state Medicaid requirements during this timeframe. During our audit, we requested a list of all Medicaid claims for medical services that were submitted and paid through Colorado interChange from July 1, 2018, through March 31, 2019. This list included claims made on behalf of approximately 1.1 million beneficiaries. We analyzed the data to identify any Medicaid claims payments made during July 1, 2018, through March 31, 2019, on behalf of beneficiaries who did not have an SSN in Colorado interChange on the date of the claims payment, and found a total of 524,092 claims paid on behalf of 46,772 beneficiaries. From this listing, we excluded any of the claims payments made on behalf of a beneficiary who was exempted from providing an SSN under federal and state regulations. For example, we removed claims payments for beneficiaries who were under the age of 1; beneficiaries who were in foster care and, therefore, were automatically deemed eligible for Medicaid; beneficiaries who had applied to the Social Security Administration for an SSN at the time of the payment; beneficiaries who received medical care as an emergency service; and beneficiaries who had chosen to opt out of providing an SSN due to allowed religious reasons. After we removed these exempted beneficiaries from the population, the list included 2,870 beneficiaries that appeared to be missing an SSN in Colorado interChange and who had Medicaid claims payments made on their behalf from July 1, 2018, through March 31, 2019. We then reviewed these remaining beneficiaries, and the related separate payments made on their behalf during this time period, to determine whether these beneficiaries had an SSN in Colorado interChange at the time of the claims payments and whether the individuals were eligible for Medicaid benefits in accordance with federal regulations and Department procedures. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? SSN REQUIREMENTS. Federal regulations [42 CFR 435.910 and 42 CFR 435.117(b)] state that the Department must require an SSN for each individual requesting Medicaid benefits, with the exception of newborns under the age of 1, or ?Eligible Needy Newborns,? and individuals who refuse ?to obtain an SSN because of well-established religious objections.? Federal regulation [42 CFR 435.145(b)(2)] states that the Department must provide Medicaid benefits to individuals who are in the foster care program. Section 472 of the Social Security Act does not require a child to provide an SSN in order to be eligible for the foster care program. State regulations [10 CCR 2505-10 8.100.3.I.1, 8.100.4.B.1.a, and 8.100.4.G.7.a] also require that every individual who applies for and receives Medicaid benefits must provide an SSN, or an application for an SSN, with their application for Medicaid. The regulation specifically states: An applicant?s or client?s refusal to furnish or apply for a Social Security Number affects the family?s eligibility for assistance as follows: i) that person cannot be determined eligible for the Medical Assistance Program; and/or ii) if the person with no SSN or proof of application for SSN is the only dependent child on whose behalf assistance is requested or received, assistance shall be denied or terminated. The regulation also states that newborns under the age of 1 and ?members of religious groups whose faith will not permit them to obtain Social Security Numbers shall be exempt from providing a Social Security Number.? Eligibility data, including SSNs, is required to be collected and entered into CBMS at the time of application or upon another event, such as the beneficiary turning 1 year old. Because this information is maintained within CBMS, and CBMS feeds eligibility information into Colorado interChange, eligible beneficiaries should have an SSN in Colorado interChange. MONITORING. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in the Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). Green Book Paragraph 16.01, Perform Monitoring Activities, states the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. TRAINING. Department training procedures indicate that when a local county or MA site caseworker needs to update an SSN in CBMS, he or she must call the Office of Information Technology (OIT) Service Desk within the Office of the Governor, for approval of the change. According to Department staff, once the OIT Service Desk reviews and approves the change, the information will be updated within CBMS; if the OIT Service Desk does not approve the change to the SSN, then the updated information will be rejected within CBMS. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We identified 2,870 beneficiaries who were required to have an SSN but did not have an SSN documented in Colorado interChange and had Medicaid claims paid on their behalf sometime between July 1, 2018, and March 31, 2019. In total, Colorado interChange paid approximately $4,540,920 in Medicaid claims for these beneficiaries during the time period noted. In August 2019, we informed the Department of the issues we identified and Department staff performed additional follow-up based on our findings, which included analyzing information contained in CBMS compared to our results from Colorado interchange; the Department confirmed in January 2020, the Department confirmed that 1,590 of these beneficiaries had never had an SSN recorded in CBMS since they were first found eligible for Medicaid benefits, and therefore, would never have had an SSN in Colorado interChange. Because these individuals were required by federal and state regulations to provide an SSN at the time of application or upon another event, as applicable, the lack of documented SSNs in both CBMS and Colorado interChange indicated that these individuals appeared to be ineligible for the Medicaid claims payments that were made on their behalf during the fiscal year. The Department indicated that the remaining 1,280 beneficiaries without an SSN in Colorado interChange did not have an SSN in CBMS at the time of the claim but had an SSN ?at some point? during Fiscal Year 2019 or prior within CBMS. Since the individuals lacked an SSN within Colorado interChange at the time of the Fiscal Year 2019 claims payments, and based on the documentation provided by the Department, we were unable to determine whether the individuals had submitted an SSN at the time of application or upon another event as required and, therefore, whether they were eligible for the Medicaid services they received. Overall, for the 1,590 beneficiaries noted, we identified known questioned costs of $2,285,757 for the period of July 1, 2018, through March 31, 2019; $1,142,879 of these costs were paid with federal grant funds. For the 1,280 beneficiaries noted, we identified likely questioned costs of $2,255,163 for the period of July 1, 2018, through March 31, 2019. We further analyzed 49 of the 1,590 beneficiaries noted above to identify reasons for missing SSNs and found that: ? Beneficiaries in CBMS were not eligible; however, they were marked as ?eligible? within Colorado interChange. ? Beneficiaries were incorrectly enrolled in the Eligible Needy Newborn Program even though they were all over the age of 1; as a result, although the Department had not required them to provide an SSN, they continued to receive benefits during July 1, 2018, through March 31, 2019. ? Beneficiaries were exempted from obtaining an SSN for unallowable reasons including ?incomplete documents? and ?illness? categories, and CBMS processed their eligibility and Colorado interChange made payments on their behalf; however, neither federal nor state regulations allow such exemptions. The Department has indicated that they are performing additional research on the issues regarding the 1,280 beneficiaries that had an SSN ?at some point? during Fiscal Year 2019 or prior within CBMS. WHY DID THESE PROBLEMS OCCUR? For 1,280 beneficiaries identified who were missing an SSN in Colorado interChange and CBMS at the time of the claim, but had an SSN ?at some point? within CBMS during Fiscal Year 2019 or prior, the Department provided the following possible explanation: The SSN was removed due to caseworkers failing to contact the OIT Service Desk for proper approval for changes to SSN information in CBMS. Other problems with missing SSNs were related to: ? CBMS ISSUES. CBMS was not programmed to appropriately deny an applicant?s eligibility for Medicaid when the individual did not have an SSN in CBMS and did not have an allowed exception noted in CBMS. Rather, CBMS allowed the SSN field to be left blank, regardless of the reason noted for the missing SSN and whether the reason was allowed as an exemption by federal and state regulations. In addition, the SSN in CBMS could be deleted at any time by the caseworker or the OIT Service Desk and CBMS was not programmed to alert the caseworker to follow up if an SSN had been deleted from the file. ? SYSTEM INTERFACE ISSUES AND LACK OF A RECONCILIATION PROCESS. CBMS was not interfacing with Colorado interChange appropriately to update beneficiaries? eligibility information. Some beneficiaries who were deemed ?ineligible? for Medicaid in CBMS were listed as ?eligible? in Colorado interChange and payments were made on their behalf during the fiscal year. Furthermore, the Department lacked an effective internal control process for reconciling Medicaid beneficiaries? eligibility information in CBMS to the eligibility information in Colorado interChange to ensure that the information was consistent in both systems, and that the beneficiary was appropriately deemed either ?eligible? or ?ineligible? in accordance with federal and state regulations. ? LACK OF EFFECTIVE REVIEWS, TRAINING, AND MONITORING. The Department was not effectively monitoring and training Medicaid local county and MA site caseworkers on required approvals for any changes to beneficiaries? SSNs. Further, the Department did not have an effective review process to ensure that beneficiaries were enrolled in the correct Medicaid program. WHY DO THESE PROBLEMS MATTER? As the state Medicaid agency, it is essential for the Department to ensure that Medicaid eligibility determinations are made appropriately and in accordance with state and federal regulations. This includes ensuring accurate processing of information used to determine Medicaid eligibility results in Medicaid benefits being provided to and paid on behalf of only eligible individuals. Since CBMS and Colorado interChange determine eligibility and issue payments on behalf of other federal programs, such as the CBHP, these issues could result in erroneous eligibility determinations or payments for other programs. Ultimately, the federal government may disallow federal funds for Medicaid program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2019-043 The Department of Health Care Policy and Financing should improve its internal controls over Medicaid eligibility by: A Researching and, if feasible, instituting a mechanism for identifying Medicaid cases in the Colorado Benefits Management System (CBMS) that lack a Social Security Number. B Researching and resolving CBMS and Colorado interChange interface issues to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries and establishing an effective reconciliation process between CBMS and Colorado interChange to ensure that Medicaid beneficiaries? eligibility information is consistent in both systems. C Effectively training and monitoring local counties and Medical Assistance sites to ensure that caseworkers are obtaining and documenting the Office of Information Technology Service Desk?s approval for changes to beneficiaries? Social Security Numbers, and that beneficiaries are enrolled in the correct Medicaid program. D Researching the cases identified in our audit to determine whether these beneficiaries were eligible and that the payments made on their behalf were appropriate, in accordance with federal and state regulations. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The CBMS currently has functionality in place for members requesting Medical Assistance that they must supply a Social Security Number (SSN) unless they meet certain acceptable exceptions at initial application. Since CBMS is a shared system between the Department and the Department of Human Services and any change would impact all cases in CBMS, the Department cannot guarantee that a system change can be implemented. The Department can agrees to research on the feasibility of instituting a mechanism for identifying Medicaid cases in CBMS that lack a social security number and, if feasible, implement a CBMS change by July 2022. B AGREE. IMPLEMENTATION DATE: JULY 2021. The Department agrees to research and resolve Colorado Benefits Management System (CBMS), and Colorado interChange system interface issues identified in the audit. The Department implemented a system change in June of 2018 that allows retroactive changes in eligibility to be correctly synced between the systems. The majority of the impacted cases are historical cases that will be manually corrected by June 2020. Additional cases involve detailed research, review, and potential outreach to case workers to correct the case file or verify the eligibility status of the impacted members. The Department will take the appropriate actions to notify impacted members if necessary. The Department's implementation date reflects that the Department will be in compliance with the Recommendation for the entirety of FY 2021-22. C AGREE. IMPLEMENTATION DATE: JULY 2021. The Department provides training to counties and Medical Assistance sites that beneficiaries applying for Medical Assistance must supply a Social Security Number (SSN) or supply verification that they have applied for an SSN, unless they meet certain acceptable exceptions. This information has been communicated to the counties since 2004 and is part of our ongoing training materials. The Department cannot agree to establish any additional review process at this time. The Department can agree to work with counties and Medical Assistance sites to identify any additional training related to missing SSN and implement additional training by July 2021. D DISAGREE. The Department disagrees with the Total Known Questioned Costs of $2,285,757 identified in the audit report since Department cannot verify the results. The Department is still attempting to reconcile various reports to understand the finding identified through this audit. CBMS currently has functionality in place for members requesting Medical Assistance that they must supply a Social Security Number (SSN), unless they meet certain acceptable exceptions at initial application. The Department does not have the resources to research the thousands of cases that the auditor identified through data mining techniques, a new methodology for the first time this year. If the auditor is changing methodologies, the Department requires additional resources and timely notice to request resources through the budget process. AUDITOR?S ADDENDUM: The beneficiaries identified through our testing were required by Medicaid regulations to provide an SSN at the time of application or upon another event, as applicable, and the SSN is documented in CBMS and uploaded to Colorado interChange [State regulations 10 CCR 2505-10, 8.100.3.I.1 and 8.100.4.B.1.a and 8.100.4.G.7.a]. Because the noted beneficiaries lacked an SSN within Colorado interChange at the time claims payments were made on their behalf, we questioned the beneficiaries? eligibility. The Department is responsible for ensuring that only individuals who are appropriately deemed eligible for Medicaid receive benefits. Therefore, it is the Department?s responsibility to identify and remove ineligible individuals from the Medicaid program and to prevent the inappropriate payment of claims on their behalf. In addition, generally accepted government auditing standards (GAGAS) (paragraph 3.18), require that ?In all matters relating to the GAGAS engagement, auditors and audit organizations must be independent from an audited entity.? Additionally, paragraph 3.42 states that ?Examples of circumstances that create undue influence threats for an auditor?include (b) [e]xternal interference with the selection or application of engagement procedures or in the selection of transactions to be examined.? Therefore, it is imperative that our decisions related to audit approaches and testing methods be made without department influence or persuasion.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-045 Payments for Non-Emergent Medical Transportation ClaimsPrior to July 2020, in 55 counties, the Department worked with various county offices to have them broker Non-Emergent Medical Transportation (NEMT) services for Medicaid recipients, including rides to and from Medicaid medical appointments, personal mileage reimbursement, and trip-related meals and lodging. For example, these counties arranged the rides with transportation providers, submitted the claims or had providers submit claims for reimbursement to the Department, and passed on reimbursements to providers as needed. For the remaining nine counties, the Department contracted with IntelliRide to serve as the NEMT broker for services in those areas. From July 1, 2020, to August 31, 2021, when the Department contracted with IntelliRide to be the statewide broker, most recipients throughout the state scheduled NEMT rides by contacting IntelliRide through its call center, website chat function, or smartphone applications. IntelliRide scheduled rides and assigned transportation providers to them, and had providers upload trip information into IntelliRide?s EcoLane transportation scheduling system. EcoLane maintains information related to recipients? requests for rides and provider trip information, such as the trip date and time, names of the recipient and driver, and scheduled pick-up and destination addresses. IntelliRide submitted claims through the Department?s interChange system (interChange) requesting payments for providers? NEMT services, paid providers for their services, and received reimbursement from the Department. In addition, the Department paid NEMT claims submitted directly by NEMT providers. In Fiscal Year 2021, from July 1, 2020, through February 28, 2021 (the audit period), the Department paid 362,110 claims for NEMT services totaling about $33.2 million, as shown in the following table. In September 2021, the Department plans to transition back to IntelliRide brokering services in nine counties, while the NEMT providers in the remaining counties will broker their own services. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote What audit work was performed and how were the results measured? The purpose of the audit work was to determine whether the Department has ensured that NEMT claims adhere to the following federal and state requirements. ? NEMT trips were to be brokered through, and all claims submitted by, the statewide broker, Intelliride. According to state regulations and the Department?s NEMT Billing Manual, all NEMT trips during Fiscal Year 2021 had to be authorized by the statewide broker, IntelliRide [10 CCR 2505-10 8.014.7.A]. This means that each recipient?s NEMT ride request should have been sent to IntelliRide for approval or authorization before the trip, and any unauthorized trips should ?not be reimbursed or paid? [Billing Manual]. According to the Department, it allowed NEMT providers time to transition to working with IntelliRide because some providers were reluctant to join the statewide brokerage and the Department needed time to onboard providers. By Fall 2020, most providers should have been working with IntelliRide to schedule NEMT rides. The Department told us that six NEMT providers received its express permission to bypass IntelliRide to schedule rides and submit claims directly to the Department because the providers are unique, such as only serving recipients with disabilities or receiving federal grant funding to provide NEMT. To assess whether IntelliRide brokered most NEMT services in the State and submitted the related claims in line with regulations and its contract, we reviewed the Department?s aggregate data for the 128,998 NEMT claims paid from December 2020 through February 2021. ? The Department must pay claims based on accurate service rates and trip mileage. Non-taxi NEMT services, such as wheelchair and mobility vehicle services, have base rates and mileage rates set by the Department. IntelliRide tracks the mileage of each NEMT trip in EcoLane and submits mileage claims to the Department?s interChange system. The Public Utilities Commission (PUC) sets the rate for each permitted taxi provider, which generally includes a rate for the first trip mile and a different rate for each additional mile. According to the Department?s NEMT Billing Manual and NEMT Rate Schedule for Fiscal Year 2021, taxi claims should have been paid at the rate set by the PUC. For example, if a taxi company?s PUC rate was $4 for the first mile and $2 for each additional mile, the Department should have paid $6 for a two-mile NEMT trip claim. To verify that the Department paid NEMT claims based on the correct trip mileage and rates, we reviewed the trip mileage and rates for 362,110 NEMT claims paid from July 2020 through February 2021, and PUC documentation on the taxi rates for permitted taxi companies. ? Claims must be supported with accurate and complete documentation confirming the service provided. Both IntelliRide and providers that submit claims for NEMT services must keep and be able to furnish accurate, complete supporting documentation for all claims [42 USC 1396a(27), 42 CFR ?? 431.17 and 433.32, and 10 CCR 2505-10 8.014.3.C and 8.014.6.B]. For example, a claim must be supported by medical documentation showing that the type of vehicle was needed to transport the recipient, and documentation from the transportation provider showing the trip occurred and when the recipient was picked-up and dropped-off. IntelliRide should only submit a claim to the Department after IntelliRide confirms the trip has been completed and marks the status complete in EcoLane [IntelliRide Policies and Procedures]. If an NEMT provider does not show up for a trip, IntelliRide should mark the trip as ?cancelled? in EcoLane. Payments for Medicaid claims that lack supporting documentation for the services provided are unallowable, meaning they should not be paid. IntelliRide or the Department must maintain documentation from recipients? medical providers showing why certain NEMT services, like transportation in a wheelchair van or with an escort, are medically necessary [10 CCR 2505-10 8.014.7.B and 8.014.5.D.1; Billing Manual]. To verify that there was support for NEMT claims, we reviewed IntelliRide data in EcoLane for all 362,110 NEMT claims paid from July 2020 through February 2021, and Department documentation for a sample of 85 NEMT paid claims?75 selected randomly from the four NEMT service areas of the state, and 10 that were the highest paid NEMT claims. ? NEMT services must be medically necessary. NEMT services shall only be provided to recipients with no other means to attend medically necessary, non-emergency treatment covered by Medicaid [42 USC 1396a(70); 42 CFR 431.53; 10 CCR 2505-10 8.014.5.B]. To verify that NEMT claims were only paid for recipients to access medical care, we reviewed the Department?s data on paid medical claims to determine if the recipients related to 22 sampled NEMT claims paid in December 2020 had a corresponding medical appointment. For another 61 paid NEMT claims that involved IntelliRide scheduling and submitting claims for trips every day in December for two recipients, we reviewed whether the recipients had paid medical claims corresponding with the trips. ? Prior authorization is required for air ambulance. The Department must grant prior authorization for the use of an NEMT air ambulance before the trip occurs in order for the claim to be paid [10 CCR 2505-10 8.014.7.D.1.b]. To verify that the Department granted prior authorization for air ambulance trips, we reviewed the use of air ambulances in 11 paid claims from July 2020 to February 2021. ? Recipients are to receive the least-costly NEMT transportation option appropriate for their medical condition. For example, recipients should only ride in a vehicle for recipients with mobility needs when they have a mobility issue or if there is a lack of access to public transportation [10 CCR 2505-10 8.014.6.B, 42 USC 1396(a(70), and 42 CFR 440.170(a)(4)]. Higher-cost NEMT services, such as ambulance and wheelchair van services, must be supported with documentation of the recipient?s need for the specific higher-cost services [10 CCR 2505-10 8.014.5.B.1.b]. To determine whether recipients received the least costly NEMT services to meet their needs, we reviewed documentation submitted by medical or transportation providers to IntelliRide or the Department for the 85 sampled NEMT claims. ? Taxi providers must be permitted by the PUC to provide NEMT taxi rides. To provide NEMT rides by taxi and receive payment for them, the provider must maintain a common carrier permit issued by the PUC [10 CCR 2505-10 8.014.3.B.4.a]. To verify that the providers that were paid for taxi claims had been permitted to provide taxi services, we reviewed the 33,791 NEMT claims for taxi services from July 2020 to February 2021. What problems were identified? The Department paid $3.5 million directly to 66 NEMT providers for claims that were not brokered by Intelliride. From December 2020 through February 2021, 26,890 of the approximately 129,000 NEMT claims paid by the Department (21 percent), totaling about $3.5 million, were not brokered through IntelliRide, which violated state regulations requiring all NEMT services to be brokered through the statewide brokerage in effect at the time. The following chart shows the amounts the Department paid for claims submitted directly by NEMT providers compared to its payments for claims submitted by IntelliRide from July 2020 through February 2021. During these months, the number of claims that providers submitted directly to the Department decreased as providers transitioned to working with IntelliRide to broker NEMT rides; however, as of February 2021, the Department was still paying about $1 million in monthly claims that were submitted directly by providers. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote The Department paid 36,910 NEMT claims totaling $5.5 million, which either violated or may have violated federal and/or state regulations. The claims were for unallowable services or were overpaid, and resulted in $291,597 in known questioned costs and $5,180,962 in likely questioned costs for Medicaid. A questioned cost is a payment that ?resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds? or ?the costs, at the time of the audit, [that] are not supported by adequate documentation?? [2 CFR 200.84]. A known questioned cost reflects a violation that the auditor confirmed; a likely questioned cost is the auditor?s best estimate of a potential violation [2 CFR 200.516(a)(3)]. Known and likely questioned costs should be investigated by the Department and recovered, as appropriate, because Medicaid overpayments are recoverable regardless of whether they occurred due to an error by the Department, entity acting on behalf of the Department, or a provider [Section 25.5-4-301(2), C.R.S.]. We found the following problems resulting in $291,597 in known questioned costs: ? Claims paid with no support that services were provided. For 3,958 of the 362,110 NEMT claims (1 percent), which totaled $258,115 paid from July 2020 to February 2021, IntelliRide or providers submitted the claims without any documentation showing that recipients received the NEMT services from the providers listed in the claim. The $258,115 is known questioned costs and includes: o 3,323 claims totaling $163,985 submitted by IntelliRide with no documentation in EcoLane of a ride being scheduled or provided. o 619 claims totaling $61,431 submitted by IntelliRide for which EcoLane showed the scheduled ride was cancelled. o 16 sampled claims totaling $32,699 submitted by providers directly to the Department had no documentation that an NEMT service occurred because the providers did not send the Department documentation for their claims. Upon our request, the Department attempted to obtain supporting documentation from providers for these claims but was unable to obtain any. ? Overpayments due to incorrect mileage and taxi rates. For 466 of the 321,099 mileage and taxi claims (less than 1 percent), the Department overpaid IntelliRide. Specifically, for 50 of the 287,308 mileage claims (less than 1 percent), the mileage submitted by IntelliRide that the Department paid was more than the ride mileage that IntelliRide documented in EcoLane. For 416 of the 33,791 (1 percent) claims submitted by IntelliRide on behalf of providers that were permitted to operate as taxis, the Department paid a higher rate than the providers? set PUC rate. The following table breaks out the overpayments that we identified, which totaled $6,759 in known questioned costs. We did not find issues with the rate amounts that the Department paid for non-mileage and non-taxi services. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Examples of these overpayments include: o An overpayment of $48 for a claim submitted by IntelliRide for a taxi provider that billed the wrong taxi rate. The Department paid $60 for a 4-mile trip, when it should have paid $12 based on the PUC rate of $3 per mile. o An overpayment of $79 for a claim submitted by IntelliRide on behalf of a provider because the claim showed the trip was 76 miles, but the EcoLane data showed the trip was 38 miles. The Department paid $157, when it should have paid $78. ? Unallowable rides, not for medical appointments. For 61 claims showing NEMT trips every day in December 2020 for two recipients, there were no medical claims corresponding to their trips, so it appears that either NEMT was used repeatedly to transport these recipients to unallowable destinations or the provider did not provide the trips claimed. The NEMT provider reported to IntelliRide that these trips were completed even though the recipients did not attend any medical appointments that month. IntelliRide submitted the 61 NEMT claims and its EcoLane data showed that the NEMT providers self-reported that the trips were completed. However, IntelliRide confirmed that these trips were not used to access medical care. The issues we identified resulted in $2,674 of known questioned costs. ? Air ambulance claims paid without prior authorization. None of the 11 air ambulance NEMT claims had supporting documentation that the provider requested or received prior authorization from the Department before the trip occurred. These 11 claims to three providers resulted in $23,122 in known questioned costs. ? Claims paid for trips that were not the least costly, medically necessary, and/or for approved escorts. For seven of the 85 sampled claims (8 percent), IntelliRide submitted the claims without having required documentation from medical providers. Specifically, four claims lacked documentation to support the medical necessity for the type of vehicle used (either mobility vehicle, taxi, or wheelchair van); the other three claims lacked documentation of the recipient?s need for an escort to support the associated cost, which indicates that the three sampled NEMT trips were provided to an escort ineligible to ride with the recipient. The issues we identified for the seven claims resulted in $927 of known questioned costs. In addition, we found the following problems resulting in $5,180,962 in likely questioned costs, which are estimated potential violations of federal requirements that we could not confirm due to a lack of documentation: ? $4.8 million paid for taxi claims without mileage. For 29,049 taxi claims totaling $4,763,071, the Department paid the claims without ensuring taxi providers were paid at their PUC per-mile rate. These claims were submitted directly to the Department by 10 permitted taxi providers. The Department required providers to submit claims showing only the number of one-way trips driven, not the number of miles driven. As a result, the Department could not ensure that these taxi claims were paid at the correct PUC rates, as required in its Billing Manual and Rate Schedule. The Department paid the full amount that each taxi provider requested, as long as the claim was not more than $1,000 per one-way trip. For example, the Department paid $4,000 to one taxi provider for a claim showing four one-way trips for a recipient on a single day. Based on the claim amount, the taxi provider would have had to have driven the recipient on four 400-mile, one-way trips that day to justify this amount, because the taxi provider?s PUC rate is $4 for the first mile and $2.50 for each additional mile. Since the Department did not obtain the miles driven for each one-way trip from taxi providers for these 29,049 claims, we could not determine whether the payments were accurate based on each provider?s PUC rate, as required. ? $409,575 paid for taxi claims for providers not permitted as taxis. For 3,284 NEMT claims for taxi services from eight providers, the providers were not permitted by the PUC to operate as taxis. For example, one provider was paid for an NEMT taxi claim for $5,875 for 12 trips, or $490 per trip. Since these providers were not permitted as taxis, they did not have PUC-set taxi rates, so we could not determine how much these providers should have been paid. ? $4,718 paid for trips that may not have been to attend medical services. As of April 2021, 13 of the 22 sampled NEMT claims (59 percent) for trips in December 2020 had no medical claims for dates corresponding to the NEMT trips. Department staff told us that Medicaid medical claims are typically submitted and paid within 3 months of the date of service, but that there is a possibility that medical providers had not yet submitted medical claims for the recipients since federal regulations technically allow providers up to 12 months to submit claims [42 CFR 447.45(d)(1)]. In addition, six of these 13 recipients had both Medicaid and other types of medical insurance, such as Medicare. According to the Department, it is possible that the six recipients used NEMT trips to access medical services but the Department did not have a Medicaid claim for the services because they were paid by the other types of insurance, which is allowed by state regulations [10 CCR 2505-10 8.014.5.B.2]. Therefore, we could not determine whether the NEMT trips associated with the 13 claims had been for recipients to attend medical services. ? $3,598 paid for trips that may not have been completed. For 61 of the 362,110 paid claims (less than 1 percent), the scheduled trips were not marked as complete in EcoLane, so we could not determine whether they had been completed. Why did these problems occur? The Department lacks effective internal controls over NEMT claims to ensure they are appropriate and consistently comply with federal and state requirements. According to federal regulations [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls to provide reasonable assurance that federal funds are spent in compliance with federal requirements. We identified the following areas where Department controls are lacking for NEMT claims: Lack of Department information technology (IT) Controls in interChange ? No IT controls to prevent providers from bypassing broker. From December 2020 through February 2021, the Department paid NEMT providers directly for unsupported NEMT trips because the Department did not have IT controls in interChange to deny claims for trips that were not brokered through IntelliRide, as required at the time. As of September 1, 2021, the Department plans to require only the NEMT providers operating in nine metro-Denver counties to broker trips through IntelliRide, so the Department needs IT controls to ensure providers in these counties work with IntelliRide to schedule all trips and submit related claims. ? Lack of IT and other controls to ensure proper payments for NEMT taxi services. InterChange is programmed to pay each NEMT taxi claim based on one-way trips, but the Department has not implemented an IT or other control to ensure that NEMT taxi claims are paid at the providers? current PUC-approved per-mile rates, and that the Department only pays taxi rates when the provider is permitted by the PUC to operate as a taxi. Department staff stated that the only IT control the Department has built into interChange to help ensure proper payment of taxi claims is limiting payments for taxi claims to no more than $1,000 per one-way trip, and that this control is in accordance with the NEMT Billing Manual and Rate Schedule. However, Department staff also acknowledged that there is a conflict within the Billing Manual that requires taxi claims to be based on the number of one-way trips, but also paid based on per-mile PUC rates. By setting the limit based only on the number of one-way trips instead of providers? PUC per-mile rate, this Department IT control is not effective at ensuring taxi claims are paid properly. To ensure accurate payments for NEMT taxi claims, the Department will need methods, such as IT controls in interChange, and clarification in the Billing Manual and Rate Schedule, to ensure taxi providers are paid based on set rates, and ensure each taxi provider is permitted. ? No IT controls to ensure required prior authorizations. Air ambulance services were paid without the Department?s prior authorization for the services because the Department does not have IT controls to ensure prior authorization before payment. If the Department does not implement IT controls to ensure appropriate prior authorizations of NEMT services, the Department will need to develop manual processes to ensure that NEMT services receive required authorization prior to paying the related claims. Lack of Department Monitoring of NEMT Services and Claims ? Insufficient methods to ensure appropriate payment and collect necessary documentation from providers that bypass the statewide brokerage. Although the Department reviewed NEMT provider supporting documentation for NEMT services in 2019, the Department did not do so in 2020 or 2021, and had no process to require the providers that bypassed the statewide brokerage to submit documentation to support their NEMT claims before they were paid. According to the Department, in September 2021, it plans to require providers in nine counties covered by the IntelliRide brokerage contract to provide and submit claims through IntelliRide; however, NEMT providers in the remaining 55 counties will be submitting NEMT claims directly to the Department. Therefore, it is important that the Department develop a process to ensure that providers in these 55 counties maintain required documentation for each claim. ? Lack of monitoring to ensure Intelliride submits accurate mileage claims and collects necessary documentation. The Department does not conduct reviews of IntelliRide?s documentation in EcoLane to ensure it submits claims for accurate mileage and maintains support for claims submitted to or paid by the Department. For example, the Department does not reconcile its NEMT claims data from interChange and IntelliRide?s EcoLane system data to ensure each claim is supported. Furthermore, the Department has never completed a file review of IntelliRide?s supporting documentation for NEMT claims, such as when the Department contracted with IntelliRide to be a regional broker prior to becoming the statewide broker. ? No method to ensure NEMT service claims are for rides for medical treatment and the least costly. The Department does not conduct any reconciliation of its interChange data on NEMT trip claims to its interChange data on Medicaid medical claims to ensure NEMT claims are only paid for recipients to access medical care. The Department also does not require confirmation from medical providers that recipients used NEMT to access necessary medical care. For example, NEMT providers told us that before the start of the IntelliRide statewide brokerage contract, they either called medical providers to confirm that the recipients? NEMT trips were to access medical appointments or collected medical providers? signatures for each NEMT trip. In addition, the Department has no controls to ensure providers that submit claims directly to the Department are providing the least costly NEMT service appropriate to each recipient, such as public transportation when it is accessible and appropriate. For example, IntelliRide instructs its staff to attempt to schedule the lowest-cost NEMT service based on recipients? mobility needs and access to public transportation; however, the Department has no such method to ensure services are the least costly when NEMT providers schedule services for recipients. As of September 2021, the Department plans to have the recipients who live in the 55 counties not served by IntelliRide begin scheduling their rides directly with the NEMT providers of their choosing, yet the Department has not developed a method to ensure recipients in these areas receive the lowest-cost services appropriate for their needs. ? Potentially insufficient Department staffing to monitor NEMT claims effectively. For Fiscal Year 2021, the Department was appropriated three full-time equivalent (FTE) staff to oversee NEMT claims; however, the Department had two vacancies in these positions from July 2020 through May 2021 that it did not fill, so there was only one Department staff overseeing NEMT and the IntelliRide statewide contract during the audit time period. In June 2021, the Department added an additional FTE staff member to assist in administering the NEMT benefit. Why do these problems matter? Likely federal recovery of funds used for improper payments. Section 25.5-4-301(2), C.R.S., states that any overpayments of claims to providers are recoverable and ?are recoverable regardless of whether the overpayment is the result of an error by the state department? an entity acting on behalf of [the department], or the provider or any agent of the provider.? Our audit identified $291,597 in known questioned costs, of which about $145,797 is the federal portion of funds that the federal government may recover. We also identified $5,180,962 in likely questioned costs, of which $2,590,480 is the federal portion of funds that could be recovered if the payments are determined to have not been appropriate. The following table shows the questioned costs and federal portions for each problem we identified. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote When providers bypass broker controls, service quality is not monitored. When the Department allows some NEMT providers to bypass the IntelliRide broker, and does not obtain documentation to support their claims, the Department is unable to monitor the services of these providers. Additionally, when the Department does not monitor providers that bypass the statewide broker, the Department is applying different and possibly inadequate standards for the providers that bypass compared to the providers that work with IntelliRide. Although the Department plans for IntelliRide to no longer be the statewide NEMT broker for all 64 counties beginning September 2021, IntelliRide will continue to administer NEMT trips for nine Front Range counties that account for the majority of NEMT trips. It is important that all NEMT trips in these counties be brokered through IntelliRide so that the Department can monitor the quality of the trips and IntelliRide?s oversight of them. Risk of fraud, waste, and abuse. When the Department pays NEMT claims that are not supported by documentation of the service, medical documentation showing NEMT was for medical treatment, or the required prior authorizations, there is a significant risk of misappropriation of federal and state funds by providers and/or recipients. In addition, the eight providers not permitted as taxis that submitted taxi claims appear to have set their own rates of payment at a significantly higher rate, since the PUC did not permit or set rates for these providers. While we did not identify confirmed fraud by recipients or providers due to a lack of supporting documentation for claims, the problems identified demonstrate waste of public funds and potential abuse of the Medicaid program. When the Department overpays Medicaid funds and pays for unallowable services, there are fewer funds available to service the recipients who need them. In addition, there is no federal or state limit on payments for NEMT services, so it is important that the Department ensure Medicaid recipients receive appropriate transportation to medical treatment, while also ensuring the Department is acting as a good steward of federal and state funds. See Schedule of Findings and Questioned Costs for chart/table Character Limit Exceeded See Statewide Single Audit Report
Finding 2022-043 Medicaid Claims Payments Individuals and families apply for Medicaid at their local county departments of human/social services or at MA sites. Medicaid caseworkers make the determinations of participants? eligibility to receive Medicaid benefits through CBMS. Children in the State?s foster care program, whose information is documented in the TRAILS system, are automatically determined eligible for Medicaid benefits. The Medicaid eligibility data in CBMS and TRAILS feeds into Colorado interChange, which pays providers for the services that beneficiaries receive. CBMS and TRAILS interface with Colorado interChange on a daily basis to update eligibility information, such as a beneficiary?s eligibility status and/or termination of benefits in Colorado interChange. According to the Department, Colorado interChange is programmed to make only allowable Medicaid claims payments on behalf of eligible beneficiaries in accordance with federal and state Medicaid rules and regulations. Thus, Colorado interChange should stop paying Medicaid claims when a beneficiary is no longer eligible for Medicaid. On March 18, 2020, the Act was enacted. The Act provided a temporary increase in the federal share of Medicaid and CBHP assistance from January 1, 2020 until the end of the PHE. The Act also required that the Department maintain Medicaid and CBHP eligibility for beneficiaries enrolled as of March 1, 2020, through the end of the COVID-19 PHE, except for the required terminations noted within the CMS waivers, such as out-of-state residency, termination upon the beneficiary?s request, and death of the beneficiary. On March 26, 2020, CMS approved waivers for a number of Medicaid and CBHP requirements that resulted in, for example, the expansion of benefits to include all uninsured individuals; suspension of beneficiary deductibles, copayments, coinsurance, and other cost sharing charges and fees; coverage of COVID-19 vaccines and testing; and the suspension of the requirement for a provider to have a current license if their license expired during the COVID-19 PHE. In addition, the State implemented, with CMS? approval, Medicaid continuous enrollment as a condition of receiving the temporary increase in federal assistance. During continuous enrollment, beneficiaries could not be disenrolled due to changes in circumstances (i.e., changes in household composition, employment, income and resources) until the end of the COVID-19 PHE. On December 29, 2022 the CCA was enacted. Under the CCA, continuous enrollment and the temporary increase in federal assistance are no longer linked to the end of the COVID-19 PHE. The continuous enrollment condition will end on March 31, 2023 and the increase in federal assistance will start to gradually reduce in April 2023, fully ending in December 2023. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to review the Department?s progress in implementing our Fiscal Year 2019 audit recommendation related to its internal controls over Medicaid claims payments. During that audit, we recommended that the Department improve its Medicaid controls by researching and resolving CBMS, TRAILS, and Colorado interChange interface issues we identified during our audit to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries. We specifically identified a TRAILS and CBMS eligibility mismatch issue related to the daily interfaces between CBMS and Colorado interChange and between TRAILS and Colorado interChange. As a result, some individuals who were deemed ineligible for Medicaid in CBMS and TRAILS were indicated as eligible in Colorado interChange at the time of payments; therefore, Colorado interChange made payments on their behalf. The Department researched the specific errors we identified during the audit and manually corrected the eligibility status of those beneficiaries, but the Department had not fully researched the error or identified and corrected all of the cases affected by the errors at that time. As such, we also recommended that the Department identify and correct any additional cases affected by the system issues noted in our audit. The Department agreed with the recommendation and stated that it would implement them by July 2021. As part of our audit work, we discussed the Department?s progress in implementing our audit recommendation with Department staff. According to the Department, it worked with the Department of Human Services (DHS) during Fiscal Year 2022 to develop a plan to eliminate the issues, including the TRAILS eligibility mismatch issue, we identified in the Fiscal Year 2019 audit. In order to address our recommendation that the Department identify and correct any additional cases affected by the system issues noted during our Fiscal Year 2019 audit, the Department developed an eligibility reconciliation report that compares beneficiary records with an active eligibility span in Colorado interChange, in order to identify any records that were not reported in the monthly eligibility file from CBMS. Department staff reported that they are reviewing the reconciliation report monthly to identify any beneficiary records that need updating in CBMS. Beneficiaries may show up on the reconciliation report either because (1) Colorado interChange rejected the beneficiary?s eligibility due to a data integrity issue, or (2) there was a system defect in CBMS, Colorado interChange, or TRAILS that caused a mismatch issue. Data integrity issues include issues such as a missing mailing address or last name?these issues can be manually fixed in CBMS. System defect issues are generally more complex and require Department staff to research the problem and identify the system that caused the error (CBMS, Colorado interChange, or TRAILS), and then work with the appropriate staff to correct the issue. As part of our audit, we requested copies of the Department?s eligibility reconciliation reports for Fiscal Year 2022 and asked the Department if it identified any additional cases affected by the system issues we identified, and if so, if they had they corrected the issues. How were the results of the audit work measured? We measured the results of our audit against the following: ? Federal regulation [42 CFR 447.56(e)(2), Limitations on Premiums and Cost Sharing] states that federal funding will not be provided for payments made by the Department to providers for services rendered to individuals who are not eligible for Medicaid. ? The Act [Section 2, Division F, Sec. 6008, Temporary Increase of Medicaid FMAP] temporarily increased the federal medical assistance percentage (FMAP) by 6.2 percentage points, effective from January 1, 2020 until the end of the PHE. The Act requires states to maintain Medicaid and Children?s Health Insurance Program (CHIP) eligibility for beneficiaries enrolled as of March 1, 2020 through the end of the PHE (with certain exceptions) in order to receive the increased FMAP assistance (the ?continuous enrollment requirement?). The PHE remained in effect during the entirety of Fiscal Year 2022 through June 30, 2022. ? According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with the Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office, Paragraph 16.01, Perform Monitoring Activities, which states that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. What problems did the audit work identify? We determined that the Department did not fully implement our Fiscal Year 2019 recommendation related to Medicaid claims payments by the July 2021 due date it originally provided. Specifically, while the Department has started working with DHS on a plan to resolve the TRAILS eligibility mismatch issues and started preliminary work on the project, the project was still ongoing as of June 30, 2022. In addition, the Department?s system enhancements to CBMS and Colorado interChange were not fully executed because of the ongoing PHE. Once the PHE ends and the Department executes the system enhancements, the Department has indicated the system will begin to correct the CBMS and Colorado interChange mismatches. Finally, although the Department has identified additional beneficiary records that require updating in CBMS, it did not correct the identified issues in the system. Specifically, the Department identified approximately 32,800 separate beneficiaries that were flagged as having an eligibility issue through the Fiscal Year ending June 30, 2022. However, per Department staff, they are unable to tell which beneficiaries had data integrity issues versus those that were caused by a system defect. Once the continuous enrollment period ends and the Department is able to fully execute the system enhancements noted above, the Department reports that the systems will sync any error the Department has identified and will be manually corrected. Why did these problems occur? The Department indicated that it did not fully execute the CBMS and Colorado interChange system enhancements because of the Act?s ongoing continuous enrollment requirement. Specifically, because the Department was required to maintain Medicaid and CBHP beneficiaries enrolled as of March 1, 2020 through the entirety of Fiscal Year 2022 due to the continuous enrollment requirements in place, they were unable to fully execute the CBMS and Colorado interChange system enhancements that would fix the data integrity issues identified during the Fiscal Year 2019 audit. Why do these problems matter? Making payments to ineligible individuals can result in the Department having to repay the federal government for the federal portion of the overpayments. Further, because Colorado interChange makes payments on behalf of other federal programs, such as CBHP, system issues with Colorado interChange could result in erroneous payments for other programs. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-043 The Department of Health Care Policy and Financing should strengthen its internal controls over Medicaid claim payments by: A. Continuing to work with the Department of Human Services to fully implement the plan to eliminate the Colorado interChange issues between Colorado Benefits Management System (CBMS), TRAILS, and Colorado interChange to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries. B. Continuing to review the monthly eligibility reconciliation reports and identifying beneficiary records that need updating, and making necessary corrections in CBMS once the continuous enrollment condition ends. Response Department of Health Care Policy and Financing A. Partially Agree Implementation Date: April 2023 The Department and CBMS teams have strengthened their internal controls to ensure payments are only made to providers for eligible members. The Department and CBMS teams will update all member records identified on the Monthly Reconciliation report once the Public Health Emergency ends. TRAILS team has provided additional training to the Case Managers to prevent data integrity issues being submitted to CBMS and interChange; however, the TRAILS team does not plan to update the system's internal controls until funding is available. Auditor?s Addendum Our responsibility under federal audit regulations is to report to the federal government when we identify Medicaid payments that may not have been made on behalf of eligible individuals or costs that we question as appropriate. It is ultimately the Department?s responsibility to have internal controls in place over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions B. Agree Implementation Date: April 2023 The Department agrees to review the monthly eligibility reconciliation report and is looking forward to resolving the member records once the Public Health Emergency ends to fully resolve the audit finding.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-042 Medical Loss Ratio Reporting for Managed Care Entities The Department contracts with Managed Care Entities (MCEs) to provide managed care health plans and deliver health care services to eligible Medicaid and CBHP beneficiaries and pays MCEs monthly fixed amounts, known as capitation payments, based on rates determined by actuaries for the provision of services covered under the contract. The Department pays the MCEs monthly capitation payments on behalf of each Medicaid and CBHP beneficiary enrolled in the MCE?s plan. MCEs then coordinate services for the eligible Medicaid and CBHP beneficiaries and providers participating in the managed care system bill the MCEs directly for any medical services provided to Medicaid and CBHP beneficiaries. The MCEs are then responsible for paying the providers for the Medicaid and CBHP claims. The Department contracts with three different types of MCEs?Managed Care Organizations (MCO), Prepaid Inpatient Health Plans (PIHP), and Primary Care Case Management (PCCM) Entities. During Fiscal Year 2021, the Department had a total of 8 contracts with 10 MCEs, with two pairs of MCEs sharing a single contract with the Department. The Department is responsible for monitoring the MCEs to ensure they are complying with federal regulations and their contract provisions, including requirements that the MCEs annually submit Medical Loss Ratio (MLR) reports to the Department. The MLR is the proportion of state and federal Medicaid and CBHP funds that the MCE used for medical services compared to the funds used for its administrative costs. MCEs are required by both federal regulations and their Department contract provisions to have an MLR above 85 percent (i.e., an MCE?s administrative costs cannot exceed 15 percent) except for specific exceptions defined in federal regulations. If the MLR is below 85 percent, the MCE must pay back the state and federal government for the amount that caused the MCE to fall below 85 percent. Every fiscal year, the Department provides an MLR reporting template for the MCEs to complete and return to the Department. The Department reported that when it receives the completed templates, staff review the information provided by the MCEs and compare it to supporting documentation to ensure it is accurate and complete. Once the Department has reviewed the MLR reports submitted by the MCEs, the Department submits the MLR reports to CMS, which are due by June 30 of the year following the end of the MLR reporting year. For example, an MCE with a reporting year ending June 30, 2020, would be required to submit the MLR calculation to CMS by June 30, 2021. During Fiscal Year 2021, the Department reported that it paid approximately $1.4 billion in Medicaid and CBHP capitation payments to MCEs for medical services, not including the capitation payments for other services, such as administrative costs. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to review the Department?s internal controls and compliance over ensuring that MLR reports submitted to CMS by the Department include all the required information in accordance with federal regulations during Fiscal Year 2021. The audit work included making inquiries of Department staff regarding the Department?s documented policies and procedures over obtaining and reviewing MLR reports from each MCE. In addition, we requested and reviewed all MLR reports submitted to the Department by the 10 MCEs that were under contract with the Department in Fiscal Year 2021 to determine whether the MLR reports included all information required by federal regulations and were submitted within the required timeframes. How were the results of the audit work measured? Federal regulations [42 CFR 438.8(k)] require that the Department ensure each MCE under contract with the Department submits a report with the data elements specified in 42 CFR section 438.8(k)(1). The reports are specifically required to contain 13 required data elements, reflect the correct reporting years, and contain an attestation of accuracy regarding the calculation of the MLR. The 13 data elements include items such as total incurred claims, the methodology for allocating expenditures, the calculated MLR, and a comparison of the information reported in the MLR report to the MCE?s audited financial report. Federal regulations [42 CFR 438.8(g)] note that the method used to allocate expenses in the MLR calculation must be: ? Based on a generally accepted accounting method that is expected to yield the most accurate results; ? Any shared expenses must be apportioned pro rata to the contract incurring the expense; and ? Expenses that relate solely to the operation of a reporting entity must be borne solely by the reporting entity and are not to be apportioned to other entities. Federal regulations [42 CFR 438.8(k)(2)] require MCEs to submit the MLR report in a timeframe and manner determined by the Department, which must be within 12 months of the end of the MCE?s reporting year. The Department?s contract provisions for MCEs state that the MLR reporting year should align with the State?s fiscal year, beginning on July 1 and ending on June 30 of the subsequent calendar year. Contract provisions also state that each MCE shall submit to the Department the completed MLR calculation template and supporting documentation for each reporting year by the following January 15. For example, an MCE with a reporting year ending June 30, 2020, would be required to submit the MLR calculation template to the Department by January 15, 2021, and the Department would be required to submit the MLR calculation to CMS by June 30, 2021. What problems did the audit work identify? We reviewed all reports provided to the Department by the 10 MCEs during Fiscal Year 2021 (for the MLR reporting year ended June 30, 2020) and determined that none of the MLR reports submitted by the 10 MCEs to the Department contained all of the required data elements in Fiscal Year 2021. Specifically, the MLR reports were missing 2 of the 13 (15 percent) required data elements: the methodology for the MCEs? allocation of expenditures and a comparison of the information reported in the MLR report to the MCEs? audited financial reports. This omission is significant because the MCEs reported total medical expenditures ranging from $20.5 million to $208.4 million and earned revenue from $23.4 million to $219.1 million. In addition, we determined that 1 of the 10 MLR reports received in Fiscal Year 2021 (10 percent) had not been submitted to CMS as of April 2022. This report was due to CMS on June 30, 2021. Why did these problems occur? We found that the Department lacked adequate controls to ensure that MLR reports submitted by the MCEs fully complied with federal regulations. First, we noted that although the Department?s MCE contracts state the MCE?s MLR report should include all 13 federally required data elements, the MLR template the Department provided to the MCEs did not include specific sections addressing the two missing federally-required data elements. As a result, the MCEs did not submit this information. Furthermore, the Department did not have written policies and procedures for reviewing completed MLR reports to ensure the reports ultimately included those requirements. Second, the Department does not have an enforcement mechanism to ensure the MCEs provide corrected MLR report information in a timely manner. The Department reported that it had not submitted the one MLR report to CMS because it had open questions on the MLR report and was unable to verify that the information was correct, valid, and in compliance with federal regulations. Although the Department sent the MLR report back to the MCE for correction several times, the Department did not have sufficient controls in place to ensure the MCE ultimately provided the corrected report back to the Department within the required reporting timeline for CMS submission. Why do these problems matter? The Department is responsible for ensuring MLR reports are obtained and submitted to CMS in accordance with federal regulations and that MCEs have an MLR above 85 percent. While all 10 MCEs reported that their MLRs were above 85 percent for the reports submitted during Fiscal Year 2021, without providing all required data elements, neither the Department nor the federal government can validate that this percentage is accurate. By not including the methodology for the MCE?s allocation of expenditures, the Department, and ultimately CMS, are unable to confirm that each type of expense is being allocated correctly and that any shared expenses are being prorated appropriately. Additionally, by not including a comparison of the information reported in the MRL to the MCE?s audited financial report, the Department is unable to confirm that the information the MCE used to calculate their MLR is accurate. Overall, without effective internal controls in place, the Department risks providing MLR reports to CMS that contain inaccurate or incomplete information or that the MLR is below 85 percent and the Department does not catch the error. As a result, state and federal funds could be used disproportionately on administrative costs rather than medical services, which would negatively impact the quality of care Medicaid and CBHP beneficiaries receive. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-042 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls over Medical Loss Ratio (MLR) reporting by: A. Updating its MLR report template provided to Managed Care Entities (MCEs) to comply with federal regulations and developing and implementing written policies and procedures. These policies and procedures should include the requirement for MCEs to submit MLR reports that include the data elements required by federal regulations and specify the Department?s review process of those MLR reports to ensure they include accurate and complete information. B. Developing an enforcement mechanism to ensure it receives accurate and corrected information from the MCEs in a timely manner so the Department is able to complete its validation process of MLR reports and meet the June 30 deadline for report submission to the Centers for Medicare & Medicaid Services. Response Department of Health Care Policy and Financing A. Agree Implementation Date: December 2022 The MLR report template has been updated and will now be reviewed at least yearly by the Department. In addition, new written policies and procedures are being developed and will be implemented before the submission of the next MLR for review. B. Agree Implementation Date: January 2023 The Department will add contract language and enforcement mechanisms in order to receive accurate information in a timely manner. This includes specific timelines for correcting incomplete or inaccurate information in order to submit the MLR report timely to the Centers for Medicare & Medicaid Services.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-043 Managed Care Entities? Periodic Audit Reporting On November 9, 2020, CMS adopted a final rule (Final Rule) revising the regulations governing managed care programs. The Final Rule was meant to streamline the existing Medicaid and CBHP managed care regulatory framework. Further, it adopted procedures and standards to ensure accountability and strengthen program integrity safeguards. The Department is responsible for complying with these federal program integrity regulations, some of which include requirements to monitor MCE compliance submission requirements, conduct periodic audits of submitted MCE data, and then post the periodic audits publicly on the Department?s website. These periodic audits are done to determine the accuracy and completeness of the (1) encounter and, (2) financial data submitted by each MCE, which are described as follows: ? Encounter Data. The Department?s contracts with the MCEs require each MCE to submit Medical Encounter Claims (Encounter Data) to the Department. Encounter Data includes services provided by any of the MCE?s providers, including, but not limited to, services delivered by medical groups, practices, clinics, physicians, or any other providers. MCEs must submit Encounter Data on a monthly basis on the last business day of the month. The Department then contracts with an independent external quality review organization to review the information and supporting documentation, and then the external organization issues a report on the data submitted by each MCE. ? Financial Data. The Department?s contracts with the MCEs require each MCE to complete a Department-provided financial reporting template that contains a breakdown of the MCE?s administrative and medical costs for a 12-month period (July through June). These templates are required to be completed and submitted to the Department by January 15 each year. The Department performs an initial review of the information, and then sends the completed templates to an independent CPA firm for final review and issuance of a report on the data submitted by each MCE. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to review the Department?s internal controls over and compliance with federal program integrity requirements for MCEs during Fiscal Year 2021. The audit work included making inquiries of Department staff regarding the Department?s documented policies and procedures over the MCE periodic audits. For each MCE, we reviewed the Department?s MCE contract, the financial reporting template submitted during Fiscal Year 2021, and the report issued by the Department?s contracted independent organization. Lastly, we reviewed the Department?s website to determine whether the Department posted the periodic audit results on their website. How were the results of the audit work measured? Federal regulations [42 CFR 438.602] detail the Department?s responsibilities associated with MCE program integrity. These include the following: ? Federal regulation [42 CFR 602(e)] requires the Department to periodically conduct, or contract for the conduct of, an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by each MCE. ? Federal regulation [42 CFR 438.602(g)(4)] requires that the results of the periodic audits for each MCE be publicly posted on the Department?s website. The Department?s MCE contracts require all MCEs to submit Encounter Data electronically to the Department on a monthly basis. The Department?s MCE contracts also require all MCEs to submit annual financial information, including annual financial statements and the Department provided financial reporting template. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in the Green Book. Under Paragraph 16.01, the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. What problems did the audit work identify? Overall, we found that the Department did not obtain complete financial data from the MCEs during Fiscal Year 2021 and did not post the audited results of the financial data to the Department?s website. Specifically, we found the following: ? Financial Data Reporting Template. For 2 out of the 10 (20 percent) financial reporting templates we reviewed, the MCE did not fill out the reporting template completely. As a result, the reporting templates were missing supporting information and explanations that assist the Department in their initial review of the MCE financial data, such as the MCE?s methodology for calculating administrative and medical costs submitted with the reporting template. ? Posting Incomplete Periodic Audits to the Department?s Website. For 10 of the 10 (100 percent) MCEs, we found that the Department failed to post the results of the financial data audits to its website. Pursuant to federal regulations, the audits must include information on encounter and financial data for each MCE and be posted to the Department?s website. We were able to verify that the Department did, however, post the results of the encounter audits to its website for all 10 MCEs. Why did these problems occur? The Department lacked adequate controls over ensuring compliance with federal program integrity requirements for MCEs. Specifically, the Department did not have written policies and procedures for performing the initial review of the financial data reporting templates before they are sent to the CPA firm for final review. In addition, the Department did not have written policies and procedures for ensuring all periodic audit information is posted to its website, including the results of the financial data audits. Why do these problems matter? As a recipient of federal funds, the Department is ultimately responsible for ensuring that it is in compliance with federal regulations. By not confirming that the MCE financial data templates are complete, there is a risk that the reports issued by the contracted CPA firm could be inaccurate or incomplete, which could lead to the Department not properly monitoring the managed care program. In addition, by posting incomplete periodic audit information to its website, the Department risks failing to comply with federal program integrity requirements for MCEs. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-043 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls by developing and implementing written policies and procedures for periodic audits that detail the process for (1) performing the initial review of the financial data reporting templates submitted by Managed Care Entities, and (2) posting complete periodic audit results on the Department?s website in accordance with federal regulations. Response Department of Health Care Policy and Financing Agree Implementation Date: December 2022 The Department did not have strong enough controls for the initial checks on the financial data reporting templates. This process has been updated and will be rectified in coming cycles. The Department has modified its templates in order to address the concerns provided by the auditors including signatures and supplemental reporting. Written policies and procedures for the validation and audit of the templates are being developed currently and will be in place and effective in December 2022. The Department will be correcting this error by posting the audit results along with other quality and audit reports on the following site: https://hcpf.colorado.gov/quality-and-health-improvement-reports.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-048 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-035 MEDICAL ASSISTANCE PAYMENTS FOR DECEASED BENEFICIARIES As a safeguard against potential errors and fraud, state and local agencies need to be vigilant in preventing payments for medical services on behalf of ineligible individuals, such as those who are deceased. In general, the Department, local counties, and MA sites share responsibility for ensuring that only eligible beneficiaries receive public assistance benefits under Medicaid and CBHP. Local counties and MA sites caseworkers enter the required data for eligibility determination into CBMS, which either approves or denies eligibility for MA benefits. In addition, CBMS has various system interfaces to confirm and update the eligibility information in CBMS, including the date of death. Eligibility data in CBMS feeds daily into Colorado interChange and the Department pays providers through two methods: (1) FFS payments to medical service providers for specific services, including pharmacy prescriptions, and (2) capitation payments. The monthly capitation payments are paid at the beginning of each month regardless of whether the providers serve beneficiaries during the month or not. FFS payments are only made for Medicaid beneficiaries while capitation payments are made for both Medicaid and CBHP beneficiaries. Colorado interChange is programmed to pay FFS and monthly capitation payments only on behalf of beneficiaries that are deemed eligible based on eligibility information received from CBMS and requirements specified in federal and state regulations. CBMS receives beneficiary death information through various sources, including updates from beneficiaries? family members, daily interfaces with the SSA, and a monthly interface with the Colorado Electronic Death Registration System maintained by the Colorado Department of Public Health and Environment (CDPHE). If death information received in CBMS has not been verified, the Department will confirm the death information by sending notification letters to the deceased beneficiary. Once the death information is verified, CBMS is programmed to terminate the beneficiary?s eligibility as of the date of death. On a daily basis, CBMS then sends updated beneficiary eligibility and date of death information to Colorado interChange, which is programmed to run a daily automated process to stop payments, check for payments, and recover all FFS and capitation payments made after the beneficiary?s verified date of death. In the majority of cases, there is a delay between when the beneficiary dies and when the Department receives death information, verifies the date of death, and terminates benefits; which means that claims may be paid on behalf of deceased beneficiaries for a period of time. Per federal regulations, the Department is required to recover any payments made on behalf of these beneficiaries after their date of death. Once the Department receives verified death information, overpayments are recovered through an automated process in Colorado interChange. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over Medicaid and CBHP payments related to beneficiaries who die while receiving benefits, to determine whether the Department complied with applicable federal and state requirements, and whether payments were only made on behalf of eligible beneficiaries during Fiscal Year 2020. During our audit, we received a listing of all Coloradans who died during Fiscal Year 2020, including dates of death, from CDPHE staff. We also obtained a listing from the Department of all Medicaid and CBHP payments made to providers during Fiscal Year 2020. We compared the two listings using Social Security Numbers (SSN) and identified 1,059 Medicaid and CBHP IDs that had Medicaid payments totaling $429,951 made on their behalf and $194 in CBHP payments made on their behalf. In addition, we reviewed the Department?s processes, policies, and procedures for identifying, stopping, and recovering payments for deceased beneficiaries. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? Federal regulation [42 CFR 431 Subpart Q, Requirements for Estimating Improper Payments in Medicaid and CHIP] states that any payment to an ineligible beneficiary is considered an improper payment, which is any payment that should not have been made or that was made in an incorrect amount. Also, Section 25.5-4-301(2), C.R.S., requirements for Medicaid and CBHP, states that any overpayments of claims to providers are recoverable. These overpayments ?are recoverable regardless of whether the overpayment is the result of an error by the state department, a county department of human or social services, an entity acting on behalf of either department, or by the provider or any agent of the provider.?? Additionally, Section 25.5-4-301(2)(a)(II), C.R.S., states, ?If the state department makes a determination that such overpayment has been made for some other reason than a false representation by the provider?, the state department may waive the recovery or adjustment of all or part of the overpayment and accrued interest specified in this subparagraph (II) if it would be inequitable, uncollectible or administratively impracticable?.? Because medically necessary services cannot be provided after a beneficiary?s death, no medical services are allowable after a beneficiary?s death and, accordingly, payments for medical services claimed to have been provided after a beneficiary?s death are overpayments and should be recovered. Pursuant to 1903(d)(2)(C) of the Social Security Act [42 U.S.C. 1396b] requirements for Medicaid and CBHP, states have up to 1 year from the date of discovery of any overpayment to recover or attempt to recover the overpayment before the federal share must be refunded to CMS, regardless of whether or not recovery is made from the provider. According to federal regulation [45 CFR 75.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. Green Book, Paragraph 16.01, states that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. A questioned cost, as defined in Uniform Guidance [45 CFR 75.2], is ?a cost that is questioned by the auditor ? (1) Which resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds; [or] (2) Where the costs, at the time of the audit, are not supported by adequate documentation?.? Additionally, federal regulation [45 CFR 75.516] defines known questioned costs as questioned costs that are specifically identified by the auditor and likely questioned costs as the auditor?s best estimate of total questioned costs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We found that the Department made Medicaid and CBHP payments to providers for medical services claimed to have been rendered to Medicaid and CBHP beneficiaries after the months in which beneficiaries died. Specifically, the Department made payments on behalf of 1,059 beneficiaries after their date of death provided by CDPHE, resulting in overpayments of $185,265, of which $96,952 were paid with federal grant funds, as follows: MEDICAID FFS PAYMENTS. We identified 277 Medicaid beneficiaries whose SSN matched a death record from CDPHE and who had Medicaid FFS payments totaling $207,667 paid on their behalf to providers after their date of death. We reviewed payments for 21 of the 277 Medicaid beneficiaries and confirmed with the Department that 17 of the 21 beneficiaries (81 percent) were deceased and had payments made on their behalf after their date of death during Fiscal Year 2020. We also found that the Department had not recovered these improper FFS payments to ineligible beneficiaries as of the end of Fiscal Year 2020 and, therefore, these errors resulted in known questioned costs of $17,041, of which $8,654 was paid with federal grant funds. For the remaining four Medicaid beneficiaries, the Department researched and provided evidence that the beneficiaries were not deceased. Therefore, these four beneficiaries did not result in questioned costs. The remaining 256 beneficiaries whose SSN matched a death record from CDPHE and need to be researched and verified resulted in likely questioned costs of $77,840, of which $41,422 was paid with federal grant funds. MEDICAID AND CBHP CAPITATION PAYMENTS. We identified 846 Medicaid and CBHP beneficiaries whose SSN matched a death record from CDPHE and who had capitation payments paid on their behalf to providers after their date of death that had not been recovered as of the end of Fiscal Year 2020, totaling $222,630 for Medicaid and $194 for CBHP. We informed the Department of the issues we identified and provided them with the list of 846 beneficiaries. Department staff performed additional follow-up and confirmed that Colorado interChange had received verified death records for 747 of the 846 beneficiaries and a total of $170,747 in provider payments had been made on the beneficiaries? behalf after their dates of death during Fiscal Year 2020. These payments resulted in known questioned costs of $168,224, of which $88,150 was paid with Medicaid federal grant funds and $148 was paid with CBHP federal grant funds. For 12 out of the 747 beneficiaries, the date of death reported in Colorado interChange differed from the date of death provided by CDPHE. Part of the payments to these beneficiaries resulted in likely questioned costs of $2,524, of which $1,401 was paid with Medicaid federal grant funds. For the remaining 99 of the 846 beneficiaries, the Department reported that Colorado interChange did not have death information for these beneficiaries and had not researched these further. As a result, Medicaid payments for these 99 beneficiaries are reported as likely questioned costs of $52,076, of which $28,508 was paid with federal grant funds. The following table summarizes the issues we identified. See Schedule of Findings and Questioned Costs for chart/table. WHY DID THESE PROBLEMS OCCUR? Overall, the Department lacked sufficient internal controls to ensure that medical assistance payments were not paid to deceased individuals during Fiscal Year 2020, as follows: ? LACK OF WRITTEN POLICIES AND PROCEDURES. The Department does not have written policies and procedures to monitor payments to deceased beneficiaries, to recover overpayments, and to ensure compliance with federal and state regulations related to medical assistance payments after a beneficiary?s date of death. ? SYSTEM ISSUES. We identified the following Colorado interChange system issues that caused the errors we identified: ? According to the Department, when Colorado interChange was implemented in 2017, it was programmed to only recover capitation payments in the current month and previous 2 months for Medicaid beneficiaries, and in the current month and previous 5 months for CBHP beneficiaries, after death information is received. As a result, for instances in which the Department received and verified beneficiaries? death information more than 3 months after the date of death for Medicaid and more than 6 months after the date of death for CBHP, the Department was not automatically recovering all improper capitation payments in accordance with federal and state regulations. According to the Department, in November 2020, the Department updated Colorado interChange to correct this system issue to recover all capitation payments after a beneficiary?s date of death. ? The Department lacks an effective internal control process for detecting when Colorado interChange is not recovering payments made on behalf of deceased beneficiaries. Specifically, we identified issues related to Medicaid FFS payments and followed up with the Department. Upon further review, the Department discovered a system defect that occurred from October 23, 2019, through April 23, 2020, which prevented Colorado interChange from carrying out the daily automated check and recovery process for FFS payments made on behalf of deceased beneficiaries. Due to this system defect, Colorado interChange did not recover any payments for deceased beneficiaries during this time. Although the system defect was fixed in April 2020, the Department was not aware of the issue and that payments were not being recovered for deceased beneficiaries until the Department researched the beneficiaries identified through the audit. According to the Department staff, as of May 2021, the Department was still researching the deceased beneficiaries impacted by the system defect and recovering payments. WHY DO THESE PROBLEMS MATTER? Without strong internal controls over Medicaid and CBHP eligibility, the Department increases the risk of improper payments due to fraud or error. Furthermore, making payments on behalf of ineligible individuals, including individuals who are deceased, can result in the Department having to repay the federal government for the federal portion of the overpayments. Additionally, the federal government can disallow federal funds for program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-035 The Department of Health Care Policy and Financing should improve its internal controls over Medicaid and Children?s Basic Health Plan (CBHP) payments for deceased beneficiaries by: A Establishing and implementing written policies and procedures to monitor payments to deceased beneficiaries, recover any overpayments, and to ensure compliance with state and federal regulations. B Researching and resolving the Colorado interChange system (Colorado interChange) issues to ensure that all Medicaid and CBHP payments are stopped and recovered after a beneficiary?s date of death and developing a process to detect when Colorado interChange is not recovering payments on behalf of deceased beneficiaries. C Researching and recovering any overpayments made to providers on behalf of ineligible beneficiaries noted through the audit in accordance with state requirements. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will create written procedures documenting system and monitoring processes used to prevent claims from paying after a beneficiary?s date-of-death is verified. In addition, the procedures will document the processes used to recover payments made between a beneficiary?s verified date-of-death and the date the Colorado interChange system is updated with the date-of-death. B AGREE. IMPLEMENTATION DATE: JULY 2022. The system issues described in this audit were resolved as of April 2020 for fee-for-service claims and November 2020 for capitation payments. Once a beneficiary's date-of-death is verified, payments that were made after to the date-of-death will be recovered through the Department's existing processes. As noted in the Department?s response to Recommendation (A), the Department will create written procedures documenting system and monitoring processes used to prevent claims from paying after a beneficiary?s date-of-death is verified. In addition, the procedures will document the processes used to recover payments made between a beneficiary?s verified date-of-death and the date the Colorado interChange system is updated with the date-of-death. AUDITOR?S ADDENDUM As noted in the finding, the Colorado interChange system defect did not recover payments from October 23, 2019, through April 23, 2020. However, the Department was not aware of the system defect until it researched the beneficiaries identified through the audit. According to Department staff, as of May 2021, the Department was still researching the beneficiaries that were impacted by the system defect and recovering payments. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will recover any overpayments made to providers on behalf of deceased beneficiaries once a beneficiary's date-of-death is verified based on our current processes and existing system functionality. The Department does not agree to the questioned costs identified by the auditors. When performing a review of the auditor?s data, several beneficiaries were found not to be deceased by the Department. The records provided by the auditors, like all records received from Colorado Department of Public Health and Environment (CDPHE) and the Social Security Administration (SSA), will go through the Department?s existing verification process. The Department performs the required research and outreach to beneficiaries to verify the date-of-death prior to updating the information in the Colorado interChange. In addition, the Department is not required to recover payments by the end of the state fiscal year, and reports any payments recovered to the Centers for Medicare and Medicaid Service (CMS) based on federal requirements. The Department?s source of beneficiary data, the verification processes, and recovery processes have already been established to satisfy this recommendation within federal guidelines. AUDITOR?S ADDENDUM As noted in the finding, all known questioned were for deceased beneficiaries that were verified by the Department. All likely questioned costs were for beneficiaries that had yet to be researched and verified by the Department. According to Department staff, as of May 2021, the Department was still researching and recovering payments made on behalf of deceased beneficiaries.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-056 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-044 PROVIDER ELIGIBILITY Medicaid and CBHP cover a variety of medical and related services, which are provided by provider types such as clinics and hospitals, managed care organizations such as health plans or independent physicians, as well as individual medical providers working within these entities or individually. As of June 30, 2019, the Department had enrolled approximately 71,000 entities and individuals for providing services under Medicaid and CBHP. The Department is ultimately responsible for determining if providers are eligible to participate in Medicaid and CBHP. However, the Department has contracted with a fiscal agent, currently DXC Technology Services, LLC (DXC), to act on its behalf in determining Medicaid and CBHP provider eligibility. A fiscal agent is a contractor that performs certain provider enrollment and claims processing activities, including accepting, processing, evaluating, and approving or rejecting applications. The fiscal agent also assesses the providers into one of three risk categories?limited, moderate, and high?to ensure that appropriate federal and state regulations are applied during the provider enrollment process. Providers that want to enroll must complete an application within Colorado interChange and provide documentation, including a current business and/or medical license, showing that they fulfill all enrollment requirements. Once the enrollment process is complete, the Department enters into agreements with the providers that are found to be eligible. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over Medicaid and CBHP provider eligibility and enrollment processing, and to determine whether the Department complied with federal Medicaid and CBHP provider eligibility requirements during Fiscal Year 2019. Additionally, the purpose of our work was to determine the Department?s progress in implementing our Fiscal Year 2017 and 2018 recommendations related to provider eligibility and enrollment. At that time, we recommended that the Department improve its controls over Medicaid and CBHP provider eligibility determination and enrollment to ensure that it complies with federal and state requirements related to data verification, documentation including current provider licenses, monitoring policies and procedures, appropriate indication of results of database matches, and consistent display of provider information within Colorado interChange. The Department agreed with our recommendations and stated that it would implement them by Fiscal Year 2019. We reviewed a sample of 25 Medicaid provider applications for individual, company, and managed care providers that were deemed eligible and received payments during Fiscal Year 2019 through Colorado interChange for services provided. We obtained and reviewed the provider application information entered into Colorado interChange, as well as the supporting documentation uploaded into Colorado interChange by providers, to determine whether these providers were accurately deemed eligible to receive Medicaid payments and whether the required documents were present in accordance with federal and state regulations. In addition, we conducted interviews with Department staff regarding its procedures over Medicaid provider eligibility and enrollment. We also obtained a detailed Suspension Listing from the Department of Regulatory Agencies, which contained health care provider business and medical licenses that were terminated during Fiscal Year 2019. We compared the Suspension Listing with provider information in Colorado interChange to determine if the Department made inappropriate claims payments to unlicensed providers during the fiscal year. Because CBHP is operated through Medicaid, and the processes followed for provider eligibility and enrollment for CBHP providers are the same as the processes for Medicaid providers, our testing looked at compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal and state Medicaid regulations for provider eligibility during Fiscal Year 2019. Specifically, although we did not identify enrollment issues with the Department?s processing of providers who were newly enrolled during Fiscal Year 2019, we found at least one issue related to ongoing eligibility with all 25 sampled providers we tested: ? DATABASE MATCHES AND DISPLAY OF PROVIDER INFORMATION. We identified the following database match functionality issues with 24 of 25 providers (96 percent) tested: ? For 23 of 25 providers (92 percent) that included individual, company, and managed care providers, Colorado interChange showed that the provider?s owners, agents, and managing employees? SSNs were not verified against federal databases, as required. Specifically, the SSN check box within Colorado interChange indicated ?N,? meaning ?No verification was performed with the database.? Additionally, for one of 25 providers (4 percent) that was a managed care organization, the organization was enrolled in Colorado interChange in April 2019 and showed that the SSNs had been verified, but SSNs for two individuals who worked under this provider that were listed on the application were shown as ?N? within the system. ? For eight of 25 providers (32 percent) that included companies, Colorado interChange showed that the providers? Federal Employee Identification Numbers (FEIN) were not verified against federal and state databases, as required. Specifically, the FEIN check box within Colorado interChange indicated ?N.? ? For 13 of 25 providers (52 percent), Colorado interChange did not present the data of owners, agents, and managing employees information consistently between various screens within Colorado interChange. For example, when a provider noted owners, agents, or managing employees on its application, that information was not reflected in Colorado interChange outside of the application screen even though there is a section in Colorado interChange that should list the owners? information. According to federal regulation [42 CFR 455.436] and requirements established by the ACA [Patient Protection and Affordable Care Act (2010), Section 6401(a)], the Department must check federal databases to confirm providers? identity and determine whether providers are excluded from participating in the Medicaid program; this verification must also occur, if applicable, against providers? owners, agents, and managing employees. For example, the Department must check the federal exclusion databases at least monthly to ensure that the providers, owners, agents, and managing employees are not excluded from participating in the Medicaid program. Colorado interChange is designed to display provider application information consistently between various screens within the system, such as name, SSN, FEIN, and/or National Provider Identification number (NPI), with various federal and/or state databases to identify potential errors and to flag the application for a required caseworker manual review. According to Department staff, when Colorado interChange successfully verifies provider-provided information against another state or federal database, Colorado interChange should separately mark each verified data field on the application to note the successful match. Conversely, if Colorado interChange does not match a given field against a database, it should also be identified in the system. As a result of these issues, we were unable to determine if Colorado interChange performed the required matches and if any discrepancies in provided information were identified and presented to DXC, the fiscal agent, for a manual review to verify eligibility, as required. ? DOCUMENTATION. The Department did not maintain sufficient documentation within Colorado interChange for the receipt date of the fingerprints from the provider, the collection of application fees, and site visits, as follows: ? For four of 25 providers (16 percent) tested, the Department?s fiscal agent failed to fill in the receipt date field within Colorado interChange to indicate when fingerprints were received from enrolling providers. After bringing this issue to the Department?s attention, the Department provided fingerprinting documentation in November 2019 to support that these providers submitted fingerprints within 30 days of Department request in accordance with federal regulation; however, that receipt date information had not been documented in Colorado interChange as of November 2019. ? For one of 25 providers (4 percent) tested, the provider was assessed as high risk but the provider?s file did not contain evidence that an application fee was collected or that the fiscal agent conducted a site visit, as required. Under federal requirements [Sub Regulatory Guidance for State Medicaid Agencies (SMA): Revalidation (2016-001(3))], the Department ?must be able to produce documentation to support each of the provider screening and enrollment requirements,? such as requirements for fiscal agent-conducted site visits of moderate and high risk providers during the enrollment and revalidation process. Federal regulation [42 CFR 455.432] states that the State Medicaid Agency or their fiscal agent must conduct pre- and post-enrollment site visits of providers who are deemed as moderate or high risk to the Medicaid program. The purpose of the site visits is to verify that the information submitted to the state Medicaid agency is accurate and to determine compliance with federal and state enrollment requirements. Additionally, the Department?s contract with DXC requires the fiscal agent to maintain detailed documentation and procedures for Medicaid provider enrollment. Federal regulation [42 CFR 455.434] requires that, for any provider assessed by the Department as high risk, the Department must obtain fingerprints from the provider, including fingerprints for any person(s) who has a 5 percent or more direct or indirect ownership interest in the provider and furnishes medical or pharmaceutical services or supplies. The provider must submit the fingerprints within 30 days, upon request by the Department. Federal regulation [42 CFR 455.460(a)] states that the Department must collect the applicable application fee prior to executing a provider agreement from a prospective or re-enrolling provider, with certain limited exceptions. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal control over its federal awards that provides reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Green Book Paragraph 16.01, Perform Monitoring Activities, which states that the Department ?should establish and operate monitoring activities to monitor [its] internal control system and evaluate the results.? Monitoring activities include reviewing reports, observing operations, and ensuring that activities are carried out in accordance with the federal grant agreement. ? INELIGIBLE PROVIDERS: Based on our review of the suspended license listing from the Department of Regulatory Agencies, we identified three providers that had their licenses suspended during part of Fiscal Year 2019 but continued to be shown as active in Colorado interChange, as follows: ? One provider had its license suspended between February 11, 2019, and March 27, 2019; however, during this timeframe, the provider continued to bill claims and receive payments from Colorado interChange. After we questioned the Department about the issue, the Department issued a demand for payment letter dated October 18, 2019, to the provider for $15,061 in payments that were inappropriately paid. We consider these $15,061 payments to be known questioned costs; $7,531 of these payments were made with federal grant funds. ? Two providers had suspended licenses as of September 21, 2018, and February 25, 2019, respectively, but showed as active in Colorado interChange through June 30, 2019, and therefore appeared eligible to bill claims and receive payments. Based on additional testing, we determined that no payments were made to these providers after their licenses were suspended and did not identify any questioned costs associated with these two providers. Federal regulation [42 CFR 455.412] requires that the Department must have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State and confirm that the provider?s license has not expired and that there are no current limitations on the provider?s license. This federal regulation requires the Department to verify that the providers meet required licensure standards initially, and it is best practice for the Department to verify that the providers meet these standards on an ongoing basis to ensure that there are no current limitations on the provider?s license. In addition, state regulation [10 CCR 2505-10 8.125.9, Verification of Provider Licenses] states, ?If a provider is required to possess a license or certification in order to provide services or supplies in the State of Colorado, then that provider must be so licensed as a condition of enrollment as a Medicaid provider. As a condition of enrollment, any required licenses must be active without any current limitations.? Under the federal regulation, Requirements for Estimating Improper Payments in Medicaid and CHIP [42 CFR 431.958], ?Improper payment means any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements; and payment means any payment to a provider, insurer, or managed care organization for a Medicaid or CHIP beneficiary?? WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls in place over provider eligibility and claims payment processes related to the monitoring of DXC, its fiscal agent, during Fiscal Year 2019 to ensure that it complied with federal and state regulations. Specifically, Colorado interChange required fixes that were in various stages of correction during Fiscal Year 2019. According to the Department, Colorado interChange required a system fix in December 2018 in order to properly mark and/or display results related to federal and state database checks going forward; however, the system fix did not completely resolve the display issues to accurately indicate whether the data matches had occurred, and the Department did not retroactively make corrections to any cases that erroneously indicated that their information had not been verified. Rather, the Department stated that the inconsistent display issue related to providers that enrolled in the program when Colorado interChange was initially implemented and that this will be addressed after these providers are revalidated in Fiscal Year 2020 or when a provider updates their information, whichever occurs first. Additionally, the Department indicated that Colorado interChange did not have an automated system alert to check with the Department of Regulatory Agencies? license database on a regular basis to notify the fiscal agent and/or the Department that a license had expired. Although the Department reported that they had an interim manual process to ensure that expired licenses were identified and that subsequent steps were taken to ensure that providers remained eligible throughout the fiscal year to provide Medicaid services, the manual process did not identify and/or address the instances that we identified through our audit. Finally, we noted that the Department lacked an effective monitoring process over DXC, its fiscal agent, to ensure that the required documentation was maintained in accordance with Uniform Guidance, as the monitoring policies and procedures referred to as Provider Enrollment Audit Process were still in the draft stage during Fiscal Year 2019 and had not been formalized. WHY DO THESE PROBLEMS MATTER? By not ensuring that appropriate internal controls, including system controls and monitoring, are in place over the Medicaid provider eligibility and enrollment processes, the Department cannot ensure that all Medicaid providers are eligible or qualified to participate in the program. Additionally, without instituting a process to regularly update provider licensure information and to ensure that provider information contained in Colorado interChange is consistent and accurate, the Department cannot ensure that the enrolled providers are appropriately screened and are eligible to receive payments. Ensuring that providers contained in Colorado interChange are qualified to provide services is especially important because Colorado interChange is also used for provider eligibility determination for CBHP. Overall, the State could risk losing federal Medicaid and CBHP funding if it allows non-qualified providers to bill and be paid for services provided for these programs. RECOMMENDATION 2019-046 The Department of Health Care Policy and Financing (Department) should improve its controls over Medicaid and Children?s Basic Health Plan (CBHP) program provider eligibility determination and enrollment to ensure that it complies with federal and state requirements by: A Working with its fiscal agent to ensure that Colorado interChange performs all required database matches and properly displays results of Social Security Number and Federal Employer Identification Number verifications for all providers. B Establishing an effective process to ensure that provider licensing information contained in Colorado interChange is current, that any expired licenses are identified, and that any ineligible providers are disallowed from providing Medicaid and CBHP services and receiving payments in accordance with Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). C Formalizing the Department?s monitoring policies and procedures called Provider Enrollment Audit Process over the fiscal agent to ensure required documentation is maintained in accordance with Uniform Guidance. D Ensuring that Colorado interChange displays provider information consistently throughout the system. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department is working with its Fiscal Agent to ensure all required database screenings are performed and clearly identified in the Colorado interChange. An issue was identified in a prior year, FY 2018-19, that not all screening information was consistent. There was also a concern that initial screenings might miss some individuals due to the way data was formatted when transferred from LexisNexis. The issue was resolved by the Fiscal Agent prior to FY 2019-20. The Fiscal Agent is continuing to conduct manual reviews of all screening results to ensure compliance. A separate process to screen providers monthly is executed by the Department's Program Integrity Section. Through this process, no providers were found to have been enrolled incorrectly and, as necessary, the Department took appropriate action if there were changes to a provider's information. The Department is working with its Fiscal Agent to properly display results of Social Security Number and Federal Employer Identification Number verifications for all providers and automate the review process. The Department's implementation date reflects that the Department will complete the improvements and be in compliance with the Recommendation for the entirety of FY 2022-23. B DISAGREE. The Department finds that the Colorado interChange is working as designed, that the Fiscal Agent is appropriately enrolling providers, and that the Department is in compliance with the federal regulations regarding enrolling and revalidating providers. The Department is compliant with 42 CFR ? 455.436, which requires providers to be screened at enrollment and revalidation. All providers are assessed for eligibility requirements at enrollment and revalidation and are then screened monthly to identify any changes. For the licensing issue identified in this audit report, the Department performed the appropriate actions to recover funds within less than a month of the incident, which is compliant with federal regulation 42 CFR ? 455.436(c)(2). AUDITOR?S ADDENDUM: As noted in the finding, we found issues with the Department?s ongoing verification and monitoring of providers? eligibility that failed to prevent improper payments to an ineligible provider during the fiscal year. In addition, the Department did not send notification to recover funds from the provider until October 2019, or 8 months after the provider?s license was suspended. C AGREE. IMPLEMENTATION DATE: JULY 2020. The Department finalized the Fiscal Agent monitoring policies and procedures in December 2019 and therefore was unable to be in full compliance for the entire FY 2019-20. The Department's implementation date reflects that the Department will be in compliance with the Recommendation for the entirety of FY 2020-21. D DISAGREE. There was an initial system configuration on some early enrollments that prevented populating the requested information in the visible provider subsystem tabs for the auditor to review. The verification functionality happens within the provider portal and not in the visible provider subsystem tabs that the auditor reviews. However, no functionality or data was lost, the information only appeared and was stored in the provider portal. The Department implemented a solution so that the information will be displayed in the provider subsystem. This change is pending the next update the providers make and the data will be visible in the provider subsystem. The Department will not be making historical changes to the system. The Department has worked with the Fiscal Agent to resolve the issues which led to the finding and does not believe that expending additional resources to display historical information in both the provider portal and the provider subsystem is the best use of resources. The Department can produce the information manually. AUDITOR?S ADDENDUM: The data inconsistency issues we identified through our audit were based on our reviews of Colorado interChange through the access provided to us by the Department. As noted in the finding, inconsistent information within the provider eligibility screens used for Medicaid and CBHP increases the risk of inaccurate reviews of provider eligibility and ultimately, inappropriate enrollment screening. Therefore, as our recommendation states, the Department should ensure that Colorado interChange displays provider information consistently. The recommendation did not include restatement of historical information.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-050 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-037 RECOVERING AND REFUNDING OF FEDERAL SHARE OF MEDICAID AND CBHP PROVIDERS? OVERPAYMENTS The Department pays providers for services rendered to eligible beneficiaries of Medicaid and CBHP programs. In some cases, the Department may discover that it paid a provider for unallowed services, or that it paid more than the allowable amount, and will need to seek a recovery for the overpayment. In such cases, the Department is required to repay CMS for the portion of the overpayment that was funded by the federal government (federal share) within 1 year of the date the overpayment was identified. The Department?s Program Integrity (PI) Division identifies, receives, and tracks overpayments made to Medicaid and CBHP providers. An overpayment is identified once the PI Division sends a Demand Letter (date of discovery) to the provider or receives a self-disclosure identifying the amount of overpayment. The provider has a deadline of 30 days after receiving a Demand Letter or 60 days after submitting a self-disclosure to submit the overpayment or make arrangements for a payment plan with the PI Division. The PI Division uses a recovery tracking spreadsheet (Spreadsheet) to compile all necessary information for the recovery and refund of overpayments. The Spreadsheet is designed to contain information such as the amount of the overpayment, date of discovery, and deadlines for refunding to CMS. The federal share of overpayments that must be refunded to CMS depends upon the Federal Medical Assistance Percentage (FMAP) at which the Department was reimbursed. Once the PI Division recovers an overpayment from the provider, it determines the FMAP and includes it in a recovery form called the Colorado Authorization Document; PI Division staff then send it to the Controller?s Division for recording the recovery and refund information in the Colorado Operations Resource Engine (CORE), the State?s accounting system. The Department?s Controller?s Division uses summary data from CORE to report financial information for Medicaid and CBHP?including all overpayments and the associated federal share?to CMS in quarterly reports: Form CMS-64 for Medicaid and Form CMS-21 for CBHP. The Department has up to 1 year from the date of discovery of an overpayment to report the refund to CMS in one of these forms, as appropriate. The PI Division works with the Controller?s Division to ensure the timely reporting and refunding of the federal share of overpayments to CMS. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to review the Department?s internal controls over processes for recovering, reporting, and refunding the federal share of Medicaid and CBHP overpayments, as well as to determine whether the Department complied with applicable federal requirements and Department policies and procedures during Fiscal Year 2020. During our audit, we reviewed the Department?s Spreadsheet detailing all overpayment cases that appeared to be due for a refund of federal share to CMS during Fiscal Year 2020. The Spreadsheet included 50 Medicaid and seven CBHP overpayment cases, and from these, we selected and tested a sample of 13 Medicaid and five CBHP overpayments. We requested and reviewed supporting documentation for these overpayments to determine whether (1) the information recorded in the Spreadsheet was accurate, (2) the overpayment was recovered in a timely manner or recovery was attempted within 1 year from the date of discovery, and (3) the federal share was appropriately refunded through quarterly reports to CMS in accordance with federal regulations. Additionally, we requested the Department?s policies and procedures to ensure compliance with federal regulations governing the recovery, reporting, and refunding of Medicaid and CBHP overpayments to CMS. The process followed for recovery, reporting, and refunding the federal share of overpayments to providers is the same for both Medicaid and CBHP, and our testing was used to determine compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal regulations for recovering, reporting, and refunding the federal share of Medicaid and CBHP overpayments to providers during Fiscal Year 2020. We noted issues with the untimely recovery and refund of overpayments to CMS, inaccurate federal reporting to CMS, and untimely follow-up with the provider on outstanding overpayments and expired checks. Specifically, we identified the following: ? UNTIMELY RECOVERY AND REFUND. For six of the 13 Medicaid (46 percent) and two of five CBHP (40 percent) overpayments tested, the Department failed to recover, or seek to recover, the overpayments from the provider and failed to refund to CMS, the federal share, within 1 year of the date of discovery, as required by federal regulations. For example, an overpayment was identified on September 13, 2018, but the Department did not recover, or seek to recover, the overpayment until September 15, 2020, and did not refund the federal share to CMS until federal quarter ending September 30, 2020, which is 367 days past the 1 year recovery and refund period in accordance with the federal requirement. In addition, for one of the 13 Medicaid (8 percent) and one of five CBHP (20 percent) overpayments tested, the Department failed to refund the federal share of overpayment to CMS within 1 year of the date of discovery. As a result of untimely follow-up with the providers, the Department did not recover the overpayments amounting to $23,646 in known questioned costs; and did not refund $12,176 within the 1 year period of discovery. These errors resulted in underreporting of overpayments to CMS for Fiscal Year 2020. Additionally, the Department could be liable to CMS for the interest payments on these untimely refunds of overpayments. As of the end of our audit, the Department had not provided an estimated amount of interest that will be due to CMS so we were unable to report an estimated questioned costs amount for the interest. According to federal regulation [42 CFR 433.312(a)(1) and (2)], the Department has 1 year from the date of discovery of an overpayment to a provider to recover or seek to recover the overpayment before the Federal share must be refunded to CMS. In addition, the Department must refund the Federal share of overpayments at the end of the 1-year period following the date discovery of overpayment, whether or not the State has recovered the overpayment from the provider. According to federal regulation [42 CFR 433.320(a)(4)], if the Department does not refund the Federal share of such overpayment as indicated in the previous paragraph (a)(2), the State will be liable for interest on the amount equal to the Federal share of the non-recovered, non-refunded overpayment amount. Interest during this period will be at the Current Value of Funds Rate, and will accrue beginning on the day after the end of the 1-year period following discovery until the last day of the quarter for which the State submits a CMS-64 report refunding the Federal share of the overpayment. ? INACCURATE FEDERAL REPORTING. For all 13 Medicaid (100 percent) and all five CBHP (100 percent) overpayments we tested, the Controller?s Division reported the federal share of the overpayments made to providers on the wrong line of the CMS quarterly reports rather than on the line specified and required by Uniform Guidance. Uniform Guidance states that the Department must report the refund of the overpayment on CMS-64 for Medicaid on line 9C1- Fraud, Waste and Abuse and/or on CMS-21 for CBHP on line 4-Adjustments Decreasing Claims-Collections. ? EXPIRED CHECK AND UNTIMELY FOLLOW-UP. For one of the 13 Medicaid overpayments tested (8 percent), the PI Division failed to timely process the overpayment recovery check received from the provider. Consequently, the check, which was received on September 5, 2019, expired and the Department did not take any actions to follow up with the provider at any time through the end of the fiscal year to obtain payment. After we brought this issue to the Department?s attention, they followed up on the outstanding payment in January 2021, which is more than 16 months since the check expired. According to the Department?s Policies and Procedures, Recovery Officer Check Processing, Section (V)(A), the PI Division within Audits and Compliance has to process the received check in a timely manner and provide a copy to the accounting or Controller Division. ? INCOMPLETE TRACKING SPREADSHEET. We found that the overpayment recovery and refund tracking Spreadsheet used by the PI Division was incomplete and missing important information such as the date of the discovery, the federal program reimbursement rate, and deadlines for refunding to CMS. Green Book, Section 4, Paragraph OV4.08, states that documentation is required for the effective design, implementation, and operating effectiveness of an entity?s internal control system. WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls, including policies and procedures, in place over the recovery, reporting, and refunding of Medicaid and CBHP overpayments during Fiscal Year 2020 to ensure compliance with federal regulations. Specifically, we noted the following causes for the identified errors: ? LACK OF TRAINING. The staff within the PI Division and the Controller?s Division lacked adequate training to document, communicate, and report details of overpayments to ensure compliance with federal regulations. Specifically, the Department?s PI Division did not timely create and provide the Colorado Authorization Document form to the Controller?s Division and the Controller?s Division did not report the refund of the overpayments within 1 year of the date of discovery to ensure compliance with federal regulations. Additionally, staff lacked training to properly track and report overpayments for Medicaid and CBHP; timely process recovery and refund of overpayments, processing checks timely, and correctly report overpayments on CMS quarterly reports. ? LACK OF POLICIES AND PROCEDURES. The Department lacked written policies and procedures to ensure that all necessary information such as the date of the discovery, the federal program reimbursement rate, and deadlines for refunding to CMS required to track, recover, report, and refund overpayments were documented within the Spreadsheet. ? LACK OF ACCOUNT CODES. According to the Controller Division staff, the correct accounting codes are not set up in CORE; therefore, the recovered overpayments are currently recorded under incorrect accounting codes in CORE. This led to the reporting of overpayments on the incorrect federal reporting lines in CMS quarterly reports. ? LACK OF SUPERVISORY REVIEW. The PI Division and Controller?s Division lacked supervisory review over the Spreadsheet and CORE account codes used on the recoveries to ensure completeness and accuracy of information to support timely recovery, refund, and reporting of overpayments. WHY DO THESE PROBLEMS MATTER? Strong internal controls over refunding and recovery of Medicaid and CBHP overpayments, including written policies and procedures; adequate staff training on those policies and procedures, and any related processes; a proper tracking mechanism; and a supervisory review process are necessary to ensure that Department is in compliance with federal and state regulations. Without a proper tracking mechanism for overpayments, the Department risks failing to timely recover state funds paid improperly, refund overpayments, and accurately report overpayment information to the federal government, potentially resulting in additional liability of interest on overpayments to the federal government. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-037 The Department of Health Care Policy and Financing (Department) should improve its internal controls over Medicaid and Children?s Basic Health Plan (CBHP) overpayments and comply with the related payment and reporting requirements by: A Providing adequate training to staff to ensure timely documentation and communication of recovery information between the Program Integrity Division and the Controller Division related to reporting and refunding of overpayments within 1 year of the date of discovery in accordance with federal regulation. Additionally, the training should focus on proper tracking and reporting of overpayments for Medicaid and CBHP, timely processing of recovery of overpayments, timely check processing, and correct refunding of the federal share of these overpayments on Centers for Medicare and Medicaid Services (CMS) quarterly reports. B Developing and implementing written policies and procedures to ensure that all necessary information required to correctly track Medicaid and CBHP overpayments is included on the tracking spreadsheet and recovered overpayments are refunded and reported to CMS within the 1 year of the discovery date, in accordance with federal regulations. C Creating overpayment account codes to report recovered overpayments accurately in the Colorado Operations Resource Engine (CORE) and subsequently under the correct federal reporting lines in CMS quarterly reports. D Implementing a supervisory review over the tracking spreadsheet and CORE overpayment recovery account codes to ensure completeness and accuracy of information to support timely recovery and reporting of overpayments by the divisions. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will develop and provide training to staff that covers the federal regulations surrounding reporting overpayments and returning the federal share, required information for tracking overpayments, processes for processing recovered funds in a timely manner, and processes for properly refunding the federal share on the CMS-64 and/or CMS-21. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will draft and revise existing policies and procedures to ensure proper tracking of recovered overpayments, timely processing of those payments, and correct reporting on the CMS-64 and/or CMS-21. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will implement procedures and coding sufficient to allow proper reporting of overpayments returned greater than one year from the date of discovery for the CMS quarterly reports. D AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will develop and revise supervisory review processes for ensuring that the tracking spreadsheet is complete and accurate and that the CORE account codes are correctly reported.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2020-051 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-038 PRESUMPTIVE ELIGIBILITY Colorado?s presumptive eligibility program is designed to give immediate, temporary medical coverage to children under 19 and pregnant women while they wait for a regular Medicaid or CBHP eligibility determination. Though there are fewer eligibility requirements for presumptive eligibility in comparison with regular Medicaid or CBHP coverage, beneficiaries must submit a Medical Assistance application (Application) and meet certain criteria to be eligible. To manage the application process and help ensure that only people meeting the basic eligibility criteria are enrolled in presumptive eligibility programs for children and pregnant women, the Department partners with clinics, health care centers, and community resource centers that are certified as presumptive eligibility sites (PE sites). Such PE sites must be re-certified by the Department every 2 years to maintain their active status as qualified PE sites in order to process presumptive eligibility. As part of the re-certification process, the Department conducts a sample of eligibility case reviews. During Fiscal Year 2020, there were 57 PE sites that together determined presumptive eligibility for 1,795 Medicaid cases and 875 CBHP cases. The process of enrolling an applicant into a presumptive eligibility program begins when a caseworker at a PE site collects minimum information needed to determine presumptive eligibility, including the applicant?s name, age, residency, citizenship, and income. The caseworker enters this information into CBMS, which determines whether the applicant is eligible to receive Medicaid or CBHP temporary benefits. If the applicant is deemed presumptively eligible, then CBMS feeds relevant data to Colorado interChange, which issues payments to CBHP and Medicaid providers on behalf of these beneficiaries. If the applicant?s reported information is not in compliance with state and federal requirements, CBMS is programmed to deny the eligibility and mark the applicant?s eligibility as fail within CBMS. As a result, the applicant would not be eligible to receive any payments on their behalf through Colorado interChange. Once an applicant?s presumptive eligibility has been determined, the PE site submits the Application along with a transmittal form detailing the beneficiary?s reported information to the appropriate local county or designated MA site, which then completes the application process to determine regular (i.e., not presumptive) eligibility for Medicaid or CBHP benefits. Once the applicant is enrolled in the regular Medicaid or CBHP program, the individual?s presumptive eligibility benefits should end. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to review the Department?s internal controls over the processing of presumptive eligibility for Medicaid and CBHP programs, as well as to determine whether the Department complied with the applicable federal and state requirements for Fiscal Year 2020. During our internal controls testing, we reviewed all 57 PE sites to determine whether they were due for re-certification and were appropriately re-certified to process presumptive eligibility by the Department during the fiscal year. Out of 57 PE sites, 39 were due for re-certification during Fiscal Year 2020. We also reviewed the Department?s case reviews of the presumptive eligibility determinations processed by 13 staff at five out of the 39 PE sites due for re-certification during Fiscal Year 2020 to determine whether reviews were performed and if the appropriate training was provided for those PE sites? staff that failed the Department?s review. The PE site?s staff fails the Department?s case reviews if the Department identifies a high amount of presumptive eligibility determination errors in accordance with federal and state requirements. If the PE site?s staff fails the review, the Department requires the staff to undergo customized Department training over the areas they failed within 6 months of the review. We also made inquiries with Department staff regarding their policies and procedures over monitoring of these PE sites and reviewed the Department?s process of case file reviews. In addition, we randomly selected a sample of 20 Medicaid and 20 CBHP cases for individuals who were deemed presumptively eligible by the Department during Fiscal Year 2020 to determine whether the Department complied with federal Medicaid and CBHP presumptive eligibility requirements. Our testing included reviewing the related supporting case file documentation, as well as the CBMS data fields related to presumptive eligibility determinations and payment information in Colorado interChange. The process followed for presumptive eligibility determination is the same for both Medicaid and CBHP, and therefore our testing was used to determine compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal and state regulations regarding Medicaid and CBHP presumptive eligibility requirements during Fiscal Year 2020. We noted issues regarding the Department?s timeliness of PE sites? re-certifications, failure to timely end beneficiaries? presumptive eligibility, a lack of review of PE sites, and missing documentation. Additionally, we found CBMS system issues related to the determination of applicant?s presumptive eligibility. Specifically, we identified the following: ? UNTIMELY END OF PRESUMPTIVE ELIGIBILITY. In eight out of 20 Medicaid (40 percent) and seven out of 20 CBHP (35 percent) cases, we found that the Department did not properly end presumptive eligibility within CBMS as required by the federal regulation. For example, in one CBHP case, the beneficiary?s presumptive eligibility did not end until 57 days after the beneficiary was determined to be eligible for regular CBHP benefits. Federal regulation [42 CFR 435.1101)] states that presumptive eligibility should end the day on which a decision is made on the application for Medical Assistance or the last day of the month following the month in which the determination of presumptive eligibility was made. ? LAPSED CERTIFICATIONS OF PE SITES. We found that five of the 57 PE sites (9 percent) were not re-certified within 2 years, as required, during Fiscal Year 2020, and therefore, were not qualified to make presumptive eligibility determinations after their re-certification due date had passed. Based on inquiry with the Department, these five PE sites processed a total of 314 presumptive eligibility determinations for Medicaid and CBHP after their re-certification due date during Fiscal Year 2020. The Department was unable to provide the total payments made on behalf of these beneficiaries during the presumptive eligibility period as of June 30, 2020, since these payments are not separately identified from regular Medicaid or CBHP payments in the system. As a result, we were unable to determine the amount of questioned costs the Department paid for these individuals during Fiscal Year 2020. State regulation [10 CCR 2505-10, 8.100.4.F (3)] requires the Department to re-certify the PE sites every 2 years to remain an approved site. ? LACK OF REVIEW OF PE SITES. We found several issues with the Department?s review of PE sites. Specifically we found the following: ? For 13 out of the 39 PE sites due for re-certification and a review (33 percent), the Department did not perform any case reviews to ensure that presumptive eligibility determinations were being made appropriately and in accordance with state and federal regulations by the PE site staff during Fiscal Year 2020. ? 11 of 13 staff at three PE sites (85 percent) failed the Department?s review of presumptive eligibility determinations during the fiscal year. However, the Department was unable to provide adequate evidence that it provided training to these staff within 6 months of their failed reviews, as required by Department processes. ? Currently, for all 57 PE sites, the Department conducts reviews every 2 years, but only requires them to retain eligibility documentation for 1 year. As a result, the Department is able to monitor PE site?s eligibility determinations for only half of the period since the last review, leaving the other half unmonitored. Federal regulation (42 CFR 435.1102(b)(3)) requires the Department to ?establish oversight mechanisms to ensure that presumptive eligibility determinations are being made consistent with the statute and regulations?. According to the Department processes, staff are to review a sample of presumptive eligibility cases at PE site every 2 years when reviewing sites for re-certification. If a PE site?s staff fails a review, the Department requires the staff to undergo customized Department training within 6 months over the areas they failed. Green Book, Section 2, Paragraph OV2.02, states that the Green Book applies to all of an entity?s objectives: operations, reporting, and compliance. Additionally, Green Book, Paragraph 16.01, indicates that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports and observing operations. ? MISSING DOCUMENTATION. In five of the 20 CBHP cases (25 percent) and five of the 20 Medicaid cases (25 percent) we tested, the Department was unable to provide evidence that the PE sites notified the counties or MA sites within five business days that the applicants were presumptively eligible. Federal regulation [42 CFR 435.1102(b)(2)(iii)] states that the presumptive eligibility sites are required to notify the local county or MA site within 5 business days that the client is presumptively eligible. ? SYSTEM DISPLAY ISSUE. In two of 20 CBHP cases (10 percent) and two of 20 Medicaid cases (10 percent), CBMS did not display the presumptive eligibility termination dates consistently between various screens. For example, in a Medicaid case, one screen showed a presumptive eligibility termination date of January 22, 2020, and the other screen showed a presumptive eligibility termination date of February 29, 2020. This system display issue did not affect the beneficiaries? presumptive eligibility and therefore there were no questioned costs. CBMS is designed to display case and applicant information consistently between various screens within the system. WHY DID THESE PROBLEMS OCCUR? The Department lacked sufficient internal controls to ensure that it complied with state and federal presumptive eligibility requirements during Fiscal Year 2020. Specifically, we noted the following causes for the errors we identified: ? LACK OF POLICIES AND PROCEDURES. The Department did not have written policies and procedures detailing the requirements for completion of site reviews, maintenance of supporting documentation, and the performance of timely re-certification of PE sites. ? LACK OF MONITORING. The Department lacked an effective tracking mechanism to monitor and identify PE sites that were due for re-certification every 2 years and to ensure presumptive eligibility determinations were in compliance with state and federal regulations. ? CBMS SYSTEM ISSUES. CBMS was not programmed to appropriately terminate presumptive eligibility when the beneficiary is enrolled in the regular Medicaid or CBHP program. In addition, CBMS has a system display issue that results in inconsistent applicant information being shown on various screens. WHY DO THESE PROBLEMS MATTER? As the State?s Medical Assistance agency, it is essential for the Department to ensure that PE sites? eligibility determinations are made appropriately and in accordance with state and federal regulations. This includes ensuring benefits are paid only on behalf of eligible beneficiaries. Since CBMS determines eligibility for Medicaid and CBHP, the CBMS system issues we identified could result in erroneous eligibility determinations. The federal government can disallow federal funds for program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. By not ensuring that appropriate internal controls, including system controls, written policies and procedures, adequate reviews, and monitoring, are in place over the Medicaid and CBHP presumptive eligibility process, the Department cannot ensure that all Medicaid and CBHP beneficiaries are eligible to participate in the programs. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-038 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls over presumptive eligibility by: A Developing and implementing written policies and procedures detailing the requirements for completion of site reviews, maintenance of supporting documentation, timely training for failed presumptive eligibility (PE) site staff, and performance of timely re-certification of PE sites. B Developing an effective tracking mechanism to identify and monitor PE sites that are due for re-certification every 2 years and ensuring the re-certifications are performed. C Resolving Colorado Benefits Management Systems (CBMS) programming and system issues to appropriately terminate applicants? presumptive eligibility when the beneficiaries are enrolled in regular Medicaid or Children?s Basic Health Plan program and ensuring CBMS displays consistent applicant information between various screens. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department agrees with the audit recommendation to develop and implement formal written policies and procedures. Prior to this audit, the Department began creating formal written policies and procedures for site case reviews, maintenance of supporting documentation, timely training for failed workers, and performance of timely re-certification of presumptive eligibility sites (PE site). This finding had no known questionable cost associated with it. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Department agrees with the audit recommendation to develop an effective tracking mechanism to identify and monitor PE sites that are due for re-certification every two years and ensuring that the re-certifications are performed. Prior to this audit, the Department began developing a tracking mechanism for PE site re-certifications. This finding had no known questionable cost associated with it. C AGREE. IMPLEMENTATION DATE: IMPLEMENTED. Implemented as of April 2021. The Department has thoroughly researched the eligibility issues identified in this audit and made the changes to CBMS to ensure that applicants? presumptive eligibility has been appropriately terminated when the beneficiaries are enrolled in regular Medicaid or CBHP program, and that CBMS displays consistent applicant information between various screens. These issues were fixed through two system changes implemented in March 2020 and April 2021. This finding had no known questionable cost associated with it. AUDITOR?S ADDENDUM for Parts A, B, and C As noted in the finding, we found five PE Sites that were not re-certified within the required 2 years and therefore, were not qualified to make presumptive eligibility determinations after their re-certification due date had passed. State regulation [10 CCR 2505-10, 8.100.4.F] requires the Department to re-certify the presumptive eligibility sites every 2 years to remain an approved site. The five PE sites processed a total of 314 presumptive eligibility determinations after their re-certification due date and before the Department re-certified the sites. The Department was unable to provide the total payments made on behalf of these 314 beneficiaries? prior to being enrolled in the regular Medicaid or CBHP program as of June 30, 2020. Therefore, we were unable to determine the amount of questioned costs the Department paid for these individuals during Fiscal Year 2020.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2020-052 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-039 PROVIDER ELIGIBILITY The providers of medical and related services covered under Medicaid and CBHP programs fall into a wide array of provider types that include clinics, hospitals, independent physicians, and medical technicians, as well as managed care organizations and health plans that contract with medical providers. As of June 30, 2020, approximately 76,960 entities and individuals were enrolled with the Department to provide services under Medicaid and CBHP. Although the Department is ultimately responsible for ensuring that only eligible providers participate in the Medicaid and CBHP programs, the Department has contracted with a fiscal agent to perform certain provider-enrollment and claims-processing activities, including accepting, processing, evaluating, and approving or rejecting applications. Providers that want to enroll must complete an online application within Colorado interChange and provide documentation, including a current medical license, showing that they fulfill all enrollment requirements based on their provider type. The fiscal agent is contractually responsible for evaluating the application and the relevant supporting documentation to ensure compliance with all state and federal enrollment requirements. The Department is responsible for maintaining current provider information in Colorado interChange. Once the enrollment process is complete, the Department enters into agreements with the providers that are found to be eligible. In December 2019, the Department added a Department of Regulatory Agencies (DORA) license database interface within Colorado interChange in order to provide a mechanism for updating the provider?s medical license information including the expiration dates within Colorado interChange for any expired provider licenses. Department staff indicated that the provider licenses are manually reviewed at the time of enrollment by the fiscal agent and marked as active, meaning the providers are eligible to participate in the Medicaid and/or CBHP programs. On a monthly basis, the fiscal agent manually runs a report from the DORA database to identify the provider?s medical licenses that are about to expire and updates the renewed license information in Colorado interChange. If a provider?s license is expired, then the fiscal agent marks the provider for a review. Furthermore, the Department?s Program Integrity (PI) Division checks the DORA?s website monthly to determine if any action such as suspensions or revocations of licenses have been taken against a provider?s medical license. If the action taken against the provider affects the provider?s ability to participate in Medicaid or CBHP for a certain period, the PI Division then determines if the provider should be placed on a temporary restriction by suspending any payments, or be terminated within Colorado interChange to stop payments to the provider. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over the enrollment and eligibility determinations of providers for Medicaid and CBHP services and to determine whether the Department complied with federal Medicaid and CBHP provider eligibility requirements during Fiscal Year 2020. Additionally, we assessed the Department?s progress in implementing our Fiscal Year 2019 recommendation related to provider eligibility and enrollment. At that time, we recommended that the Department improve its controls in this area to ensure that it complies with federal and state requirements related to data verification and maintenance of documentation, such as current provider licenses, to ensure payments are only made to eligible providers. We also obtained a detailed Suspension Listing from DORA, which contained provider medical licenses that were suspended during Fiscal Year 2020. We compared this Suspension Listing with provider information within Colorado interChange to determine whether the Department paid any providers with suspended licenses for claims during the fiscal year. We reviewed a sample of 45 provider applications for providers that were deemed eligible and received Medicaid and CBHP payments during Fiscal Year 2020 through Colorado interChange. We obtained and reviewed provider application information and relevant supporting documentation within Colorado interChange to determine whether these providers were accurately deemed eligible to receive Medicaid and CBHP payments and whether the required documents were maintained, in accordance with federal and state regulations. In addition, we conducted interviews with Department staff regarding its procedures over Medicaid and CBHP provider eligibility and enrollment. In March 2020, the Governor issued executive orders waiving Medicaid and CBHP provider licensing requirements for providers whose licenses expired during the COVID-19 PHE; as a result, our testwork was split into two periods of testing: (1) July 1, 2019, through February 29, 2020, and (2) March 1, 2020, through June 30, 2020. The process followed for provider eligibility and enrollment is the same for both Medicaid and CBHP providers, and our testing was used to determine compliance for both programs. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? We applied the following criteria during our testing: ? FEDERAL REGULATION [42 CFR 455.412] requires that the Department have a method for verifying that any provider purporting to be licensed in accordance with the laws of any state is licensed by such state and confirm that the provider?s license has not expired and that there are no current limitations on the provider?s license. This federal regulation requires the Department to verify that the providers meet required licensure standards initially, and it is best practice for the Department to verify that the providers meet these standards on an ongoing basis to ensure that there are no current limitations on the provider?s license. In May 2021, CMS provided clarification to the Department that ?not every condition on a provider?s license would be considered a limitation? and the PI Division within the Department needs to ?document in writing their determination to keep a provider enrolled when a license limitation does not restrict the provider?s ability to render services to Medicaid and CBHP beneficiaries to be in compliance with federal regulation.? ? STATE REGULATIONS [10 CCR 2505-10, 8.125.9 A AND B] require for current medical provider licenses, if a provider is required to possess a license or certification in order to provide services or supplies in the State, then that provider must be so licensed as a condition of enrollment as a Medicaid provider. As a condition of enrollment, any required licenses must be active without any current limitations. ? DEPARTMENT POLICY AND PROCEDURE. Provider Licensure Sanction Monitoring, Section III. A., states that in order for a provider to be eligible to render and bill for services, the provider must have an active license. ? FEDERAL CMS REQUIREMENTS [Sub Regulatory Guidance for State Medicaid Agencies (SMA): Revalidation (2016-001 (3))] state the Department must be able to produce documentation to support each of the provider screening and enrollment requirements under 42 CFR 455 Subpart E, including documentation of the most current license to ensure the provider remains eligible to provide services. ? CONTRACT REQUIREMENTS. According to the contract agreement with the fiscal agent, the fiscal agent is required to maintain detailed documentation to support each of the provider screening and enrollment requirements, including documentation of the provider?s most current license to ensure the provider remains eligible to provide services for Medicaid and CBHP. ? FEDERAL REGULATION [45 CFR 75.303(a)] requires that the Department, as a recipient of federal funds, must establish and maintain effective internal control over its federal awards that provides reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Green Book, Paragraph 16.01, which states that the Department ?should establish and operate monitoring activities to monitor [its] internal control system and evaluate the results.? Monitoring activities include reviewing reports, observing operations, and ensuring that activities are carried out in accordance with the federal grant agreement(s). WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We found that the Department did not fully comply with federal and state regulations for Medicaid and CBHP provider eligibility during Fiscal Year 2020. The specific issues we identified through our analyses of Medicaid and CBHP provider license data and case file reviews are outlined in more detail throughout this section. ELIGIBILITY ISSUES IDENTIFIED THROUGH DATA ANALYSES INELIGIBLE PROVIDERS?SUSPENDED LICENSES OR LICENSE WITH LIMITATIONS. Based on our comparison of the suspended provider license listing from DORA and provider information within Colorado interChange, we identified 13 ineligible providers who had their license suspended or had a license with limitations for part of Fiscal Year 2020, but continued to be shown as active, which means eligible, in Colorado interChange, as follows: ? 13 providers had their licenses suspended by DORA during Fiscal Year 2020; however, instead of terminating these providers in accordance with federal and state regulations, the Department marked these providers as active within Colorado interChange. For four of the 13 providers, the Department did not take any action to prevent them from billing for services during the year. For the remaining nine providers, the Department placed billing restrictions on the providers after DORA?s suspension date. Specifically, for six of these nine providers, the Department placed billing restrictions on the providers within 1 to 2 months and for the remaining three providers, placed the billing restrictions on the providers between 3 to 12 months after DORA?s suspension date. Based on additional testing, we determined that no payments were made to these providers after their licenses were suspended by DORA and therefore, we did not identify any questioned costs associated with these providers. ? One provider had its license listed as active with conditions on DORA?s website from April 10, 2020, through June 30, 2020, but the Department did not terminate the provider due to current limitations on the license; instead, the provider was marked as active in Colorado interChange and continued to bill claims and receive payments during the fiscal year. We determined that the provider?s current license limitations did not restrict the provider?s ability to render services. Therefore, the provider was eligible and no questioned costs were noted. However, the Department did not document their determination to keep this provider enrolled with current license limitations. In addition, we noted that this provider?s license expired in Colorado interChange as of October 2016, however, DORA?s website showed the provider with an active license, or license with limitations, during Fiscal Year 2020. The fiscal agent did not update license information as required by the contract. ELIGIBILITY CASE FILE ISSUES MISSING DOCUMENTATION AND LICENSE INFORMATION. For five of 45 providers (11 percent), the Department did not ensure that the fiscal agent maintained the support of the most current medical license information as of June 30, 2020, within Colorado interChange to demonstrate that the provider was eligible to provide services. After we brought the issue to the Department?s attention, the Department provided the documentation. Additionally, for two of these five providers, we found that the medical license information maintained by the fiscal agent in Colorado interChange differed from the license information contained in the DORA database. For example, in one case, the provider?s license showed an expiration date of September 30, 2019, in Colorado interChange, while the accurate license expiration date in DORA?s database was September 30, 2021. Without the most current license information, the fiscal agent cannot appropriately verify ongoing eligibility for the providers. WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls in place over the provider eligibility process during Fiscal Year 2020 to ensure that it complied with federal and state regulations. ? INEFFECTIVE REVIEW OF PROVIDER LICENSES. The Department lacks an effective review process to ensure the license information in DORA?s database matches the license information in Colorado interChange in order to identify suspended providers, to document their determination to keep a provider enrolled with license limitations, and providers with expired licenses. In addition, the Department?s manual review did not ensure that suspended providers, providers with license limitations and providers with expired licenses were terminated and restricted in a timely manner. ? POLICIES AND PROCEDURES NOT UPDATED. The Department did not obtain CMS guidance until May 2021 to document their determinations to keep providers with license limitations enrolled when a license limitation did not restrict provider?s ability to render services. Therefore, the Department?s current policies and procedures are not updated to match CMS guidance. ? LACK OF EFFECTIVE TRAINING AND MONITORING. The Department was not effectively training and monitoring its fiscal agent to ensure that copies of active medical licenses are maintained within providers? files in Colorado interChange. Additionally, the fiscal agent did not properly update the provider?s license information in Colorado interChange to match the DORA database during Fiscal Year 2020. WHY DO THESE PROBLEMS MATTER? By not ensuring that appropriate internal controls, including policies and procedures, reviews, training, and monitoring, are in place over the Medicaid and CBHP provider eligibility process, the Department cannot ensure that all Medicaid and CBHP providers are eligible to participate in the programs. Additionally, without an effective review process to update provider licensure information within Colorado interChange, the Department cannot ensure that the enrolled providers are eligible to receive payments. Ensuring that providers contained in Colorado interChange are eligible to provide services is especially important to prevent any improper payments. Overall, the State could risk losing federal Medicaid and CBHP funding if it allows ineligible providers to bill and be paid for services provided for these programs. Furthermore, the State may lose federal Medicaid money if the Department does not recover any of the payments made to ineligible providers. State statute [Section 25.5-4-301(2), C.R.S.] indicates that any overpayments of claims to providers are recoverable. These overpayments ?shall be recoverable regardless of whether the overpayment is the result of an error by the state department, a county department of social services, an entity acting on behalf of either department, or by the provider or any agent of the provider.? See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-039 The Department of Health Care Policy and Financing (Department) should improve its internal controls over the Medicaid and Children?s Basic Health Plan provider eligibility determination to ensure that it complies with federal and state requirements by: A Improving the Department?s review process of provider licenses to ensure the license information in the Department of Regulatory Agencies (DORA) license database matches the license information in the Colorado interChange system and ensuring timely termination and imposing restrictions for the provider?s whose licenses are suspended or expired. B Updating the current policies and procedures to match Centers for Medicare and Medicaid Services guidance to ensure there is adequate documentation of the determinations for providers with license limitations. C Effectively training and monitoring its fiscal agent to ensure that copies of active licenses are maintained and provider license information in the Colorado interChange system matches the information in DORA?s license database. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will update its policies and procedures to ensure that the process for reviewing whether a license action requires termination or a restriction in the Colorado interChange, is documented and implemented in a timely manner to prevent payments to ineligible providers. As noted in OSA's finding, it is best practice for the Department to verify providers meet these standards on an ongoing basis between initial enrollment and revalidation to ensure there are no current limitations on the provider?s license, including those that have expired. The Department?s previous process was discontinued due to data matching issues between DORA and the Colorado interChange. However, letters continue to be sent to providers with upcoming expiring licenses prompting them to add current license information to their provider file. The Department plans to implement a system change that will make the data feed from DORA functional and install a front-end claims edit that will prevent claims from providers with an expired license from paying. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will update its policies and procedures to ensure that all determinations made on whether a provider has a limitation on its license are properly documented. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department has an established process to train and monitor its fiscal agent. The Department will continue to monitor the Fiscal Agent through reports, meetings, and quarterly audit review processes. The Department and the Fiscal Agent will continue to collaborate to improve the process in which required documentation is collected and maintained.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-054 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-041 MEDICAID ELIGIBILITY?MISSING SOCIAL SECURITY NUMBERS A beneficiary?s application includes information such as a Social Security Number (SSN), birth certificate, and supporting documentation for income. Local counties and MA sites are responsible for administering the benefits application process, entering the required data for eligibility determination into CBMS, and approving or denying applicants? eligibility. For example, Medicaid caseworkers enter and document each applicant?s SSN into CBMS. Caseworkers determine participants? eligibility to receive Medicaid benefits through CBMS. The CBMS eligibility data, including SSNs, feeds into Colorado interChange, which pays providers for the services they render to Medicaid beneficiaries. If there is a change to an SSN, including removing an SSN in CBMS, this change should feed directly into Colorado interChange. Additionally, children in foster care are automatically eligible for Medicaid; the TRAILS system that supports the foster care program at the Department of Human Services also interfaces with Colorado interChange on a daily basis to update foster care beneficiaries? eligibility information and pay providers for the services rendered. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls that were in place over the Medicaid eligibility process during Fiscal Year 2019, and to determine whether the Department complied with federal and state Medicaid requirements during this timeframe. During our audit, we requested a list of all Medicaid claims for medical services that were submitted and paid through Colorado interChange from July 1, 2018, through March 31, 2019. This list included claims made on behalf of approximately 1.1 million beneficiaries. We analyzed the data to identify any Medicaid claims payments made during July 1, 2018, through March 31, 2019, on behalf of beneficiaries who did not have an SSN in Colorado interChange on the date of the claims payment, and found a total of 524,092 claims paid on behalf of 46,772 beneficiaries. From this listing, we excluded any of the claims payments made on behalf of a beneficiary who was exempted from providing an SSN under federal and state regulations. For example, we removed claims payments for beneficiaries who were under the age of 1; beneficiaries who were in foster care and, therefore, were automatically deemed eligible for Medicaid; beneficiaries who had applied to the Social Security Administration for an SSN at the time of the payment; beneficiaries who received medical care as an emergency service; and beneficiaries who had chosen to opt out of providing an SSN due to allowed religious reasons. After we removed these exempted beneficiaries from the population, the list included 2,870 beneficiaries that appeared to be missing an SSN in Colorado interChange and who had Medicaid claims payments made on their behalf from July 1, 2018, through March 31, 2019. We then reviewed these remaining beneficiaries, and the related separate payments made on their behalf during this time period, to determine whether these beneficiaries had an SSN in Colorado interChange at the time of the claims payments and whether the individuals were eligible for Medicaid benefits in accordance with federal regulations and Department procedures. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? SSN REQUIREMENTS. Federal regulations [42 CFR 435.910 and 42 CFR 435.117(b)] state that the Department must require an SSN for each individual requesting Medicaid benefits, with the exception of newborns under the age of 1, or ?Eligible Needy Newborns,? and individuals who refuse ?to obtain an SSN because of well-established religious objections.? Federal regulation [42 CFR 435.145(b)(2)] states that the Department must provide Medicaid benefits to individuals who are in the foster care program. Section 472 of the Social Security Act does not require a child to provide an SSN in order to be eligible for the foster care program. State regulations [10 CCR 2505-10 8.100.3.I.1, 8.100.4.B.1.a, and 8.100.4.G.7.a] also require that every individual who applies for and receives Medicaid benefits must provide an SSN, or an application for an SSN, with their application for Medicaid. The regulation specifically states: An applicant?s or client?s refusal to furnish or apply for a Social Security Number affects the family?s eligibility for assistance as follows: i) that person cannot be determined eligible for the Medical Assistance Program; and/or ii) if the person with no SSN or proof of application for SSN is the only dependent child on whose behalf assistance is requested or received, assistance shall be denied or terminated. The regulation also states that newborns under the age of 1 and ?members of religious groups whose faith will not permit them to obtain Social Security Numbers shall be exempt from providing a Social Security Number.? Eligibility data, including SSNs, is required to be collected and entered into CBMS at the time of application or upon another event, such as the beneficiary turning 1 year old. Because this information is maintained within CBMS, and CBMS feeds eligibility information into Colorado interChange, eligible beneficiaries should have an SSN in Colorado interChange. MONITORING. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in the Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). Green Book Paragraph 16.01, Perform Monitoring Activities, states the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. TRAINING. Department training procedures indicate that when a local county or MA site caseworker needs to update an SSN in CBMS, he or she must call the Office of Information Technology (OIT) Service Desk within the Office of the Governor, for approval of the change. According to Department staff, once the OIT Service Desk reviews and approves the change, the information will be updated within CBMS; if the OIT Service Desk does not approve the change to the SSN, then the updated information will be rejected within CBMS. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We identified 2,870 beneficiaries who were required to have an SSN but did not have an SSN documented in Colorado interChange and had Medicaid claims paid on their behalf sometime between July 1, 2018, and March 31, 2019. In total, Colorado interChange paid approximately $4,540,920 in Medicaid claims for these beneficiaries during the time period noted. In August 2019, we informed the Department of the issues we identified and Department staff performed additional follow-up based on our findings, which included analyzing information contained in CBMS compared to our results from Colorado interchange; the Department confirmed in January 2020, the Department confirmed that 1,590 of these beneficiaries had never had an SSN recorded in CBMS since they were first found eligible for Medicaid benefits, and therefore, would never have had an SSN in Colorado interChange. Because these individuals were required by federal and state regulations to provide an SSN at the time of application or upon another event, as applicable, the lack of documented SSNs in both CBMS and Colorado interChange indicated that these individuals appeared to be ineligible for the Medicaid claims payments that were made on their behalf during the fiscal year. The Department indicated that the remaining 1,280 beneficiaries without an SSN in Colorado interChange did not have an SSN in CBMS at the time of the claim but had an SSN ?at some point? during Fiscal Year 2019 or prior within CBMS. Since the individuals lacked an SSN within Colorado interChange at the time of the Fiscal Year 2019 claims payments, and based on the documentation provided by the Department, we were unable to determine whether the individuals had submitted an SSN at the time of application or upon another event as required and, therefore, whether they were eligible for the Medicaid services they received. Overall, for the 1,590 beneficiaries noted, we identified known questioned costs of $2,285,757 for the period of July 1, 2018, through March 31, 2019; $1,142,879 of these costs were paid with federal grant funds. For the 1,280 beneficiaries noted, we identified likely questioned costs of $2,255,163 for the period of July 1, 2018, through March 31, 2019. We further analyzed 49 of the 1,590 beneficiaries noted above to identify reasons for missing SSNs and found that: ? Beneficiaries in CBMS were not eligible; however, they were marked as ?eligible? within Colorado interChange. ? Beneficiaries were incorrectly enrolled in the Eligible Needy Newborn Program even though they were all over the age of 1; as a result, although the Department had not required them to provide an SSN, they continued to receive benefits during July 1, 2018, through March 31, 2019. ? Beneficiaries were exempted from obtaining an SSN for unallowable reasons including ?incomplete documents? and ?illness? categories, and CBMS processed their eligibility and Colorado interChange made payments on their behalf; however, neither federal nor state regulations allow such exemptions. The Department has indicated that they are performing additional research on the issues regarding the 1,280 beneficiaries that had an SSN ?at some point? during Fiscal Year 2019 or prior within CBMS. WHY DID THESE PROBLEMS OCCUR? For 1,280 beneficiaries identified who were missing an SSN in Colorado interChange and CBMS at the time of the claim, but had an SSN ?at some point? within CBMS during Fiscal Year 2019 or prior, the Department provided the following possible explanation: The SSN was removed due to caseworkers failing to contact the OIT Service Desk for proper approval for changes to SSN information in CBMS. Other problems with missing SSNs were related to: ? CBMS ISSUES. CBMS was not programmed to appropriately deny an applicant?s eligibility for Medicaid when the individual did not have an SSN in CBMS and did not have an allowed exception noted in CBMS. Rather, CBMS allowed the SSN field to be left blank, regardless of the reason noted for the missing SSN and whether the reason was allowed as an exemption by federal and state regulations. In addition, the SSN in CBMS could be deleted at any time by the caseworker or the OIT Service Desk and CBMS was not programmed to alert the caseworker to follow up if an SSN had been deleted from the file. ? SYSTEM INTERFACE ISSUES AND LACK OF A RECONCILIATION PROCESS. CBMS was not interfacing with Colorado interChange appropriately to update beneficiaries? eligibility information. Some beneficiaries who were deemed ?ineligible? for Medicaid in CBMS were listed as ?eligible? in Colorado interChange and payments were made on their behalf during the fiscal year. Furthermore, the Department lacked an effective internal control process for reconciling Medicaid beneficiaries? eligibility information in CBMS to the eligibility information in Colorado interChange to ensure that the information was consistent in both systems, and that the beneficiary was appropriately deemed either ?eligible? or ?ineligible? in accordance with federal and state regulations. ? LACK OF EFFECTIVE REVIEWS, TRAINING, AND MONITORING. The Department was not effectively monitoring and training Medicaid local county and MA site caseworkers on required approvals for any changes to beneficiaries? SSNs. Further, the Department did not have an effective review process to ensure that beneficiaries were enrolled in the correct Medicaid program. WHY DO THESE PROBLEMS MATTER? As the state Medicaid agency, it is essential for the Department to ensure that Medicaid eligibility determinations are made appropriately and in accordance with state and federal regulations. This includes ensuring accurate processing of information used to determine Medicaid eligibility results in Medicaid benefits being provided to and paid on behalf of only eligible individuals. Since CBMS and Colorado interChange determine eligibility and issue payments on behalf of other federal programs, such as the CBHP, these issues could result in erroneous eligibility determinations or payments for other programs. Ultimately, the federal government may disallow federal funds for Medicaid program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2019-043 The Department of Health Care Policy and Financing should improve its internal controls over Medicaid eligibility by: A Researching and, if feasible, instituting a mechanism for identifying Medicaid cases in the Colorado Benefits Management System (CBMS) that lack a Social Security Number. B Researching and resolving CBMS and Colorado interChange interface issues to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries and establishing an effective reconciliation process between CBMS and Colorado interChange to ensure that Medicaid beneficiaries? eligibility information is consistent in both systems. C Effectively training and monitoring local counties and Medical Assistance sites to ensure that caseworkers are obtaining and documenting the Office of Information Technology Service Desk?s approval for changes to beneficiaries? Social Security Numbers, and that beneficiaries are enrolled in the correct Medicaid program. D Researching the cases identified in our audit to determine whether these beneficiaries were eligible and that the payments made on their behalf were appropriate, in accordance with federal and state regulations. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The CBMS currently has functionality in place for members requesting Medical Assistance that they must supply a Social Security Number (SSN) unless they meet certain acceptable exceptions at initial application. Since CBMS is a shared system between the Department and the Department of Human Services and any change would impact all cases in CBMS, the Department cannot guarantee that a system change can be implemented. The Department can agrees to research on the feasibility of instituting a mechanism for identifying Medicaid cases in CBMS that lack a social security number and, if feasible, implement a CBMS change by July 2022. B AGREE. IMPLEMENTATION DATE: JULY 2021. The Department agrees to research and resolve Colorado Benefits Management System (CBMS), and Colorado interChange system interface issues identified in the audit. The Department implemented a system change in June of 2018 that allows retroactive changes in eligibility to be correctly synced between the systems. The majority of the impacted cases are historical cases that will be manually corrected by June 2020. Additional cases involve detailed research, review, and potential outreach to case workers to correct the case file or verify the eligibility status of the impacted members. The Department will take the appropriate actions to notify impacted members if necessary. The Department's implementation date reflects that the Department will be in compliance with the Recommendation for the entirety of FY 2021-22. C AGREE. IMPLEMENTATION DATE: JULY 2021. The Department provides training to counties and Medical Assistance sites that beneficiaries applying for Medical Assistance must supply a Social Security Number (SSN) or supply verification that they have applied for an SSN, unless they meet certain acceptable exceptions. This information has been communicated to the counties since 2004 and is part of our ongoing training materials. The Department cannot agree to establish any additional review process at this time. The Department can agree to work with counties and Medical Assistance sites to identify any additional training related to missing SSN and implement additional training by July 2021. D DISAGREE. The Department disagrees with the Total Known Questioned Costs of $2,285,757 identified in the audit report since Department cannot verify the results. The Department is still attempting to reconcile various reports to understand the finding identified through this audit. CBMS currently has functionality in place for members requesting Medical Assistance that they must supply a Social Security Number (SSN), unless they meet certain acceptable exceptions at initial application. The Department does not have the resources to research the thousands of cases that the auditor identified through data mining techniques, a new methodology for the first time this year. If the auditor is changing methodologies, the Department requires additional resources and timely notice to request resources through the budget process. AUDITOR?S ADDENDUM: The beneficiaries identified through our testing were required by Medicaid regulations to provide an SSN at the time of application or upon another event, as applicable, and the SSN is documented in CBMS and uploaded to Colorado interChange [State regulations 10 CCR 2505-10, 8.100.3.I.1 and 8.100.4.B.1.a and 8.100.4.G.7.a]. Because the noted beneficiaries lacked an SSN within Colorado interChange at the time claims payments were made on their behalf, we questioned the beneficiaries? eligibility. The Department is responsible for ensuring that only individuals who are appropriately deemed eligible for Medicaid receive benefits. Therefore, it is the Department?s responsibility to identify and remove ineligible individuals from the Medicaid program and to prevent the inappropriate payment of claims on their behalf. In addition, generally accepted government auditing standards (GAGAS) (paragraph 3.18), require that ?In all matters relating to the GAGAS engagement, auditors and audit organizations must be independent from an audited entity.? Additionally, paragraph 3.42 states that ?Examples of circumstances that create undue influence threats for an auditor?include (b) [e]xternal interference with the selection or application of engagement procedures or in the selection of transactions to be examined.? Therefore, it is imperative that our decisions related to audit approaches and testing methods be made without department influence or persuasion.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-049 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-036 CHILDREN?S BASIC HEALTH PLAN ELIGIBILITY AND IMPROPER PAYMENTS The Department, local counties, and MA sites share responsibility for ensuring that only eligible beneficiaries receive public assistance benefits through CBHP. Individuals and families apply for CBHP eligibility at their local county departments of human/social services or at MA sites. The local counties and MA sites are responsible for administering the application process, entering the required data for eligibility determination into CBMS, and approving or denying applicants? eligibility. Once approved for eligibility, the beneficiary is required to pay a CBHP annual enrollment fee (enrollment fee) to the Department, based on the number of people in the family and the family?s income. Eligibility data in CBMS feeds into Colorado interChange, which issues payments to CBHP providers. For CBHP, the Department contracts with managed-care entities, which are groups or organizations of medical service providers that serve CBHP beneficiaries to provide capitation payments to CBHP providers. These capitation payments are paid regardless of whether the providers serve beneficiaries during the month or not. Colorado interChange is programmed to pay capitation payments only on behalf of beneficiaries that are deemed eligible in Colorado interChange based on eligibility information received from CBMS and requirements specified in federal and state regulations. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over the CBHP eligibility determination process, as well as the capitation payment process, to determine whether the Department complied with applicable federal and state requirements, and whether payments were only made on behalf of eligible beneficiaries during Fiscal Year 2020. CMS suspended rules and provided waivers related to CBHP eligibility requirements in response to the COVID-19 PHE; as a result, our testwork was split into two periods for testing: (1) July 1, 2019, through February 29, 2020, and (2) March 1, 2020, through June 30, 2020. We performed the following testwork: REVIEW OF CBHP ELIGIBILITY CASE FILES ? We reviewed the Department?s CBHP eligibility internal controls during Fiscal Year 2020. In addition, we tested a random sample of 25 beneficiaries who were deemed eligible for CBHP benefits and had capitation payments made on their behalf to a CBHP provider between July 1, 2019, and February 29, 2020, to determine whether those beneficiaries? eligibility determinations were appropriate. If beneficiaries were determined to be ineligible through our testwork, we performed further testing to determine whether the beneficiaries had additional payments made on their behalf from March 2020 through June 2020, and whether the individuals were eligible for those payments. Our testing included a review of the related supporting documentation, including the case files; CBMS data fields related to eligibility determination/redetermination; and CBHP payment information in Colorado interChange. We performed testing to determine whether the Department ensured that local county and MA site caseworkers obtained, verified, and maintained in the case files the required documents supporting eligibility determinations and annual redeterminations; correctly entered eligibility data into CBMS; and properly assessed and collected enrollment fees. ? Additionally, we reviewed the Department?s progress in implementing our Fiscal Year 2019 audit recommendation related to CBHP eligibility. During that audit, we recommended that the Department strengthen its internal controls over CBHP eligibility determinations by providing adequate training to caseworkers, monitoring local counties and MA sites, and researching and resolving CBMS system issues identified in our Fiscal Year 2019 audit. We also recommended that the Department ensure it disallows benefits if a beneficiary becomes ineligible and if the enrollment fee is not paid prior to enrollment in the program. DATA ANALYSES OF CBHP BENEFICIARIES ? INELIGIBLE CBHP BENEFICIARIES. During our audit, we obtained eligibility data for all individuals who were deemed by the Department, a local county, or an MA site to be eligible for CBHP benefits in Colorado interChange at any point during the period of July 1, 2019, through February 29, 2020. We also obtained data for all CBHP capitation payments made through Colorado interChange by the Department from July 1, 2019, through February 29, 2020. This data included a total of $124.7 million in capitation payments made on behalf of 117,222 beneficiaries. We compared the eligibility data to the capitation payment data to identify any instances in which the Department made capitation payments to providers on behalf of beneficiaries who did not appear to be eligible for CBHP benefits. ? CBHP BENEFICIARIES 19 YEARS OR OLDER. Federal and state regulations require an individual to be less than 19 years of age to be eligible for CBHP benefits. To determine the Department?s compliance with these regulations, we further analyzed the list of all CBHP capitation payments made through Colorado interChange by the Department from July 1, 2019, through February 29, 2020. Specifically, we reviewed the beneficiaries? dates of birth in Colorado interChange to identify any capitation payments made on behalf of beneficiaries who appeared to be 19 years or older when the payments were made and, therefore, would not have been eligible for CBHP benefits. CBHP ELIGIBILITY MONITORING AND REVIEW We also inquired about the Department?s monitoring procedures over local counties and MA sites that were designed to ensure that eligibility determinations were made in accordance with federal and state regulations. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal and state regulations for CBHP eligibility and made payments on behalf of ineligible beneficiaries during the fiscal year. The specific issues we identified through our analyses of CBHP eligibility data and case file reviews are outlined in more detail throughout this section. ELIGIBILITY CASE FILE ISSUES In 16 of 25 case files tested (64 percent), we identified at least one error. These errors resulted in a total of 12 ineligible beneficiaries during all or part of Fiscal Year 2020, and total known questioned costs of $10,913, of which $8,449 was paid with federal grant funds; and total likely questioned costs of $3,805, of which $3,076 was paid with federal grant funds. A questioned cost, as defined in Uniform Guidance [45 CFR 75.2], is ?a cost that is questioned by the auditor ? (1) Which resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds; [or] (2) Where the costs, at the time of the audit, are not supported by adequate documentation.?? Federal regulation [45 CFR 75.516] further defines known questioned costs as questioned costs that are specifically identified by the auditor and likely questioned costs as the auditor?s best estimate of total questioned costs. During the COVID-19 PHE, CMS issued waivers that limited the Department?s ability to deny eligibility for enrolled beneficiaries. The Department also sought guidance from CMS on the treatment of beneficiaries who were ineligible prior to the COVID-19 PHE and receiving benefits during this period. Although CMS guidance indicated that the Department should keep these beneficiaries enrolled until the end of the COVID-19 PHE, we are reporting the costs incurred for the 12 ineligible beneficiaries in our sample during the period of the COVID-19 PHE of March 1, 2020, through June 30, 2020, as likely questioned costs since the beneficiaries were inappropriately deemed eligible prior to the COVID-19 PHE and should not have been enrolled in CBHP. The following table outlines the types of issues we found. See Schedule of Findings and Questioned Costs for chart/table. The specific issues we identified and the breakdown of identified questioned costs are as follows: ? CBHP ANNUAL ENROLLMENT FEE NOT PAID. In 10 cases, the Department either did not assess the required enrollment fee or the fee was assessed but was never collected. Specifically: ? In seven cases, the Department did not assess an enrollment fee. ? In the remaining three cases, the Department assessed the enrollment fees but did not collect the required fees from the beneficiaries. Benefits were inappropriately paid on behalf of these 10 beneficiaries for all or part of Fiscal Year 2020. As a result, the Department was not in compliance with state regulations. These issues resulted in known questioned costs of $6,684 and likely questioned costs of $2,260. State regulations [10 CCR 2505-3, 310.1-310.2] require the Department to collect an annual enrollment fee from the beneficiary prior to enrollment in the CBHP. The actual fee is determined based on the number of eligible children within the family. Benefits should be denied if the annual enrollment fee is not paid prior to enrollment in the program. ? LACK OF INCOME VERIFICATION. In three cases, the caseworkers failed to verify income reported by the beneficiary as required by state regulations. In all three cases, the beneficiary reported income; however, the caseworker did not verify the reported income through an electronic data source, wage stubs, tax documents, or through the employer. These errors resulted in known questioned costs of $2,854 and likely questioned costs of $1,546. State regulations [10 CCR 2505-10, 8.100.4.B.1.c and 8.100.4.B.1.d] require the Department to verify income reported by a beneficiary through an electronic data source, wage stubs, tax documents, or verification with the employer. ? INCOME ISSUES. In one case, the beneficiary?s income information received by the local county or MA site was more than the income limit set within the state regulation; however, the beneficiary was deemed eligible in CBMS and Colorado interChange paid capitation payments on behalf of the beneficiary. As a result, the beneficiary incorrectly received CBHP benefits during the fiscal year. These errors resulted in known questioned costs of $1,375. In another case, the caseworker incorrectly calculated self-employment income for the beneficiary, resulting in lower income. No questioned costs were identified in this instance because the beneficiary?s actual income was still within guidelines. In order to be eligible for CBHP, state regulation [10 CCR 2505-3, 110.1.D] requires an individual to have a household income greater than 133 percent of, but not exceeding, 250 percent of the federal poverty level. ? MISSING CASE DOCUMENTATION. In five cases, the Department was unable to provide documentation necessary to support the CBHP eligibility determination, including documentation to support income, such as wage stubs; and documentation to support identity and citizenship, such as birth certificates; as required by federal regulations, as follows: ? In three cases, the Department could not provide supporting documentation used by the caseworker in CBMS to verify income at the time of eligibility determination. Specifically, in all three cases, the Department was unable to provide copies of the beneficiary?s wage stubs that were noted as the source document in CBMS. However, the Department subsequently provided a hand-written statement from the employer and electronic income information from another data source interfaced with CBMS that indicated income was under the federal income threshold, resulting in no questioned costs. ? In two different cases, to determine beneficiaries? eligibility, a birth certificate was identified as the source used to verify identity and/or citizenship within CBMS; however, the Department was unable to provide these birth certificates to support their identity and/or citizenship for eligibility determinations. In both cases, there was other corroborating documentation in the case file that indicated the beneficiaries were eligible; however, the Department did not appropriately maintain the support used to determine the beneficiaries? eligibility as required by federal regulation. These errors did not result in questioned costs. According to federal regulation [42 CFR 457.965], ?The State must include in each applicant?s record facts to support the State?s determination of the applicant?s eligibility for [Children?s Health Insurance Program].? State regulations [10 CCR 2505-3, 110.1.A, 110.1.B, and 110.1.C] require the Department to ensure a beneficiary is either less than 19 years of age or a pregnant woman and a citizen of the United States or an individual who is legally allowed to be in the country. ELIGIBILITY ISSUES IDENTIFIED THROUGH DATA ANALYSES We identified 53 ineligible beneficiaries through our data analyses of CBHP eligibility and capitation payment data from Colorado interChange for July 1, 2019, through February 29, 2020. The related overpayments resulted in known questioned costs of $158,413 for Fiscal Year 2020, of which $123,251 were paid with federal grant funds. The specific issues we found are discussed in more detail as follows. CBHP BENEFICIARIES NOT ON THE ELIGIBILITY LIST. We identified 39 beneficiaries who were not listed as eligible beneficiaries in the CBHP eligibility data that we received from the Department. However, these beneficiaries had CBHP capitation payments paid on their behalf through Colorado interChange during Fiscal Year 2020. We informed the Department of the issues we identified and provided the list of all 39 identified beneficiaries. Department staff performed their review and confirmed that 38 of the 39 beneficiaries were not eligible in CBMS at some point during Fiscal Year 2020, but showed as eligible in Colorado interChange during that timeframe. For the remaining beneficiary, CBMS and Colorado interChange noted the beneficiary as eligible when payments occurred in July 2019; however, the Department?s review later determined that the beneficiary was ineligible during July 2019 after the payments had already been made through Colorado interChange. As a result, all payments made during July 1, 2019, through February 29, 2020, for these 39 ineligible CBHP beneficiaries were improper payments as defined by federal regulations and, therefore, should be recovered in accordance with state and federal regulations. These payments resulted in known questioned costs of $76,924, of which $59,423 were paid with federal grant funds; and likely questioned costs of $14,345 for March 1, 2020, through June 30, 2020, of which $11,596 were paid with federal grant funds. According to federal regulation [42 CFR 431.958], any payment to an ineligible beneficiary is considered an improper payment, which is any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments). Eligibility errors include ineligible individuals that were authorized as eligible when they received services [42 CFR 431.960 (d)(2)(i)]. Section 25.5-4-301(2), C.R.S., states that any overpayments of claims to providers are recoverable. These overpayments ?are recoverable regardless of whether the overpayment is the result of an error by the state department, a county department of human or social services, an entity acting on behalf of either department, or by the provider or any agent of the provider....? Pursuant to 1903(d)(2)(C) of the Social Security Act [42 U.S.S. 1396b], states have up to 1 year from the date of discovery of the overpayment to recover or attempt to recover the overpayment before the federal share must be refunded to the Centers for Medicare and Medicaid Services (CMS) regardless of whether recover is made from the provider. CBHP BENEFICIARIES 19 YEARS OR OLDER. We identified $853,422 in capitation payments made on behalf of 168 beneficiaries who appeared to be 19 years or older at the time of the CBHP capitation payments and, therefore, would not have been eligible for CBHP benefits. These beneficiaries were identified based on their dates of birth and the dates of capitation payments made on their behalf in Colorado interChange. We selected a random sample of 17 of the 168 beneficiaries to test whether or not the beneficiaries were ineligible to receive CBHP benefits based on their age. Using information contained in both Colorado interChange and CBMS, we confirmed that 14 of the 17 tested (82 percent) were 19 years or older when they had capitation payments paid on their behalf and, thus, were ineligible for these payments made through Colorado interChange. For example, we noted that based on the information in CBMS, 10 of the beneficiaries had not been eligible for CBHP benefits since 2017 even though Colorado interChange showed the beneficiaries as eligible. One of these beneficiaries had passed away in 2017, but had payments made on their behalf through September 2019. The remaining three of the 17 beneficiaries we tested were under the age of 19 at the time of the payments, but had an incorrect date of birth in Colorado interChange and/or CBMS. In total, for the 14 beneficiaries, we identified known questioned costs of $81,489 for Fiscal Year 2020, of which $63,828 were paid with federal grant funds. Additionally, for the remaining 151 beneficiaries with an age of 19 years or older based on their date of birth in Colorado interChange, we identified likely questioned costs of $775,470 for payments made on their behalf after they turned 19, of which $611,762 were paid with federal funds for Fiscal Year 2020. Federal regulation [42 CFR 457.320] defines children as up to, but not including, the age of 19. In addition, state regulation [10 CCR 2505-3, 101.1.A.1] states that an individual must be less than 19 years of age to be eligible for CBHP. The CBHP state plan amendment [CO-20-0031] approved by CMS, waives the requirement during the COVID-19 PHE, except for circumstances described in 42 CFR 435.926(d)(1) that states, the Department has to terminate a child?s eligibility during a continuous eligibility period once the child attains the maximum age of 19 years. Department policy further clarifies that beneficiaries enrolled in CBHP must meet age requirements [HCPF PM 20-004]. The following table summarizes the eligibility issues we identified through our data analyses. See Schedule of FIndings and Questioned Costs for chart/table. ELIGIBILITY MONITORING ISSUES CBHP ELIGIBILITY QUALITY REVIEW REPORT. In addition, we identified problems with the Department?s monitoring of local counties and MA sites over CBHP eligibility determinations. Based on our inquiry, we found that the Department did not obtain any quarterly quality review reports from local counties and MA sites during Fiscal Year 2020, or monitor the local counties and MA sites through an alternative process. As a result, the Department did not monitor local counties and MA sites in accordance with federal regulations and Department procedures. Department procedures require local counties and MA sites to compile and submit the results of their own quality reviews of CBHP eligibility case files to the Department on a quarterly basis. In addition, local counties and MA sites that do not submit their quality review reports on a timely basis are subject to corrective action. According to federal regulation [45 CFR 75.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with Green Book, Paragraph 16.01, which states that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. WHY DID THESE PROBLEMS OCCUR? Overall, the Department lacked sufficient internal controls to ensure that it complied with state and federal CBHP eligibility requirements and to ensure that CBHP capitation payments were appropriately paid only on behalf of eligible beneficiaries during Fiscal Year 2020. Specifically, we noted the following causes for the errors we identified: CBHP ANNUAL ENROLLMENT FEE. CBMS was not programmed to calculate and assess the correct enrollment fee or disallow benefits if the enrollment fee was not paid prior to enrollment in the program. In addition, CBMS was not programmed to calculate and assess an enrollment fee when a beneficiary moves between programs, such as from other federal programs to CBHP. According to the Department, CBMS is programmed to only calculate and assess an enrollment fee at a beneficiary?s annual redetermination and does not assess a fee when beneficiaries move to CBHP in between annual redeterminations, as required by state regulations. CASEWORKER ERROR. Caseworkers did not ensure that they maintained the required documentation to support CBHP eligibility, such as citizenship and identity status; or obtained and verified beneficiary income. MONITORING AND REVIEWS. The Department reported that it discontinued its process of obtaining quarterly CBHP monitoring reports from local counties and MA sites during Fiscal Year 2020 because the process is not effective and it is creating a new oversight monitoring process; however, the Department did not implement an interim monitoring process to ensure compliance with federal regulations. SYSTEM INTERFACE ISSUES AND LACK OF RECONCILIATION PROCESS. CBMS failed to interface with Colorado interChange appropriately during Fiscal Year 2020 to update beneficiaries? eligibility information. As a result, some beneficiaries who were deemed ineligible for CBHP in CBMS were listed as eligible in Colorado interChange and capitation payments were made on their behalf during the fiscal year. Furthermore, the Department lacked an effective internal control process for reconciling CBHP beneficiaries? eligibility information in CBMS to the eligibility information in Colorado interChange to ensure the information is consistent in both systems and the beneficiary is appropriately deemed either eligible or ineligible in accordance with federal and state regulations. The Department indicated that it developed a manual reconciliation process in October 2019 to correct the eligibility status of these beneficiaries from eligible to ineligible in Colorado interChange to stop any further payments. This manual reconciliation process, however, did not identify and stop all the overpayments to providers on behalf of ineligible beneficiaries noted in this audit. Additionally, the Department did not recover these overpayments as required by federal and state regulations. WHY DO THESE PROBLEMS MATTER? Inaccurate processing of case file information to determine eligibility can result in the local counties and MA sites granting CBHP benefits to ineligible individuals. Without maintaining the required documentation to support eligibility, the local counties, MA sites, and ultimately the State cannot substantiate that eligibility determinations and redeterminations for CBHP are accurate, which can result in benefits being paid on behalf of ineligible individuals. Making payments to ineligible individuals can result in the Department having to repay the federal government for the federal portion of the overpayments. Additionally, the federal government can disallow federal funds for program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. Because CBMS determines eligibility and Colorado interChange makes payments on behalf of other federal programs, system issues with CBMS and Colorado interChange could result in erroneous payments for other programs.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-042 Medical Loss Ratio Reporting for Managed Care Entities The Department contracts with Managed Care Entities (MCEs) to provide managed care health plans and deliver health care services to eligible Medicaid and CBHP beneficiaries and pays MCEs monthly fixed amounts, known as capitation payments, based on rates determined by actuaries for the provision of services covered under the contract. The Department pays the MCEs monthly capitation payments on behalf of each Medicaid and CBHP beneficiary enrolled in the MCE?s plan. MCEs then coordinate services for the eligible Medicaid and CBHP beneficiaries and providers participating in the managed care system bill the MCEs directly for any medical services provided to Medicaid and CBHP beneficiaries. The MCEs are then responsible for paying the providers for the Medicaid and CBHP claims. The Department contracts with three different types of MCEs?Managed Care Organizations (MCO), Prepaid Inpatient Health Plans (PIHP), and Primary Care Case Management (PCCM) Entities. During Fiscal Year 2021, the Department had a total of 8 contracts with 10 MCEs, with two pairs of MCEs sharing a single contract with the Department. The Department is responsible for monitoring the MCEs to ensure they are complying with federal regulations and their contract provisions, including requirements that the MCEs annually submit Medical Loss Ratio (MLR) reports to the Department. The MLR is the proportion of state and federal Medicaid and CBHP funds that the MCE used for medical services compared to the funds used for its administrative costs. MCEs are required by both federal regulations and their Department contract provisions to have an MLR above 85 percent (i.e., an MCE?s administrative costs cannot exceed 15 percent) except for specific exceptions defined in federal regulations. If the MLR is below 85 percent, the MCE must pay back the state and federal government for the amount that caused the MCE to fall below 85 percent. Every fiscal year, the Department provides an MLR reporting template for the MCEs to complete and return to the Department. The Department reported that when it receives the completed templates, staff review the information provided by the MCEs and compare it to supporting documentation to ensure it is accurate and complete. Once the Department has reviewed the MLR reports submitted by the MCEs, the Department submits the MLR reports to CMS, which are due by June 30 of the year following the end of the MLR reporting year. For example, an MCE with a reporting year ending June 30, 2020, would be required to submit the MLR calculation to CMS by June 30, 2021. During Fiscal Year 2021, the Department reported that it paid approximately $1.4 billion in Medicaid and CBHP capitation payments to MCEs for medical services, not including the capitation payments for other services, such as administrative costs. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to review the Department?s internal controls and compliance over ensuring that MLR reports submitted to CMS by the Department include all the required information in accordance with federal regulations during Fiscal Year 2021. The audit work included making inquiries of Department staff regarding the Department?s documented policies and procedures over obtaining and reviewing MLR reports from each MCE. In addition, we requested and reviewed all MLR reports submitted to the Department by the 10 MCEs that were under contract with the Department in Fiscal Year 2021 to determine whether the MLR reports included all information required by federal regulations and were submitted within the required timeframes. How were the results of the audit work measured? Federal regulations [42 CFR 438.8(k)] require that the Department ensure each MCE under contract with the Department submits a report with the data elements specified in 42 CFR section 438.8(k)(1). The reports are specifically required to contain 13 required data elements, reflect the correct reporting years, and contain an attestation of accuracy regarding the calculation of the MLR. The 13 data elements include items such as total incurred claims, the methodology for allocating expenditures, the calculated MLR, and a comparison of the information reported in the MLR report to the MCE?s audited financial report. Federal regulations [42 CFR 438.8(g)] note that the method used to allocate expenses in the MLR calculation must be: ? Based on a generally accepted accounting method that is expected to yield the most accurate results; ? Any shared expenses must be apportioned pro rata to the contract incurring the expense; and ? Expenses that relate solely to the operation of a reporting entity must be borne solely by the reporting entity and are not to be apportioned to other entities. Federal regulations [42 CFR 438.8(k)(2)] require MCEs to submit the MLR report in a timeframe and manner determined by the Department, which must be within 12 months of the end of the MCE?s reporting year. The Department?s contract provisions for MCEs state that the MLR reporting year should align with the State?s fiscal year, beginning on July 1 and ending on June 30 of the subsequent calendar year. Contract provisions also state that each MCE shall submit to the Department the completed MLR calculation template and supporting documentation for each reporting year by the following January 15. For example, an MCE with a reporting year ending June 30, 2020, would be required to submit the MLR calculation template to the Department by January 15, 2021, and the Department would be required to submit the MLR calculation to CMS by June 30, 2021. What problems did the audit work identify? We reviewed all reports provided to the Department by the 10 MCEs during Fiscal Year 2021 (for the MLR reporting year ended June 30, 2020) and determined that none of the MLR reports submitted by the 10 MCEs to the Department contained all of the required data elements in Fiscal Year 2021. Specifically, the MLR reports were missing 2 of the 13 (15 percent) required data elements: the methodology for the MCEs? allocation of expenditures and a comparison of the information reported in the MLR report to the MCEs? audited financial reports. This omission is significant because the MCEs reported total medical expenditures ranging from $20.5 million to $208.4 million and earned revenue from $23.4 million to $219.1 million. In addition, we determined that 1 of the 10 MLR reports received in Fiscal Year 2021 (10 percent) had not been submitted to CMS as of April 2022. This report was due to CMS on June 30, 2021. Why did these problems occur? We found that the Department lacked adequate controls to ensure that MLR reports submitted by the MCEs fully complied with federal regulations. First, we noted that although the Department?s MCE contracts state the MCE?s MLR report should include all 13 federally required data elements, the MLR template the Department provided to the MCEs did not include specific sections addressing the two missing federally-required data elements. As a result, the MCEs did not submit this information. Furthermore, the Department did not have written policies and procedures for reviewing completed MLR reports to ensure the reports ultimately included those requirements. Second, the Department does not have an enforcement mechanism to ensure the MCEs provide corrected MLR report information in a timely manner. The Department reported that it had not submitted the one MLR report to CMS because it had open questions on the MLR report and was unable to verify that the information was correct, valid, and in compliance with federal regulations. Although the Department sent the MLR report back to the MCE for correction several times, the Department did not have sufficient controls in place to ensure the MCE ultimately provided the corrected report back to the Department within the required reporting timeline for CMS submission. Why do these problems matter? The Department is responsible for ensuring MLR reports are obtained and submitted to CMS in accordance with federal regulations and that MCEs have an MLR above 85 percent. While all 10 MCEs reported that their MLRs were above 85 percent for the reports submitted during Fiscal Year 2021, without providing all required data elements, neither the Department nor the federal government can validate that this percentage is accurate. By not including the methodology for the MCE?s allocation of expenditures, the Department, and ultimately CMS, are unable to confirm that each type of expense is being allocated correctly and that any shared expenses are being prorated appropriately. Additionally, by not including a comparison of the information reported in the MRL to the MCE?s audited financial report, the Department is unable to confirm that the information the MCE used to calculate their MLR is accurate. Overall, without effective internal controls in place, the Department risks providing MLR reports to CMS that contain inaccurate or incomplete information or that the MLR is below 85 percent and the Department does not catch the error. As a result, state and federal funds could be used disproportionately on administrative costs rather than medical services, which would negatively impact the quality of care Medicaid and CBHP beneficiaries receive. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-042 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls over Medical Loss Ratio (MLR) reporting by: A. Updating its MLR report template provided to Managed Care Entities (MCEs) to comply with federal regulations and developing and implementing written policies and procedures. These policies and procedures should include the requirement for MCEs to submit MLR reports that include the data elements required by federal regulations and specify the Department?s review process of those MLR reports to ensure they include accurate and complete information. B. Developing an enforcement mechanism to ensure it receives accurate and corrected information from the MCEs in a timely manner so the Department is able to complete its validation process of MLR reports and meet the June 30 deadline for report submission to the Centers for Medicare & Medicaid Services. Response Department of Health Care Policy and Financing A. Agree Implementation Date: December 2022 The MLR report template has been updated and will now be reviewed at least yearly by the Department. In addition, new written policies and procedures are being developed and will be implemented before the submission of the next MLR for review. B. Agree Implementation Date: January 2023 The Department will add contract language and enforcement mechanisms in order to receive accurate information in a timely manner. This includes specific timelines for correcting incomplete or inaccurate information in order to submit the MLR report timely to the Centers for Medicare & Medicaid Services.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-043 Managed Care Entities? Periodic Audit Reporting On November 9, 2020, CMS adopted a final rule (Final Rule) revising the regulations governing managed care programs. The Final Rule was meant to streamline the existing Medicaid and CBHP managed care regulatory framework. Further, it adopted procedures and standards to ensure accountability and strengthen program integrity safeguards. The Department is responsible for complying with these federal program integrity regulations, some of which include requirements to monitor MCE compliance submission requirements, conduct periodic audits of submitted MCE data, and then post the periodic audits publicly on the Department?s website. These periodic audits are done to determine the accuracy and completeness of the (1) encounter and, (2) financial data submitted by each MCE, which are described as follows: ? Encounter Data. The Department?s contracts with the MCEs require each MCE to submit Medical Encounter Claims (Encounter Data) to the Department. Encounter Data includes services provided by any of the MCE?s providers, including, but not limited to, services delivered by medical groups, practices, clinics, physicians, or any other providers. MCEs must submit Encounter Data on a monthly basis on the last business day of the month. The Department then contracts with an independent external quality review organization to review the information and supporting documentation, and then the external organization issues a report on the data submitted by each MCE. ? Financial Data. The Department?s contracts with the MCEs require each MCE to complete a Department-provided financial reporting template that contains a breakdown of the MCE?s administrative and medical costs for a 12-month period (July through June). These templates are required to be completed and submitted to the Department by January 15 each year. The Department performs an initial review of the information, and then sends the completed templates to an independent CPA firm for final review and issuance of a report on the data submitted by each MCE. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to review the Department?s internal controls over and compliance with federal program integrity requirements for MCEs during Fiscal Year 2021. The audit work included making inquiries of Department staff regarding the Department?s documented policies and procedures over the MCE periodic audits. For each MCE, we reviewed the Department?s MCE contract, the financial reporting template submitted during Fiscal Year 2021, and the report issued by the Department?s contracted independent organization. Lastly, we reviewed the Department?s website to determine whether the Department posted the periodic audit results on their website. How were the results of the audit work measured? Federal regulations [42 CFR 438.602] detail the Department?s responsibilities associated with MCE program integrity. These include the following: ? Federal regulation [42 CFR 602(e)] requires the Department to periodically conduct, or contract for the conduct of, an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by each MCE. ? Federal regulation [42 CFR 438.602(g)(4)] requires that the results of the periodic audits for each MCE be publicly posted on the Department?s website. The Department?s MCE contracts require all MCEs to submit Encounter Data electronically to the Department on a monthly basis. The Department?s MCE contracts also require all MCEs to submit annual financial information, including annual financial statements and the Department provided financial reporting template. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in the Green Book. Under Paragraph 16.01, the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. What problems did the audit work identify? Overall, we found that the Department did not obtain complete financial data from the MCEs during Fiscal Year 2021 and did not post the audited results of the financial data to the Department?s website. Specifically, we found the following: ? Financial Data Reporting Template. For 2 out of the 10 (20 percent) financial reporting templates we reviewed, the MCE did not fill out the reporting template completely. As a result, the reporting templates were missing supporting information and explanations that assist the Department in their initial review of the MCE financial data, such as the MCE?s methodology for calculating administrative and medical costs submitted with the reporting template. ? Posting Incomplete Periodic Audits to the Department?s Website. For 10 of the 10 (100 percent) MCEs, we found that the Department failed to post the results of the financial data audits to its website. Pursuant to federal regulations, the audits must include information on encounter and financial data for each MCE and be posted to the Department?s website. We were able to verify that the Department did, however, post the results of the encounter audits to its website for all 10 MCEs. Why did these problems occur? The Department lacked adequate controls over ensuring compliance with federal program integrity requirements for MCEs. Specifically, the Department did not have written policies and procedures for performing the initial review of the financial data reporting templates before they are sent to the CPA firm for final review. In addition, the Department did not have written policies and procedures for ensuring all periodic audit information is posted to its website, including the results of the financial data audits. Why do these problems matter? As a recipient of federal funds, the Department is ultimately responsible for ensuring that it is in compliance with federal regulations. By not confirming that the MCE financial data templates are complete, there is a risk that the reports issued by the contracted CPA firm could be inaccurate or incomplete, which could lead to the Department not properly monitoring the managed care program. In addition, by posting incomplete periodic audit information to its website, the Department risks failing to comply with federal program integrity requirements for MCEs. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-043 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls by developing and implementing written policies and procedures for periodic audits that detail the process for (1) performing the initial review of the financial data reporting templates submitted by Managed Care Entities, and (2) posting complete periodic audit results on the Department?s website in accordance with federal regulations. Response Department of Health Care Policy and Financing Agree Implementation Date: December 2022 The Department did not have strong enough controls for the initial checks on the financial data reporting templates. This process has been updated and will be rectified in coming cycles. The Department has modified its templates in order to address the concerns provided by the auditors including signatures and supplemental reporting. Written policies and procedures for the validation and audit of the templates are being developed currently and will be in place and effective in December 2022. The Department will be correcting this error by posting the audit results along with other quality and audit reports on the following site: https://hcpf.colorado.gov/quality-and-health-improvement-reports.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-045 Payments for Non-Emergent Medical Transportation ClaimsPrior to July 2020, in 55 counties, the Department worked with various county offices to have them broker Non-Emergent Medical Transportation (NEMT) services for Medicaid recipients, including rides to and from Medicaid medical appointments, personal mileage reimbursement, and trip-related meals and lodging. For example, these counties arranged the rides with transportation providers, submitted the claims or had providers submit claims for reimbursement to the Department, and passed on reimbursements to providers as needed. For the remaining nine counties, the Department contracted with IntelliRide to serve as the NEMT broker for services in those areas. From July 1, 2020, to August 31, 2021, when the Department contracted with IntelliRide to be the statewide broker, most recipients throughout the state scheduled NEMT rides by contacting IntelliRide through its call center, website chat function, or smartphone applications. IntelliRide scheduled rides and assigned transportation providers to them, and had providers upload trip information into IntelliRide?s EcoLane transportation scheduling system. EcoLane maintains information related to recipients? requests for rides and provider trip information, such as the trip date and time, names of the recipient and driver, and scheduled pick-up and destination addresses. IntelliRide submitted claims through the Department?s interChange system (interChange) requesting payments for providers? NEMT services, paid providers for their services, and received reimbursement from the Department. In addition, the Department paid NEMT claims submitted directly by NEMT providers. In Fiscal Year 2021, from July 1, 2020, through February 28, 2021 (the audit period), the Department paid 362,110 claims for NEMT services totaling about $33.2 million, as shown in the following table. In September 2021, the Department plans to transition back to IntelliRide brokering services in nine counties, while the NEMT providers in the remaining counties will broker their own services. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote What audit work was performed and how were the results measured? The purpose of the audit work was to determine whether the Department has ensured that NEMT claims adhere to the following federal and state requirements. ? NEMT trips were to be brokered through, and all claims submitted by, the statewide broker, Intelliride. According to state regulations and the Department?s NEMT Billing Manual, all NEMT trips during Fiscal Year 2021 had to be authorized by the statewide broker, IntelliRide [10 CCR 2505-10 8.014.7.A]. This means that each recipient?s NEMT ride request should have been sent to IntelliRide for approval or authorization before the trip, and any unauthorized trips should ?not be reimbursed or paid? [Billing Manual]. According to the Department, it allowed NEMT providers time to transition to working with IntelliRide because some providers were reluctant to join the statewide brokerage and the Department needed time to onboard providers. By Fall 2020, most providers should have been working with IntelliRide to schedule NEMT rides. The Department told us that six NEMT providers received its express permission to bypass IntelliRide to schedule rides and submit claims directly to the Department because the providers are unique, such as only serving recipients with disabilities or receiving federal grant funding to provide NEMT. To assess whether IntelliRide brokered most NEMT services in the State and submitted the related claims in line with regulations and its contract, we reviewed the Department?s aggregate data for the 128,998 NEMT claims paid from December 2020 through February 2021. ? The Department must pay claims based on accurate service rates and trip mileage. Non-taxi NEMT services, such as wheelchair and mobility vehicle services, have base rates and mileage rates set by the Department. IntelliRide tracks the mileage of each NEMT trip in EcoLane and submits mileage claims to the Department?s interChange system. The Public Utilities Commission (PUC) sets the rate for each permitted taxi provider, which generally includes a rate for the first trip mile and a different rate for each additional mile. According to the Department?s NEMT Billing Manual and NEMT Rate Schedule for Fiscal Year 2021, taxi claims should have been paid at the rate set by the PUC. For example, if a taxi company?s PUC rate was $4 for the first mile and $2 for each additional mile, the Department should have paid $6 for a two-mile NEMT trip claim. To verify that the Department paid NEMT claims based on the correct trip mileage and rates, we reviewed the trip mileage and rates for 362,110 NEMT claims paid from July 2020 through February 2021, and PUC documentation on the taxi rates for permitted taxi companies. ? Claims must be supported with accurate and complete documentation confirming the service provided. Both IntelliRide and providers that submit claims for NEMT services must keep and be able to furnish accurate, complete supporting documentation for all claims [42 USC 1396a(27), 42 CFR ?? 431.17 and 433.32, and 10 CCR 2505-10 8.014.3.C and 8.014.6.B]. For example, a claim must be supported by medical documentation showing that the type of vehicle was needed to transport the recipient, and documentation from the transportation provider showing the trip occurred and when the recipient was picked-up and dropped-off. IntelliRide should only submit a claim to the Department after IntelliRide confirms the trip has been completed and marks the status complete in EcoLane [IntelliRide Policies and Procedures]. If an NEMT provider does not show up for a trip, IntelliRide should mark the trip as ?cancelled? in EcoLane. Payments for Medicaid claims that lack supporting documentation for the services provided are unallowable, meaning they should not be paid. IntelliRide or the Department must maintain documentation from recipients? medical providers showing why certain NEMT services, like transportation in a wheelchair van or with an escort, are medically necessary [10 CCR 2505-10 8.014.7.B and 8.014.5.D.1; Billing Manual]. To verify that there was support for NEMT claims, we reviewed IntelliRide data in EcoLane for all 362,110 NEMT claims paid from July 2020 through February 2021, and Department documentation for a sample of 85 NEMT paid claims?75 selected randomly from the four NEMT service areas of the state, and 10 that were the highest paid NEMT claims. ? NEMT services must be medically necessary. NEMT services shall only be provided to recipients with no other means to attend medically necessary, non-emergency treatment covered by Medicaid [42 USC 1396a(70); 42 CFR 431.53; 10 CCR 2505-10 8.014.5.B]. To verify that NEMT claims were only paid for recipients to access medical care, we reviewed the Department?s data on paid medical claims to determine if the recipients related to 22 sampled NEMT claims paid in December 2020 had a corresponding medical appointment. For another 61 paid NEMT claims that involved IntelliRide scheduling and submitting claims for trips every day in December for two recipients, we reviewed whether the recipients had paid medical claims corresponding with the trips. ? Prior authorization is required for air ambulance. The Department must grant prior authorization for the use of an NEMT air ambulance before the trip occurs in order for the claim to be paid [10 CCR 2505-10 8.014.7.D.1.b]. To verify that the Department granted prior authorization for air ambulance trips, we reviewed the use of air ambulances in 11 paid claims from July 2020 to February 2021. ? Recipients are to receive the least-costly NEMT transportation option appropriate for their medical condition. For example, recipients should only ride in a vehicle for recipients with mobility needs when they have a mobility issue or if there is a lack of access to public transportation [10 CCR 2505-10 8.014.6.B, 42 USC 1396(a(70), and 42 CFR 440.170(a)(4)]. Higher-cost NEMT services, such as ambulance and wheelchair van services, must be supported with documentation of the recipient?s need for the specific higher-cost services [10 CCR 2505-10 8.014.5.B.1.b]. To determine whether recipients received the least costly NEMT services to meet their needs, we reviewed documentation submitted by medical or transportation providers to IntelliRide or the Department for the 85 sampled NEMT claims. ? Taxi providers must be permitted by the PUC to provide NEMT taxi rides. To provide NEMT rides by taxi and receive payment for them, the provider must maintain a common carrier permit issued by the PUC [10 CCR 2505-10 8.014.3.B.4.a]. To verify that the providers that were paid for taxi claims had been permitted to provide taxi services, we reviewed the 33,791 NEMT claims for taxi services from July 2020 to February 2021. What problems were identified? The Department paid $3.5 million directly to 66 NEMT providers for claims that were not brokered by Intelliride. From December 2020 through February 2021, 26,890 of the approximately 129,000 NEMT claims paid by the Department (21 percent), totaling about $3.5 million, were not brokered through IntelliRide, which violated state regulations requiring all NEMT services to be brokered through the statewide brokerage in effect at the time. The following chart shows the amounts the Department paid for claims submitted directly by NEMT providers compared to its payments for claims submitted by IntelliRide from July 2020 through February 2021. During these months, the number of claims that providers submitted directly to the Department decreased as providers transitioned to working with IntelliRide to broker NEMT rides; however, as of February 2021, the Department was still paying about $1 million in monthly claims that were submitted directly by providers. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote The Department paid 36,910 NEMT claims totaling $5.5 million, which either violated or may have violated federal and/or state regulations. The claims were for unallowable services or were overpaid, and resulted in $291,597 in known questioned costs and $5,180,962 in likely questioned costs for Medicaid. A questioned cost is a payment that ?resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds? or ?the costs, at the time of the audit, [that] are not supported by adequate documentation?? [2 CFR 200.84]. A known questioned cost reflects a violation that the auditor confirmed; a likely questioned cost is the auditor?s best estimate of a potential violation [2 CFR 200.516(a)(3)]. Known and likely questioned costs should be investigated by the Department and recovered, as appropriate, because Medicaid overpayments are recoverable regardless of whether they occurred due to an error by the Department, entity acting on behalf of the Department, or a provider [Section 25.5-4-301(2), C.R.S.]. We found the following problems resulting in $291,597 in known questioned costs: ? Claims paid with no support that services were provided. For 3,958 of the 362,110 NEMT claims (1 percent), which totaled $258,115 paid from July 2020 to February 2021, IntelliRide or providers submitted the claims without any documentation showing that recipients received the NEMT services from the providers listed in the claim. The $258,115 is known questioned costs and includes: o 3,323 claims totaling $163,985 submitted by IntelliRide with no documentation in EcoLane of a ride being scheduled or provided. o 619 claims totaling $61,431 submitted by IntelliRide for which EcoLane showed the scheduled ride was cancelled. o 16 sampled claims totaling $32,699 submitted by providers directly to the Department had no documentation that an NEMT service occurred because the providers did not send the Department documentation for their claims. Upon our request, the Department attempted to obtain supporting documentation from providers for these claims but was unable to obtain any. ? Overpayments due to incorrect mileage and taxi rates. For 466 of the 321,099 mileage and taxi claims (less than 1 percent), the Department overpaid IntelliRide. Specifically, for 50 of the 287,308 mileage claims (less than 1 percent), the mileage submitted by IntelliRide that the Department paid was more than the ride mileage that IntelliRide documented in EcoLane. For 416 of the 33,791 (1 percent) claims submitted by IntelliRide on behalf of providers that were permitted to operate as taxis, the Department paid a higher rate than the providers? set PUC rate. The following table breaks out the overpayments that we identified, which totaled $6,759 in known questioned costs. We did not find issues with the rate amounts that the Department paid for non-mileage and non-taxi services. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Examples of these overpayments include: o An overpayment of $48 for a claim submitted by IntelliRide for a taxi provider that billed the wrong taxi rate. The Department paid $60 for a 4-mile trip, when it should have paid $12 based on the PUC rate of $3 per mile. o An overpayment of $79 for a claim submitted by IntelliRide on behalf of a provider because the claim showed the trip was 76 miles, but the EcoLane data showed the trip was 38 miles. The Department paid $157, when it should have paid $78. ? Unallowable rides, not for medical appointments. For 61 claims showing NEMT trips every day in December 2020 for two recipients, there were no medical claims corresponding to their trips, so it appears that either NEMT was used repeatedly to transport these recipients to unallowable destinations or the provider did not provide the trips claimed. The NEMT provider reported to IntelliRide that these trips were completed even though the recipients did not attend any medical appointments that month. IntelliRide submitted the 61 NEMT claims and its EcoLane data showed that the NEMT providers self-reported that the trips were completed. However, IntelliRide confirmed that these trips were not used to access medical care. The issues we identified resulted in $2,674 of known questioned costs. ? Air ambulance claims paid without prior authorization. None of the 11 air ambulance NEMT claims had supporting documentation that the provider requested or received prior authorization from the Department before the trip occurred. These 11 claims to three providers resulted in $23,122 in known questioned costs. ? Claims paid for trips that were not the least costly, medically necessary, and/or for approved escorts. For seven of the 85 sampled claims (8 percent), IntelliRide submitted the claims without having required documentation from medical providers. Specifically, four claims lacked documentation to support the medical necessity for the type of vehicle used (either mobility vehicle, taxi, or wheelchair van); the other three claims lacked documentation of the recipient?s need for an escort to support the associated cost, which indicates that the three sampled NEMT trips were provided to an escort ineligible to ride with the recipient. The issues we identified for the seven claims resulted in $927 of known questioned costs. In addition, we found the following problems resulting in $5,180,962 in likely questioned costs, which are estimated potential violations of federal requirements that we could not confirm due to a lack of documentation: ? $4.8 million paid for taxi claims without mileage. For 29,049 taxi claims totaling $4,763,071, the Department paid the claims without ensuring taxi providers were paid at their PUC per-mile rate. These claims were submitted directly to the Department by 10 permitted taxi providers. The Department required providers to submit claims showing only the number of one-way trips driven, not the number of miles driven. As a result, the Department could not ensure that these taxi claims were paid at the correct PUC rates, as required in its Billing Manual and Rate Schedule. The Department paid the full amount that each taxi provider requested, as long as the claim was not more than $1,000 per one-way trip. For example, the Department paid $4,000 to one taxi provider for a claim showing four one-way trips for a recipient on a single day. Based on the claim amount, the taxi provider would have had to have driven the recipient on four 400-mile, one-way trips that day to justify this amount, because the taxi provider?s PUC rate is $4 for the first mile and $2.50 for each additional mile. Since the Department did not obtain the miles driven for each one-way trip from taxi providers for these 29,049 claims, we could not determine whether the payments were accurate based on each provider?s PUC rate, as required. ? $409,575 paid for taxi claims for providers not permitted as taxis. For 3,284 NEMT claims for taxi services from eight providers, the providers were not permitted by the PUC to operate as taxis. For example, one provider was paid for an NEMT taxi claim for $5,875 for 12 trips, or $490 per trip. Since these providers were not permitted as taxis, they did not have PUC-set taxi rates, so we could not determine how much these providers should have been paid. ? $4,718 paid for trips that may not have been to attend medical services. As of April 2021, 13 of the 22 sampled NEMT claims (59 percent) for trips in December 2020 had no medical claims for dates corresponding to the NEMT trips. Department staff told us that Medicaid medical claims are typically submitted and paid within 3 months of the date of service, but that there is a possibility that medical providers had not yet submitted medical claims for the recipients since federal regulations technically allow providers up to 12 months to submit claims [42 CFR 447.45(d)(1)]. In addition, six of these 13 recipients had both Medicaid and other types of medical insurance, such as Medicare. According to the Department, it is possible that the six recipients used NEMT trips to access medical services but the Department did not have a Medicaid claim for the services because they were paid by the other types of insurance, which is allowed by state regulations [10 CCR 2505-10 8.014.5.B.2]. Therefore, we could not determine whether the NEMT trips associated with the 13 claims had been for recipients to attend medical services. ? $3,598 paid for trips that may not have been completed. For 61 of the 362,110 paid claims (less than 1 percent), the scheduled trips were not marked as complete in EcoLane, so we could not determine whether they had been completed. Why did these problems occur? The Department lacks effective internal controls over NEMT claims to ensure they are appropriate and consistently comply with federal and state requirements. According to federal regulations [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls to provide reasonable assurance that federal funds are spent in compliance with federal requirements. We identified the following areas where Department controls are lacking for NEMT claims: Lack of Department information technology (IT) Controls in interChange ? No IT controls to prevent providers from bypassing broker. From December 2020 through February 2021, the Department paid NEMT providers directly for unsupported NEMT trips because the Department did not have IT controls in interChange to deny claims for trips that were not brokered through IntelliRide, as required at the time. As of September 1, 2021, the Department plans to require only the NEMT providers operating in nine metro-Denver counties to broker trips through IntelliRide, so the Department needs IT controls to ensure providers in these counties work with IntelliRide to schedule all trips and submit related claims. ? Lack of IT and other controls to ensure proper payments for NEMT taxi services. InterChange is programmed to pay each NEMT taxi claim based on one-way trips, but the Department has not implemented an IT or other control to ensure that NEMT taxi claims are paid at the providers? current PUC-approved per-mile rates, and that the Department only pays taxi rates when the provider is permitted by the PUC to operate as a taxi. Department staff stated that the only IT control the Department has built into interChange to help ensure proper payment of taxi claims is limiting payments for taxi claims to no more than $1,000 per one-way trip, and that this control is in accordance with the NEMT Billing Manual and Rate Schedule. However, Department staff also acknowledged that there is a conflict within the Billing Manual that requires taxi claims to be based on the number of one-way trips, but also paid based on per-mile PUC rates. By setting the limit based only on the number of one-way trips instead of providers? PUC per-mile rate, this Department IT control is not effective at ensuring taxi claims are paid properly. To ensure accurate payments for NEMT taxi claims, the Department will need methods, such as IT controls in interChange, and clarification in the Billing Manual and Rate Schedule, to ensure taxi providers are paid based on set rates, and ensure each taxi provider is permitted. ? No IT controls to ensure required prior authorizations. Air ambulance services were paid without the Department?s prior authorization for the services because the Department does not have IT controls to ensure prior authorization before payment. If the Department does not implement IT controls to ensure appropriate prior authorizations of NEMT services, the Department will need to develop manual processes to ensure that NEMT services receive required authorization prior to paying the related claims. Lack of Department Monitoring of NEMT Services and Claims ? Insufficient methods to ensure appropriate payment and collect necessary documentation from providers that bypass the statewide brokerage. Although the Department reviewed NEMT provider supporting documentation for NEMT services in 2019, the Department did not do so in 2020 or 2021, and had no process to require the providers that bypassed the statewide brokerage to submit documentation to support their NEMT claims before they were paid. According to the Department, in September 2021, it plans to require providers in nine counties covered by the IntelliRide brokerage contract to provide and submit claims through IntelliRide; however, NEMT providers in the remaining 55 counties will be submitting NEMT claims directly to the Department. Therefore, it is important that the Department develop a process to ensure that providers in these 55 counties maintain required documentation for each claim. ? Lack of monitoring to ensure Intelliride submits accurate mileage claims and collects necessary documentation. The Department does not conduct reviews of IntelliRide?s documentation in EcoLane to ensure it submits claims for accurate mileage and maintains support for claims submitted to or paid by the Department. For example, the Department does not reconcile its NEMT claims data from interChange and IntelliRide?s EcoLane system data to ensure each claim is supported. Furthermore, the Department has never completed a file review of IntelliRide?s supporting documentation for NEMT claims, such as when the Department contracted with IntelliRide to be a regional broker prior to becoming the statewide broker. ? No method to ensure NEMT service claims are for rides for medical treatment and the least costly. The Department does not conduct any reconciliation of its interChange data on NEMT trip claims to its interChange data on Medicaid medical claims to ensure NEMT claims are only paid for recipients to access medical care. The Department also does not require confirmation from medical providers that recipients used NEMT to access necessary medical care. For example, NEMT providers told us that before the start of the IntelliRide statewide brokerage contract, they either called medical providers to confirm that the recipients? NEMT trips were to access medical appointments or collected medical providers? signatures for each NEMT trip. In addition, the Department has no controls to ensure providers that submit claims directly to the Department are providing the least costly NEMT service appropriate to each recipient, such as public transportation when it is accessible and appropriate. For example, IntelliRide instructs its staff to attempt to schedule the lowest-cost NEMT service based on recipients? mobility needs and access to public transportation; however, the Department has no such method to ensure services are the least costly when NEMT providers schedule services for recipients. As of September 2021, the Department plans to have the recipients who live in the 55 counties not served by IntelliRide begin scheduling their rides directly with the NEMT providers of their choosing, yet the Department has not developed a method to ensure recipients in these areas receive the lowest-cost services appropriate for their needs. ? Potentially insufficient Department staffing to monitor NEMT claims effectively. For Fiscal Year 2021, the Department was appropriated three full-time equivalent (FTE) staff to oversee NEMT claims; however, the Department had two vacancies in these positions from July 2020 through May 2021 that it did not fill, so there was only one Department staff overseeing NEMT and the IntelliRide statewide contract during the audit time period. In June 2021, the Department added an additional FTE staff member to assist in administering the NEMT benefit. Why do these problems matter? Likely federal recovery of funds used for improper payments. Section 25.5-4-301(2), C.R.S., states that any overpayments of claims to providers are recoverable and ?are recoverable regardless of whether the overpayment is the result of an error by the state department? an entity acting on behalf of [the department], or the provider or any agent of the provider.? Our audit identified $291,597 in known questioned costs, of which about $145,797 is the federal portion of funds that the federal government may recover. We also identified $5,180,962 in likely questioned costs, of which $2,590,480 is the federal portion of funds that could be recovered if the payments are determined to have not been appropriate. The following table shows the questioned costs and federal portions for each problem we identified. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote When providers bypass broker controls, service quality is not monitored. When the Department allows some NEMT providers to bypass the IntelliRide broker, and does not obtain documentation to support their claims, the Department is unable to monitor the services of these providers. Additionally, when the Department does not monitor providers that bypass the statewide broker, the Department is applying different and possibly inadequate standards for the providers that bypass compared to the providers that work with IntelliRide. Although the Department plans for IntelliRide to no longer be the statewide NEMT broker for all 64 counties beginning September 2021, IntelliRide will continue to administer NEMT trips for nine Front Range counties that account for the majority of NEMT trips. It is important that all NEMT trips in these counties be brokered through IntelliRide so that the Department can monitor the quality of the trips and IntelliRide?s oversight of them. Risk of fraud, waste, and abuse. When the Department pays NEMT claims that are not supported by documentation of the service, medical documentation showing NEMT was for medical treatment, or the required prior authorizations, there is a significant risk of misappropriation of federal and state funds by providers and/or recipients. In addition, the eight providers not permitted as taxis that submitted taxi claims appear to have set their own rates of payment at a significantly higher rate, since the PUC did not permit or set rates for these providers. While we did not identify confirmed fraud by recipients or providers due to a lack of supporting documentation for claims, the problems identified demonstrate waste of public funds and potential abuse of the Medicaid program. When the Department overpays Medicaid funds and pays for unallowable services, there are fewer funds available to service the recipients who need them. In addition, there is no federal or state limit on payments for NEMT services, so it is important that the Department ensure Medicaid recipients receive appropriate transportation to medical treatment, while also ensuring the Department is acting as a good steward of federal and state funds. See Schedule of Findings and Questioned Costs for chart/table Character Limit Exceeded See Statewide Single Audit Report
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-047 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-034 MEDICAID CONTROLS OVER ELIGIBILITY DETERMINATIONS Individuals and families seeking medical benefits through Medicaid must apply and provide certain information to caseworkers at their local county or an MA site, which collects required documentation for determining the applicants? eligibility. Such documentation includes the applicants? birth certificates, support for income, and the value of resources, such as wage stubs and bank account balances. Caseworkers enter the applicant-provided data into CBMS, which contains system checks for determining the applicants? eligibility to receive Medicaid benefits. These system checks include calculating and verifying income and resources for the applicants, as well as assessing and collecting fees for benefits, such as buy-in premiums. For example, CBMS will mark an applicant?s eligibility as fail if the reported income or resources exceed specific limits that are set by federal and state regulations. The Department is responsible for monitoring the local counties? and MA sites? administration of Medicaid to ensure eligibility is determined in accordance with federal and state regulations. Medicaid applicants may be eligible for retroactive eligibility, which allows new Medicaid applicants to receive coverage for up to 3 months prior to the date of one?s application. As long as the individual meets Medicaid?s eligibility requirements in the 3 months preceding their application, the Department will retroactively pay Medicaid covered expenses that individuals incurred during that timeframe. Without retroactive eligibility, benefits for Medicaid eligible individuals begin on the date the application was received by the local county or MA site. As an example, if an individual has medical expenses in March, applies for Medicaid in June, and the individual has met the eligibility requirements for 3 months preceding their application, then any unpaid Medicaid covered expenses for March, April, and May are paid by Medicaid. Eligibility data from CBMS feeds into the Colorado interChange system (Colorado interChange), which issues payments to Medicaid providers for the services they render to Medicaid beneficiaries. The Department pays Medicaid providers through two methods: (1) directly through fee-for-service (FFS) payments for specific services rendered or (2) indirectly through monthly fixed amounts known as capitation payments that are paid to managed care entities, who contract with providers for services. The monthly capitation payments are paid every month on behalf of beneficiaries regardless of whether the beneficiaries receive medical services during the month. Colorado interChange is programmed to pay the FFS and monthly capitation payments only on behalf of beneficiaries deemed eligible in Colorado interChange based on eligibility information received from CBMS and requirements specified in federal and state rules and regulations. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to review the Department?s internal controls over the Medicaid eligibility determination process, as well as to determine whether the Department complied with applicable federal and state Medicaid eligibility requirements during Fiscal Year 2020. We performed testing on a statistical sample of 125 case files related to beneficiaries who (1) were deemed eligible for Medicaid during Fiscal Year 2020 and (2) had a payment made on their behalf to a Medicaid provider between July 1, 2019, and February 29, 2020. The purpose of our testing was to determine whether the beneficiaries were appropriately determined to be eligible for Medicaid during the time they received services within this period. This audit period was selected to accommodate changes that were made to federal Medicaid eligibility requirements in March 2020 due to the COVID-19 PHE. Our testing involved reviewing Medicaid case files, CBMS data fields, and supporting documentation related to eligibility determinations and redeterminations, as well as Medicaid payment information in Colorado interChange. For each beneficiary, we determined whether the Department ensured that local county and MA site caseworkers obtained and maintained required documents supporting eligibility determinations and redeterminations, and correctly entered eligibility data into CBMS. Additionally, for each sampled beneficiary, we determined whether CBMS showed the correct income and resources, the beneficiary was enrolled in the appropriate Medicaid program, buy-in premiums were assessed, and payments were not made after eligibility had ended during Fiscal Year 2020. We also inquired about the Department?s monitoring procedures over local counties and MA sites to ensure eligibility is determined in accordance with federal and state regulations. Additionally, we reviewed the Department?s progress in implementing our Fiscal Year 2019 audit recommendation related to Medicaid eligibility. Based on the results of that audit, we recommended that the Department strengthen its internal controls over Medicaid by providing adequate training, monitoring the local counties and MA sites, and researching and resolving CBMS system issues identified in our Fiscal Year 2019 audit. STATISTICAL SAMPLING METHODOLOGY We selected a statistical sample of Medicaid beneficiaries for our review of their case files in a manner that?if we found errors?would allow us to estimate the total number of beneficiaries who were improperly deemed eligible, as well as the resulting dollar amount of Medicaid benefit payments that were improperly paid during the audit period of July 1, 2019, through February 29, 2020. We designed our sampling methodology and sample size to support statistical projections of our testing results to the population of all beneficiaries for whom payments were made during the audit period. Our methodology included the following procedures: ? We requested and received from the Department a listing of all Medicaid FFS and capitation payments with a date of service during the audit period. The data set included State identification numbers (ID), which are unique to each beneficiary. ? We summarized all Medicaid payments made during the audit period by ID and removed any IDs for which total payments and adjustments netted to $0, which can happen when the Department catches and fixes payments made in error. This resulted in a population of 1,386,220 unique IDs that had a total of $5,408,339,948 in payments made on their behalf during the audit period. ? We used a stratified random sample, as shown in the following table, consisting of six strata defined by the total amount of payments for each unique ID. We selected random samples from each strata for a total of 125 IDs that had benefit payments totaling $3,127,704. The strata and sample sizes were defined based on our risk assessment and consultations with audit sampling methodologists from the U.S. Department of Health and Human Services, Office of Inspector General (HHS OIG). ? For each sampled ID, we tested eligibility covering the dates of service for every payment made on the individual?s behalf within the audit period. ? After we concluded our testing, we used HHS OIG?s Office of Audit Services statistical software in consultation with HHS OIG to project our results to the full population of IDs for which benefits were paid during the audit period. See Schedule of Findings and Questioned Costs for chart/table. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? For 32 of the 125 Medicaid beneficiaries? case files that we tested (26 percent), we identified at least one error within each case file. In total, we identified 43 errors within the 32 case files. These errors resulted in a total of $25,120 in known questioned costs for July 1, 2019, through February 29, 2020, and $6,843 in likely questioned costs for March 1, 2020, through June 30, 2020, as shown in the following table. See Schedule of Findings and Questioned Costs for chart/table. A questioned cost, as defined in federal regulations [45 CFR 75.2 Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards (Uniform Guidance)], is ?a cost that is questioned by the auditor ? (1) Which resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds; [or] (2) Where the costs, at the time of the audit, are not supported by adequate documentation?.? Furthermore, federal regulation [45 CFR 75.516] defines known questioned costs as questioned costs that are specifically identified by the auditor and likely questioned costs as an auditor?s best estimate of total questioned costs. During the COVID-19 PHE, CMS issued waivers that limited the Department?s ability to deny eligibility for enrolled beneficiaries. The Department also sought guidance from CMS on the treatment of beneficiaries who were ineligible prior to the COVID-19 PHE but were receiving benefits during this period. CMS guidance indicated that the Department should keep these beneficiaries enrolled during the COVID-19 PHE. Therefore, we are reporting any identified questioned costs from March 1, 2020, through June 30, 2020, the period during the COVID-19 PHE, as likely questioned costs. PROJECTED LIKELY QUESTIONED COSTS FOR JULY 2019 THROUGH FEBRUARY 2020. Based on our sample, we estimate the projected Medicaid questioned costs resulting from payments made on behalf of ineligible beneficiaries in the population between July 1, 2019, and February 29, 2020, to be about $165.6 million and, with 90 percent confidence, to be at least $41.1 million but not more than $290.0 million. This projection is based on the $25,120 in known questioned costs, or misstatements, we identified in our sample during the audit period. The American Institute of Certified Public Accountants Audit Sampling, May 1, 2017, Audit Guide [AAG-SAM 4.95] advises, ?Even if the misstatement appears to be from an unusual source, that does not mean that other unusual items are not in the population and that the original sample was not representative.? In accordance with this guidance, we projected the known questioned costs to the population of payments for services that occurred from July 1, 2019, through February 29, 2020, regardless of the nature of the errors or the programs involved, since the Department is ultimately responsible for all payments made to providers on behalf of eligible beneficiaries. The projected questioned costs amount of $165.6 million is based on a statistical calculation that does not correlate to specific payments to providers or to over-expenditures of the State?s General Fund or federal funds. However, this calculation indicates that if we tested the entire population, there is a 90 percent likelihood of finding the true amount of questioned costs to be between $41.1 million and $290.0 million and the amount would most likely be close to $165.6 million in erroneous payments. There is a 5 percent chance that the true amount of questioned costs is less than $41.1 million, and a 5 percent chance the true amount is over $290.0 million. PROJECTED LIKELY NUMBER OF INELIGIBLE BENEFICIARIES FOR JULY 2019 THROUGH FEBRUARY 2020. We also estimate that 169,026 beneficiaries, or with 90 percent confidence that at least 59,622 (4.30 percent) but not more than 278,429 (20.09 percent) beneficiaries, in our total population of 1,386,220 were likely ineligible at the time they received services from July 1, 2019, through February 29, 2020. The following table summarizes the results of our projections. See Schedule of FIndings and Questioned Costs for chart/table. The following table summarizes the total known and likely questioned costs based on our case file testing and statistical sampling results for Fiscal Year 2020. See Schedule of Findings and Questioned Costs for chart/table. DETAILS OF ERRORS IDENTIFIED. In some case files, we identified multiple instances of errors. Specifically, we found the following: ? PAYMENTS AFTER ELIGIBILITY HAS ENDED. In three cases, the Department paid for services after the beneficiary?s eligibility had ended. Specifically, in two cases, the beneficiaries continued to receive benefits after their death. In the remaining case, the Department determined the beneficiary was ineligible and ended the beneficiary?s benefits; however, payments continued to be made on behalf of the beneficiary after their eligibility had ended. These issues resulted in known questioned costs of $11,102. Federal regulation [42 CFR 433.304] states that an overpayment is the amount paid by a state agency to a provider in excess of the allowable amount for furnished services. Because medically necessary services cannot be provided after a beneficiary?s death, no medical services are allowable after a beneficiary?s death. Accordingly, payments for medical services claimed to have been provided after a Medicaid beneficiary?s death are overpayments. According to federal regulation [42 CFR 431.958], ?Improper payment means any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements; and includes any payment to an ineligible beneficiary, any duplicate payment, any payment for services not received, any payment incorrectly denied, and any payment that does not account for credits or applicable discounts.? ? INELIGIBLE FOR PROGRAM. In one case, the beneficiary was ineligible for the benefits received under Medicaid?s Social Security Income (SSI) mandatory program, which is a medical assistance program provided to persons eligible for financial assistance under SSI from the Social Security Administration (SSA). As a result of an eligibility redetermination, the caseworker determined that the beneficiary had not been eligible for the program since January 2019; however, the beneficiary received benefits under this program for the entire fiscal year. This issue resulted in known questioned costs of $8,326 and likely questioned costs of $4,132 for Fiscal Year 2020. State regulations [10 CCR 2505-10, 8.100.6.C.1a. and b.] state that Medicaid benefits must be provided to persons receiving financial assistance under SSI or persons who are eligible for financial assistance under SSI, but are not receiving SSI. ? INCOME ISSUES. We identified the following income-related issues: ? INCOME EXCEEDING THRESHOLD. In two cases, CBMS incorrectly calculated the beneficiaries? income. CBMS used income information reported by the beneficiary when it should have used electronic income information received through an interface with another system. If CBMS had correctly used the electronic income information, beneficiaries? income would have been over the limit set by federal regulation and the beneficiaries, therefore, should have been denied benefits at their redetermination. Instead, the beneficiaries were approved at their redeterminations and Colorado interChange paid claims on their behalf. These errors resulted in known questioned costs of $4,613 and likely questioned costs of $2,281. ? INCOME NOT VERIFIED. In one case, the caseworker did not verify income for the beneficiary. Specifically, the beneficiary reported income on the application, but the caseworker was unable to verify the income and deleted the income record from CBMS. This error resulted in known questioned costs of $779 and likely questioned costs of $280. ? INCORRECT INCOME THRESHOLD. In one case, CBMS used the incorrect income threshold for the beneficiary?s eligibility determination. The beneficiary?s income was less than the correct income threshold and, therefore, this error did not result in questioned costs. ? INCORRECT INCOME. In three cases, the caseworker used the incorrect income amount to determine eligibility. Specifically, in two cases, the caseworker excluded income when it should have been included for determining eligibility. In the remaining case, the caseworker did not include expenses to calculate self-employment income and, as a result, the caseworker overstated income for determining eligibility. No questioned costs were identified in these instances because the beneficiaries? income was still within federal and state income guidelines. Federal regulation [42 CFR 435.119] requires household income to be at or below 133 percent threshold of the federal poverty level and the State regulation [10 CCR 2505-10, 8.100.6.L.2.c] requires qualified beneficiary?s income to be at or below the federal property level. Federal regulation [42 CFR 435.914] requires the Department to obtain and maintain documentation to support each beneficiary?s Medicaid eligibility determination. State regulation [10 CCR 2505-10, 8.100.5.B.1.c] requires the caseworker to verify earned income in determining whether an individual qualifies for medical assistance and requires the Department to verify income reported by a beneficiary through an electronic data source, wage stubs, tax documents, or verification with the employer. State regulation [10 CCR 2505-10, 8.100.3.K.8.a] requires business expenses to be deducted from countable self-employment income when calculating Medicaid applicants? self-employment income. ? MISSING REDETERMINATION. In one case, the Department did not complete the annual redetermination for the beneficiary as required by the federal regulation. Specifically, the beneficiary had Medicaid payments paid on their behalf during the entire Fiscal Year 2020; however, the beneficiary had not been redetermined since April 2018 due to the beneficiary showing as ineligible in CBMS. This issue resulted in known questioned costs of $300 and likely questioned costs of $150. Federal regulation [42 CFR 435.916(a)] requires the Department to renew or redetermine Medicaid eligibility once every 12 months but no more frequently than once every 12 months. ? BUY-IN PREMIUMS NOT ASSESSED. In one case, the Department did not assess buy-in monthly premiums for the beneficiary. Beneficiaries are required to pay buy-in premiums to receive benefits under the Buy-in Working Adults with Disabilities program. Therefore, the beneficiary was not eligible for the Program during November 2019 through February 2020. The beneficiary did not have any claims submitted by providers during this time and therefore, this issue did not result in questioned costs. State regulations [10 CCR 2505-10, 8.100.6.P.1.f] require individuals to pay monthly premiums on a sliding scale based on income for the Buy-in Working Adults with Disabilities program to be eligible to receive benefits. ? INAPPROPRIATE CHANGE TO ELIGIBILITY. In two cases, the Department did not determine eligibility in accordance with state regulation. Specifically, the beneficiaries provided information to the Department that changed their eligibility and the caseworkers applied the change retroactively; these beneficiaries were current Medicaid beneficiaries rather than new applicants and state regulations do not allow eligibility to be changed retroactively for current beneficiaries. These issues did not result in questioned costs. State regulation [10 CCR 2505-10, 8.100.3.E] requires that retroactive eligibility only be provided to new applicants for the prior 3 months preceding the date of application. State regulations do not allow for retroactive redeterminations to existing beneficiaries.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-048 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-035 MEDICAL ASSISTANCE PAYMENTS FOR DECEASED BENEFICIARIES As a safeguard against potential errors and fraud, state and local agencies need to be vigilant in preventing payments for medical services on behalf of ineligible individuals, such as those who are deceased. In general, the Department, local counties, and MA sites share responsibility for ensuring that only eligible beneficiaries receive public assistance benefits under Medicaid and CBHP. Local counties and MA sites caseworkers enter the required data for eligibility determination into CBMS, which either approves or denies eligibility for MA benefits. In addition, CBMS has various system interfaces to confirm and update the eligibility information in CBMS, including the date of death. Eligibility data in CBMS feeds daily into Colorado interChange and the Department pays providers through two methods: (1) FFS payments to medical service providers for specific services, including pharmacy prescriptions, and (2) capitation payments. The monthly capitation payments are paid at the beginning of each month regardless of whether the providers serve beneficiaries during the month or not. FFS payments are only made for Medicaid beneficiaries while capitation payments are made for both Medicaid and CBHP beneficiaries. Colorado interChange is programmed to pay FFS and monthly capitation payments only on behalf of beneficiaries that are deemed eligible based on eligibility information received from CBMS and requirements specified in federal and state regulations. CBMS receives beneficiary death information through various sources, including updates from beneficiaries? family members, daily interfaces with the SSA, and a monthly interface with the Colorado Electronic Death Registration System maintained by the Colorado Department of Public Health and Environment (CDPHE). If death information received in CBMS has not been verified, the Department will confirm the death information by sending notification letters to the deceased beneficiary. Once the death information is verified, CBMS is programmed to terminate the beneficiary?s eligibility as of the date of death. On a daily basis, CBMS then sends updated beneficiary eligibility and date of death information to Colorado interChange, which is programmed to run a daily automated process to stop payments, check for payments, and recover all FFS and capitation payments made after the beneficiary?s verified date of death. In the majority of cases, there is a delay between when the beneficiary dies and when the Department receives death information, verifies the date of death, and terminates benefits; which means that claims may be paid on behalf of deceased beneficiaries for a period of time. Per federal regulations, the Department is required to recover any payments made on behalf of these beneficiaries after their date of death. Once the Department receives verified death information, overpayments are recovered through an automated process in Colorado interChange. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over Medicaid and CBHP payments related to beneficiaries who die while receiving benefits, to determine whether the Department complied with applicable federal and state requirements, and whether payments were only made on behalf of eligible beneficiaries during Fiscal Year 2020. During our audit, we received a listing of all Coloradans who died during Fiscal Year 2020, including dates of death, from CDPHE staff. We also obtained a listing from the Department of all Medicaid and CBHP payments made to providers during Fiscal Year 2020. We compared the two listings using Social Security Numbers (SSN) and identified 1,059 Medicaid and CBHP IDs that had Medicaid payments totaling $429,951 made on their behalf and $194 in CBHP payments made on their behalf. In addition, we reviewed the Department?s processes, policies, and procedures for identifying, stopping, and recovering payments for deceased beneficiaries. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? Federal regulation [42 CFR 431 Subpart Q, Requirements for Estimating Improper Payments in Medicaid and CHIP] states that any payment to an ineligible beneficiary is considered an improper payment, which is any payment that should not have been made or that was made in an incorrect amount. Also, Section 25.5-4-301(2), C.R.S., requirements for Medicaid and CBHP, states that any overpayments of claims to providers are recoverable. These overpayments ?are recoverable regardless of whether the overpayment is the result of an error by the state department, a county department of human or social services, an entity acting on behalf of either department, or by the provider or any agent of the provider.?? Additionally, Section 25.5-4-301(2)(a)(II), C.R.S., states, ?If the state department makes a determination that such overpayment has been made for some other reason than a false representation by the provider?, the state department may waive the recovery or adjustment of all or part of the overpayment and accrued interest specified in this subparagraph (II) if it would be inequitable, uncollectible or administratively impracticable?.? Because medically necessary services cannot be provided after a beneficiary?s death, no medical services are allowable after a beneficiary?s death and, accordingly, payments for medical services claimed to have been provided after a beneficiary?s death are overpayments and should be recovered. Pursuant to 1903(d)(2)(C) of the Social Security Act [42 U.S.C. 1396b] requirements for Medicaid and CBHP, states have up to 1 year from the date of discovery of any overpayment to recover or attempt to recover the overpayment before the federal share must be refunded to CMS, regardless of whether or not recovery is made from the provider. According to federal regulation [45 CFR 75.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. Green Book, Paragraph 16.01, states that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. A questioned cost, as defined in Uniform Guidance [45 CFR 75.2], is ?a cost that is questioned by the auditor ? (1) Which resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds; [or] (2) Where the costs, at the time of the audit, are not supported by adequate documentation?.? Additionally, federal regulation [45 CFR 75.516] defines known questioned costs as questioned costs that are specifically identified by the auditor and likely questioned costs as the auditor?s best estimate of total questioned costs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We found that the Department made Medicaid and CBHP payments to providers for medical services claimed to have been rendered to Medicaid and CBHP beneficiaries after the months in which beneficiaries died. Specifically, the Department made payments on behalf of 1,059 beneficiaries after their date of death provided by CDPHE, resulting in overpayments of $185,265, of which $96,952 were paid with federal grant funds, as follows: MEDICAID FFS PAYMENTS. We identified 277 Medicaid beneficiaries whose SSN matched a death record from CDPHE and who had Medicaid FFS payments totaling $207,667 paid on their behalf to providers after their date of death. We reviewed payments for 21 of the 277 Medicaid beneficiaries and confirmed with the Department that 17 of the 21 beneficiaries (81 percent) were deceased and had payments made on their behalf after their date of death during Fiscal Year 2020. We also found that the Department had not recovered these improper FFS payments to ineligible beneficiaries as of the end of Fiscal Year 2020 and, therefore, these errors resulted in known questioned costs of $17,041, of which $8,654 was paid with federal grant funds. For the remaining four Medicaid beneficiaries, the Department researched and provided evidence that the beneficiaries were not deceased. Therefore, these four beneficiaries did not result in questioned costs. The remaining 256 beneficiaries whose SSN matched a death record from CDPHE and need to be researched and verified resulted in likely questioned costs of $77,840, of which $41,422 was paid with federal grant funds. MEDICAID AND CBHP CAPITATION PAYMENTS. We identified 846 Medicaid and CBHP beneficiaries whose SSN matched a death record from CDPHE and who had capitation payments paid on their behalf to providers after their date of death that had not been recovered as of the end of Fiscal Year 2020, totaling $222,630 for Medicaid and $194 for CBHP. We informed the Department of the issues we identified and provided them with the list of 846 beneficiaries. Department staff performed additional follow-up and confirmed that Colorado interChange had received verified death records for 747 of the 846 beneficiaries and a total of $170,747 in provider payments had been made on the beneficiaries? behalf after their dates of death during Fiscal Year 2020. These payments resulted in known questioned costs of $168,224, of which $88,150 was paid with Medicaid federal grant funds and $148 was paid with CBHP federal grant funds. For 12 out of the 747 beneficiaries, the date of death reported in Colorado interChange differed from the date of death provided by CDPHE. Part of the payments to these beneficiaries resulted in likely questioned costs of $2,524, of which $1,401 was paid with Medicaid federal grant funds. For the remaining 99 of the 846 beneficiaries, the Department reported that Colorado interChange did not have death information for these beneficiaries and had not researched these further. As a result, Medicaid payments for these 99 beneficiaries are reported as likely questioned costs of $52,076, of which $28,508 was paid with federal grant funds. The following table summarizes the issues we identified. See Schedule of Findings and Questioned Costs for chart/table. WHY DID THESE PROBLEMS OCCUR? Overall, the Department lacked sufficient internal controls to ensure that medical assistance payments were not paid to deceased individuals during Fiscal Year 2020, as follows: ? LACK OF WRITTEN POLICIES AND PROCEDURES. The Department does not have written policies and procedures to monitor payments to deceased beneficiaries, to recover overpayments, and to ensure compliance with federal and state regulations related to medical assistance payments after a beneficiary?s date of death. ? SYSTEM ISSUES. We identified the following Colorado interChange system issues that caused the errors we identified: ? According to the Department, when Colorado interChange was implemented in 2017, it was programmed to only recover capitation payments in the current month and previous 2 months for Medicaid beneficiaries, and in the current month and previous 5 months for CBHP beneficiaries, after death information is received. As a result, for instances in which the Department received and verified beneficiaries? death information more than 3 months after the date of death for Medicaid and more than 6 months after the date of death for CBHP, the Department was not automatically recovering all improper capitation payments in accordance with federal and state regulations. According to the Department, in November 2020, the Department updated Colorado interChange to correct this system issue to recover all capitation payments after a beneficiary?s date of death. ? The Department lacks an effective internal control process for detecting when Colorado interChange is not recovering payments made on behalf of deceased beneficiaries. Specifically, we identified issues related to Medicaid FFS payments and followed up with the Department. Upon further review, the Department discovered a system defect that occurred from October 23, 2019, through April 23, 2020, which prevented Colorado interChange from carrying out the daily automated check and recovery process for FFS payments made on behalf of deceased beneficiaries. Due to this system defect, Colorado interChange did not recover any payments for deceased beneficiaries during this time. Although the system defect was fixed in April 2020, the Department was not aware of the issue and that payments were not being recovered for deceased beneficiaries until the Department researched the beneficiaries identified through the audit. According to the Department staff, as of May 2021, the Department was still researching the deceased beneficiaries impacted by the system defect and recovering payments. WHY DO THESE PROBLEMS MATTER? Without strong internal controls over Medicaid and CBHP eligibility, the Department increases the risk of improper payments due to fraud or error. Furthermore, making payments on behalf of ineligible individuals, including individuals who are deceased, can result in the Department having to repay the federal government for the federal portion of the overpayments. Additionally, the federal government can disallow federal funds for program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-035 The Department of Health Care Policy and Financing should improve its internal controls over Medicaid and Children?s Basic Health Plan (CBHP) payments for deceased beneficiaries by: A Establishing and implementing written policies and procedures to monitor payments to deceased beneficiaries, recover any overpayments, and to ensure compliance with state and federal regulations. B Researching and resolving the Colorado interChange system (Colorado interChange) issues to ensure that all Medicaid and CBHP payments are stopped and recovered after a beneficiary?s date of death and developing a process to detect when Colorado interChange is not recovering payments on behalf of deceased beneficiaries. C Researching and recovering any overpayments made to providers on behalf of ineligible beneficiaries noted through the audit in accordance with state requirements. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will create written procedures documenting system and monitoring processes used to prevent claims from paying after a beneficiary?s date-of-death is verified. In addition, the procedures will document the processes used to recover payments made between a beneficiary?s verified date-of-death and the date the Colorado interChange system is updated with the date-of-death. B AGREE. IMPLEMENTATION DATE: JULY 2022. The system issues described in this audit were resolved as of April 2020 for fee-for-service claims and November 2020 for capitation payments. Once a beneficiary's date-of-death is verified, payments that were made after to the date-of-death will be recovered through the Department's existing processes. As noted in the Department?s response to Recommendation (A), the Department will create written procedures documenting system and monitoring processes used to prevent claims from paying after a beneficiary?s date-of-death is verified. In addition, the procedures will document the processes used to recover payments made between a beneficiary?s verified date-of-death and the date the Colorado interChange system is updated with the date-of-death. AUDITOR?S ADDENDUM As noted in the finding, the Colorado interChange system defect did not recover payments from October 23, 2019, through April 23, 2020. However, the Department was not aware of the system defect until it researched the beneficiaries identified through the audit. According to Department staff, as of May 2021, the Department was still researching the beneficiaries that were impacted by the system defect and recovering payments. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will recover any overpayments made to providers on behalf of deceased beneficiaries once a beneficiary's date-of-death is verified based on our current processes and existing system functionality. The Department does not agree to the questioned costs identified by the auditors. When performing a review of the auditor?s data, several beneficiaries were found not to be deceased by the Department. The records provided by the auditors, like all records received from Colorado Department of Public Health and Environment (CDPHE) and the Social Security Administration (SSA), will go through the Department?s existing verification process. The Department performs the required research and outreach to beneficiaries to verify the date-of-death prior to updating the information in the Colorado interChange. In addition, the Department is not required to recover payments by the end of the state fiscal year, and reports any payments recovered to the Centers for Medicare and Medicaid Service (CMS) based on federal requirements. The Department?s source of beneficiary data, the verification processes, and recovery processes have already been established to satisfy this recommendation within federal guidelines. AUDITOR?S ADDENDUM As noted in the finding, all known questioned were for deceased beneficiaries that were verified by the Department. All likely questioned costs were for beneficiaries that had yet to be researched and verified by the Department. According to Department staff, as of May 2021, the Department was still researching and recovering payments made on behalf of deceased beneficiaries.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-041 Medicaid Eligibility?Social Security Numbers associated with Multiple State IDs Each beneficiary?s Medicaid application must contain specific information, including the beneficiary?s Social Security Number (SSN), a copy of their birth certificate, and support for their income, necessary for determining their Medicaid eligibility. The local counties and MA sites are responsible for administering the benefits application process, including entering the required data for eligibility determination into CBMS, and approving or denying applicants? eligibility. CBMS is a shared eligibility system between the Department and the Department of Human Services. As each beneficiary has one SSN, similarly, the State Identification Module (SIDMOD), which is managed by the Office of Information Technology (OIT), is designed to assign a unique State ID for each beneficiary. CBMS interfaces with Colorado interChange, the Department?s Medicaid claims payment system, on a daily basis to update eligibility information, such as a beneficiary?s eligibility status or termination of benefits in Colorado interChange. Colorado interChange uses this information to process and pay claims for services provided to eligible Medicaid beneficiaries. When a medical provider submits a claim to the Department, Colorado interChange checks the State ID and the date of birth, but not the SSN, submitted with the claim against the beneficiary?s information on file. If the State ID and the date of birth match an eligible beneficiary within Colorado interChange and the claim is otherwise appropriate, then the claim will be processed and paid through the system. The Department requires local counties or MA site caseworkers to call the OIT Service Desk to obtain approval for changing or updating an SSN in CBMS. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department made claims payments on behalf of beneficiaries with the same SSN but different State IDs, including assessing the Department?s progress in implementing our Fiscal Year 2019 recommendation related to this issue. At that time, we recommended that the Department improve its internal controls in this area to ensure that it complies with federal regulations regarding Medicaid eligibility. The Department agreed with the Fiscal Year 2019 recommendation and, during our Fiscal Year 2021 audit, reported that it had implemented this recommendation as of December 2020. As part of our testing, we reviewed the internal controls the Department had in place during Fiscal Year 2021 to identify any beneficiaries whose SSN is linked to more than one State ID in Colorado interChange. During our audit, we requested a list of all Medicaid claims that were submitted by providers and paid by the Department from December 1, 2020, through June 30, 2021, including the beneficiaries? names, SSNs, and State IDs. The Department provided a list that included approximately 924,000 beneficiaries who received benefits during that period. We analyzed this listing to identify any beneficiaries whose SSN was linked to more than one State ID, and to determine if any claims payments were made on behalf of those beneficiaries from December 2020 through June 2021. How were the results of the audit work measured? Federal regulation [42 CFR 435.910] states that the Department must require, as a condition of eligibility, that each individual (including children) seeking Medicaid services furnish a SSN. Federal regulation [42 CFR 435.914] further requires the Department to obtain and maintain documentation to support each beneficiary?s Medicaid eligibility determination. Federal regulation [42 CFR 447.56(e)(2)] states that federal funding will not be provided for payments made by the Department to providers for services provided on behalf of individuals who are not eligible for Medicaid. Further, the Department is required by federal regulations to repay the federal government the federal share of any overpayments within one year. Specifically, pursuant to 1903(d)(2)(C) of the Social Security Act [42 U.S.S. 1396b], states have up to one year from the date of discovery of the overpayment to recover or attempt to recover the overpayment before the federal share must be refunded to CMS regardless of whether recovery is made from the provider. According to federal regulation [45 CFR 75.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office. Under Paragraph 16.01 of the Green Book, the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. What problem did the audit work identify? We determined that the Department has not fully implemented the prior audit recommendation. During our testing, we identified 102 unique SSNs that appeared to be inappropriately associated with more than one State ID; in total, the 102 SSNs were tied to 209 State IDs. This could indicate that the Department determined eligibility without a beneficiary furnishing the correct SSN and, as a result, made claims payments on behalf of ineligible beneficiaries or the SSNs could be valid, but with more than one State ID, a provider could submit and have a claim paid for the same services under both State IDs. Specifically, we found the following: ? For 62 SSNs, the SSNs were tied to beneficiaries with more than one State ID, totaling 129 different State IDs, where the State IDs appeared to be for different people based on the names and/or dates of birth. ? For 40 SSNs, the SSNs were tied to beneficiaries with more than one State ID, totaling 80 different State IDs, where the State IDs had the same name and date of birth. ? For 99 SSNs, each SSN was tied to two different State IDs in Colorado interChange. ? For three SSNs, each SSN was tied to more than two different State IDs in Colorado interChange. For example, in one of the three instances, there were five different State IDs associated with one invalid SSN. These issues affected a total of 209 Medicaid State IDs that had not been corrected as of June 2021, representing a total of $67,235 Medicaid claims paid through Colorado interChange from December 2020 through June 2021. We provided the list of SSNs and State IDs to the Department to research. The Department found that, as of the end of our audit in April 2022, 59 out of the 102 SSNs identified during the audit had been corrected by a caseworker, but 43 SSNs need to be corrected in CBMS. The Department reported that these 43 SSNs had been flagged through a system edit in CBMS implemented in December 2020; however, the SSNs had not yet been corrected because ?To merge or correct [the SSNs and State IDs] is a time intensive process and must be prioritized within the business process of the [local counties and] Medical Assistance sites.? Although the Department was able to determine which SSN and State ID discrepancies had been corrected in CBMS as of April 2022, the Department has not completed its research to determine which claims made in Colorado interChange were made on behalf of beneficiaries with a correct SSN, and whether the implemented system edit appropriately addresses the issues identified in both Fiscal Years 2019 and 2021. As of the end of the audit, the Department had not completed this research and we were unable to determine whether the payments were made on behalf of beneficiaries with a valid SSN at the time payments were made. Therefore, we consider all $67,235 of the payments to be known questioned costs; $37,786 of these costs were paid with federal grant funds. A questioned cost, as defined in federal regulations [45 CFR 75.2 Uniform Administrative Requirements, Cost Principles, and Audit Requirements] (Uniform Guidance), is ?a cost that is questioned by the auditor ? (1) Which resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds; [or] (2) Where the costs, at the time of the audit, are not supported by adequate documentation?.? We have identified these questioned costs as known questioned costs that are further defined in Uniform Guidance [45 CFR 75.516] as questioned costs that are specifically identified by the auditor. Why did this problem occur? The Department did not have adequate internal controls in place during Fiscal Year 2021 to prevent or detect all instances of multiple State IDs associated with the same SSN in Colorado interChange and, as a result, could not ensure only eligible beneficiaries received Medicaid services. SIDMOD does not prevent several situations that can result in the same SSN with more than one State ID. For example, caseworkers could incorrectly input an SSN into CBMS or the SSN could be reported by the beneficiary incorrectly and, as a result, cause a new State ID to be created. There can also be instances when someone changes their name, such as when they get married, and apply for benefits prior to getting married and also after getting married, which could cause two State IDs to be created. If someone starts an application and does not finish the application and then restarts a new application at a later date, this can also cause two State IDs to be created. Further, when inputting multiple family members into the system, an input error of the SSN can occur with multiple family members with the same SSN, which would create multiple State IDs (one for each family member) with the same SSN. According to the Department, in order to implement the Fiscal Year 2019 recommendation, it implemented a system edit in CBMS in December 2020 that is designed to identify discrepancies in newly-entered or updated SSNs and State IDs in CBMS after that date and to then notify the caseworker so the caseworker can address the discrepancy; this edit was not designed to address SSN and State ID discrepancies that existed prior to December 2020. As a result, the system edit did not identify SSN and State ID discrepancies for claims made from December 2020 to June 2021 if those discrepancies existed prior to the implementation of the system edit in CBMS and the beneficiaries? information had not been updated in CBMS. For example, if a beneficiary had an incorrect SSN prior to the system edit and was, therefore, ineligible to receive Medicaid services, Colorado interChange would continue paying claims on behalf of the beneficiary until information was updated in CBMS and the beneficiary was determined to be ineligible for Medicaid. Because the system edit implemented in CBMS is only designed to detect and correct future SSN and State ID discrepancies, the Department has not fully addressed the issue of inappropriate claims payments that we identified in the prior audit recommendation. According to the Department, addressing SSN and State ID discrepancies that existed prior to December 2020 involves a manual process to identify, research, and resolve the discrepancies. The Department stated that a report to identify SSNs with multiple State IDs is being developed and is currently scheduled for deployment in June 2023. Furthermore, the Department has not established a monitoring process over caseworkers to ensure SSN and State ID discrepancies are addressed appropriately and in a timely manner. Why does this problem matter? Failing to institute appropriate controls over the processing of Medicaid eligibility can result in the counties and MA sites granting Medicaid benefits to ineligible individuals. As the state Medicaid agency, it is essential for the Department to ensure that Medicaid benefits are paid only for eligible beneficiaries. This includes ensuring that the Department has sufficient internal controls to address risks related to multiple State IDs associated with the same SSN. For example, without adequate controls in place to prevent multiple State IDs from being created, providers could erroneously or fraudulently submit duplicate claims under these State IDs for the same services, resulting in improper payments. Ultimately, the federal government may disallow federal funds for Medicaid program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. Recommendation 2021-041 See Schedule of Findings and Questioned Costs for chart/table The Department of Health Care Policy and Financing (Department) should improve its internal controls over Medicaid eligibility by: A. Researching the claims payments that were identified during our audit to determine whether the local counties or Medical Assistance sites had a valid Social Security Number (SSN) when determining eligibility, if payments were appropriate?in accordance with federal regulation at the time the payments were made?and recovering any payments made to providers on behalf of ineligible beneficiaries in accordance with federal regulations. B. Continuing to develop a report to identify SSNs associated with multiple State IDs and establishing and implementing written policies and procedures outlining how the Department will use the report to effectively monitor and correct SSN and State ID discrepancies. C. Implementing a process to monitor that caseworkers are addressing the Colorado Benefits Management System alerts related to SSN and State ID discrepancies appropriately and in a timely manner. Response Department of Health Care Policy and Financing A. Disagree The research required to identify the appropriateness of payments for 102 SSNs compared to the 1.6 million Coloradans the Department serves is administratively impractical and not an efficient use of limited state resources. Instead the Department will continue our existing proactive approach. Based on previous research, 92% of errors noted in the 2019 sample actually supplied a SSN or met exceptions criteria; therefore, payments were appropriate. The resolution of a SSN discrepancy is addressed through manual intervention by county eligibility technicians when identified through the system edit implemented in December 2020. The Department will continue the existing process to address duplicate SSNs, which is working since 58% of the SSNs had already been corrected through the existing process during the audit work. The Department could not agree to the questioned costs as the testing failed to determine which member case was incorrect. The OSA should have documented the incorrect case or identified which State IDs had not been merged through the existing process. The OSA pulled claims data (not Colorado Benefits Management System, or CBMS, cases) and did not identify if those claims were from newly entered cases or cases entered prior to December 2020. The auditor?s sample should have only included the cases impacted by the Department?s system change related to the original recommendation. Further, the Department cannot recover any payments from providers since this issue is not related to services provided. When a provider checks a member's eligibility on the day of service and finds the member eligible through the Department?s system, that provider is guaranteed payment if they render an authorized service. Auditor?s Addendum Our responsibility under federal audit regulations is to report to the federal government when we identify Medicaid payments that may not have been made on behalf of eligible individuals or that we ?question? as appropriate. It is ultimately the Department?s responsibility to perform research over questioned costs to determine whether the payments were or were not appropriate and, working with CMS, whether the Department must refund the federal share of any overpayments to CMS, regardless of whether the Department recovers the payments from the providers. B. Agree Implementation Date: June 2023 The Department will continue our existing proactive approach to minimize this issue. The resolution of a SSN discrepancy is addressed through manual intervention by county eligibility technicians when identified through the system edit implemented in December 2020. The Department will continue the existing process to address duplicate SSNs. The Department has already made significant progress to monitor CBMS through the use of CBMS monitoring dashboards. These dashboards allow the Department to monitor and perform daily analysis. The Department meets bi-weekly to discuss findings and next steps to resolve any issues identified through the dashboard. These dashboards are being implemented over time as areas of improvements are identified. As part of the Department's continual improvement strategy, SSN discrepancy reports are included in the next implementation phase of the monitoring dashboards scheduled for June 2023. The Department will develop and implement policies and procedures outlining how the report will be used to effectively monitor and correct SSN and State ID discrepancies. Once that work is complete, the Department will send updated written guidance to our county and medical assistance sites on how to use system edits, reports, and dashboards to resolve duplicate SSNs. C. Agree Implementation Date: June 2023 The Department will continue our existing proactive approach to minimize this issue. The resolution of a SSN discrepancy is addressed through manual intervention by county eligibility technicians when identified through the system edit implemented in December 2020. The Department will continue the existing process to address duplicate SSNs. The Department has already made significant progress to monitor CBMS through the use of CBMS monitoring dashboards. These dashboards allow the Department to monitor and perform daily analysis. The Department meets bi-weekly to discuss findings and next steps to resolve any issues identified through the dashboard. These dashboards are being implemented over time as areas of improvements are identified. As part of the Department's continual improvement strategy, SSN discrepancy reports are included in the next implementation phase of the monitoring dashboards scheduled for June 2023. Once that work is complete, the Department will send updated written guidance to our county and medical assistance sites on how to use system edits, reports, and dashboards to resolve duplicate SSNs appropriately and in a timely manner.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2020-051 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-038 PRESUMPTIVE ELIGIBILITY Colorado?s presumptive eligibility program is designed to give immediate, temporary medical coverage to children under 19 and pregnant women while they wait for a regular Medicaid or CBHP eligibility determination. Though there are fewer eligibility requirements for presumptive eligibility in comparison with regular Medicaid or CBHP coverage, beneficiaries must submit a Medical Assistance application (Application) and meet certain criteria to be eligible. To manage the application process and help ensure that only people meeting the basic eligibility criteria are enrolled in presumptive eligibility programs for children and pregnant women, the Department partners with clinics, health care centers, and community resource centers that are certified as presumptive eligibility sites (PE sites). Such PE sites must be re-certified by the Department every 2 years to maintain their active status as qualified PE sites in order to process presumptive eligibility. As part of the re-certification process, the Department conducts a sample of eligibility case reviews. During Fiscal Year 2020, there were 57 PE sites that together determined presumptive eligibility for 1,795 Medicaid cases and 875 CBHP cases. The process of enrolling an applicant into a presumptive eligibility program begins when a caseworker at a PE site collects minimum information needed to determine presumptive eligibility, including the applicant?s name, age, residency, citizenship, and income. The caseworker enters this information into CBMS, which determines whether the applicant is eligible to receive Medicaid or CBHP temporary benefits. If the applicant is deemed presumptively eligible, then CBMS feeds relevant data to Colorado interChange, which issues payments to CBHP and Medicaid providers on behalf of these beneficiaries. If the applicant?s reported information is not in compliance with state and federal requirements, CBMS is programmed to deny the eligibility and mark the applicant?s eligibility as fail within CBMS. As a result, the applicant would not be eligible to receive any payments on their behalf through Colorado interChange. Once an applicant?s presumptive eligibility has been determined, the PE site submits the Application along with a transmittal form detailing the beneficiary?s reported information to the appropriate local county or designated MA site, which then completes the application process to determine regular (i.e., not presumptive) eligibility for Medicaid or CBHP benefits. Once the applicant is enrolled in the regular Medicaid or CBHP program, the individual?s presumptive eligibility benefits should end. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to review the Department?s internal controls over the processing of presumptive eligibility for Medicaid and CBHP programs, as well as to determine whether the Department complied with the applicable federal and state requirements for Fiscal Year 2020. During our internal controls testing, we reviewed all 57 PE sites to determine whether they were due for re-certification and were appropriately re-certified to process presumptive eligibility by the Department during the fiscal year. Out of 57 PE sites, 39 were due for re-certification during Fiscal Year 2020. We also reviewed the Department?s case reviews of the presumptive eligibility determinations processed by 13 staff at five out of the 39 PE sites due for re-certification during Fiscal Year 2020 to determine whether reviews were performed and if the appropriate training was provided for those PE sites? staff that failed the Department?s review. The PE site?s staff fails the Department?s case reviews if the Department identifies a high amount of presumptive eligibility determination errors in accordance with federal and state requirements. If the PE site?s staff fails the review, the Department requires the staff to undergo customized Department training over the areas they failed within 6 months of the review. We also made inquiries with Department staff regarding their policies and procedures over monitoring of these PE sites and reviewed the Department?s process of case file reviews. In addition, we randomly selected a sample of 20 Medicaid and 20 CBHP cases for individuals who were deemed presumptively eligible by the Department during Fiscal Year 2020 to determine whether the Department complied with federal Medicaid and CBHP presumptive eligibility requirements. Our testing included reviewing the related supporting case file documentation, as well as the CBMS data fields related to presumptive eligibility determinations and payment information in Colorado interChange. The process followed for presumptive eligibility determination is the same for both Medicaid and CBHP, and therefore our testing was used to determine compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal and state regulations regarding Medicaid and CBHP presumptive eligibility requirements during Fiscal Year 2020. We noted issues regarding the Department?s timeliness of PE sites? re-certifications, failure to timely end beneficiaries? presumptive eligibility, a lack of review of PE sites, and missing documentation. Additionally, we found CBMS system issues related to the determination of applicant?s presumptive eligibility. Specifically, we identified the following: ? UNTIMELY END OF PRESUMPTIVE ELIGIBILITY. In eight out of 20 Medicaid (40 percent) and seven out of 20 CBHP (35 percent) cases, we found that the Department did not properly end presumptive eligibility within CBMS as required by the federal regulation. For example, in one CBHP case, the beneficiary?s presumptive eligibility did not end until 57 days after the beneficiary was determined to be eligible for regular CBHP benefits. Federal regulation [42 CFR 435.1101)] states that presumptive eligibility should end the day on which a decision is made on the application for Medical Assistance or the last day of the month following the month in which the determination of presumptive eligibility was made. ? LAPSED CERTIFICATIONS OF PE SITES. We found that five of the 57 PE sites (9 percent) were not re-certified within 2 years, as required, during Fiscal Year 2020, and therefore, were not qualified to make presumptive eligibility determinations after their re-certification due date had passed. Based on inquiry with the Department, these five PE sites processed a total of 314 presumptive eligibility determinations for Medicaid and CBHP after their re-certification due date during Fiscal Year 2020. The Department was unable to provide the total payments made on behalf of these beneficiaries during the presumptive eligibility period as of June 30, 2020, since these payments are not separately identified from regular Medicaid or CBHP payments in the system. As a result, we were unable to determine the amount of questioned costs the Department paid for these individuals during Fiscal Year 2020. State regulation [10 CCR 2505-10, 8.100.4.F (3)] requires the Department to re-certify the PE sites every 2 years to remain an approved site. ? LACK OF REVIEW OF PE SITES. We found several issues with the Department?s review of PE sites. Specifically we found the following: ? For 13 out of the 39 PE sites due for re-certification and a review (33 percent), the Department did not perform any case reviews to ensure that presumptive eligibility determinations were being made appropriately and in accordance with state and federal regulations by the PE site staff during Fiscal Year 2020. ? 11 of 13 staff at three PE sites (85 percent) failed the Department?s review of presumptive eligibility determinations during the fiscal year. However, the Department was unable to provide adequate evidence that it provided training to these staff within 6 months of their failed reviews, as required by Department processes. ? Currently, for all 57 PE sites, the Department conducts reviews every 2 years, but only requires them to retain eligibility documentation for 1 year. As a result, the Department is able to monitor PE site?s eligibility determinations for only half of the period since the last review, leaving the other half unmonitored. Federal regulation (42 CFR 435.1102(b)(3)) requires the Department to ?establish oversight mechanisms to ensure that presumptive eligibility determinations are being made consistent with the statute and regulations?. According to the Department processes, staff are to review a sample of presumptive eligibility cases at PE site every 2 years when reviewing sites for re-certification. If a PE site?s staff fails a review, the Department requires the staff to undergo customized Department training within 6 months over the areas they failed. Green Book, Section 2, Paragraph OV2.02, states that the Green Book applies to all of an entity?s objectives: operations, reporting, and compliance. Additionally, Green Book, Paragraph 16.01, indicates that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports and observing operations. ? MISSING DOCUMENTATION. In five of the 20 CBHP cases (25 percent) and five of the 20 Medicaid cases (25 percent) we tested, the Department was unable to provide evidence that the PE sites notified the counties or MA sites within five business days that the applicants were presumptively eligible. Federal regulation [42 CFR 435.1102(b)(2)(iii)] states that the presumptive eligibility sites are required to notify the local county or MA site within 5 business days that the client is presumptively eligible. ? SYSTEM DISPLAY ISSUE. In two of 20 CBHP cases (10 percent) and two of 20 Medicaid cases (10 percent), CBMS did not display the presumptive eligibility termination dates consistently between various screens. For example, in a Medicaid case, one screen showed a presumptive eligibility termination date of January 22, 2020, and the other screen showed a presumptive eligibility termination date of February 29, 2020. This system display issue did not affect the beneficiaries? presumptive eligibility and therefore there were no questioned costs. CBMS is designed to display case and applicant information consistently between various screens within the system. WHY DID THESE PROBLEMS OCCUR? The Department lacked sufficient internal controls to ensure that it complied with state and federal presumptive eligibility requirements during Fiscal Year 2020. Specifically, we noted the following causes for the errors we identified: ? LACK OF POLICIES AND PROCEDURES. The Department did not have written policies and procedures detailing the requirements for completion of site reviews, maintenance of supporting documentation, and the performance of timely re-certification of PE sites. ? LACK OF MONITORING. The Department lacked an effective tracking mechanism to monitor and identify PE sites that were due for re-certification every 2 years and to ensure presumptive eligibility determinations were in compliance with state and federal regulations. ? CBMS SYSTEM ISSUES. CBMS was not programmed to appropriately terminate presumptive eligibility when the beneficiary is enrolled in the regular Medicaid or CBHP program. In addition, CBMS has a system display issue that results in inconsistent applicant information being shown on various screens. WHY DO THESE PROBLEMS MATTER? As the State?s Medical Assistance agency, it is essential for the Department to ensure that PE sites? eligibility determinations are made appropriately and in accordance with state and federal regulations. This includes ensuring benefits are paid only on behalf of eligible beneficiaries. Since CBMS determines eligibility for Medicaid and CBHP, the CBMS system issues we identified could result in erroneous eligibility determinations. The federal government can disallow federal funds for program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. By not ensuring that appropriate internal controls, including system controls, written policies and procedures, adequate reviews, and monitoring, are in place over the Medicaid and CBHP presumptive eligibility process, the Department cannot ensure that all Medicaid and CBHP beneficiaries are eligible to participate in the programs. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-038 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls over presumptive eligibility by: A Developing and implementing written policies and procedures detailing the requirements for completion of site reviews, maintenance of supporting documentation, timely training for failed presumptive eligibility (PE) site staff, and performance of timely re-certification of PE sites. B Developing an effective tracking mechanism to identify and monitor PE sites that are due for re-certification every 2 years and ensuring the re-certifications are performed. C Resolving Colorado Benefits Management Systems (CBMS) programming and system issues to appropriately terminate applicants? presumptive eligibility when the beneficiaries are enrolled in regular Medicaid or Children?s Basic Health Plan program and ensuring CBMS displays consistent applicant information between various screens. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department agrees with the audit recommendation to develop and implement formal written policies and procedures. Prior to this audit, the Department began creating formal written policies and procedures for site case reviews, maintenance of supporting documentation, timely training for failed workers, and performance of timely re-certification of presumptive eligibility sites (PE site). This finding had no known questionable cost associated with it. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Department agrees with the audit recommendation to develop an effective tracking mechanism to identify and monitor PE sites that are due for re-certification every two years and ensuring that the re-certifications are performed. Prior to this audit, the Department began developing a tracking mechanism for PE site re-certifications. This finding had no known questionable cost associated with it. C AGREE. IMPLEMENTATION DATE: IMPLEMENTED. Implemented as of April 2021. The Department has thoroughly researched the eligibility issues identified in this audit and made the changes to CBMS to ensure that applicants? presumptive eligibility has been appropriately terminated when the beneficiaries are enrolled in regular Medicaid or CBHP program, and that CBMS displays consistent applicant information between various screens. These issues were fixed through two system changes implemented in March 2020 and April 2021. This finding had no known questionable cost associated with it. AUDITOR?S ADDENDUM for Parts A, B, and C As noted in the finding, we found five PE Sites that were not re-certified within the required 2 years and therefore, were not qualified to make presumptive eligibility determinations after their re-certification due date had passed. State regulation [10 CCR 2505-10, 8.100.4.F] requires the Department to re-certify the presumptive eligibility sites every 2 years to remain an approved site. The five PE sites processed a total of 314 presumptive eligibility determinations after their re-certification due date and before the Department re-certified the sites. The Department was unable to provide the total payments made on behalf of these 314 beneficiaries? prior to being enrolled in the regular Medicaid or CBHP program as of June 30, 2020. Therefore, we were unable to determine the amount of questioned costs the Department paid for these individuals during Fiscal Year 2020.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2020-052 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-039 PROVIDER ELIGIBILITY The providers of medical and related services covered under Medicaid and CBHP programs fall into a wide array of provider types that include clinics, hospitals, independent physicians, and medical technicians, as well as managed care organizations and health plans that contract with medical providers. As of June 30, 2020, approximately 76,960 entities and individuals were enrolled with the Department to provide services under Medicaid and CBHP. Although the Department is ultimately responsible for ensuring that only eligible providers participate in the Medicaid and CBHP programs, the Department has contracted with a fiscal agent to perform certain provider-enrollment and claims-processing activities, including accepting, processing, evaluating, and approving or rejecting applications. Providers that want to enroll must complete an online application within Colorado interChange and provide documentation, including a current medical license, showing that they fulfill all enrollment requirements based on their provider type. The fiscal agent is contractually responsible for evaluating the application and the relevant supporting documentation to ensure compliance with all state and federal enrollment requirements. The Department is responsible for maintaining current provider information in Colorado interChange. Once the enrollment process is complete, the Department enters into agreements with the providers that are found to be eligible. In December 2019, the Department added a Department of Regulatory Agencies (DORA) license database interface within Colorado interChange in order to provide a mechanism for updating the provider?s medical license information including the expiration dates within Colorado interChange for any expired provider licenses. Department staff indicated that the provider licenses are manually reviewed at the time of enrollment by the fiscal agent and marked as active, meaning the providers are eligible to participate in the Medicaid and/or CBHP programs. On a monthly basis, the fiscal agent manually runs a report from the DORA database to identify the provider?s medical licenses that are about to expire and updates the renewed license information in Colorado interChange. If a provider?s license is expired, then the fiscal agent marks the provider for a review. Furthermore, the Department?s Program Integrity (PI) Division checks the DORA?s website monthly to determine if any action such as suspensions or revocations of licenses have been taken against a provider?s medical license. If the action taken against the provider affects the provider?s ability to participate in Medicaid or CBHP for a certain period, the PI Division then determines if the provider should be placed on a temporary restriction by suspending any payments, or be terminated within Colorado interChange to stop payments to the provider. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over the enrollment and eligibility determinations of providers for Medicaid and CBHP services and to determine whether the Department complied with federal Medicaid and CBHP provider eligibility requirements during Fiscal Year 2020. Additionally, we assessed the Department?s progress in implementing our Fiscal Year 2019 recommendation related to provider eligibility and enrollment. At that time, we recommended that the Department improve its controls in this area to ensure that it complies with federal and state requirements related to data verification and maintenance of documentation, such as current provider licenses, to ensure payments are only made to eligible providers. We also obtained a detailed Suspension Listing from DORA, which contained provider medical licenses that were suspended during Fiscal Year 2020. We compared this Suspension Listing with provider information within Colorado interChange to determine whether the Department paid any providers with suspended licenses for claims during the fiscal year. We reviewed a sample of 45 provider applications for providers that were deemed eligible and received Medicaid and CBHP payments during Fiscal Year 2020 through Colorado interChange. We obtained and reviewed provider application information and relevant supporting documentation within Colorado interChange to determine whether these providers were accurately deemed eligible to receive Medicaid and CBHP payments and whether the required documents were maintained, in accordance with federal and state regulations. In addition, we conducted interviews with Department staff regarding its procedures over Medicaid and CBHP provider eligibility and enrollment. In March 2020, the Governor issued executive orders waiving Medicaid and CBHP provider licensing requirements for providers whose licenses expired during the COVID-19 PHE; as a result, our testwork was split into two periods of testing: (1) July 1, 2019, through February 29, 2020, and (2) March 1, 2020, through June 30, 2020. The process followed for provider eligibility and enrollment is the same for both Medicaid and CBHP providers, and our testing was used to determine compliance for both programs. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? We applied the following criteria during our testing: ? FEDERAL REGULATION [42 CFR 455.412] requires that the Department have a method for verifying that any provider purporting to be licensed in accordance with the laws of any state is licensed by such state and confirm that the provider?s license has not expired and that there are no current limitations on the provider?s license. This federal regulation requires the Department to verify that the providers meet required licensure standards initially, and it is best practice for the Department to verify that the providers meet these standards on an ongoing basis to ensure that there are no current limitations on the provider?s license. In May 2021, CMS provided clarification to the Department that ?not every condition on a provider?s license would be considered a limitation? and the PI Division within the Department needs to ?document in writing their determination to keep a provider enrolled when a license limitation does not restrict the provider?s ability to render services to Medicaid and CBHP beneficiaries to be in compliance with federal regulation.? ? STATE REGULATIONS [10 CCR 2505-10, 8.125.9 A AND B] require for current medical provider licenses, if a provider is required to possess a license or certification in order to provide services or supplies in the State, then that provider must be so licensed as a condition of enrollment as a Medicaid provider. As a condition of enrollment, any required licenses must be active without any current limitations. ? DEPARTMENT POLICY AND PROCEDURE. Provider Licensure Sanction Monitoring, Section III. A., states that in order for a provider to be eligible to render and bill for services, the provider must have an active license. ? FEDERAL CMS REQUIREMENTS [Sub Regulatory Guidance for State Medicaid Agencies (SMA): Revalidation (2016-001 (3))] state the Department must be able to produce documentation to support each of the provider screening and enrollment requirements under 42 CFR 455 Subpart E, including documentation of the most current license to ensure the provider remains eligible to provide services. ? CONTRACT REQUIREMENTS. According to the contract agreement with the fiscal agent, the fiscal agent is required to maintain detailed documentation to support each of the provider screening and enrollment requirements, including documentation of the provider?s most current license to ensure the provider remains eligible to provide services for Medicaid and CBHP. ? FEDERAL REGULATION [45 CFR 75.303(a)] requires that the Department, as a recipient of federal funds, must establish and maintain effective internal control over its federal awards that provides reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Green Book, Paragraph 16.01, which states that the Department ?should establish and operate monitoring activities to monitor [its] internal control system and evaluate the results.? Monitoring activities include reviewing reports, observing operations, and ensuring that activities are carried out in accordance with the federal grant agreement(s). WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We found that the Department did not fully comply with federal and state regulations for Medicaid and CBHP provider eligibility during Fiscal Year 2020. The specific issues we identified through our analyses of Medicaid and CBHP provider license data and case file reviews are outlined in more detail throughout this section. ELIGIBILITY ISSUES IDENTIFIED THROUGH DATA ANALYSES INELIGIBLE PROVIDERS?SUSPENDED LICENSES OR LICENSE WITH LIMITATIONS. Based on our comparison of the suspended provider license listing from DORA and provider information within Colorado interChange, we identified 13 ineligible providers who had their license suspended or had a license with limitations for part of Fiscal Year 2020, but continued to be shown as active, which means eligible, in Colorado interChange, as follows: ? 13 providers had their licenses suspended by DORA during Fiscal Year 2020; however, instead of terminating these providers in accordance with federal and state regulations, the Department marked these providers as active within Colorado interChange. For four of the 13 providers, the Department did not take any action to prevent them from billing for services during the year. For the remaining nine providers, the Department placed billing restrictions on the providers after DORA?s suspension date. Specifically, for six of these nine providers, the Department placed billing restrictions on the providers within 1 to 2 months and for the remaining three providers, placed the billing restrictions on the providers between 3 to 12 months after DORA?s suspension date. Based on additional testing, we determined that no payments were made to these providers after their licenses were suspended by DORA and therefore, we did not identify any questioned costs associated with these providers. ? One provider had its license listed as active with conditions on DORA?s website from April 10, 2020, through June 30, 2020, but the Department did not terminate the provider due to current limitations on the license; instead, the provider was marked as active in Colorado interChange and continued to bill claims and receive payments during the fiscal year. We determined that the provider?s current license limitations did not restrict the provider?s ability to render services. Therefore, the provider was eligible and no questioned costs were noted. However, the Department did not document their determination to keep this provider enrolled with current license limitations. In addition, we noted that this provider?s license expired in Colorado interChange as of October 2016, however, DORA?s website showed the provider with an active license, or license with limitations, during Fiscal Year 2020. The fiscal agent did not update license information as required by the contract. ELIGIBILITY CASE FILE ISSUES MISSING DOCUMENTATION AND LICENSE INFORMATION. For five of 45 providers (11 percent), the Department did not ensure that the fiscal agent maintained the support of the most current medical license information as of June 30, 2020, within Colorado interChange to demonstrate that the provider was eligible to provide services. After we brought the issue to the Department?s attention, the Department provided the documentation. Additionally, for two of these five providers, we found that the medical license information maintained by the fiscal agent in Colorado interChange differed from the license information contained in the DORA database. For example, in one case, the provider?s license showed an expiration date of September 30, 2019, in Colorado interChange, while the accurate license expiration date in DORA?s database was September 30, 2021. Without the most current license information, the fiscal agent cannot appropriately verify ongoing eligibility for the providers. WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls in place over the provider eligibility process during Fiscal Year 2020 to ensure that it complied with federal and state regulations. ? INEFFECTIVE REVIEW OF PROVIDER LICENSES. The Department lacks an effective review process to ensure the license information in DORA?s database matches the license information in Colorado interChange in order to identify suspended providers, to document their determination to keep a provider enrolled with license limitations, and providers with expired licenses. In addition, the Department?s manual review did not ensure that suspended providers, providers with license limitations and providers with expired licenses were terminated and restricted in a timely manner. ? POLICIES AND PROCEDURES NOT UPDATED. The Department did not obtain CMS guidance until May 2021 to document their determinations to keep providers with license limitations enrolled when a license limitation did not restrict provider?s ability to render services. Therefore, the Department?s current policies and procedures are not updated to match CMS guidance. ? LACK OF EFFECTIVE TRAINING AND MONITORING. The Department was not effectively training and monitoring its fiscal agent to ensure that copies of active medical licenses are maintained within providers? files in Colorado interChange. Additionally, the fiscal agent did not properly update the provider?s license information in Colorado interChange to match the DORA database during Fiscal Year 2020. WHY DO THESE PROBLEMS MATTER? By not ensuring that appropriate internal controls, including policies and procedures, reviews, training, and monitoring, are in place over the Medicaid and CBHP provider eligibility process, the Department cannot ensure that all Medicaid and CBHP providers are eligible to participate in the programs. Additionally, without an effective review process to update provider licensure information within Colorado interChange, the Department cannot ensure that the enrolled providers are eligible to receive payments. Ensuring that providers contained in Colorado interChange are eligible to provide services is especially important to prevent any improper payments. Overall, the State could risk losing federal Medicaid and CBHP funding if it allows ineligible providers to bill and be paid for services provided for these programs. Furthermore, the State may lose federal Medicaid money if the Department does not recover any of the payments made to ineligible providers. State statute [Section 25.5-4-301(2), C.R.S.] indicates that any overpayments of claims to providers are recoverable. These overpayments ?shall be recoverable regardless of whether the overpayment is the result of an error by the state department, a county department of social services, an entity acting on behalf of either department, or by the provider or any agent of the provider.? See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-039 The Department of Health Care Policy and Financing (Department) should improve its internal controls over the Medicaid and Children?s Basic Health Plan provider eligibility determination to ensure that it complies with federal and state requirements by: A Improving the Department?s review process of provider licenses to ensure the license information in the Department of Regulatory Agencies (DORA) license database matches the license information in the Colorado interChange system and ensuring timely termination and imposing restrictions for the provider?s whose licenses are suspended or expired. B Updating the current policies and procedures to match Centers for Medicare and Medicaid Services guidance to ensure there is adequate documentation of the determinations for providers with license limitations. C Effectively training and monitoring its fiscal agent to ensure that copies of active licenses are maintained and provider license information in the Colorado interChange system matches the information in DORA?s license database. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will update its policies and procedures to ensure that the process for reviewing whether a license action requires termination or a restriction in the Colorado interChange, is documented and implemented in a timely manner to prevent payments to ineligible providers. As noted in OSA's finding, it is best practice for the Department to verify providers meet these standards on an ongoing basis between initial enrollment and revalidation to ensure there are no current limitations on the provider?s license, including those that have expired. The Department?s previous process was discontinued due to data matching issues between DORA and the Colorado interChange. However, letters continue to be sent to providers with upcoming expiring licenses prompting them to add current license information to their provider file. The Department plans to implement a system change that will make the data feed from DORA functional and install a front-end claims edit that will prevent claims from providers with an expired license from paying. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will update its policies and procedures to ensure that all determinations made on whether a provider has a limitation on its license are properly documented. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department has an established process to train and monitor its fiscal agent. The Department will continue to monitor the Fiscal Agent through reports, meetings, and quarterly audit review processes. The Department and the Fiscal Agent will continue to collaborate to improve the process in which required documentation is collected and maintained.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-054 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-041 MEDICAID ELIGIBILITY?MISSING SOCIAL SECURITY NUMBERS A beneficiary?s application includes information such as a Social Security Number (SSN), birth certificate, and supporting documentation for income. Local counties and MA sites are responsible for administering the benefits application process, entering the required data for eligibility determination into CBMS, and approving or denying applicants? eligibility. For example, Medicaid caseworkers enter and document each applicant?s SSN into CBMS. Caseworkers determine participants? eligibility to receive Medicaid benefits through CBMS. The CBMS eligibility data, including SSNs, feeds into Colorado interChange, which pays providers for the services they render to Medicaid beneficiaries. If there is a change to an SSN, including removing an SSN in CBMS, this change should feed directly into Colorado interChange. Additionally, children in foster care are automatically eligible for Medicaid; the TRAILS system that supports the foster care program at the Department of Human Services also interfaces with Colorado interChange on a daily basis to update foster care beneficiaries? eligibility information and pay providers for the services rendered. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls that were in place over the Medicaid eligibility process during Fiscal Year 2019, and to determine whether the Department complied with federal and state Medicaid requirements during this timeframe. During our audit, we requested a list of all Medicaid claims for medical services that were submitted and paid through Colorado interChange from July 1, 2018, through March 31, 2019. This list included claims made on behalf of approximately 1.1 million beneficiaries. We analyzed the data to identify any Medicaid claims payments made during July 1, 2018, through March 31, 2019, on behalf of beneficiaries who did not have an SSN in Colorado interChange on the date of the claims payment, and found a total of 524,092 claims paid on behalf of 46,772 beneficiaries. From this listing, we excluded any of the claims payments made on behalf of a beneficiary who was exempted from providing an SSN under federal and state regulations. For example, we removed claims payments for beneficiaries who were under the age of 1; beneficiaries who were in foster care and, therefore, were automatically deemed eligible for Medicaid; beneficiaries who had applied to the Social Security Administration for an SSN at the time of the payment; beneficiaries who received medical care as an emergency service; and beneficiaries who had chosen to opt out of providing an SSN due to allowed religious reasons. After we removed these exempted beneficiaries from the population, the list included 2,870 beneficiaries that appeared to be missing an SSN in Colorado interChange and who had Medicaid claims payments made on their behalf from July 1, 2018, through March 31, 2019. We then reviewed these remaining beneficiaries, and the related separate payments made on their behalf during this time period, to determine whether these beneficiaries had an SSN in Colorado interChange at the time of the claims payments and whether the individuals were eligible for Medicaid benefits in accordance with federal regulations and Department procedures. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? SSN REQUIREMENTS. Federal regulations [42 CFR 435.910 and 42 CFR 435.117(b)] state that the Department must require an SSN for each individual requesting Medicaid benefits, with the exception of newborns under the age of 1, or ?Eligible Needy Newborns,? and individuals who refuse ?to obtain an SSN because of well-established religious objections.? Federal regulation [42 CFR 435.145(b)(2)] states that the Department must provide Medicaid benefits to individuals who are in the foster care program. Section 472 of the Social Security Act does not require a child to provide an SSN in order to be eligible for the foster care program. State regulations [10 CCR 2505-10 8.100.3.I.1, 8.100.4.B.1.a, and 8.100.4.G.7.a] also require that every individual who applies for and receives Medicaid benefits must provide an SSN, or an application for an SSN, with their application for Medicaid. The regulation specifically states: An applicant?s or client?s refusal to furnish or apply for a Social Security Number affects the family?s eligibility for assistance as follows: i) that person cannot be determined eligible for the Medical Assistance Program; and/or ii) if the person with no SSN or proof of application for SSN is the only dependent child on whose behalf assistance is requested or received, assistance shall be denied or terminated. The regulation also states that newborns under the age of 1 and ?members of religious groups whose faith will not permit them to obtain Social Security Numbers shall be exempt from providing a Social Security Number.? Eligibility data, including SSNs, is required to be collected and entered into CBMS at the time of application or upon another event, such as the beneficiary turning 1 year old. Because this information is maintained within CBMS, and CBMS feeds eligibility information into Colorado interChange, eligible beneficiaries should have an SSN in Colorado interChange. MONITORING. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in the Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). Green Book Paragraph 16.01, Perform Monitoring Activities, states the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. TRAINING. Department training procedures indicate that when a local county or MA site caseworker needs to update an SSN in CBMS, he or she must call the Office of Information Technology (OIT) Service Desk within the Office of the Governor, for approval of the change. According to Department staff, once the OIT Service Desk reviews and approves the change, the information will be updated within CBMS; if the OIT Service Desk does not approve the change to the SSN, then the updated information will be rejected within CBMS. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We identified 2,870 beneficiaries who were required to have an SSN but did not have an SSN documented in Colorado interChange and had Medicaid claims paid on their behalf sometime between July 1, 2018, and March 31, 2019. In total, Colorado interChange paid approximately $4,540,920 in Medicaid claims for these beneficiaries during the time period noted. In August 2019, we informed the Department of the issues we identified and Department staff performed additional follow-up based on our findings, which included analyzing information contained in CBMS compared to our results from Colorado interchange; the Department confirmed in January 2020, the Department confirmed that 1,590 of these beneficiaries had never had an SSN recorded in CBMS since they were first found eligible for Medicaid benefits, and therefore, would never have had an SSN in Colorado interChange. Because these individuals were required by federal and state regulations to provide an SSN at the time of application or upon another event, as applicable, the lack of documented SSNs in both CBMS and Colorado interChange indicated that these individuals appeared to be ineligible for the Medicaid claims payments that were made on their behalf during the fiscal year. The Department indicated that the remaining 1,280 beneficiaries without an SSN in Colorado interChange did not have an SSN in CBMS at the time of the claim but had an SSN ?at some point? during Fiscal Year 2019 or prior within CBMS. Since the individuals lacked an SSN within Colorado interChange at the time of the Fiscal Year 2019 claims payments, and based on the documentation provided by the Department, we were unable to determine whether the individuals had submitted an SSN at the time of application or upon another event as required and, therefore, whether they were eligible for the Medicaid services they received. Overall, for the 1,590 beneficiaries noted, we identified known questioned costs of $2,285,757 for the period of July 1, 2018, through March 31, 2019; $1,142,879 of these costs were paid with federal grant funds. For the 1,280 beneficiaries noted, we identified likely questioned costs of $2,255,163 for the period of July 1, 2018, through March 31, 2019. We further analyzed 49 of the 1,590 beneficiaries noted above to identify reasons for missing SSNs and found that: ? Beneficiaries in CBMS were not eligible; however, they were marked as ?eligible? within Colorado interChange. ? Beneficiaries were incorrectly enrolled in the Eligible Needy Newborn Program even though they were all over the age of 1; as a result, although the Department had not required them to provide an SSN, they continued to receive benefits during July 1, 2018, through March 31, 2019. ? Beneficiaries were exempted from obtaining an SSN for unallowable reasons including ?incomplete documents? and ?illness? categories, and CBMS processed their eligibility and Colorado interChange made payments on their behalf; however, neither federal nor state regulations allow such exemptions. The Department has indicated that they are performing additional research on the issues regarding the 1,280 beneficiaries that had an SSN ?at some point? during Fiscal Year 2019 or prior within CBMS. WHY DID THESE PROBLEMS OCCUR? For 1,280 beneficiaries identified who were missing an SSN in Colorado interChange and CBMS at the time of the claim, but had an SSN ?at some point? within CBMS during Fiscal Year 2019 or prior, the Department provided the following possible explanation: The SSN was removed due to caseworkers failing to contact the OIT Service Desk for proper approval for changes to SSN information in CBMS. Other problems with missing SSNs were related to: ? CBMS ISSUES. CBMS was not programmed to appropriately deny an applicant?s eligibility for Medicaid when the individual did not have an SSN in CBMS and did not have an allowed exception noted in CBMS. Rather, CBMS allowed the SSN field to be left blank, regardless of the reason noted for the missing SSN and whether the reason was allowed as an exemption by federal and state regulations. In addition, the SSN in CBMS could be deleted at any time by the caseworker or the OIT Service Desk and CBMS was not programmed to alert the caseworker to follow up if an SSN had been deleted from the file. ? SYSTEM INTERFACE ISSUES AND LACK OF A RECONCILIATION PROCESS. CBMS was not interfacing with Colorado interChange appropriately to update beneficiaries? eligibility information. Some beneficiaries who were deemed ?ineligible? for Medicaid in CBMS were listed as ?eligible? in Colorado interChange and payments were made on their behalf during the fiscal year. Furthermore, the Department lacked an effective internal control process for reconciling Medicaid beneficiaries? eligibility information in CBMS to the eligibility information in Colorado interChange to ensure that the information was consistent in both systems, and that the beneficiary was appropriately deemed either ?eligible? or ?ineligible? in accordance with federal and state regulations. ? LACK OF EFFECTIVE REVIEWS, TRAINING, AND MONITORING. The Department was not effectively monitoring and training Medicaid local county and MA site caseworkers on required approvals for any changes to beneficiaries? SSNs. Further, the Department did not have an effective review process to ensure that beneficiaries were enrolled in the correct Medicaid program. WHY DO THESE PROBLEMS MATTER? As the state Medicaid agency, it is essential for the Department to ensure that Medicaid eligibility determinations are made appropriately and in accordance with state and federal regulations. This includes ensuring accurate processing of information used to determine Medicaid eligibility results in Medicaid benefits being provided to and paid on behalf of only eligible individuals. Since CBMS and Colorado interChange determine eligibility and issue payments on behalf of other federal programs, such as the CBHP, these issues could result in erroneous eligibility determinations or payments for other programs. Ultimately, the federal government may disallow federal funds for Medicaid program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2019-043 The Department of Health Care Policy and Financing should improve its internal controls over Medicaid eligibility by: A Researching and, if feasible, instituting a mechanism for identifying Medicaid cases in the Colorado Benefits Management System (CBMS) that lack a Social Security Number. B Researching and resolving CBMS and Colorado interChange interface issues to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries and establishing an effective reconciliation process between CBMS and Colorado interChange to ensure that Medicaid beneficiaries? eligibility information is consistent in both systems. C Effectively training and monitoring local counties and Medical Assistance sites to ensure that caseworkers are obtaining and documenting the Office of Information Technology Service Desk?s approval for changes to beneficiaries? Social Security Numbers, and that beneficiaries are enrolled in the correct Medicaid program. D Researching the cases identified in our audit to determine whether these beneficiaries were eligible and that the payments made on their behalf were appropriate, in accordance with federal and state regulations. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The CBMS currently has functionality in place for members requesting Medical Assistance that they must supply a Social Security Number (SSN) unless they meet certain acceptable exceptions at initial application. Since CBMS is a shared system between the Department and the Department of Human Services and any change would impact all cases in CBMS, the Department cannot guarantee that a system change can be implemented. The Department can agrees to research on the feasibility of instituting a mechanism for identifying Medicaid cases in CBMS that lack a social security number and, if feasible, implement a CBMS change by July 2022. B AGREE. IMPLEMENTATION DATE: JULY 2021. The Department agrees to research and resolve Colorado Benefits Management System (CBMS), and Colorado interChange system interface issues identified in the audit. The Department implemented a system change in June of 2018 that allows retroactive changes in eligibility to be correctly synced between the systems. The majority of the impacted cases are historical cases that will be manually corrected by June 2020. Additional cases involve detailed research, review, and potential outreach to case workers to correct the case file or verify the eligibility status of the impacted members. The Department will take the appropriate actions to notify impacted members if necessary. The Department's implementation date reflects that the Department will be in compliance with the Recommendation for the entirety of FY 2021-22. C AGREE. IMPLEMENTATION DATE: JULY 2021. The Department provides training to counties and Medical Assistance sites that beneficiaries applying for Medical Assistance must supply a Social Security Number (SSN) or supply verification that they have applied for an SSN, unless they meet certain acceptable exceptions. This information has been communicated to the counties since 2004 and is part of our ongoing training materials. The Department cannot agree to establish any additional review process at this time. The Department can agree to work with counties and Medical Assistance sites to identify any additional training related to missing SSN and implement additional training by July 2021. D DISAGREE. The Department disagrees with the Total Known Questioned Costs of $2,285,757 identified in the audit report since Department cannot verify the results. The Department is still attempting to reconcile various reports to understand the finding identified through this audit. CBMS currently has functionality in place for members requesting Medical Assistance that they must supply a Social Security Number (SSN), unless they meet certain acceptable exceptions at initial application. The Department does not have the resources to research the thousands of cases that the auditor identified through data mining techniques, a new methodology for the first time this year. If the auditor is changing methodologies, the Department requires additional resources and timely notice to request resources through the budget process. AUDITOR?S ADDENDUM: The beneficiaries identified through our testing were required by Medicaid regulations to provide an SSN at the time of application or upon another event, as applicable, and the SSN is documented in CBMS and uploaded to Colorado interChange [State regulations 10 CCR 2505-10, 8.100.3.I.1 and 8.100.4.B.1.a and 8.100.4.G.7.a]. Because the noted beneficiaries lacked an SSN within Colorado interChange at the time claims payments were made on their behalf, we questioned the beneficiaries? eligibility. The Department is responsible for ensuring that only individuals who are appropriately deemed eligible for Medicaid receive benefits. Therefore, it is the Department?s responsibility to identify and remove ineligible individuals from the Medicaid program and to prevent the inappropriate payment of claims on their behalf. In addition, generally accepted government auditing standards (GAGAS) (paragraph 3.18), require that ?In all matters relating to the GAGAS engagement, auditors and audit organizations must be independent from an audited entity.? Additionally, paragraph 3.42 states that ?Examples of circumstances that create undue influence threats for an auditor?include (b) [e]xternal interference with the selection or application of engagement procedures or in the selection of transactions to be examined.? Therefore, it is imperative that our decisions related to audit approaches and testing methods be made without department influence or persuasion.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-056 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-044 PROVIDER ELIGIBILITY Medicaid and CBHP cover a variety of medical and related services, which are provided by provider types such as clinics and hospitals, managed care organizations such as health plans or independent physicians, as well as individual medical providers working within these entities or individually. As of June 30, 2019, the Department had enrolled approximately 71,000 entities and individuals for providing services under Medicaid and CBHP. The Department is ultimately responsible for determining if providers are eligible to participate in Medicaid and CBHP. However, the Department has contracted with a fiscal agent, currently DXC Technology Services, LLC (DXC), to act on its behalf in determining Medicaid and CBHP provider eligibility. A fiscal agent is a contractor that performs certain provider enrollment and claims processing activities, including accepting, processing, evaluating, and approving or rejecting applications. The fiscal agent also assesses the providers into one of three risk categories?limited, moderate, and high?to ensure that appropriate federal and state regulations are applied during the provider enrollment process. Providers that want to enroll must complete an application within Colorado interChange and provide documentation, including a current business and/or medical license, showing that they fulfill all enrollment requirements. Once the enrollment process is complete, the Department enters into agreements with the providers that are found to be eligible. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over Medicaid and CBHP provider eligibility and enrollment processing, and to determine whether the Department complied with federal Medicaid and CBHP provider eligibility requirements during Fiscal Year 2019. Additionally, the purpose of our work was to determine the Department?s progress in implementing our Fiscal Year 2017 and 2018 recommendations related to provider eligibility and enrollment. At that time, we recommended that the Department improve its controls over Medicaid and CBHP provider eligibility determination and enrollment to ensure that it complies with federal and state requirements related to data verification, documentation including current provider licenses, monitoring policies and procedures, appropriate indication of results of database matches, and consistent display of provider information within Colorado interChange. The Department agreed with our recommendations and stated that it would implement them by Fiscal Year 2019. We reviewed a sample of 25 Medicaid provider applications for individual, company, and managed care providers that were deemed eligible and received payments during Fiscal Year 2019 through Colorado interChange for services provided. We obtained and reviewed the provider application information entered into Colorado interChange, as well as the supporting documentation uploaded into Colorado interChange by providers, to determine whether these providers were accurately deemed eligible to receive Medicaid payments and whether the required documents were present in accordance with federal and state regulations. In addition, we conducted interviews with Department staff regarding its procedures over Medicaid provider eligibility and enrollment. We also obtained a detailed Suspension Listing from the Department of Regulatory Agencies, which contained health care provider business and medical licenses that were terminated during Fiscal Year 2019. We compared the Suspension Listing with provider information in Colorado interChange to determine if the Department made inappropriate claims payments to unlicensed providers during the fiscal year. Because CBHP is operated through Medicaid, and the processes followed for provider eligibility and enrollment for CBHP providers are the same as the processes for Medicaid providers, our testing looked at compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal and state Medicaid regulations for provider eligibility during Fiscal Year 2019. Specifically, although we did not identify enrollment issues with the Department?s processing of providers who were newly enrolled during Fiscal Year 2019, we found at least one issue related to ongoing eligibility with all 25 sampled providers we tested: ? DATABASE MATCHES AND DISPLAY OF PROVIDER INFORMATION. We identified the following database match functionality issues with 24 of 25 providers (96 percent) tested: ? For 23 of 25 providers (92 percent) that included individual, company, and managed care providers, Colorado interChange showed that the provider?s owners, agents, and managing employees? SSNs were not verified against federal databases, as required. Specifically, the SSN check box within Colorado interChange indicated ?N,? meaning ?No verification was performed with the database.? Additionally, for one of 25 providers (4 percent) that was a managed care organization, the organization was enrolled in Colorado interChange in April 2019 and showed that the SSNs had been verified, but SSNs for two individuals who worked under this provider that were listed on the application were shown as ?N? within the system. ? For eight of 25 providers (32 percent) that included companies, Colorado interChange showed that the providers? Federal Employee Identification Numbers (FEIN) were not verified against federal and state databases, as required. Specifically, the FEIN check box within Colorado interChange indicated ?N.? ? For 13 of 25 providers (52 percent), Colorado interChange did not present the data of owners, agents, and managing employees information consistently between various screens within Colorado interChange. For example, when a provider noted owners, agents, or managing employees on its application, that information was not reflected in Colorado interChange outside of the application screen even though there is a section in Colorado interChange that should list the owners? information. According to federal regulation [42 CFR 455.436] and requirements established by the ACA [Patient Protection and Affordable Care Act (2010), Section 6401(a)], the Department must check federal databases to confirm providers? identity and determine whether providers are excluded from participating in the Medicaid program; this verification must also occur, if applicable, against providers? owners, agents, and managing employees. For example, the Department must check the federal exclusion databases at least monthly to ensure that the providers, owners, agents, and managing employees are not excluded from participating in the Medicaid program. Colorado interChange is designed to display provider application information consistently between various screens within the system, such as name, SSN, FEIN, and/or National Provider Identification number (NPI), with various federal and/or state databases to identify potential errors and to flag the application for a required caseworker manual review. According to Department staff, when Colorado interChange successfully verifies provider-provided information against another state or federal database, Colorado interChange should separately mark each verified data field on the application to note the successful match. Conversely, if Colorado interChange does not match a given field against a database, it should also be identified in the system. As a result of these issues, we were unable to determine if Colorado interChange performed the required matches and if any discrepancies in provided information were identified and presented to DXC, the fiscal agent, for a manual review to verify eligibility, as required. ? DOCUMENTATION. The Department did not maintain sufficient documentation within Colorado interChange for the receipt date of the fingerprints from the provider, the collection of application fees, and site visits, as follows: ? For four of 25 providers (16 percent) tested, the Department?s fiscal agent failed to fill in the receipt date field within Colorado interChange to indicate when fingerprints were received from enrolling providers. After bringing this issue to the Department?s attention, the Department provided fingerprinting documentation in November 2019 to support that these providers submitted fingerprints within 30 days of Department request in accordance with federal regulation; however, that receipt date information had not been documented in Colorado interChange as of November 2019. ? For one of 25 providers (4 percent) tested, the provider was assessed as high risk but the provider?s file did not contain evidence that an application fee was collected or that the fiscal agent conducted a site visit, as required. Under federal requirements [Sub Regulatory Guidance for State Medicaid Agencies (SMA): Revalidation (2016-001(3))], the Department ?must be able to produce documentation to support each of the provider screening and enrollment requirements,? such as requirements for fiscal agent-conducted site visits of moderate and high risk providers during the enrollment and revalidation process. Federal regulation [42 CFR 455.432] states that the State Medicaid Agency or their fiscal agent must conduct pre- and post-enrollment site visits of providers who are deemed as moderate or high risk to the Medicaid program. The purpose of the site visits is to verify that the information submitted to the state Medicaid agency is accurate and to determine compliance with federal and state enrollment requirements. Additionally, the Department?s contract with DXC requires the fiscal agent to maintain detailed documentation and procedures for Medicaid provider enrollment. Federal regulation [42 CFR 455.434] requires that, for any provider assessed by the Department as high risk, the Department must obtain fingerprints from the provider, including fingerprints for any person(s) who has a 5 percent or more direct or indirect ownership interest in the provider and furnishes medical or pharmaceutical services or supplies. The provider must submit the fingerprints within 30 days, upon request by the Department. Federal regulation [42 CFR 455.460(a)] states that the Department must collect the applicable application fee prior to executing a provider agreement from a prospective or re-enrolling provider, with certain limited exceptions. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal control over its federal awards that provides reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Green Book Paragraph 16.01, Perform Monitoring Activities, which states that the Department ?should establish and operate monitoring activities to monitor [its] internal control system and evaluate the results.? Monitoring activities include reviewing reports, observing operations, and ensuring that activities are carried out in accordance with the federal grant agreement. ? INELIGIBLE PROVIDERS: Based on our review of the suspended license listing from the Department of Regulatory Agencies, we identified three providers that had their licenses suspended during part of Fiscal Year 2019 but continued to be shown as active in Colorado interChange, as follows: ? One provider had its license suspended between February 11, 2019, and March 27, 2019; however, during this timeframe, the provider continued to bill claims and receive payments from Colorado interChange. After we questioned the Department about the issue, the Department issued a demand for payment letter dated October 18, 2019, to the provider for $15,061 in payments that were inappropriately paid. We consider these $15,061 payments to be known questioned costs; $7,531 of these payments were made with federal grant funds. ? Two providers had suspended licenses as of September 21, 2018, and February 25, 2019, respectively, but showed as active in Colorado interChange through June 30, 2019, and therefore appeared eligible to bill claims and receive payments. Based on additional testing, we determined that no payments were made to these providers after their licenses were suspended and did not identify any questioned costs associated with these two providers. Federal regulation [42 CFR 455.412] requires that the Department must have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State and confirm that the provider?s license has not expired and that there are no current limitations on the provider?s license. This federal regulation requires the Department to verify that the providers meet required licensure standards initially, and it is best practice for the Department to verify that the providers meet these standards on an ongoing basis to ensure that there are no current limitations on the provider?s license. In addition, state regulation [10 CCR 2505-10 8.125.9, Verification of Provider Licenses] states, ?If a provider is required to possess a license or certification in order to provide services or supplies in the State of Colorado, then that provider must be so licensed as a condition of enrollment as a Medicaid provider. As a condition of enrollment, any required licenses must be active without any current limitations.? Under the federal regulation, Requirements for Estimating Improper Payments in Medicaid and CHIP [42 CFR 431.958], ?Improper payment means any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements; and payment means any payment to a provider, insurer, or managed care organization for a Medicaid or CHIP beneficiary?? WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls in place over provider eligibility and claims payment processes related to the monitoring of DXC, its fiscal agent, during Fiscal Year 2019 to ensure that it complied with federal and state regulations. Specifically, Colorado interChange required fixes that were in various stages of correction during Fiscal Year 2019. According to the Department, Colorado interChange required a system fix in December 2018 in order to properly mark and/or display results related to federal and state database checks going forward; however, the system fix did not completely resolve the display issues to accurately indicate whether the data matches had occurred, and the Department did not retroactively make corrections to any cases that erroneously indicated that their information had not been verified. Rather, the Department stated that the inconsistent display issue related to providers that enrolled in the program when Colorado interChange was initially implemented and that this will be addressed after these providers are revalidated in Fiscal Year 2020 or when a provider updates their information, whichever occurs first. Additionally, the Department indicated that Colorado interChange did not have an automated system alert to check with the Department of Regulatory Agencies? license database on a regular basis to notify the fiscal agent and/or the Department that a license had expired. Although the Department reported that they had an interim manual process to ensure that expired licenses were identified and that subsequent steps were taken to ensure that providers remained eligible throughout the fiscal year to provide Medicaid services, the manual process did not identify and/or address the instances that we identified through our audit. Finally, we noted that the Department lacked an effective monitoring process over DXC, its fiscal agent, to ensure that the required documentation was maintained in accordance with Uniform Guidance, as the monitoring policies and procedures referred to as Provider Enrollment Audit Process were still in the draft stage during Fiscal Year 2019 and had not been formalized. WHY DO THESE PROBLEMS MATTER? By not ensuring that appropriate internal controls, including system controls and monitoring, are in place over the Medicaid provider eligibility and enrollment processes, the Department cannot ensure that all Medicaid providers are eligible or qualified to participate in the program. Additionally, without instituting a process to regularly update provider licensure information and to ensure that provider information contained in Colorado interChange is consistent and accurate, the Department cannot ensure that the enrolled providers are appropriately screened and are eligible to receive payments. Ensuring that providers contained in Colorado interChange are qualified to provide services is especially important because Colorado interChange is also used for provider eligibility determination for CBHP. Overall, the State could risk losing federal Medicaid and CBHP funding if it allows non-qualified providers to bill and be paid for services provided for these programs. RECOMMENDATION 2019-046 The Department of Health Care Policy and Financing (Department) should improve its controls over Medicaid and Children?s Basic Health Plan (CBHP) program provider eligibility determination and enrollment to ensure that it complies with federal and state requirements by: A Working with its fiscal agent to ensure that Colorado interChange performs all required database matches and properly displays results of Social Security Number and Federal Employer Identification Number verifications for all providers. B Establishing an effective process to ensure that provider licensing information contained in Colorado interChange is current, that any expired licenses are identified, and that any ineligible providers are disallowed from providing Medicaid and CBHP services and receiving payments in accordance with Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). C Formalizing the Department?s monitoring policies and procedures called Provider Enrollment Audit Process over the fiscal agent to ensure required documentation is maintained in accordance with Uniform Guidance. D Ensuring that Colorado interChange displays provider information consistently throughout the system. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department is working with its Fiscal Agent to ensure all required database screenings are performed and clearly identified in the Colorado interChange. An issue was identified in a prior year, FY 2018-19, that not all screening information was consistent. There was also a concern that initial screenings might miss some individuals due to the way data was formatted when transferred from LexisNexis. The issue was resolved by the Fiscal Agent prior to FY 2019-20. The Fiscal Agent is continuing to conduct manual reviews of all screening results to ensure compliance. A separate process to screen providers monthly is executed by the Department's Program Integrity Section. Through this process, no providers were found to have been enrolled incorrectly and, as necessary, the Department took appropriate action if there were changes to a provider's information. The Department is working with its Fiscal Agent to properly display results of Social Security Number and Federal Employer Identification Number verifications for all providers and automate the review process. The Department's implementation date reflects that the Department will complete the improvements and be in compliance with the Recommendation for the entirety of FY 2022-23. B DISAGREE. The Department finds that the Colorado interChange is working as designed, that the Fiscal Agent is appropriately enrolling providers, and that the Department is in compliance with the federal regulations regarding enrolling and revalidating providers. The Department is compliant with 42 CFR ? 455.436, which requires providers to be screened at enrollment and revalidation. All providers are assessed for eligibility requirements at enrollment and revalidation and are then screened monthly to identify any changes. For the licensing issue identified in this audit report, the Department performed the appropriate actions to recover funds within less than a month of the incident, which is compliant with federal regulation 42 CFR ? 455.436(c)(2). AUDITOR?S ADDENDUM: As noted in the finding, we found issues with the Department?s ongoing verification and monitoring of providers? eligibility that failed to prevent improper payments to an ineligible provider during the fiscal year. In addition, the Department did not send notification to recover funds from the provider until October 2019, or 8 months after the provider?s license was suspended. C AGREE. IMPLEMENTATION DATE: JULY 2020. The Department finalized the Fiscal Agent monitoring policies and procedures in December 2019 and therefore was unable to be in full compliance for the entire FY 2019-20. The Department's implementation date reflects that the Department will be in compliance with the Recommendation for the entirety of FY 2020-21. D DISAGREE. There was an initial system configuration on some early enrollments that prevented populating the requested information in the visible provider subsystem tabs for the auditor to review. The verification functionality happens within the provider portal and not in the visible provider subsystem tabs that the auditor reviews. However, no functionality or data was lost, the information only appeared and was stored in the provider portal. The Department implemented a solution so that the information will be displayed in the provider subsystem. This change is pending the next update the providers make and the data will be visible in the provider subsystem. The Department will not be making historical changes to the system. The Department has worked with the Fiscal Agent to resolve the issues which led to the finding and does not believe that expending additional resources to display historical information in both the provider portal and the provider subsystem is the best use of resources. The Department can produce the information manually. AUDITOR?S ADDENDUM: The data inconsistency issues we identified through our audit were based on our reviews of Colorado interChange through the access provided to us by the Department. As noted in the finding, inconsistent information within the provider eligibility screens used for Medicaid and CBHP increases the risk of inaccurate reviews of provider eligibility and ultimately, inappropriate enrollment screening. Therefore, as our recommendation states, the Department should ensure that Colorado interChange displays provider information consistently. The recommendation did not include restatement of historical information.
Finding 2022-043 Medicaid Claims Payments Individuals and families apply for Medicaid at their local county departments of human/social services or at MA sites. Medicaid caseworkers make the determinations of participants? eligibility to receive Medicaid benefits through CBMS. Children in the State?s foster care program, whose information is documented in the TRAILS system, are automatically determined eligible for Medicaid benefits. The Medicaid eligibility data in CBMS and TRAILS feeds into Colorado interChange, which pays providers for the services that beneficiaries receive. CBMS and TRAILS interface with Colorado interChange on a daily basis to update eligibility information, such as a beneficiary?s eligibility status and/or termination of benefits in Colorado interChange. According to the Department, Colorado interChange is programmed to make only allowable Medicaid claims payments on behalf of eligible beneficiaries in accordance with federal and state Medicaid rules and regulations. Thus, Colorado interChange should stop paying Medicaid claims when a beneficiary is no longer eligible for Medicaid. On March 18, 2020, the Act was enacted. The Act provided a temporary increase in the federal share of Medicaid and CBHP assistance from January 1, 2020 until the end of the PHE. The Act also required that the Department maintain Medicaid and CBHP eligibility for beneficiaries enrolled as of March 1, 2020, through the end of the COVID-19 PHE, except for the required terminations noted within the CMS waivers, such as out-of-state residency, termination upon the beneficiary?s request, and death of the beneficiary. On March 26, 2020, CMS approved waivers for a number of Medicaid and CBHP requirements that resulted in, for example, the expansion of benefits to include all uninsured individuals; suspension of beneficiary deductibles, copayments, coinsurance, and other cost sharing charges and fees; coverage of COVID-19 vaccines and testing; and the suspension of the requirement for a provider to have a current license if their license expired during the COVID-19 PHE. In addition, the State implemented, with CMS? approval, Medicaid continuous enrollment as a condition of receiving the temporary increase in federal assistance. During continuous enrollment, beneficiaries could not be disenrolled due to changes in circumstances (i.e., changes in household composition, employment, income and resources) until the end of the COVID-19 PHE. On December 29, 2022 the CCA was enacted. Under the CCA, continuous enrollment and the temporary increase in federal assistance are no longer linked to the end of the COVID-19 PHE. The continuous enrollment condition will end on March 31, 2023 and the increase in federal assistance will start to gradually reduce in April 2023, fully ending in December 2023. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to review the Department?s progress in implementing our Fiscal Year 2019 audit recommendation related to its internal controls over Medicaid claims payments. During that audit, we recommended that the Department improve its Medicaid controls by researching and resolving CBMS, TRAILS, and Colorado interChange interface issues we identified during our audit to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries. We specifically identified a TRAILS and CBMS eligibility mismatch issue related to the daily interfaces between CBMS and Colorado interChange and between TRAILS and Colorado interChange. As a result, some individuals who were deemed ineligible for Medicaid in CBMS and TRAILS were indicated as eligible in Colorado interChange at the time of payments; therefore, Colorado interChange made payments on their behalf. The Department researched the specific errors we identified during the audit and manually corrected the eligibility status of those beneficiaries, but the Department had not fully researched the error or identified and corrected all of the cases affected by the errors at that time. As such, we also recommended that the Department identify and correct any additional cases affected by the system issues noted in our audit. The Department agreed with the recommendation and stated that it would implement them by July 2021. As part of our audit work, we discussed the Department?s progress in implementing our audit recommendation with Department staff. According to the Department, it worked with the Department of Human Services (DHS) during Fiscal Year 2022 to develop a plan to eliminate the issues, including the TRAILS eligibility mismatch issue, we identified in the Fiscal Year 2019 audit. In order to address our recommendation that the Department identify and correct any additional cases affected by the system issues noted during our Fiscal Year 2019 audit, the Department developed an eligibility reconciliation report that compares beneficiary records with an active eligibility span in Colorado interChange, in order to identify any records that were not reported in the monthly eligibility file from CBMS. Department staff reported that they are reviewing the reconciliation report monthly to identify any beneficiary records that need updating in CBMS. Beneficiaries may show up on the reconciliation report either because (1) Colorado interChange rejected the beneficiary?s eligibility due to a data integrity issue, or (2) there was a system defect in CBMS, Colorado interChange, or TRAILS that caused a mismatch issue. Data integrity issues include issues such as a missing mailing address or last name?these issues can be manually fixed in CBMS. System defect issues are generally more complex and require Department staff to research the problem and identify the system that caused the error (CBMS, Colorado interChange, or TRAILS), and then work with the appropriate staff to correct the issue. As part of our audit, we requested copies of the Department?s eligibility reconciliation reports for Fiscal Year 2022 and asked the Department if it identified any additional cases affected by the system issues we identified, and if so, if they had they corrected the issues. How were the results of the audit work measured? We measured the results of our audit against the following: ? Federal regulation [42 CFR 447.56(e)(2), Limitations on Premiums and Cost Sharing] states that federal funding will not be provided for payments made by the Department to providers for services rendered to individuals who are not eligible for Medicaid. ? The Act [Section 2, Division F, Sec. 6008, Temporary Increase of Medicaid FMAP] temporarily increased the federal medical assistance percentage (FMAP) by 6.2 percentage points, effective from January 1, 2020 until the end of the PHE. The Act requires states to maintain Medicaid and Children?s Health Insurance Program (CHIP) eligibility for beneficiaries enrolled as of March 1, 2020 through the end of the PHE (with certain exceptions) in order to receive the increased FMAP assistance (the ?continuous enrollment requirement?). The PHE remained in effect during the entirety of Fiscal Year 2022 through June 30, 2022. ? According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with the Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office, Paragraph 16.01, Perform Monitoring Activities, which states that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. What problems did the audit work identify? We determined that the Department did not fully implement our Fiscal Year 2019 recommendation related to Medicaid claims payments by the July 2021 due date it originally provided. Specifically, while the Department has started working with DHS on a plan to resolve the TRAILS eligibility mismatch issues and started preliminary work on the project, the project was still ongoing as of June 30, 2022. In addition, the Department?s system enhancements to CBMS and Colorado interChange were not fully executed because of the ongoing PHE. Once the PHE ends and the Department executes the system enhancements, the Department has indicated the system will begin to correct the CBMS and Colorado interChange mismatches. Finally, although the Department has identified additional beneficiary records that require updating in CBMS, it did not correct the identified issues in the system. Specifically, the Department identified approximately 32,800 separate beneficiaries that were flagged as having an eligibility issue through the Fiscal Year ending June 30, 2022. However, per Department staff, they are unable to tell which beneficiaries had data integrity issues versus those that were caused by a system defect. Once the continuous enrollment period ends and the Department is able to fully execute the system enhancements noted above, the Department reports that the systems will sync any error the Department has identified and will be manually corrected. Why did these problems occur? The Department indicated that it did not fully execute the CBMS and Colorado interChange system enhancements because of the Act?s ongoing continuous enrollment requirement. Specifically, because the Department was required to maintain Medicaid and CBHP beneficiaries enrolled as of March 1, 2020 through the entirety of Fiscal Year 2022 due to the continuous enrollment requirements in place, they were unable to fully execute the CBMS and Colorado interChange system enhancements that would fix the data integrity issues identified during the Fiscal Year 2019 audit. Why do these problems matter? Making payments to ineligible individuals can result in the Department having to repay the federal government for the federal portion of the overpayments. Further, because Colorado interChange makes payments on behalf of other federal programs, such as CBHP, system issues with Colorado interChange could result in erroneous payments for other programs. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-043 The Department of Health Care Policy and Financing should strengthen its internal controls over Medicaid claim payments by: A. Continuing to work with the Department of Human Services to fully implement the plan to eliminate the Colorado interChange issues between Colorado Benefits Management System (CBMS), TRAILS, and Colorado interChange to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries. B. Continuing to review the monthly eligibility reconciliation reports and identifying beneficiary records that need updating, and making necessary corrections in CBMS once the continuous enrollment condition ends. Response Department of Health Care Policy and Financing A. Partially Agree Implementation Date: April 2023 The Department and CBMS teams have strengthened their internal controls to ensure payments are only made to providers for eligible members. The Department and CBMS teams will update all member records identified on the Monthly Reconciliation report once the Public Health Emergency ends. TRAILS team has provided additional training to the Case Managers to prevent data integrity issues being submitted to CBMS and interChange; however, the TRAILS team does not plan to update the system's internal controls until funding is available. Auditor?s Addendum Our responsibility under federal audit regulations is to report to the federal government when we identify Medicaid payments that may not have been made on behalf of eligible individuals or costs that we question as appropriate. It is ultimately the Department?s responsibility to have internal controls in place over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions B. Agree Implementation Date: April 2023 The Department agrees to review the monthly eligibility reconciliation report and is looking forward to resolving the member records once the Public Health Emergency ends to fully resolve the audit finding.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-050 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-037 RECOVERING AND REFUNDING OF FEDERAL SHARE OF MEDICAID AND CBHP PROVIDERS? OVERPAYMENTS The Department pays providers for services rendered to eligible beneficiaries of Medicaid and CBHP programs. In some cases, the Department may discover that it paid a provider for unallowed services, or that it paid more than the allowable amount, and will need to seek a recovery for the overpayment. In such cases, the Department is required to repay CMS for the portion of the overpayment that was funded by the federal government (federal share) within 1 year of the date the overpayment was identified. The Department?s Program Integrity (PI) Division identifies, receives, and tracks overpayments made to Medicaid and CBHP providers. An overpayment is identified once the PI Division sends a Demand Letter (date of discovery) to the provider or receives a self-disclosure identifying the amount of overpayment. The provider has a deadline of 30 days after receiving a Demand Letter or 60 days after submitting a self-disclosure to submit the overpayment or make arrangements for a payment plan with the PI Division. The PI Division uses a recovery tracking spreadsheet (Spreadsheet) to compile all necessary information for the recovery and refund of overpayments. The Spreadsheet is designed to contain information such as the amount of the overpayment, date of discovery, and deadlines for refunding to CMS. The federal share of overpayments that must be refunded to CMS depends upon the Federal Medical Assistance Percentage (FMAP) at which the Department was reimbursed. Once the PI Division recovers an overpayment from the provider, it determines the FMAP and includes it in a recovery form called the Colorado Authorization Document; PI Division staff then send it to the Controller?s Division for recording the recovery and refund information in the Colorado Operations Resource Engine (CORE), the State?s accounting system. The Department?s Controller?s Division uses summary data from CORE to report financial information for Medicaid and CBHP?including all overpayments and the associated federal share?to CMS in quarterly reports: Form CMS-64 for Medicaid and Form CMS-21 for CBHP. The Department has up to 1 year from the date of discovery of an overpayment to report the refund to CMS in one of these forms, as appropriate. The PI Division works with the Controller?s Division to ensure the timely reporting and refunding of the federal share of overpayments to CMS. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to review the Department?s internal controls over processes for recovering, reporting, and refunding the federal share of Medicaid and CBHP overpayments, as well as to determine whether the Department complied with applicable federal requirements and Department policies and procedures during Fiscal Year 2020. During our audit, we reviewed the Department?s Spreadsheet detailing all overpayment cases that appeared to be due for a refund of federal share to CMS during Fiscal Year 2020. The Spreadsheet included 50 Medicaid and seven CBHP overpayment cases, and from these, we selected and tested a sample of 13 Medicaid and five CBHP overpayments. We requested and reviewed supporting documentation for these overpayments to determine whether (1) the information recorded in the Spreadsheet was accurate, (2) the overpayment was recovered in a timely manner or recovery was attempted within 1 year from the date of discovery, and (3) the federal share was appropriately refunded through quarterly reports to CMS in accordance with federal regulations. Additionally, we requested the Department?s policies and procedures to ensure compliance with federal regulations governing the recovery, reporting, and refunding of Medicaid and CBHP overpayments to CMS. The process followed for recovery, reporting, and refunding the federal share of overpayments to providers is the same for both Medicaid and CBHP, and our testing was used to determine compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal regulations for recovering, reporting, and refunding the federal share of Medicaid and CBHP overpayments to providers during Fiscal Year 2020. We noted issues with the untimely recovery and refund of overpayments to CMS, inaccurate federal reporting to CMS, and untimely follow-up with the provider on outstanding overpayments and expired checks. Specifically, we identified the following: ? UNTIMELY RECOVERY AND REFUND. For six of the 13 Medicaid (46 percent) and two of five CBHP (40 percent) overpayments tested, the Department failed to recover, or seek to recover, the overpayments from the provider and failed to refund to CMS, the federal share, within 1 year of the date of discovery, as required by federal regulations. For example, an overpayment was identified on September 13, 2018, but the Department did not recover, or seek to recover, the overpayment until September 15, 2020, and did not refund the federal share to CMS until federal quarter ending September 30, 2020, which is 367 days past the 1 year recovery and refund period in accordance with the federal requirement. In addition, for one of the 13 Medicaid (8 percent) and one of five CBHP (20 percent) overpayments tested, the Department failed to refund the federal share of overpayment to CMS within 1 year of the date of discovery. As a result of untimely follow-up with the providers, the Department did not recover the overpayments amounting to $23,646 in known questioned costs; and did not refund $12,176 within the 1 year period of discovery. These errors resulted in underreporting of overpayments to CMS for Fiscal Year 2020. Additionally, the Department could be liable to CMS for the interest payments on these untimely refunds of overpayments. As of the end of our audit, the Department had not provided an estimated amount of interest that will be due to CMS so we were unable to report an estimated questioned costs amount for the interest. According to federal regulation [42 CFR 433.312(a)(1) and (2)], the Department has 1 year from the date of discovery of an overpayment to a provider to recover or seek to recover the overpayment before the Federal share must be refunded to CMS. In addition, the Department must refund the Federal share of overpayments at the end of the 1-year period following the date discovery of overpayment, whether or not the State has recovered the overpayment from the provider. According to federal regulation [42 CFR 433.320(a)(4)], if the Department does not refund the Federal share of such overpayment as indicated in the previous paragraph (a)(2), the State will be liable for interest on the amount equal to the Federal share of the non-recovered, non-refunded overpayment amount. Interest during this period will be at the Current Value of Funds Rate, and will accrue beginning on the day after the end of the 1-year period following discovery until the last day of the quarter for which the State submits a CMS-64 report refunding the Federal share of the overpayment. ? INACCURATE FEDERAL REPORTING. For all 13 Medicaid (100 percent) and all five CBHP (100 percent) overpayments we tested, the Controller?s Division reported the federal share of the overpayments made to providers on the wrong line of the CMS quarterly reports rather than on the line specified and required by Uniform Guidance. Uniform Guidance states that the Department must report the refund of the overpayment on CMS-64 for Medicaid on line 9C1- Fraud, Waste and Abuse and/or on CMS-21 for CBHP on line 4-Adjustments Decreasing Claims-Collections. ? EXPIRED CHECK AND UNTIMELY FOLLOW-UP. For one of the 13 Medicaid overpayments tested (8 percent), the PI Division failed to timely process the overpayment recovery check received from the provider. Consequently, the check, which was received on September 5, 2019, expired and the Department did not take any actions to follow up with the provider at any time through the end of the fiscal year to obtain payment. After we brought this issue to the Department?s attention, they followed up on the outstanding payment in January 2021, which is more than 16 months since the check expired. According to the Department?s Policies and Procedures, Recovery Officer Check Processing, Section (V)(A), the PI Division within Audits and Compliance has to process the received check in a timely manner and provide a copy to the accounting or Controller Division. ? INCOMPLETE TRACKING SPREADSHEET. We found that the overpayment recovery and refund tracking Spreadsheet used by the PI Division was incomplete and missing important information such as the date of the discovery, the federal program reimbursement rate, and deadlines for refunding to CMS. Green Book, Section 4, Paragraph OV4.08, states that documentation is required for the effective design, implementation, and operating effectiveness of an entity?s internal control system. WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls, including policies and procedures, in place over the recovery, reporting, and refunding of Medicaid and CBHP overpayments during Fiscal Year 2020 to ensure compliance with federal regulations. Specifically, we noted the following causes for the identified errors: ? LACK OF TRAINING. The staff within the PI Division and the Controller?s Division lacked adequate training to document, communicate, and report details of overpayments to ensure compliance with federal regulations. Specifically, the Department?s PI Division did not timely create and provide the Colorado Authorization Document form to the Controller?s Division and the Controller?s Division did not report the refund of the overpayments within 1 year of the date of discovery to ensure compliance with federal regulations. Additionally, staff lacked training to properly track and report overpayments for Medicaid and CBHP; timely process recovery and refund of overpayments, processing checks timely, and correctly report overpayments on CMS quarterly reports. ? LACK OF POLICIES AND PROCEDURES. The Department lacked written policies and procedures to ensure that all necessary information such as the date of the discovery, the federal program reimbursement rate, and deadlines for refunding to CMS required to track, recover, report, and refund overpayments were documented within the Spreadsheet. ? LACK OF ACCOUNT CODES. According to the Controller Division staff, the correct accounting codes are not set up in CORE; therefore, the recovered overpayments are currently recorded under incorrect accounting codes in CORE. This led to the reporting of overpayments on the incorrect federal reporting lines in CMS quarterly reports. ? LACK OF SUPERVISORY REVIEW. The PI Division and Controller?s Division lacked supervisory review over the Spreadsheet and CORE account codes used on the recoveries to ensure completeness and accuracy of information to support timely recovery, refund, and reporting of overpayments. WHY DO THESE PROBLEMS MATTER? Strong internal controls over refunding and recovery of Medicaid and CBHP overpayments, including written policies and procedures; adequate staff training on those policies and procedures, and any related processes; a proper tracking mechanism; and a supervisory review process are necessary to ensure that Department is in compliance with federal and state regulations. Without a proper tracking mechanism for overpayments, the Department risks failing to timely recover state funds paid improperly, refund overpayments, and accurately report overpayment information to the federal government, potentially resulting in additional liability of interest on overpayments to the federal government. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-037 The Department of Health Care Policy and Financing (Department) should improve its internal controls over Medicaid and Children?s Basic Health Plan (CBHP) overpayments and comply with the related payment and reporting requirements by: A Providing adequate training to staff to ensure timely documentation and communication of recovery information between the Program Integrity Division and the Controller Division related to reporting and refunding of overpayments within 1 year of the date of discovery in accordance with federal regulation. Additionally, the training should focus on proper tracking and reporting of overpayments for Medicaid and CBHP, timely processing of recovery of overpayments, timely check processing, and correct refunding of the federal share of these overpayments on Centers for Medicare and Medicaid Services (CMS) quarterly reports. B Developing and implementing written policies and procedures to ensure that all necessary information required to correctly track Medicaid and CBHP overpayments is included on the tracking spreadsheet and recovered overpayments are refunded and reported to CMS within the 1 year of the discovery date, in accordance with federal regulations. C Creating overpayment account codes to report recovered overpayments accurately in the Colorado Operations Resource Engine (CORE) and subsequently under the correct federal reporting lines in CMS quarterly reports. D Implementing a supervisory review over the tracking spreadsheet and CORE overpayment recovery account codes to ensure completeness and accuracy of information to support timely recovery and reporting of overpayments by the divisions. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will develop and provide training to staff that covers the federal regulations surrounding reporting overpayments and returning the federal share, required information for tracking overpayments, processes for processing recovered funds in a timely manner, and processes for properly refunding the federal share on the CMS-64 and/or CMS-21. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will draft and revise existing policies and procedures to ensure proper tracking of recovered overpayments, timely processing of those payments, and correct reporting on the CMS-64 and/or CMS-21. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will implement procedures and coding sufficient to allow proper reporting of overpayments returned greater than one year from the date of discovery for the CMS quarterly reports. D AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will develop and revise supervisory review processes for ensuring that the tracking spreadsheet is complete and accurate and that the CORE account codes are correctly reported.
Finding 2022-043 Medicaid Claims Payments Individuals and families apply for Medicaid at their local county departments of human/social services or at MA sites. Medicaid caseworkers make the determinations of participants? eligibility to receive Medicaid benefits through CBMS. Children in the State?s foster care program, whose information is documented in the TRAILS system, are automatically determined eligible for Medicaid benefits. The Medicaid eligibility data in CBMS and TRAILS feeds into Colorado interChange, which pays providers for the services that beneficiaries receive. CBMS and TRAILS interface with Colorado interChange on a daily basis to update eligibility information, such as a beneficiary?s eligibility status and/or termination of benefits in Colorado interChange. According to the Department, Colorado interChange is programmed to make only allowable Medicaid claims payments on behalf of eligible beneficiaries in accordance with federal and state Medicaid rules and regulations. Thus, Colorado interChange should stop paying Medicaid claims when a beneficiary is no longer eligible for Medicaid. On March 18, 2020, the Act was enacted. The Act provided a temporary increase in the federal share of Medicaid and CBHP assistance from January 1, 2020 until the end of the PHE. The Act also required that the Department maintain Medicaid and CBHP eligibility for beneficiaries enrolled as of March 1, 2020, through the end of the COVID-19 PHE, except for the required terminations noted within the CMS waivers, such as out-of-state residency, termination upon the beneficiary?s request, and death of the beneficiary. On March 26, 2020, CMS approved waivers for a number of Medicaid and CBHP requirements that resulted in, for example, the expansion of benefits to include all uninsured individuals; suspension of beneficiary deductibles, copayments, coinsurance, and other cost sharing charges and fees; coverage of COVID-19 vaccines and testing; and the suspension of the requirement for a provider to have a current license if their license expired during the COVID-19 PHE. In addition, the State implemented, with CMS? approval, Medicaid continuous enrollment as a condition of receiving the temporary increase in federal assistance. During continuous enrollment, beneficiaries could not be disenrolled due to changes in circumstances (i.e., changes in household composition, employment, income and resources) until the end of the COVID-19 PHE. On December 29, 2022 the CCA was enacted. Under the CCA, continuous enrollment and the temporary increase in federal assistance are no longer linked to the end of the COVID-19 PHE. The continuous enrollment condition will end on March 31, 2023 and the increase in federal assistance will start to gradually reduce in April 2023, fully ending in December 2023. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to review the Department?s progress in implementing our Fiscal Year 2019 audit recommendation related to its internal controls over Medicaid claims payments. During that audit, we recommended that the Department improve its Medicaid controls by researching and resolving CBMS, TRAILS, and Colorado interChange interface issues we identified during our audit to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries. We specifically identified a TRAILS and CBMS eligibility mismatch issue related to the daily interfaces between CBMS and Colorado interChange and between TRAILS and Colorado interChange. As a result, some individuals who were deemed ineligible for Medicaid in CBMS and TRAILS were indicated as eligible in Colorado interChange at the time of payments; therefore, Colorado interChange made payments on their behalf. The Department researched the specific errors we identified during the audit and manually corrected the eligibility status of those beneficiaries, but the Department had not fully researched the error or identified and corrected all of the cases affected by the errors at that time. As such, we also recommended that the Department identify and correct any additional cases affected by the system issues noted in our audit. The Department agreed with the recommendation and stated that it would implement them by July 2021. As part of our audit work, we discussed the Department?s progress in implementing our audit recommendation with Department staff. According to the Department, it worked with the Department of Human Services (DHS) during Fiscal Year 2022 to develop a plan to eliminate the issues, including the TRAILS eligibility mismatch issue, we identified in the Fiscal Year 2019 audit. In order to address our recommendation that the Department identify and correct any additional cases affected by the system issues noted during our Fiscal Year 2019 audit, the Department developed an eligibility reconciliation report that compares beneficiary records with an active eligibility span in Colorado interChange, in order to identify any records that were not reported in the monthly eligibility file from CBMS. Department staff reported that they are reviewing the reconciliation report monthly to identify any beneficiary records that need updating in CBMS. Beneficiaries may show up on the reconciliation report either because (1) Colorado interChange rejected the beneficiary?s eligibility due to a data integrity issue, or (2) there was a system defect in CBMS, Colorado interChange, or TRAILS that caused a mismatch issue. Data integrity issues include issues such as a missing mailing address or last name?these issues can be manually fixed in CBMS. System defect issues are generally more complex and require Department staff to research the problem and identify the system that caused the error (CBMS, Colorado interChange, or TRAILS), and then work with the appropriate staff to correct the issue. As part of our audit, we requested copies of the Department?s eligibility reconciliation reports for Fiscal Year 2022 and asked the Department if it identified any additional cases affected by the system issues we identified, and if so, if they had they corrected the issues. How were the results of the audit work measured? We measured the results of our audit against the following: ? Federal regulation [42 CFR 447.56(e)(2), Limitations on Premiums and Cost Sharing] states that federal funding will not be provided for payments made by the Department to providers for services rendered to individuals who are not eligible for Medicaid. ? The Act [Section 2, Division F, Sec. 6008, Temporary Increase of Medicaid FMAP] temporarily increased the federal medical assistance percentage (FMAP) by 6.2 percentage points, effective from January 1, 2020 until the end of the PHE. The Act requires states to maintain Medicaid and Children?s Health Insurance Program (CHIP) eligibility for beneficiaries enrolled as of March 1, 2020 through the end of the PHE (with certain exceptions) in order to receive the increased FMAP assistance (the ?continuous enrollment requirement?). The PHE remained in effect during the entirety of Fiscal Year 2022 through June 30, 2022. ? According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with the Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office, Paragraph 16.01, Perform Monitoring Activities, which states that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. What problems did the audit work identify? We determined that the Department did not fully implement our Fiscal Year 2019 recommendation related to Medicaid claims payments by the July 2021 due date it originally provided. Specifically, while the Department has started working with DHS on a plan to resolve the TRAILS eligibility mismatch issues and started preliminary work on the project, the project was still ongoing as of June 30, 2022. In addition, the Department?s system enhancements to CBMS and Colorado interChange were not fully executed because of the ongoing PHE. Once the PHE ends and the Department executes the system enhancements, the Department has indicated the system will begin to correct the CBMS and Colorado interChange mismatches. Finally, although the Department has identified additional beneficiary records that require updating in CBMS, it did not correct the identified issues in the system. Specifically, the Department identified approximately 32,800 separate beneficiaries that were flagged as having an eligibility issue through the Fiscal Year ending June 30, 2022. However, per Department staff, they are unable to tell which beneficiaries had data integrity issues versus those that were caused by a system defect. Once the continuous enrollment period ends and the Department is able to fully execute the system enhancements noted above, the Department reports that the systems will sync any error the Department has identified and will be manually corrected. Why did these problems occur? The Department indicated that it did not fully execute the CBMS and Colorado interChange system enhancements because of the Act?s ongoing continuous enrollment requirement. Specifically, because the Department was required to maintain Medicaid and CBHP beneficiaries enrolled as of March 1, 2020 through the entirety of Fiscal Year 2022 due to the continuous enrollment requirements in place, they were unable to fully execute the CBMS and Colorado interChange system enhancements that would fix the data integrity issues identified during the Fiscal Year 2019 audit. Why do these problems matter? Making payments to ineligible individuals can result in the Department having to repay the federal government for the federal portion of the overpayments. Further, because Colorado interChange makes payments on behalf of other federal programs, such as CBHP, system issues with Colorado interChange could result in erroneous payments for other programs. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-043 The Department of Health Care Policy and Financing should strengthen its internal controls over Medicaid claim payments by: A. Continuing to work with the Department of Human Services to fully implement the plan to eliminate the Colorado interChange issues between Colorado Benefits Management System (CBMS), TRAILS, and Colorado interChange to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries. B. Continuing to review the monthly eligibility reconciliation reports and identifying beneficiary records that need updating, and making necessary corrections in CBMS once the continuous enrollment condition ends. Response Department of Health Care Policy and Financing A. Partially Agree Implementation Date: April 2023 The Department and CBMS teams have strengthened their internal controls to ensure payments are only made to providers for eligible members. The Department and CBMS teams will update all member records identified on the Monthly Reconciliation report once the Public Health Emergency ends. TRAILS team has provided additional training to the Case Managers to prevent data integrity issues being submitted to CBMS and interChange; however, the TRAILS team does not plan to update the system's internal controls until funding is available. Auditor?s Addendum Our responsibility under federal audit regulations is to report to the federal government when we identify Medicaid payments that may not have been made on behalf of eligible individuals or costs that we question as appropriate. It is ultimately the Department?s responsibility to have internal controls in place over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions B. Agree Implementation Date: April 2023 The Department agrees to review the monthly eligibility reconciliation report and is looking forward to resolving the member records once the Public Health Emergency ends to fully resolve the audit finding.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-041 Medicaid Eligibility?Social Security Numbers associated with Multiple State IDs Each beneficiary?s Medicaid application must contain specific information, including the beneficiary?s Social Security Number (SSN), a copy of their birth certificate, and support for their income, necessary for determining their Medicaid eligibility. The local counties and MA sites are responsible for administering the benefits application process, including entering the required data for eligibility determination into CBMS, and approving or denying applicants? eligibility. CBMS is a shared eligibility system between the Department and the Department of Human Services. As each beneficiary has one SSN, similarly, the State Identification Module (SIDMOD), which is managed by the Office of Information Technology (OIT), is designed to assign a unique State ID for each beneficiary. CBMS interfaces with Colorado interChange, the Department?s Medicaid claims payment system, on a daily basis to update eligibility information, such as a beneficiary?s eligibility status or termination of benefits in Colorado interChange. Colorado interChange uses this information to process and pay claims for services provided to eligible Medicaid beneficiaries. When a medical provider submits a claim to the Department, Colorado interChange checks the State ID and the date of birth, but not the SSN, submitted with the claim against the beneficiary?s information on file. If the State ID and the date of birth match an eligible beneficiary within Colorado interChange and the claim is otherwise appropriate, then the claim will be processed and paid through the system. The Department requires local counties or MA site caseworkers to call the OIT Service Desk to obtain approval for changing or updating an SSN in CBMS. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department made claims payments on behalf of beneficiaries with the same SSN but different State IDs, including assessing the Department?s progress in implementing our Fiscal Year 2019 recommendation related to this issue. At that time, we recommended that the Department improve its internal controls in this area to ensure that it complies with federal regulations regarding Medicaid eligibility. The Department agreed with the Fiscal Year 2019 recommendation and, during our Fiscal Year 2021 audit, reported that it had implemented this recommendation as of December 2020. As part of our testing, we reviewed the internal controls the Department had in place during Fiscal Year 2021 to identify any beneficiaries whose SSN is linked to more than one State ID in Colorado interChange. During our audit, we requested a list of all Medicaid claims that were submitted by providers and paid by the Department from December 1, 2020, through June 30, 2021, including the beneficiaries? names, SSNs, and State IDs. The Department provided a list that included approximately 924,000 beneficiaries who received benefits during that period. We analyzed this listing to identify any beneficiaries whose SSN was linked to more than one State ID, and to determine if any claims payments were made on behalf of those beneficiaries from December 2020 through June 2021. How were the results of the audit work measured? Federal regulation [42 CFR 435.910] states that the Department must require, as a condition of eligibility, that each individual (including children) seeking Medicaid services furnish a SSN. Federal regulation [42 CFR 435.914] further requires the Department to obtain and maintain documentation to support each beneficiary?s Medicaid eligibility determination. Federal regulation [42 CFR 447.56(e)(2)] states that federal funding will not be provided for payments made by the Department to providers for services provided on behalf of individuals who are not eligible for Medicaid. Further, the Department is required by federal regulations to repay the federal government the federal share of any overpayments within one year. Specifically, pursuant to 1903(d)(2)(C) of the Social Security Act [42 U.S.S. 1396b], states have up to one year from the date of discovery of the overpayment to recover or attempt to recover the overpayment before the federal share must be refunded to CMS regardless of whether recovery is made from the provider. According to federal regulation [45 CFR 75.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office. Under Paragraph 16.01 of the Green Book, the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. What problem did the audit work identify? We determined that the Department has not fully implemented the prior audit recommendation. During our testing, we identified 102 unique SSNs that appeared to be inappropriately associated with more than one State ID; in total, the 102 SSNs were tied to 209 State IDs. This could indicate that the Department determined eligibility without a beneficiary furnishing the correct SSN and, as a result, made claims payments on behalf of ineligible beneficiaries or the SSNs could be valid, but with more than one State ID, a provider could submit and have a claim paid for the same services under both State IDs. Specifically, we found the following: ? For 62 SSNs, the SSNs were tied to beneficiaries with more than one State ID, totaling 129 different State IDs, where the State IDs appeared to be for different people based on the names and/or dates of birth. ? For 40 SSNs, the SSNs were tied to beneficiaries with more than one State ID, totaling 80 different State IDs, where the State IDs had the same name and date of birth. ? For 99 SSNs, each SSN was tied to two different State IDs in Colorado interChange. ? For three SSNs, each SSN was tied to more than two different State IDs in Colorado interChange. For example, in one of the three instances, there were five different State IDs associated with one invalid SSN. These issues affected a total of 209 Medicaid State IDs that had not been corrected as of June 2021, representing a total of $67,235 Medicaid claims paid through Colorado interChange from December 2020 through June 2021. We provided the list of SSNs and State IDs to the Department to research. The Department found that, as of the end of our audit in April 2022, 59 out of the 102 SSNs identified during the audit had been corrected by a caseworker, but 43 SSNs need to be corrected in CBMS. The Department reported that these 43 SSNs had been flagged through a system edit in CBMS implemented in December 2020; however, the SSNs had not yet been corrected because ?To merge or correct [the SSNs and State IDs] is a time intensive process and must be prioritized within the business process of the [local counties and] Medical Assistance sites.? Although the Department was able to determine which SSN and State ID discrepancies had been corrected in CBMS as of April 2022, the Department has not completed its research to determine which claims made in Colorado interChange were made on behalf of beneficiaries with a correct SSN, and whether the implemented system edit appropriately addresses the issues identified in both Fiscal Years 2019 and 2021. As of the end of the audit, the Department had not completed this research and we were unable to determine whether the payments were made on behalf of beneficiaries with a valid SSN at the time payments were made. Therefore, we consider all $67,235 of the payments to be known questioned costs; $37,786 of these costs were paid with federal grant funds. A questioned cost, as defined in federal regulations [45 CFR 75.2 Uniform Administrative Requirements, Cost Principles, and Audit Requirements] (Uniform Guidance), is ?a cost that is questioned by the auditor ? (1) Which resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds; [or] (2) Where the costs, at the time of the audit, are not supported by adequate documentation?.? We have identified these questioned costs as known questioned costs that are further defined in Uniform Guidance [45 CFR 75.516] as questioned costs that are specifically identified by the auditor. Why did this problem occur? The Department did not have adequate internal controls in place during Fiscal Year 2021 to prevent or detect all instances of multiple State IDs associated with the same SSN in Colorado interChange and, as a result, could not ensure only eligible beneficiaries received Medicaid services. SIDMOD does not prevent several situations that can result in the same SSN with more than one State ID. For example, caseworkers could incorrectly input an SSN into CBMS or the SSN could be reported by the beneficiary incorrectly and, as a result, cause a new State ID to be created. There can also be instances when someone changes their name, such as when they get married, and apply for benefits prior to getting married and also after getting married, which could cause two State IDs to be created. If someone starts an application and does not finish the application and then restarts a new application at a later date, this can also cause two State IDs to be created. Further, when inputting multiple family members into the system, an input error of the SSN can occur with multiple family members with the same SSN, which would create multiple State IDs (one for each family member) with the same SSN. According to the Department, in order to implement the Fiscal Year 2019 recommendation, it implemented a system edit in CBMS in December 2020 that is designed to identify discrepancies in newly-entered or updated SSNs and State IDs in CBMS after that date and to then notify the caseworker so the caseworker can address the discrepancy; this edit was not designed to address SSN and State ID discrepancies that existed prior to December 2020. As a result, the system edit did not identify SSN and State ID discrepancies for claims made from December 2020 to June 2021 if those discrepancies existed prior to the implementation of the system edit in CBMS and the beneficiaries? information had not been updated in CBMS. For example, if a beneficiary had an incorrect SSN prior to the system edit and was, therefore, ineligible to receive Medicaid services, Colorado interChange would continue paying claims on behalf of the beneficiary until information was updated in CBMS and the beneficiary was determined to be ineligible for Medicaid. Because the system edit implemented in CBMS is only designed to detect and correct future SSN and State ID discrepancies, the Department has not fully addressed the issue of inappropriate claims payments that we identified in the prior audit recommendation. According to the Department, addressing SSN and State ID discrepancies that existed prior to December 2020 involves a manual process to identify, research, and resolve the discrepancies. The Department stated that a report to identify SSNs with multiple State IDs is being developed and is currently scheduled for deployment in June 2023. Furthermore, the Department has not established a monitoring process over caseworkers to ensure SSN and State ID discrepancies are addressed appropriately and in a timely manner. Why does this problem matter? Failing to institute appropriate controls over the processing of Medicaid eligibility can result in the counties and MA sites granting Medicaid benefits to ineligible individuals. As the state Medicaid agency, it is essential for the Department to ensure that Medicaid benefits are paid only for eligible beneficiaries. This includes ensuring that the Department has sufficient internal controls to address risks related to multiple State IDs associated with the same SSN. For example, without adequate controls in place to prevent multiple State IDs from being created, providers could erroneously or fraudulently submit duplicate claims under these State IDs for the same services, resulting in improper payments. Ultimately, the federal government may disallow federal funds for Medicaid program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. Recommendation 2021-041 See Schedule of Findings and Questioned Costs for chart/table The Department of Health Care Policy and Financing (Department) should improve its internal controls over Medicaid eligibility by: A. Researching the claims payments that were identified during our audit to determine whether the local counties or Medical Assistance sites had a valid Social Security Number (SSN) when determining eligibility, if payments were appropriate?in accordance with federal regulation at the time the payments were made?and recovering any payments made to providers on behalf of ineligible beneficiaries in accordance with federal regulations. B. Continuing to develop a report to identify SSNs associated with multiple State IDs and establishing and implementing written policies and procedures outlining how the Department will use the report to effectively monitor and correct SSN and State ID discrepancies. C. Implementing a process to monitor that caseworkers are addressing the Colorado Benefits Management System alerts related to SSN and State ID discrepancies appropriately and in a timely manner. Response Department of Health Care Policy and Financing A. Disagree The research required to identify the appropriateness of payments for 102 SSNs compared to the 1.6 million Coloradans the Department serves is administratively impractical and not an efficient use of limited state resources. Instead the Department will continue our existing proactive approach. Based on previous research, 92% of errors noted in the 2019 sample actually supplied a SSN or met exceptions criteria; therefore, payments were appropriate. The resolution of a SSN discrepancy is addressed through manual intervention by county eligibility technicians when identified through the system edit implemented in December 2020. The Department will continue the existing process to address duplicate SSNs, which is working since 58% of the SSNs had already been corrected through the existing process during the audit work. The Department could not agree to the questioned costs as the testing failed to determine which member case was incorrect. The OSA should have documented the incorrect case or identified which State IDs had not been merged through the existing process. The OSA pulled claims data (not Colorado Benefits Management System, or CBMS, cases) and did not identify if those claims were from newly entered cases or cases entered prior to December 2020. The auditor?s sample should have only included the cases impacted by the Department?s system change related to the original recommendation. Further, the Department cannot recover any payments from providers since this issue is not related to services provided. When a provider checks a member's eligibility on the day of service and finds the member eligible through the Department?s system, that provider is guaranteed payment if they render an authorized service. Auditor?s Addendum Our responsibility under federal audit regulations is to report to the federal government when we identify Medicaid payments that may not have been made on behalf of eligible individuals or that we ?question? as appropriate. It is ultimately the Department?s responsibility to perform research over questioned costs to determine whether the payments were or were not appropriate and, working with CMS, whether the Department must refund the federal share of any overpayments to CMS, regardless of whether the Department recovers the payments from the providers. B. Agree Implementation Date: June 2023 The Department will continue our existing proactive approach to minimize this issue. The resolution of a SSN discrepancy is addressed through manual intervention by county eligibility technicians when identified through the system edit implemented in December 2020. The Department will continue the existing process to address duplicate SSNs. The Department has already made significant progress to monitor CBMS through the use of CBMS monitoring dashboards. These dashboards allow the Department to monitor and perform daily analysis. The Department meets bi-weekly to discuss findings and next steps to resolve any issues identified through the dashboard. These dashboards are being implemented over time as areas of improvements are identified. As part of the Department's continual improvement strategy, SSN discrepancy reports are included in the next implementation phase of the monitoring dashboards scheduled for June 2023. The Department will develop and implement policies and procedures outlining how the report will be used to effectively monitor and correct SSN and State ID discrepancies. Once that work is complete, the Department will send updated written guidance to our county and medical assistance sites on how to use system edits, reports, and dashboards to resolve duplicate SSNs. C. Agree Implementation Date: June 2023 The Department will continue our existing proactive approach to minimize this issue. The resolution of a SSN discrepancy is addressed through manual intervention by county eligibility technicians when identified through the system edit implemented in December 2020. The Department will continue the existing process to address duplicate SSNs. The Department has already made significant progress to monitor CBMS through the use of CBMS monitoring dashboards. These dashboards allow the Department to monitor and perform daily analysis. The Department meets bi-weekly to discuss findings and next steps to resolve any issues identified through the dashboard. These dashboards are being implemented over time as areas of improvements are identified. As part of the Department's continual improvement strategy, SSN discrepancy reports are included in the next implementation phase of the monitoring dashboards scheduled for June 2023. Once that work is complete, the Department will send updated written guidance to our county and medical assistance sites on how to use system edits, reports, and dashboards to resolve duplicate SSNs appropriately and in a timely manner.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-042 Medical Loss Ratio Reporting for Managed Care Entities The Department contracts with Managed Care Entities (MCEs) to provide managed care health plans and deliver health care services to eligible Medicaid and CBHP beneficiaries and pays MCEs monthly fixed amounts, known as capitation payments, based on rates determined by actuaries for the provision of services covered under the contract. The Department pays the MCEs monthly capitation payments on behalf of each Medicaid and CBHP beneficiary enrolled in the MCE?s plan. MCEs then coordinate services for the eligible Medicaid and CBHP beneficiaries and providers participating in the managed care system bill the MCEs directly for any medical services provided to Medicaid and CBHP beneficiaries. The MCEs are then responsible for paying the providers for the Medicaid and CBHP claims. The Department contracts with three different types of MCEs?Managed Care Organizations (MCO), Prepaid Inpatient Health Plans (PIHP), and Primary Care Case Management (PCCM) Entities. During Fiscal Year 2021, the Department had a total of 8 contracts with 10 MCEs, with two pairs of MCEs sharing a single contract with the Department. The Department is responsible for monitoring the MCEs to ensure they are complying with federal regulations and their contract provisions, including requirements that the MCEs annually submit Medical Loss Ratio (MLR) reports to the Department. The MLR is the proportion of state and federal Medicaid and CBHP funds that the MCE used for medical services compared to the funds used for its administrative costs. MCEs are required by both federal regulations and their Department contract provisions to have an MLR above 85 percent (i.e., an MCE?s administrative costs cannot exceed 15 percent) except for specific exceptions defined in federal regulations. If the MLR is below 85 percent, the MCE must pay back the state and federal government for the amount that caused the MCE to fall below 85 percent. Every fiscal year, the Department provides an MLR reporting template for the MCEs to complete and return to the Department. The Department reported that when it receives the completed templates, staff review the information provided by the MCEs and compare it to supporting documentation to ensure it is accurate and complete. Once the Department has reviewed the MLR reports submitted by the MCEs, the Department submits the MLR reports to CMS, which are due by June 30 of the year following the end of the MLR reporting year. For example, an MCE with a reporting year ending June 30, 2020, would be required to submit the MLR calculation to CMS by June 30, 2021. During Fiscal Year 2021, the Department reported that it paid approximately $1.4 billion in Medicaid and CBHP capitation payments to MCEs for medical services, not including the capitation payments for other services, such as administrative costs. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to review the Department?s internal controls and compliance over ensuring that MLR reports submitted to CMS by the Department include all the required information in accordance with federal regulations during Fiscal Year 2021. The audit work included making inquiries of Department staff regarding the Department?s documented policies and procedures over obtaining and reviewing MLR reports from each MCE. In addition, we requested and reviewed all MLR reports submitted to the Department by the 10 MCEs that were under contract with the Department in Fiscal Year 2021 to determine whether the MLR reports included all information required by federal regulations and were submitted within the required timeframes. How were the results of the audit work measured? Federal regulations [42 CFR 438.8(k)] require that the Department ensure each MCE under contract with the Department submits a report with the data elements specified in 42 CFR section 438.8(k)(1). The reports are specifically required to contain 13 required data elements, reflect the correct reporting years, and contain an attestation of accuracy regarding the calculation of the MLR. The 13 data elements include items such as total incurred claims, the methodology for allocating expenditures, the calculated MLR, and a comparison of the information reported in the MLR report to the MCE?s audited financial report. Federal regulations [42 CFR 438.8(g)] note that the method used to allocate expenses in the MLR calculation must be: ? Based on a generally accepted accounting method that is expected to yield the most accurate results; ? Any shared expenses must be apportioned pro rata to the contract incurring the expense; and ? Expenses that relate solely to the operation of a reporting entity must be borne solely by the reporting entity and are not to be apportioned to other entities. Federal regulations [42 CFR 438.8(k)(2)] require MCEs to submit the MLR report in a timeframe and manner determined by the Department, which must be within 12 months of the end of the MCE?s reporting year. The Department?s contract provisions for MCEs state that the MLR reporting year should align with the State?s fiscal year, beginning on July 1 and ending on June 30 of the subsequent calendar year. Contract provisions also state that each MCE shall submit to the Department the completed MLR calculation template and supporting documentation for each reporting year by the following January 15. For example, an MCE with a reporting year ending June 30, 2020, would be required to submit the MLR calculation template to the Department by January 15, 2021, and the Department would be required to submit the MLR calculation to CMS by June 30, 2021. What problems did the audit work identify? We reviewed all reports provided to the Department by the 10 MCEs during Fiscal Year 2021 (for the MLR reporting year ended June 30, 2020) and determined that none of the MLR reports submitted by the 10 MCEs to the Department contained all of the required data elements in Fiscal Year 2021. Specifically, the MLR reports were missing 2 of the 13 (15 percent) required data elements: the methodology for the MCEs? allocation of expenditures and a comparison of the information reported in the MLR report to the MCEs? audited financial reports. This omission is significant because the MCEs reported total medical expenditures ranging from $20.5 million to $208.4 million and earned revenue from $23.4 million to $219.1 million. In addition, we determined that 1 of the 10 MLR reports received in Fiscal Year 2021 (10 percent) had not been submitted to CMS as of April 2022. This report was due to CMS on June 30, 2021. Why did these problems occur? We found that the Department lacked adequate controls to ensure that MLR reports submitted by the MCEs fully complied with federal regulations. First, we noted that although the Department?s MCE contracts state the MCE?s MLR report should include all 13 federally required data elements, the MLR template the Department provided to the MCEs did not include specific sections addressing the two missing federally-required data elements. As a result, the MCEs did not submit this information. Furthermore, the Department did not have written policies and procedures for reviewing completed MLR reports to ensure the reports ultimately included those requirements. Second, the Department does not have an enforcement mechanism to ensure the MCEs provide corrected MLR report information in a timely manner. The Department reported that it had not submitted the one MLR report to CMS because it had open questions on the MLR report and was unable to verify that the information was correct, valid, and in compliance with federal regulations. Although the Department sent the MLR report back to the MCE for correction several times, the Department did not have sufficient controls in place to ensure the MCE ultimately provided the corrected report back to the Department within the required reporting timeline for CMS submission. Why do these problems matter? The Department is responsible for ensuring MLR reports are obtained and submitted to CMS in accordance with federal regulations and that MCEs have an MLR above 85 percent. While all 10 MCEs reported that their MLRs were above 85 percent for the reports submitted during Fiscal Year 2021, without providing all required data elements, neither the Department nor the federal government can validate that this percentage is accurate. By not including the methodology for the MCE?s allocation of expenditures, the Department, and ultimately CMS, are unable to confirm that each type of expense is being allocated correctly and that any shared expenses are being prorated appropriately. Additionally, by not including a comparison of the information reported in the MRL to the MCE?s audited financial report, the Department is unable to confirm that the information the MCE used to calculate their MLR is accurate. Overall, without effective internal controls in place, the Department risks providing MLR reports to CMS that contain inaccurate or incomplete information or that the MLR is below 85 percent and the Department does not catch the error. As a result, state and federal funds could be used disproportionately on administrative costs rather than medical services, which would negatively impact the quality of care Medicaid and CBHP beneficiaries receive. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-042 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls over Medical Loss Ratio (MLR) reporting by: A. Updating its MLR report template provided to Managed Care Entities (MCEs) to comply with federal regulations and developing and implementing written policies and procedures. These policies and procedures should include the requirement for MCEs to submit MLR reports that include the data elements required by federal regulations and specify the Department?s review process of those MLR reports to ensure they include accurate and complete information. B. Developing an enforcement mechanism to ensure it receives accurate and corrected information from the MCEs in a timely manner so the Department is able to complete its validation process of MLR reports and meet the June 30 deadline for report submission to the Centers for Medicare & Medicaid Services. Response Department of Health Care Policy and Financing A. Agree Implementation Date: December 2022 The MLR report template has been updated and will now be reviewed at least yearly by the Department. In addition, new written policies and procedures are being developed and will be implemented before the submission of the next MLR for review. B. Agree Implementation Date: January 2023 The Department will add contract language and enforcement mechanisms in order to receive accurate information in a timely manner. This includes specific timelines for correcting incomplete or inaccurate information in order to submit the MLR report timely to the Centers for Medicare & Medicaid Services.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-043 Managed Care Entities? Periodic Audit Reporting On November 9, 2020, CMS adopted a final rule (Final Rule) revising the regulations governing managed care programs. The Final Rule was meant to streamline the existing Medicaid and CBHP managed care regulatory framework. Further, it adopted procedures and standards to ensure accountability and strengthen program integrity safeguards. The Department is responsible for complying with these federal program integrity regulations, some of which include requirements to monitor MCE compliance submission requirements, conduct periodic audits of submitted MCE data, and then post the periodic audits publicly on the Department?s website. These periodic audits are done to determine the accuracy and completeness of the (1) encounter and, (2) financial data submitted by each MCE, which are described as follows: ? Encounter Data. The Department?s contracts with the MCEs require each MCE to submit Medical Encounter Claims (Encounter Data) to the Department. Encounter Data includes services provided by any of the MCE?s providers, including, but not limited to, services delivered by medical groups, practices, clinics, physicians, or any other providers. MCEs must submit Encounter Data on a monthly basis on the last business day of the month. The Department then contracts with an independent external quality review organization to review the information and supporting documentation, and then the external organization issues a report on the data submitted by each MCE. ? Financial Data. The Department?s contracts with the MCEs require each MCE to complete a Department-provided financial reporting template that contains a breakdown of the MCE?s administrative and medical costs for a 12-month period (July through June). These templates are required to be completed and submitted to the Department by January 15 each year. The Department performs an initial review of the information, and then sends the completed templates to an independent CPA firm for final review and issuance of a report on the data submitted by each MCE. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to review the Department?s internal controls over and compliance with federal program integrity requirements for MCEs during Fiscal Year 2021. The audit work included making inquiries of Department staff regarding the Department?s documented policies and procedures over the MCE periodic audits. For each MCE, we reviewed the Department?s MCE contract, the financial reporting template submitted during Fiscal Year 2021, and the report issued by the Department?s contracted independent organization. Lastly, we reviewed the Department?s website to determine whether the Department posted the periodic audit results on their website. How were the results of the audit work measured? Federal regulations [42 CFR 438.602] detail the Department?s responsibilities associated with MCE program integrity. These include the following: ? Federal regulation [42 CFR 602(e)] requires the Department to periodically conduct, or contract for the conduct of, an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by each MCE. ? Federal regulation [42 CFR 438.602(g)(4)] requires that the results of the periodic audits for each MCE be publicly posted on the Department?s website. The Department?s MCE contracts require all MCEs to submit Encounter Data electronically to the Department on a monthly basis. The Department?s MCE contracts also require all MCEs to submit annual financial information, including annual financial statements and the Department provided financial reporting template. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in the Green Book. Under Paragraph 16.01, the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. What problems did the audit work identify? Overall, we found that the Department did not obtain complete financial data from the MCEs during Fiscal Year 2021 and did not post the audited results of the financial data to the Department?s website. Specifically, we found the following: ? Financial Data Reporting Template. For 2 out of the 10 (20 percent) financial reporting templates we reviewed, the MCE did not fill out the reporting template completely. As a result, the reporting templates were missing supporting information and explanations that assist the Department in their initial review of the MCE financial data, such as the MCE?s methodology for calculating administrative and medical costs submitted with the reporting template. ? Posting Incomplete Periodic Audits to the Department?s Website. For 10 of the 10 (100 percent) MCEs, we found that the Department failed to post the results of the financial data audits to its website. Pursuant to federal regulations, the audits must include information on encounter and financial data for each MCE and be posted to the Department?s website. We were able to verify that the Department did, however, post the results of the encounter audits to its website for all 10 MCEs. Why did these problems occur? The Department lacked adequate controls over ensuring compliance with federal program integrity requirements for MCEs. Specifically, the Department did not have written policies and procedures for performing the initial review of the financial data reporting templates before they are sent to the CPA firm for final review. In addition, the Department did not have written policies and procedures for ensuring all periodic audit information is posted to its website, including the results of the financial data audits. Why do these problems matter? As a recipient of federal funds, the Department is ultimately responsible for ensuring that it is in compliance with federal regulations. By not confirming that the MCE financial data templates are complete, there is a risk that the reports issued by the contracted CPA firm could be inaccurate or incomplete, which could lead to the Department not properly monitoring the managed care program. In addition, by posting incomplete periodic audit information to its website, the Department risks failing to comply with federal program integrity requirements for MCEs. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-043 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls by developing and implementing written policies and procedures for periodic audits that detail the process for (1) performing the initial review of the financial data reporting templates submitted by Managed Care Entities, and (2) posting complete periodic audit results on the Department?s website in accordance with federal regulations. Response Department of Health Care Policy and Financing Agree Implementation Date: December 2022 The Department did not have strong enough controls for the initial checks on the financial data reporting templates. This process has been updated and will be rectified in coming cycles. The Department has modified its templates in order to address the concerns provided by the auditors including signatures and supplemental reporting. Written policies and procedures for the validation and audit of the templates are being developed currently and will be in place and effective in December 2022. The Department will be correcting this error by posting the audit results along with other quality and audit reports on the following site: https://hcpf.colorado.gov/quality-and-health-improvement-reports.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-045 Payments for Non-Emergent Medical Transportation ClaimsPrior to July 2020, in 55 counties, the Department worked with various county offices to have them broker Non-Emergent Medical Transportation (NEMT) services for Medicaid recipients, including rides to and from Medicaid medical appointments, personal mileage reimbursement, and trip-related meals and lodging. For example, these counties arranged the rides with transportation providers, submitted the claims or had providers submit claims for reimbursement to the Department, and passed on reimbursements to providers as needed. For the remaining nine counties, the Department contracted with IntelliRide to serve as the NEMT broker for services in those areas. From July 1, 2020, to August 31, 2021, when the Department contracted with IntelliRide to be the statewide broker, most recipients throughout the state scheduled NEMT rides by contacting IntelliRide through its call center, website chat function, or smartphone applications. IntelliRide scheduled rides and assigned transportation providers to them, and had providers upload trip information into IntelliRide?s EcoLane transportation scheduling system. EcoLane maintains information related to recipients? requests for rides and provider trip information, such as the trip date and time, names of the recipient and driver, and scheduled pick-up and destination addresses. IntelliRide submitted claims through the Department?s interChange system (interChange) requesting payments for providers? NEMT services, paid providers for their services, and received reimbursement from the Department. In addition, the Department paid NEMT claims submitted directly by NEMT providers. In Fiscal Year 2021, from July 1, 2020, through February 28, 2021 (the audit period), the Department paid 362,110 claims for NEMT services totaling about $33.2 million, as shown in the following table. In September 2021, the Department plans to transition back to IntelliRide brokering services in nine counties, while the NEMT providers in the remaining counties will broker their own services. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote What audit work was performed and how were the results measured? The purpose of the audit work was to determine whether the Department has ensured that NEMT claims adhere to the following federal and state requirements. ? NEMT trips were to be brokered through, and all claims submitted by, the statewide broker, Intelliride. According to state regulations and the Department?s NEMT Billing Manual, all NEMT trips during Fiscal Year 2021 had to be authorized by the statewide broker, IntelliRide [10 CCR 2505-10 8.014.7.A]. This means that each recipient?s NEMT ride request should have been sent to IntelliRide for approval or authorization before the trip, and any unauthorized trips should ?not be reimbursed or paid? [Billing Manual]. According to the Department, it allowed NEMT providers time to transition to working with IntelliRide because some providers were reluctant to join the statewide brokerage and the Department needed time to onboard providers. By Fall 2020, most providers should have been working with IntelliRide to schedule NEMT rides. The Department told us that six NEMT providers received its express permission to bypass IntelliRide to schedule rides and submit claims directly to the Department because the providers are unique, such as only serving recipients with disabilities or receiving federal grant funding to provide NEMT. To assess whether IntelliRide brokered most NEMT services in the State and submitted the related claims in line with regulations and its contract, we reviewed the Department?s aggregate data for the 128,998 NEMT claims paid from December 2020 through February 2021. ? The Department must pay claims based on accurate service rates and trip mileage. Non-taxi NEMT services, such as wheelchair and mobility vehicle services, have base rates and mileage rates set by the Department. IntelliRide tracks the mileage of each NEMT trip in EcoLane and submits mileage claims to the Department?s interChange system. The Public Utilities Commission (PUC) sets the rate for each permitted taxi provider, which generally includes a rate for the first trip mile and a different rate for each additional mile. According to the Department?s NEMT Billing Manual and NEMT Rate Schedule for Fiscal Year 2021, taxi claims should have been paid at the rate set by the PUC. For example, if a taxi company?s PUC rate was $4 for the first mile and $2 for each additional mile, the Department should have paid $6 for a two-mile NEMT trip claim. To verify that the Department paid NEMT claims based on the correct trip mileage and rates, we reviewed the trip mileage and rates for 362,110 NEMT claims paid from July 2020 through February 2021, and PUC documentation on the taxi rates for permitted taxi companies. ? Claims must be supported with accurate and complete documentation confirming the service provided. Both IntelliRide and providers that submit claims for NEMT services must keep and be able to furnish accurate, complete supporting documentation for all claims [42 USC 1396a(27), 42 CFR ?? 431.17 and 433.32, and 10 CCR 2505-10 8.014.3.C and 8.014.6.B]. For example, a claim must be supported by medical documentation showing that the type of vehicle was needed to transport the recipient, and documentation from the transportation provider showing the trip occurred and when the recipient was picked-up and dropped-off. IntelliRide should only submit a claim to the Department after IntelliRide confirms the trip has been completed and marks the status complete in EcoLane [IntelliRide Policies and Procedures]. If an NEMT provider does not show up for a trip, IntelliRide should mark the trip as ?cancelled? in EcoLane. Payments for Medicaid claims that lack supporting documentation for the services provided are unallowable, meaning they should not be paid. IntelliRide or the Department must maintain documentation from recipients? medical providers showing why certain NEMT services, like transportation in a wheelchair van or with an escort, are medically necessary [10 CCR 2505-10 8.014.7.B and 8.014.5.D.1; Billing Manual]. To verify that there was support for NEMT claims, we reviewed IntelliRide data in EcoLane for all 362,110 NEMT claims paid from July 2020 through February 2021, and Department documentation for a sample of 85 NEMT paid claims?75 selected randomly from the four NEMT service areas of the state, and 10 that were the highest paid NEMT claims. ? NEMT services must be medically necessary. NEMT services shall only be provided to recipients with no other means to attend medically necessary, non-emergency treatment covered by Medicaid [42 USC 1396a(70); 42 CFR 431.53; 10 CCR 2505-10 8.014.5.B]. To verify that NEMT claims were only paid for recipients to access medical care, we reviewed the Department?s data on paid medical claims to determine if the recipients related to 22 sampled NEMT claims paid in December 2020 had a corresponding medical appointment. For another 61 paid NEMT claims that involved IntelliRide scheduling and submitting claims for trips every day in December for two recipients, we reviewed whether the recipients had paid medical claims corresponding with the trips. ? Prior authorization is required for air ambulance. The Department must grant prior authorization for the use of an NEMT air ambulance before the trip occurs in order for the claim to be paid [10 CCR 2505-10 8.014.7.D.1.b]. To verify that the Department granted prior authorization for air ambulance trips, we reviewed the use of air ambulances in 11 paid claims from July 2020 to February 2021. ? Recipients are to receive the least-costly NEMT transportation option appropriate for their medical condition. For example, recipients should only ride in a vehicle for recipients with mobility needs when they have a mobility issue or if there is a lack of access to public transportation [10 CCR 2505-10 8.014.6.B, 42 USC 1396(a(70), and 42 CFR 440.170(a)(4)]. Higher-cost NEMT services, such as ambulance and wheelchair van services, must be supported with documentation of the recipient?s need for the specific higher-cost services [10 CCR 2505-10 8.014.5.B.1.b]. To determine whether recipients received the least costly NEMT services to meet their needs, we reviewed documentation submitted by medical or transportation providers to IntelliRide or the Department for the 85 sampled NEMT claims. ? Taxi providers must be permitted by the PUC to provide NEMT taxi rides. To provide NEMT rides by taxi and receive payment for them, the provider must maintain a common carrier permit issued by the PUC [10 CCR 2505-10 8.014.3.B.4.a]. To verify that the providers that were paid for taxi claims had been permitted to provide taxi services, we reviewed the 33,791 NEMT claims for taxi services from July 2020 to February 2021. What problems were identified? The Department paid $3.5 million directly to 66 NEMT providers for claims that were not brokered by Intelliride. From December 2020 through February 2021, 26,890 of the approximately 129,000 NEMT claims paid by the Department (21 percent), totaling about $3.5 million, were not brokered through IntelliRide, which violated state regulations requiring all NEMT services to be brokered through the statewide brokerage in effect at the time. The following chart shows the amounts the Department paid for claims submitted directly by NEMT providers compared to its payments for claims submitted by IntelliRide from July 2020 through February 2021. During these months, the number of claims that providers submitted directly to the Department decreased as providers transitioned to working with IntelliRide to broker NEMT rides; however, as of February 2021, the Department was still paying about $1 million in monthly claims that were submitted directly by providers. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote The Department paid 36,910 NEMT claims totaling $5.5 million, which either violated or may have violated federal and/or state regulations. The claims were for unallowable services or were overpaid, and resulted in $291,597 in known questioned costs and $5,180,962 in likely questioned costs for Medicaid. A questioned cost is a payment that ?resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds? or ?the costs, at the time of the audit, [that] are not supported by adequate documentation?? [2 CFR 200.84]. A known questioned cost reflects a violation that the auditor confirmed; a likely questioned cost is the auditor?s best estimate of a potential violation [2 CFR 200.516(a)(3)]. Known and likely questioned costs should be investigated by the Department and recovered, as appropriate, because Medicaid overpayments are recoverable regardless of whether they occurred due to an error by the Department, entity acting on behalf of the Department, or a provider [Section 25.5-4-301(2), C.R.S.]. We found the following problems resulting in $291,597 in known questioned costs: ? Claims paid with no support that services were provided. For 3,958 of the 362,110 NEMT claims (1 percent), which totaled $258,115 paid from July 2020 to February 2021, IntelliRide or providers submitted the claims without any documentation showing that recipients received the NEMT services from the providers listed in the claim. The $258,115 is known questioned costs and includes: o 3,323 claims totaling $163,985 submitted by IntelliRide with no documentation in EcoLane of a ride being scheduled or provided. o 619 claims totaling $61,431 submitted by IntelliRide for which EcoLane showed the scheduled ride was cancelled. o 16 sampled claims totaling $32,699 submitted by providers directly to the Department had no documentation that an NEMT service occurred because the providers did not send the Department documentation for their claims. Upon our request, the Department attempted to obtain supporting documentation from providers for these claims but was unable to obtain any. ? Overpayments due to incorrect mileage and taxi rates. For 466 of the 321,099 mileage and taxi claims (less than 1 percent), the Department overpaid IntelliRide. Specifically, for 50 of the 287,308 mileage claims (less than 1 percent), the mileage submitted by IntelliRide that the Department paid was more than the ride mileage that IntelliRide documented in EcoLane. For 416 of the 33,791 (1 percent) claims submitted by IntelliRide on behalf of providers that were permitted to operate as taxis, the Department paid a higher rate than the providers? set PUC rate. The following table breaks out the overpayments that we identified, which totaled $6,759 in known questioned costs. We did not find issues with the rate amounts that the Department paid for non-mileage and non-taxi services. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Examples of these overpayments include: o An overpayment of $48 for a claim submitted by IntelliRide for a taxi provider that billed the wrong taxi rate. The Department paid $60 for a 4-mile trip, when it should have paid $12 based on the PUC rate of $3 per mile. o An overpayment of $79 for a claim submitted by IntelliRide on behalf of a provider because the claim showed the trip was 76 miles, but the EcoLane data showed the trip was 38 miles. The Department paid $157, when it should have paid $78. ? Unallowable rides, not for medical appointments. For 61 claims showing NEMT trips every day in December 2020 for two recipients, there were no medical claims corresponding to their trips, so it appears that either NEMT was used repeatedly to transport these recipients to unallowable destinations or the provider did not provide the trips claimed. The NEMT provider reported to IntelliRide that these trips were completed even though the recipients did not attend any medical appointments that month. IntelliRide submitted the 61 NEMT claims and its EcoLane data showed that the NEMT providers self-reported that the trips were completed. However, IntelliRide confirmed that these trips were not used to access medical care. The issues we identified resulted in $2,674 of known questioned costs. ? Air ambulance claims paid without prior authorization. None of the 11 air ambulance NEMT claims had supporting documentation that the provider requested or received prior authorization from the Department before the trip occurred. These 11 claims to three providers resulted in $23,122 in known questioned costs. ? Claims paid for trips that were not the least costly, medically necessary, and/or for approved escorts. For seven of the 85 sampled claims (8 percent), IntelliRide submitted the claims without having required documentation from medical providers. Specifically, four claims lacked documentation to support the medical necessity for the type of vehicle used (either mobility vehicle, taxi, or wheelchair van); the other three claims lacked documentation of the recipient?s need for an escort to support the associated cost, which indicates that the three sampled NEMT trips were provided to an escort ineligible to ride with the recipient. The issues we identified for the seven claims resulted in $927 of known questioned costs. In addition, we found the following problems resulting in $5,180,962 in likely questioned costs, which are estimated potential violations of federal requirements that we could not confirm due to a lack of documentation: ? $4.8 million paid for taxi claims without mileage. For 29,049 taxi claims totaling $4,763,071, the Department paid the claims without ensuring taxi providers were paid at their PUC per-mile rate. These claims were submitted directly to the Department by 10 permitted taxi providers. The Department required providers to submit claims showing only the number of one-way trips driven, not the number of miles driven. As a result, the Department could not ensure that these taxi claims were paid at the correct PUC rates, as required in its Billing Manual and Rate Schedule. The Department paid the full amount that each taxi provider requested, as long as the claim was not more than $1,000 per one-way trip. For example, the Department paid $4,000 to one taxi provider for a claim showing four one-way trips for a recipient on a single day. Based on the claim amount, the taxi provider would have had to have driven the recipient on four 400-mile, one-way trips that day to justify this amount, because the taxi provider?s PUC rate is $4 for the first mile and $2.50 for each additional mile. Since the Department did not obtain the miles driven for each one-way trip from taxi providers for these 29,049 claims, we could not determine whether the payments were accurate based on each provider?s PUC rate, as required. ? $409,575 paid for taxi claims for providers not permitted as taxis. For 3,284 NEMT claims for taxi services from eight providers, the providers were not permitted by the PUC to operate as taxis. For example, one provider was paid for an NEMT taxi claim for $5,875 for 12 trips, or $490 per trip. Since these providers were not permitted as taxis, they did not have PUC-set taxi rates, so we could not determine how much these providers should have been paid. ? $4,718 paid for trips that may not have been to attend medical services. As of April 2021, 13 of the 22 sampled NEMT claims (59 percent) for trips in December 2020 had no medical claims for dates corresponding to the NEMT trips. Department staff told us that Medicaid medical claims are typically submitted and paid within 3 months of the date of service, but that there is a possibility that medical providers had not yet submitted medical claims for the recipients since federal regulations technically allow providers up to 12 months to submit claims [42 CFR 447.45(d)(1)]. In addition, six of these 13 recipients had both Medicaid and other types of medical insurance, such as Medicare. According to the Department, it is possible that the six recipients used NEMT trips to access medical services but the Department did not have a Medicaid claim for the services because they were paid by the other types of insurance, which is allowed by state regulations [10 CCR 2505-10 8.014.5.B.2]. Therefore, we could not determine whether the NEMT trips associated with the 13 claims had been for recipients to attend medical services. ? $3,598 paid for trips that may not have been completed. For 61 of the 362,110 paid claims (less than 1 percent), the scheduled trips were not marked as complete in EcoLane, so we could not determine whether they had been completed. Why did these problems occur? The Department lacks effective internal controls over NEMT claims to ensure they are appropriate and consistently comply with federal and state requirements. According to federal regulations [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls to provide reasonable assurance that federal funds are spent in compliance with federal requirements. We identified the following areas where Department controls are lacking for NEMT claims: Lack of Department information technology (IT) Controls in interChange ? No IT controls to prevent providers from bypassing broker. From December 2020 through February 2021, the Department paid NEMT providers directly for unsupported NEMT trips because the Department did not have IT controls in interChange to deny claims for trips that were not brokered through IntelliRide, as required at the time. As of September 1, 2021, the Department plans to require only the NEMT providers operating in nine metro-Denver counties to broker trips through IntelliRide, so the Department needs IT controls to ensure providers in these counties work with IntelliRide to schedule all trips and submit related claims. ? Lack of IT and other controls to ensure proper payments for NEMT taxi services. InterChange is programmed to pay each NEMT taxi claim based on one-way trips, but the Department has not implemented an IT or other control to ensure that NEMT taxi claims are paid at the providers? current PUC-approved per-mile rates, and that the Department only pays taxi rates when the provider is permitted by the PUC to operate as a taxi. Department staff stated that the only IT control the Department has built into interChange to help ensure proper payment of taxi claims is limiting payments for taxi claims to no more than $1,000 per one-way trip, and that this control is in accordance with the NEMT Billing Manual and Rate Schedule. However, Department staff also acknowledged that there is a conflict within the Billing Manual that requires taxi claims to be based on the number of one-way trips, but also paid based on per-mile PUC rates. By setting the limit based only on the number of one-way trips instead of providers? PUC per-mile rate, this Department IT control is not effective at ensuring taxi claims are paid properly. To ensure accurate payments for NEMT taxi claims, the Department will need methods, such as IT controls in interChange, and clarification in the Billing Manual and Rate Schedule, to ensure taxi providers are paid based on set rates, and ensure each taxi provider is permitted. ? No IT controls to ensure required prior authorizations. Air ambulance services were paid without the Department?s prior authorization for the services because the Department does not have IT controls to ensure prior authorization before payment. If the Department does not implement IT controls to ensure appropriate prior authorizations of NEMT services, the Department will need to develop manual processes to ensure that NEMT services receive required authorization prior to paying the related claims. Lack of Department Monitoring of NEMT Services and Claims ? Insufficient methods to ensure appropriate payment and collect necessary documentation from providers that bypass the statewide brokerage. Although the Department reviewed NEMT provider supporting documentation for NEMT services in 2019, the Department did not do so in 2020 or 2021, and had no process to require the providers that bypassed the statewide brokerage to submit documentation to support their NEMT claims before they were paid. According to the Department, in September 2021, it plans to require providers in nine counties covered by the IntelliRide brokerage contract to provide and submit claims through IntelliRide; however, NEMT providers in the remaining 55 counties will be submitting NEMT claims directly to the Department. Therefore, it is important that the Department develop a process to ensure that providers in these 55 counties maintain required documentation for each claim. ? Lack of monitoring to ensure Intelliride submits accurate mileage claims and collects necessary documentation. The Department does not conduct reviews of IntelliRide?s documentation in EcoLane to ensure it submits claims for accurate mileage and maintains support for claims submitted to or paid by the Department. For example, the Department does not reconcile its NEMT claims data from interChange and IntelliRide?s EcoLane system data to ensure each claim is supported. Furthermore, the Department has never completed a file review of IntelliRide?s supporting documentation for NEMT claims, such as when the Department contracted with IntelliRide to be a regional broker prior to becoming the statewide broker. ? No method to ensure NEMT service claims are for rides for medical treatment and the least costly. The Department does not conduct any reconciliation of its interChange data on NEMT trip claims to its interChange data on Medicaid medical claims to ensure NEMT claims are only paid for recipients to access medical care. The Department also does not require confirmation from medical providers that recipients used NEMT to access necessary medical care. For example, NEMT providers told us that before the start of the IntelliRide statewide brokerage contract, they either called medical providers to confirm that the recipients? NEMT trips were to access medical appointments or collected medical providers? signatures for each NEMT trip. In addition, the Department has no controls to ensure providers that submit claims directly to the Department are providing the least costly NEMT service appropriate to each recipient, such as public transportation when it is accessible and appropriate. For example, IntelliRide instructs its staff to attempt to schedule the lowest-cost NEMT service based on recipients? mobility needs and access to public transportation; however, the Department has no such method to ensure services are the least costly when NEMT providers schedule services for recipients. As of September 2021, the Department plans to have the recipients who live in the 55 counties not served by IntelliRide begin scheduling their rides directly with the NEMT providers of their choosing, yet the Department has not developed a method to ensure recipients in these areas receive the lowest-cost services appropriate for their needs. ? Potentially insufficient Department staffing to monitor NEMT claims effectively. For Fiscal Year 2021, the Department was appropriated three full-time equivalent (FTE) staff to oversee NEMT claims; however, the Department had two vacancies in these positions from July 2020 through May 2021 that it did not fill, so there was only one Department staff overseeing NEMT and the IntelliRide statewide contract during the audit time period. In June 2021, the Department added an additional FTE staff member to assist in administering the NEMT benefit. Why do these problems matter? Likely federal recovery of funds used for improper payments. Section 25.5-4-301(2), C.R.S., states that any overpayments of claims to providers are recoverable and ?are recoverable regardless of whether the overpayment is the result of an error by the state department? an entity acting on behalf of [the department], or the provider or any agent of the provider.? Our audit identified $291,597 in known questioned costs, of which about $145,797 is the federal portion of funds that the federal government may recover. We also identified $5,180,962 in likely questioned costs, of which $2,590,480 is the federal portion of funds that could be recovered if the payments are determined to have not been appropriate. The following table shows the questioned costs and federal portions for each problem we identified. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote When providers bypass broker controls, service quality is not monitored. When the Department allows some NEMT providers to bypass the IntelliRide broker, and does not obtain documentation to support their claims, the Department is unable to monitor the services of these providers. Additionally, when the Department does not monitor providers that bypass the statewide broker, the Department is applying different and possibly inadequate standards for the providers that bypass compared to the providers that work with IntelliRide. Although the Department plans for IntelliRide to no longer be the statewide NEMT broker for all 64 counties beginning September 2021, IntelliRide will continue to administer NEMT trips for nine Front Range counties that account for the majority of NEMT trips. It is important that all NEMT trips in these counties be brokered through IntelliRide so that the Department can monitor the quality of the trips and IntelliRide?s oversight of them. Risk of fraud, waste, and abuse. When the Department pays NEMT claims that are not supported by documentation of the service, medical documentation showing NEMT was for medical treatment, or the required prior authorizations, there is a significant risk of misappropriation of federal and state funds by providers and/or recipients. In addition, the eight providers not permitted as taxis that submitted taxi claims appear to have set their own rates of payment at a significantly higher rate, since the PUC did not permit or set rates for these providers. While we did not identify confirmed fraud by recipients or providers due to a lack of supporting documentation for claims, the problems identified demonstrate waste of public funds and potential abuse of the Medicaid program. When the Department overpays Medicaid funds and pays for unallowable services, there are fewer funds available to service the recipients who need them. In addition, there is no federal or state limit on payments for NEMT services, so it is important that the Department ensure Medicaid recipients receive appropriate transportation to medical treatment, while also ensuring the Department is acting as a good steward of federal and state funds. See Schedule of Findings and Questioned Costs for chart/table Character Limit Exceeded See Statewide Single Audit Report
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-047 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-034 MEDICAID CONTROLS OVER ELIGIBILITY DETERMINATIONS Individuals and families seeking medical benefits through Medicaid must apply and provide certain information to caseworkers at their local county or an MA site, which collects required documentation for determining the applicants? eligibility. Such documentation includes the applicants? birth certificates, support for income, and the value of resources, such as wage stubs and bank account balances. Caseworkers enter the applicant-provided data into CBMS, which contains system checks for determining the applicants? eligibility to receive Medicaid benefits. These system checks include calculating and verifying income and resources for the applicants, as well as assessing and collecting fees for benefits, such as buy-in premiums. For example, CBMS will mark an applicant?s eligibility as fail if the reported income or resources exceed specific limits that are set by federal and state regulations. The Department is responsible for monitoring the local counties? and MA sites? administration of Medicaid to ensure eligibility is determined in accordance with federal and state regulations. Medicaid applicants may be eligible for retroactive eligibility, which allows new Medicaid applicants to receive coverage for up to 3 months prior to the date of one?s application. As long as the individual meets Medicaid?s eligibility requirements in the 3 months preceding their application, the Department will retroactively pay Medicaid covered expenses that individuals incurred during that timeframe. Without retroactive eligibility, benefits for Medicaid eligible individuals begin on the date the application was received by the local county or MA site. As an example, if an individual has medical expenses in March, applies for Medicaid in June, and the individual has met the eligibility requirements for 3 months preceding their application, then any unpaid Medicaid covered expenses for March, April, and May are paid by Medicaid. Eligibility data from CBMS feeds into the Colorado interChange system (Colorado interChange), which issues payments to Medicaid providers for the services they render to Medicaid beneficiaries. The Department pays Medicaid providers through two methods: (1) directly through fee-for-service (FFS) payments for specific services rendered or (2) indirectly through monthly fixed amounts known as capitation payments that are paid to managed care entities, who contract with providers for services. The monthly capitation payments are paid every month on behalf of beneficiaries regardless of whether the beneficiaries receive medical services during the month. Colorado interChange is programmed to pay the FFS and monthly capitation payments only on behalf of beneficiaries deemed eligible in Colorado interChange based on eligibility information received from CBMS and requirements specified in federal and state rules and regulations. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to review the Department?s internal controls over the Medicaid eligibility determination process, as well as to determine whether the Department complied with applicable federal and state Medicaid eligibility requirements during Fiscal Year 2020. We performed testing on a statistical sample of 125 case files related to beneficiaries who (1) were deemed eligible for Medicaid during Fiscal Year 2020 and (2) had a payment made on their behalf to a Medicaid provider between July 1, 2019, and February 29, 2020. The purpose of our testing was to determine whether the beneficiaries were appropriately determined to be eligible for Medicaid during the time they received services within this period. This audit period was selected to accommodate changes that were made to federal Medicaid eligibility requirements in March 2020 due to the COVID-19 PHE. Our testing involved reviewing Medicaid case files, CBMS data fields, and supporting documentation related to eligibility determinations and redeterminations, as well as Medicaid payment information in Colorado interChange. For each beneficiary, we determined whether the Department ensured that local county and MA site caseworkers obtained and maintained required documents supporting eligibility determinations and redeterminations, and correctly entered eligibility data into CBMS. Additionally, for each sampled beneficiary, we determined whether CBMS showed the correct income and resources, the beneficiary was enrolled in the appropriate Medicaid program, buy-in premiums were assessed, and payments were not made after eligibility had ended during Fiscal Year 2020. We also inquired about the Department?s monitoring procedures over local counties and MA sites to ensure eligibility is determined in accordance with federal and state regulations. Additionally, we reviewed the Department?s progress in implementing our Fiscal Year 2019 audit recommendation related to Medicaid eligibility. Based on the results of that audit, we recommended that the Department strengthen its internal controls over Medicaid by providing adequate training, monitoring the local counties and MA sites, and researching and resolving CBMS system issues identified in our Fiscal Year 2019 audit. STATISTICAL SAMPLING METHODOLOGY We selected a statistical sample of Medicaid beneficiaries for our review of their case files in a manner that?if we found errors?would allow us to estimate the total number of beneficiaries who were improperly deemed eligible, as well as the resulting dollar amount of Medicaid benefit payments that were improperly paid during the audit period of July 1, 2019, through February 29, 2020. We designed our sampling methodology and sample size to support statistical projections of our testing results to the population of all beneficiaries for whom payments were made during the audit period. Our methodology included the following procedures: ? We requested and received from the Department a listing of all Medicaid FFS and capitation payments with a date of service during the audit period. The data set included State identification numbers (ID), which are unique to each beneficiary. ? We summarized all Medicaid payments made during the audit period by ID and removed any IDs for which total payments and adjustments netted to $0, which can happen when the Department catches and fixes payments made in error. This resulted in a population of 1,386,220 unique IDs that had a total of $5,408,339,948 in payments made on their behalf during the audit period. ? We used a stratified random sample, as shown in the following table, consisting of six strata defined by the total amount of payments for each unique ID. We selected random samples from each strata for a total of 125 IDs that had benefit payments totaling $3,127,704. The strata and sample sizes were defined based on our risk assessment and consultations with audit sampling methodologists from the U.S. Department of Health and Human Services, Office of Inspector General (HHS OIG). ? For each sampled ID, we tested eligibility covering the dates of service for every payment made on the individual?s behalf within the audit period. ? After we concluded our testing, we used HHS OIG?s Office of Audit Services statistical software in consultation with HHS OIG to project our results to the full population of IDs for which benefits were paid during the audit period. See Schedule of Findings and Questioned Costs for chart/table. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? For 32 of the 125 Medicaid beneficiaries? case files that we tested (26 percent), we identified at least one error within each case file. In total, we identified 43 errors within the 32 case files. These errors resulted in a total of $25,120 in known questioned costs for July 1, 2019, through February 29, 2020, and $6,843 in likely questioned costs for March 1, 2020, through June 30, 2020, as shown in the following table. See Schedule of Findings and Questioned Costs for chart/table. A questioned cost, as defined in federal regulations [45 CFR 75.2 Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards (Uniform Guidance)], is ?a cost that is questioned by the auditor ? (1) Which resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds; [or] (2) Where the costs, at the time of the audit, are not supported by adequate documentation?.? Furthermore, federal regulation [45 CFR 75.516] defines known questioned costs as questioned costs that are specifically identified by the auditor and likely questioned costs as an auditor?s best estimate of total questioned costs. During the COVID-19 PHE, CMS issued waivers that limited the Department?s ability to deny eligibility for enrolled beneficiaries. The Department also sought guidance from CMS on the treatment of beneficiaries who were ineligible prior to the COVID-19 PHE but were receiving benefits during this period. CMS guidance indicated that the Department should keep these beneficiaries enrolled during the COVID-19 PHE. Therefore, we are reporting any identified questioned costs from March 1, 2020, through June 30, 2020, the period during the COVID-19 PHE, as likely questioned costs. PROJECTED LIKELY QUESTIONED COSTS FOR JULY 2019 THROUGH FEBRUARY 2020. Based on our sample, we estimate the projected Medicaid questioned costs resulting from payments made on behalf of ineligible beneficiaries in the population between July 1, 2019, and February 29, 2020, to be about $165.6 million and, with 90 percent confidence, to be at least $41.1 million but not more than $290.0 million. This projection is based on the $25,120 in known questioned costs, or misstatements, we identified in our sample during the audit period. The American Institute of Certified Public Accountants Audit Sampling, May 1, 2017, Audit Guide [AAG-SAM 4.95] advises, ?Even if the misstatement appears to be from an unusual source, that does not mean that other unusual items are not in the population and that the original sample was not representative.? In accordance with this guidance, we projected the known questioned costs to the population of payments for services that occurred from July 1, 2019, through February 29, 2020, regardless of the nature of the errors or the programs involved, since the Department is ultimately responsible for all payments made to providers on behalf of eligible beneficiaries. The projected questioned costs amount of $165.6 million is based on a statistical calculation that does not correlate to specific payments to providers or to over-expenditures of the State?s General Fund or federal funds. However, this calculation indicates that if we tested the entire population, there is a 90 percent likelihood of finding the true amount of questioned costs to be between $41.1 million and $290.0 million and the amount would most likely be close to $165.6 million in erroneous payments. There is a 5 percent chance that the true amount of questioned costs is less than $41.1 million, and a 5 percent chance the true amount is over $290.0 million. PROJECTED LIKELY NUMBER OF INELIGIBLE BENEFICIARIES FOR JULY 2019 THROUGH FEBRUARY 2020. We also estimate that 169,026 beneficiaries, or with 90 percent confidence that at least 59,622 (4.30 percent) but not more than 278,429 (20.09 percent) beneficiaries, in our total population of 1,386,220 were likely ineligible at the time they received services from July 1, 2019, through February 29, 2020. The following table summarizes the results of our projections. See Schedule of FIndings and Questioned Costs for chart/table. The following table summarizes the total known and likely questioned costs based on our case file testing and statistical sampling results for Fiscal Year 2020. See Schedule of Findings and Questioned Costs for chart/table. DETAILS OF ERRORS IDENTIFIED. In some case files, we identified multiple instances of errors. Specifically, we found the following: ? PAYMENTS AFTER ELIGIBILITY HAS ENDED. In three cases, the Department paid for services after the beneficiary?s eligibility had ended. Specifically, in two cases, the beneficiaries continued to receive benefits after their death. In the remaining case, the Department determined the beneficiary was ineligible and ended the beneficiary?s benefits; however, payments continued to be made on behalf of the beneficiary after their eligibility had ended. These issues resulted in known questioned costs of $11,102. Federal regulation [42 CFR 433.304] states that an overpayment is the amount paid by a state agency to a provider in excess of the allowable amount for furnished services. Because medically necessary services cannot be provided after a beneficiary?s death, no medical services are allowable after a beneficiary?s death. Accordingly, payments for medical services claimed to have been provided after a Medicaid beneficiary?s death are overpayments. According to federal regulation [42 CFR 431.958], ?Improper payment means any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements; and includes any payment to an ineligible beneficiary, any duplicate payment, any payment for services not received, any payment incorrectly denied, and any payment that does not account for credits or applicable discounts.? ? INELIGIBLE FOR PROGRAM. In one case, the beneficiary was ineligible for the benefits received under Medicaid?s Social Security Income (SSI) mandatory program, which is a medical assistance program provided to persons eligible for financial assistance under SSI from the Social Security Administration (SSA). As a result of an eligibility redetermination, the caseworker determined that the beneficiary had not been eligible for the program since January 2019; however, the beneficiary received benefits under this program for the entire fiscal year. This issue resulted in known questioned costs of $8,326 and likely questioned costs of $4,132 for Fiscal Year 2020. State regulations [10 CCR 2505-10, 8.100.6.C.1a. and b.] state that Medicaid benefits must be provided to persons receiving financial assistance under SSI or persons who are eligible for financial assistance under SSI, but are not receiving SSI. ? INCOME ISSUES. We identified the following income-related issues: ? INCOME EXCEEDING THRESHOLD. In two cases, CBMS incorrectly calculated the beneficiaries? income. CBMS used income information reported by the beneficiary when it should have used electronic income information received through an interface with another system. If CBMS had correctly used the electronic income information, beneficiaries? income would have been over the limit set by federal regulation and the beneficiaries, therefore, should have been denied benefits at their redetermination. Instead, the beneficiaries were approved at their redeterminations and Colorado interChange paid claims on their behalf. These errors resulted in known questioned costs of $4,613 and likely questioned costs of $2,281. ? INCOME NOT VERIFIED. In one case, the caseworker did not verify income for the beneficiary. Specifically, the beneficiary reported income on the application, but the caseworker was unable to verify the income and deleted the income record from CBMS. This error resulted in known questioned costs of $779 and likely questioned costs of $280. ? INCORRECT INCOME THRESHOLD. In one case, CBMS used the incorrect income threshold for the beneficiary?s eligibility determination. The beneficiary?s income was less than the correct income threshold and, therefore, this error did not result in questioned costs. ? INCORRECT INCOME. In three cases, the caseworker used the incorrect income amount to determine eligibility. Specifically, in two cases, the caseworker excluded income when it should have been included for determining eligibility. In the remaining case, the caseworker did not include expenses to calculate self-employment income and, as a result, the caseworker overstated income for determining eligibility. No questioned costs were identified in these instances because the beneficiaries? income was still within federal and state income guidelines. Federal regulation [42 CFR 435.119] requires household income to be at or below 133 percent threshold of the federal poverty level and the State regulation [10 CCR 2505-10, 8.100.6.L.2.c] requires qualified beneficiary?s income to be at or below the federal property level. Federal regulation [42 CFR 435.914] requires the Department to obtain and maintain documentation to support each beneficiary?s Medicaid eligibility determination. State regulation [10 CCR 2505-10, 8.100.5.B.1.c] requires the caseworker to verify earned income in determining whether an individual qualifies for medical assistance and requires the Department to verify income reported by a beneficiary through an electronic data source, wage stubs, tax documents, or verification with the employer. State regulation [10 CCR 2505-10, 8.100.3.K.8.a] requires business expenses to be deducted from countable self-employment income when calculating Medicaid applicants? self-employment income. ? MISSING REDETERMINATION. In one case, the Department did not complete the annual redetermination for the beneficiary as required by the federal regulation. Specifically, the beneficiary had Medicaid payments paid on their behalf during the entire Fiscal Year 2020; however, the beneficiary had not been redetermined since April 2018 due to the beneficiary showing as ineligible in CBMS. This issue resulted in known questioned costs of $300 and likely questioned costs of $150. Federal regulation [42 CFR 435.916(a)] requires the Department to renew or redetermine Medicaid eligibility once every 12 months but no more frequently than once every 12 months. ? BUY-IN PREMIUMS NOT ASSESSED. In one case, the Department did not assess buy-in monthly premiums for the beneficiary. Beneficiaries are required to pay buy-in premiums to receive benefits under the Buy-in Working Adults with Disabilities program. Therefore, the beneficiary was not eligible for the Program during November 2019 through February 2020. The beneficiary did not have any claims submitted by providers during this time and therefore, this issue did not result in questioned costs. State regulations [10 CCR 2505-10, 8.100.6.P.1.f] require individuals to pay monthly premiums on a sliding scale based on income for the Buy-in Working Adults with Disabilities program to be eligible to receive benefits. ? INAPPROPRIATE CHANGE TO ELIGIBILITY. In two cases, the Department did not determine eligibility in accordance with state regulation. Specifically, the beneficiaries provided information to the Department that changed their eligibility and the caseworkers applied the change retroactively; these beneficiaries were current Medicaid beneficiaries rather than new applicants and state regulations do not allow eligibility to be changed retroactively for current beneficiaries. These issues did not result in questioned costs. State regulation [10 CCR 2505-10, 8.100.3.E] requires that retroactive eligibility only be provided to new applicants for the prior 3 months preceding the date of application. State regulations do not allow for retroactive redeterminations to existing beneficiaries.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-048 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-035 MEDICAL ASSISTANCE PAYMENTS FOR DECEASED BENEFICIARIES As a safeguard against potential errors and fraud, state and local agencies need to be vigilant in preventing payments for medical services on behalf of ineligible individuals, such as those who are deceased. In general, the Department, local counties, and MA sites share responsibility for ensuring that only eligible beneficiaries receive public assistance benefits under Medicaid and CBHP. Local counties and MA sites caseworkers enter the required data for eligibility determination into CBMS, which either approves or denies eligibility for MA benefits. In addition, CBMS has various system interfaces to confirm and update the eligibility information in CBMS, including the date of death. Eligibility data in CBMS feeds daily into Colorado interChange and the Department pays providers through two methods: (1) FFS payments to medical service providers for specific services, including pharmacy prescriptions, and (2) capitation payments. The monthly capitation payments are paid at the beginning of each month regardless of whether the providers serve beneficiaries during the month or not. FFS payments are only made for Medicaid beneficiaries while capitation payments are made for both Medicaid and CBHP beneficiaries. Colorado interChange is programmed to pay FFS and monthly capitation payments only on behalf of beneficiaries that are deemed eligible based on eligibility information received from CBMS and requirements specified in federal and state regulations. CBMS receives beneficiary death information through various sources, including updates from beneficiaries? family members, daily interfaces with the SSA, and a monthly interface with the Colorado Electronic Death Registration System maintained by the Colorado Department of Public Health and Environment (CDPHE). If death information received in CBMS has not been verified, the Department will confirm the death information by sending notification letters to the deceased beneficiary. Once the death information is verified, CBMS is programmed to terminate the beneficiary?s eligibility as of the date of death. On a daily basis, CBMS then sends updated beneficiary eligibility and date of death information to Colorado interChange, which is programmed to run a daily automated process to stop payments, check for payments, and recover all FFS and capitation payments made after the beneficiary?s verified date of death. In the majority of cases, there is a delay between when the beneficiary dies and when the Department receives death information, verifies the date of death, and terminates benefits; which means that claims may be paid on behalf of deceased beneficiaries for a period of time. Per federal regulations, the Department is required to recover any payments made on behalf of these beneficiaries after their date of death. Once the Department receives verified death information, overpayments are recovered through an automated process in Colorado interChange. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over Medicaid and CBHP payments related to beneficiaries who die while receiving benefits, to determine whether the Department complied with applicable federal and state requirements, and whether payments were only made on behalf of eligible beneficiaries during Fiscal Year 2020. During our audit, we received a listing of all Coloradans who died during Fiscal Year 2020, including dates of death, from CDPHE staff. We also obtained a listing from the Department of all Medicaid and CBHP payments made to providers during Fiscal Year 2020. We compared the two listings using Social Security Numbers (SSN) and identified 1,059 Medicaid and CBHP IDs that had Medicaid payments totaling $429,951 made on their behalf and $194 in CBHP payments made on their behalf. In addition, we reviewed the Department?s processes, policies, and procedures for identifying, stopping, and recovering payments for deceased beneficiaries. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? Federal regulation [42 CFR 431 Subpart Q, Requirements for Estimating Improper Payments in Medicaid and CHIP] states that any payment to an ineligible beneficiary is considered an improper payment, which is any payment that should not have been made or that was made in an incorrect amount. Also, Section 25.5-4-301(2), C.R.S., requirements for Medicaid and CBHP, states that any overpayments of claims to providers are recoverable. These overpayments ?are recoverable regardless of whether the overpayment is the result of an error by the state department, a county department of human or social services, an entity acting on behalf of either department, or by the provider or any agent of the provider.?? Additionally, Section 25.5-4-301(2)(a)(II), C.R.S., states, ?If the state department makes a determination that such overpayment has been made for some other reason than a false representation by the provider?, the state department may waive the recovery or adjustment of all or part of the overpayment and accrued interest specified in this subparagraph (II) if it would be inequitable, uncollectible or administratively impracticable?.? Because medically necessary services cannot be provided after a beneficiary?s death, no medical services are allowable after a beneficiary?s death and, accordingly, payments for medical services claimed to have been provided after a beneficiary?s death are overpayments and should be recovered. Pursuant to 1903(d)(2)(C) of the Social Security Act [42 U.S.C. 1396b] requirements for Medicaid and CBHP, states have up to 1 year from the date of discovery of any overpayment to recover or attempt to recover the overpayment before the federal share must be refunded to CMS, regardless of whether or not recovery is made from the provider. According to federal regulation [45 CFR 75.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. Green Book, Paragraph 16.01, states that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. A questioned cost, as defined in Uniform Guidance [45 CFR 75.2], is ?a cost that is questioned by the auditor ? (1) Which resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds; [or] (2) Where the costs, at the time of the audit, are not supported by adequate documentation?.? Additionally, federal regulation [45 CFR 75.516] defines known questioned costs as questioned costs that are specifically identified by the auditor and likely questioned costs as the auditor?s best estimate of total questioned costs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We found that the Department made Medicaid and CBHP payments to providers for medical services claimed to have been rendered to Medicaid and CBHP beneficiaries after the months in which beneficiaries died. Specifically, the Department made payments on behalf of 1,059 beneficiaries after their date of death provided by CDPHE, resulting in overpayments of $185,265, of which $96,952 were paid with federal grant funds, as follows: MEDICAID FFS PAYMENTS. We identified 277 Medicaid beneficiaries whose SSN matched a death record from CDPHE and who had Medicaid FFS payments totaling $207,667 paid on their behalf to providers after their date of death. We reviewed payments for 21 of the 277 Medicaid beneficiaries and confirmed with the Department that 17 of the 21 beneficiaries (81 percent) were deceased and had payments made on their behalf after their date of death during Fiscal Year 2020. We also found that the Department had not recovered these improper FFS payments to ineligible beneficiaries as of the end of Fiscal Year 2020 and, therefore, these errors resulted in known questioned costs of $17,041, of which $8,654 was paid with federal grant funds. For the remaining four Medicaid beneficiaries, the Department researched and provided evidence that the beneficiaries were not deceased. Therefore, these four beneficiaries did not result in questioned costs. The remaining 256 beneficiaries whose SSN matched a death record from CDPHE and need to be researched and verified resulted in likely questioned costs of $77,840, of which $41,422 was paid with federal grant funds. MEDICAID AND CBHP CAPITATION PAYMENTS. We identified 846 Medicaid and CBHP beneficiaries whose SSN matched a death record from CDPHE and who had capitation payments paid on their behalf to providers after their date of death that had not been recovered as of the end of Fiscal Year 2020, totaling $222,630 for Medicaid and $194 for CBHP. We informed the Department of the issues we identified and provided them with the list of 846 beneficiaries. Department staff performed additional follow-up and confirmed that Colorado interChange had received verified death records for 747 of the 846 beneficiaries and a total of $170,747 in provider payments had been made on the beneficiaries? behalf after their dates of death during Fiscal Year 2020. These payments resulted in known questioned costs of $168,224, of which $88,150 was paid with Medicaid federal grant funds and $148 was paid with CBHP federal grant funds. For 12 out of the 747 beneficiaries, the date of death reported in Colorado interChange differed from the date of death provided by CDPHE. Part of the payments to these beneficiaries resulted in likely questioned costs of $2,524, of which $1,401 was paid with Medicaid federal grant funds. For the remaining 99 of the 846 beneficiaries, the Department reported that Colorado interChange did not have death information for these beneficiaries and had not researched these further. As a result, Medicaid payments for these 99 beneficiaries are reported as likely questioned costs of $52,076, of which $28,508 was paid with federal grant funds. The following table summarizes the issues we identified. See Schedule of Findings and Questioned Costs for chart/table. WHY DID THESE PROBLEMS OCCUR? Overall, the Department lacked sufficient internal controls to ensure that medical assistance payments were not paid to deceased individuals during Fiscal Year 2020, as follows: ? LACK OF WRITTEN POLICIES AND PROCEDURES. The Department does not have written policies and procedures to monitor payments to deceased beneficiaries, to recover overpayments, and to ensure compliance with federal and state regulations related to medical assistance payments after a beneficiary?s date of death. ? SYSTEM ISSUES. We identified the following Colorado interChange system issues that caused the errors we identified: ? According to the Department, when Colorado interChange was implemented in 2017, it was programmed to only recover capitation payments in the current month and previous 2 months for Medicaid beneficiaries, and in the current month and previous 5 months for CBHP beneficiaries, after death information is received. As a result, for instances in which the Department received and verified beneficiaries? death information more than 3 months after the date of death for Medicaid and more than 6 months after the date of death for CBHP, the Department was not automatically recovering all improper capitation payments in accordance with federal and state regulations. According to the Department, in November 2020, the Department updated Colorado interChange to correct this system issue to recover all capitation payments after a beneficiary?s date of death. ? The Department lacks an effective internal control process for detecting when Colorado interChange is not recovering payments made on behalf of deceased beneficiaries. Specifically, we identified issues related to Medicaid FFS payments and followed up with the Department. Upon further review, the Department discovered a system defect that occurred from October 23, 2019, through April 23, 2020, which prevented Colorado interChange from carrying out the daily automated check and recovery process for FFS payments made on behalf of deceased beneficiaries. Due to this system defect, Colorado interChange did not recover any payments for deceased beneficiaries during this time. Although the system defect was fixed in April 2020, the Department was not aware of the issue and that payments were not being recovered for deceased beneficiaries until the Department researched the beneficiaries identified through the audit. According to the Department staff, as of May 2021, the Department was still researching the deceased beneficiaries impacted by the system defect and recovering payments. WHY DO THESE PROBLEMS MATTER? Without strong internal controls over Medicaid and CBHP eligibility, the Department increases the risk of improper payments due to fraud or error. Furthermore, making payments on behalf of ineligible individuals, including individuals who are deceased, can result in the Department having to repay the federal government for the federal portion of the overpayments. Additionally, the federal government can disallow federal funds for program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-035 The Department of Health Care Policy and Financing should improve its internal controls over Medicaid and Children?s Basic Health Plan (CBHP) payments for deceased beneficiaries by: A Establishing and implementing written policies and procedures to monitor payments to deceased beneficiaries, recover any overpayments, and to ensure compliance with state and federal regulations. B Researching and resolving the Colorado interChange system (Colorado interChange) issues to ensure that all Medicaid and CBHP payments are stopped and recovered after a beneficiary?s date of death and developing a process to detect when Colorado interChange is not recovering payments on behalf of deceased beneficiaries. C Researching and recovering any overpayments made to providers on behalf of ineligible beneficiaries noted through the audit in accordance with state requirements. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will create written procedures documenting system and monitoring processes used to prevent claims from paying after a beneficiary?s date-of-death is verified. In addition, the procedures will document the processes used to recover payments made between a beneficiary?s verified date-of-death and the date the Colorado interChange system is updated with the date-of-death. B AGREE. IMPLEMENTATION DATE: JULY 2022. The system issues described in this audit were resolved as of April 2020 for fee-for-service claims and November 2020 for capitation payments. Once a beneficiary's date-of-death is verified, payments that were made after to the date-of-death will be recovered through the Department's existing processes. As noted in the Department?s response to Recommendation (A), the Department will create written procedures documenting system and monitoring processes used to prevent claims from paying after a beneficiary?s date-of-death is verified. In addition, the procedures will document the processes used to recover payments made between a beneficiary?s verified date-of-death and the date the Colorado interChange system is updated with the date-of-death. AUDITOR?S ADDENDUM As noted in the finding, the Colorado interChange system defect did not recover payments from October 23, 2019, through April 23, 2020. However, the Department was not aware of the system defect until it researched the beneficiaries identified through the audit. According to Department staff, as of May 2021, the Department was still researching the beneficiaries that were impacted by the system defect and recovering payments. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will recover any overpayments made to providers on behalf of deceased beneficiaries once a beneficiary's date-of-death is verified based on our current processes and existing system functionality. The Department does not agree to the questioned costs identified by the auditors. When performing a review of the auditor?s data, several beneficiaries were found not to be deceased by the Department. The records provided by the auditors, like all records received from Colorado Department of Public Health and Environment (CDPHE) and the Social Security Administration (SSA), will go through the Department?s existing verification process. The Department performs the required research and outreach to beneficiaries to verify the date-of-death prior to updating the information in the Colorado interChange. In addition, the Department is not required to recover payments by the end of the state fiscal year, and reports any payments recovered to the Centers for Medicare and Medicaid Service (CMS) based on federal requirements. The Department?s source of beneficiary data, the verification processes, and recovery processes have already been established to satisfy this recommendation within federal guidelines. AUDITOR?S ADDENDUM As noted in the finding, all known questioned were for deceased beneficiaries that were verified by the Department. All likely questioned costs were for beneficiaries that had yet to be researched and verified by the Department. According to Department staff, as of May 2021, the Department was still researching and recovering payments made on behalf of deceased beneficiaries.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-050 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-037 RECOVERING AND REFUNDING OF FEDERAL SHARE OF MEDICAID AND CBHP PROVIDERS? OVERPAYMENTS The Department pays providers for services rendered to eligible beneficiaries of Medicaid and CBHP programs. In some cases, the Department may discover that it paid a provider for unallowed services, or that it paid more than the allowable amount, and will need to seek a recovery for the overpayment. In such cases, the Department is required to repay CMS for the portion of the overpayment that was funded by the federal government (federal share) within 1 year of the date the overpayment was identified. The Department?s Program Integrity (PI) Division identifies, receives, and tracks overpayments made to Medicaid and CBHP providers. An overpayment is identified once the PI Division sends a Demand Letter (date of discovery) to the provider or receives a self-disclosure identifying the amount of overpayment. The provider has a deadline of 30 days after receiving a Demand Letter or 60 days after submitting a self-disclosure to submit the overpayment or make arrangements for a payment plan with the PI Division. The PI Division uses a recovery tracking spreadsheet (Spreadsheet) to compile all necessary information for the recovery and refund of overpayments. The Spreadsheet is designed to contain information such as the amount of the overpayment, date of discovery, and deadlines for refunding to CMS. The federal share of overpayments that must be refunded to CMS depends upon the Federal Medical Assistance Percentage (FMAP) at which the Department was reimbursed. Once the PI Division recovers an overpayment from the provider, it determines the FMAP and includes it in a recovery form called the Colorado Authorization Document; PI Division staff then send it to the Controller?s Division for recording the recovery and refund information in the Colorado Operations Resource Engine (CORE), the State?s accounting system. The Department?s Controller?s Division uses summary data from CORE to report financial information for Medicaid and CBHP?including all overpayments and the associated federal share?to CMS in quarterly reports: Form CMS-64 for Medicaid and Form CMS-21 for CBHP. The Department has up to 1 year from the date of discovery of an overpayment to report the refund to CMS in one of these forms, as appropriate. The PI Division works with the Controller?s Division to ensure the timely reporting and refunding of the federal share of overpayments to CMS. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to review the Department?s internal controls over processes for recovering, reporting, and refunding the federal share of Medicaid and CBHP overpayments, as well as to determine whether the Department complied with applicable federal requirements and Department policies and procedures during Fiscal Year 2020. During our audit, we reviewed the Department?s Spreadsheet detailing all overpayment cases that appeared to be due for a refund of federal share to CMS during Fiscal Year 2020. The Spreadsheet included 50 Medicaid and seven CBHP overpayment cases, and from these, we selected and tested a sample of 13 Medicaid and five CBHP overpayments. We requested and reviewed supporting documentation for these overpayments to determine whether (1) the information recorded in the Spreadsheet was accurate, (2) the overpayment was recovered in a timely manner or recovery was attempted within 1 year from the date of discovery, and (3) the federal share was appropriately refunded through quarterly reports to CMS in accordance with federal regulations. Additionally, we requested the Department?s policies and procedures to ensure compliance with federal regulations governing the recovery, reporting, and refunding of Medicaid and CBHP overpayments to CMS. The process followed for recovery, reporting, and refunding the federal share of overpayments to providers is the same for both Medicaid and CBHP, and our testing was used to determine compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal regulations for recovering, reporting, and refunding the federal share of Medicaid and CBHP overpayments to providers during Fiscal Year 2020. We noted issues with the untimely recovery and refund of overpayments to CMS, inaccurate federal reporting to CMS, and untimely follow-up with the provider on outstanding overpayments and expired checks. Specifically, we identified the following: ? UNTIMELY RECOVERY AND REFUND. For six of the 13 Medicaid (46 percent) and two of five CBHP (40 percent) overpayments tested, the Department failed to recover, or seek to recover, the overpayments from the provider and failed to refund to CMS, the federal share, within 1 year of the date of discovery, as required by federal regulations. For example, an overpayment was identified on September 13, 2018, but the Department did not recover, or seek to recover, the overpayment until September 15, 2020, and did not refund the federal share to CMS until federal quarter ending September 30, 2020, which is 367 days past the 1 year recovery and refund period in accordance with the federal requirement. In addition, for one of the 13 Medicaid (8 percent) and one of five CBHP (20 percent) overpayments tested, the Department failed to refund the federal share of overpayment to CMS within 1 year of the date of discovery. As a result of untimely follow-up with the providers, the Department did not recover the overpayments amounting to $23,646 in known questioned costs; and did not refund $12,176 within the 1 year period of discovery. These errors resulted in underreporting of overpayments to CMS for Fiscal Year 2020. Additionally, the Department could be liable to CMS for the interest payments on these untimely refunds of overpayments. As of the end of our audit, the Department had not provided an estimated amount of interest that will be due to CMS so we were unable to report an estimated questioned costs amount for the interest. According to federal regulation [42 CFR 433.312(a)(1) and (2)], the Department has 1 year from the date of discovery of an overpayment to a provider to recover or seek to recover the overpayment before the Federal share must be refunded to CMS. In addition, the Department must refund the Federal share of overpayments at the end of the 1-year period following the date discovery of overpayment, whether or not the State has recovered the overpayment from the provider. According to federal regulation [42 CFR 433.320(a)(4)], if the Department does not refund the Federal share of such overpayment as indicated in the previous paragraph (a)(2), the State will be liable for interest on the amount equal to the Federal share of the non-recovered, non-refunded overpayment amount. Interest during this period will be at the Current Value of Funds Rate, and will accrue beginning on the day after the end of the 1-year period following discovery until the last day of the quarter for which the State submits a CMS-64 report refunding the Federal share of the overpayment. ? INACCURATE FEDERAL REPORTING. For all 13 Medicaid (100 percent) and all five CBHP (100 percent) overpayments we tested, the Controller?s Division reported the federal share of the overpayments made to providers on the wrong line of the CMS quarterly reports rather than on the line specified and required by Uniform Guidance. Uniform Guidance states that the Department must report the refund of the overpayment on CMS-64 for Medicaid on line 9C1- Fraud, Waste and Abuse and/or on CMS-21 for CBHP on line 4-Adjustments Decreasing Claims-Collections. ? EXPIRED CHECK AND UNTIMELY FOLLOW-UP. For one of the 13 Medicaid overpayments tested (8 percent), the PI Division failed to timely process the overpayment recovery check received from the provider. Consequently, the check, which was received on September 5, 2019, expired and the Department did not take any actions to follow up with the provider at any time through the end of the fiscal year to obtain payment. After we brought this issue to the Department?s attention, they followed up on the outstanding payment in January 2021, which is more than 16 months since the check expired. According to the Department?s Policies and Procedures, Recovery Officer Check Processing, Section (V)(A), the PI Division within Audits and Compliance has to process the received check in a timely manner and provide a copy to the accounting or Controller Division. ? INCOMPLETE TRACKING SPREADSHEET. We found that the overpayment recovery and refund tracking Spreadsheet used by the PI Division was incomplete and missing important information such as the date of the discovery, the federal program reimbursement rate, and deadlines for refunding to CMS. Green Book, Section 4, Paragraph OV4.08, states that documentation is required for the effective design, implementation, and operating effectiveness of an entity?s internal control system. WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls, including policies and procedures, in place over the recovery, reporting, and refunding of Medicaid and CBHP overpayments during Fiscal Year 2020 to ensure compliance with federal regulations. Specifically, we noted the following causes for the identified errors: ? LACK OF TRAINING. The staff within the PI Division and the Controller?s Division lacked adequate training to document, communicate, and report details of overpayments to ensure compliance with federal regulations. Specifically, the Department?s PI Division did not timely create and provide the Colorado Authorization Document form to the Controller?s Division and the Controller?s Division did not report the refund of the overpayments within 1 year of the date of discovery to ensure compliance with federal regulations. Additionally, staff lacked training to properly track and report overpayments for Medicaid and CBHP; timely process recovery and refund of overpayments, processing checks timely, and correctly report overpayments on CMS quarterly reports. ? LACK OF POLICIES AND PROCEDURES. The Department lacked written policies and procedures to ensure that all necessary information such as the date of the discovery, the federal program reimbursement rate, and deadlines for refunding to CMS required to track, recover, report, and refund overpayments were documented within the Spreadsheet. ? LACK OF ACCOUNT CODES. According to the Controller Division staff, the correct accounting codes are not set up in CORE; therefore, the recovered overpayments are currently recorded under incorrect accounting codes in CORE. This led to the reporting of overpayments on the incorrect federal reporting lines in CMS quarterly reports. ? LACK OF SUPERVISORY REVIEW. The PI Division and Controller?s Division lacked supervisory review over the Spreadsheet and CORE account codes used on the recoveries to ensure completeness and accuracy of information to support timely recovery, refund, and reporting of overpayments. WHY DO THESE PROBLEMS MATTER? Strong internal controls over refunding and recovery of Medicaid and CBHP overpayments, including written policies and procedures; adequate staff training on those policies and procedures, and any related processes; a proper tracking mechanism; and a supervisory review process are necessary to ensure that Department is in compliance with federal and state regulations. Without a proper tracking mechanism for overpayments, the Department risks failing to timely recover state funds paid improperly, refund overpayments, and accurately report overpayment information to the federal government, potentially resulting in additional liability of interest on overpayments to the federal government. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-037 The Department of Health Care Policy and Financing (Department) should improve its internal controls over Medicaid and Children?s Basic Health Plan (CBHP) overpayments and comply with the related payment and reporting requirements by: A Providing adequate training to staff to ensure timely documentation and communication of recovery information between the Program Integrity Division and the Controller Division related to reporting and refunding of overpayments within 1 year of the date of discovery in accordance with federal regulation. Additionally, the training should focus on proper tracking and reporting of overpayments for Medicaid and CBHP, timely processing of recovery of overpayments, timely check processing, and correct refunding of the federal share of these overpayments on Centers for Medicare and Medicaid Services (CMS) quarterly reports. B Developing and implementing written policies and procedures to ensure that all necessary information required to correctly track Medicaid and CBHP overpayments is included on the tracking spreadsheet and recovered overpayments are refunded and reported to CMS within the 1 year of the discovery date, in accordance with federal regulations. C Creating overpayment account codes to report recovered overpayments accurately in the Colorado Operations Resource Engine (CORE) and subsequently under the correct federal reporting lines in CMS quarterly reports. D Implementing a supervisory review over the tracking spreadsheet and CORE overpayment recovery account codes to ensure completeness and accuracy of information to support timely recovery and reporting of overpayments by the divisions. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will develop and provide training to staff that covers the federal regulations surrounding reporting overpayments and returning the federal share, required information for tracking overpayments, processes for processing recovered funds in a timely manner, and processes for properly refunding the federal share on the CMS-64 and/or CMS-21. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will draft and revise existing policies and procedures to ensure proper tracking of recovered overpayments, timely processing of those payments, and correct reporting on the CMS-64 and/or CMS-21. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will implement procedures and coding sufficient to allow proper reporting of overpayments returned greater than one year from the date of discovery for the CMS quarterly reports. D AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will develop and revise supervisory review processes for ensuring that the tracking spreadsheet is complete and accurate and that the CORE account codes are correctly reported.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2020-051 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-038 PRESUMPTIVE ELIGIBILITY Colorado?s presumptive eligibility program is designed to give immediate, temporary medical coverage to children under 19 and pregnant women while they wait for a regular Medicaid or CBHP eligibility determination. Though there are fewer eligibility requirements for presumptive eligibility in comparison with regular Medicaid or CBHP coverage, beneficiaries must submit a Medical Assistance application (Application) and meet certain criteria to be eligible. To manage the application process and help ensure that only people meeting the basic eligibility criteria are enrolled in presumptive eligibility programs for children and pregnant women, the Department partners with clinics, health care centers, and community resource centers that are certified as presumptive eligibility sites (PE sites). Such PE sites must be re-certified by the Department every 2 years to maintain their active status as qualified PE sites in order to process presumptive eligibility. As part of the re-certification process, the Department conducts a sample of eligibility case reviews. During Fiscal Year 2020, there were 57 PE sites that together determined presumptive eligibility for 1,795 Medicaid cases and 875 CBHP cases. The process of enrolling an applicant into a presumptive eligibility program begins when a caseworker at a PE site collects minimum information needed to determine presumptive eligibility, including the applicant?s name, age, residency, citizenship, and income. The caseworker enters this information into CBMS, which determines whether the applicant is eligible to receive Medicaid or CBHP temporary benefits. If the applicant is deemed presumptively eligible, then CBMS feeds relevant data to Colorado interChange, which issues payments to CBHP and Medicaid providers on behalf of these beneficiaries. If the applicant?s reported information is not in compliance with state and federal requirements, CBMS is programmed to deny the eligibility and mark the applicant?s eligibility as fail within CBMS. As a result, the applicant would not be eligible to receive any payments on their behalf through Colorado interChange. Once an applicant?s presumptive eligibility has been determined, the PE site submits the Application along with a transmittal form detailing the beneficiary?s reported information to the appropriate local county or designated MA site, which then completes the application process to determine regular (i.e., not presumptive) eligibility for Medicaid or CBHP benefits. Once the applicant is enrolled in the regular Medicaid or CBHP program, the individual?s presumptive eligibility benefits should end. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to review the Department?s internal controls over the processing of presumptive eligibility for Medicaid and CBHP programs, as well as to determine whether the Department complied with the applicable federal and state requirements for Fiscal Year 2020. During our internal controls testing, we reviewed all 57 PE sites to determine whether they were due for re-certification and were appropriately re-certified to process presumptive eligibility by the Department during the fiscal year. Out of 57 PE sites, 39 were due for re-certification during Fiscal Year 2020. We also reviewed the Department?s case reviews of the presumptive eligibility determinations processed by 13 staff at five out of the 39 PE sites due for re-certification during Fiscal Year 2020 to determine whether reviews were performed and if the appropriate training was provided for those PE sites? staff that failed the Department?s review. The PE site?s staff fails the Department?s case reviews if the Department identifies a high amount of presumptive eligibility determination errors in accordance with federal and state requirements. If the PE site?s staff fails the review, the Department requires the staff to undergo customized Department training over the areas they failed within 6 months of the review. We also made inquiries with Department staff regarding their policies and procedures over monitoring of these PE sites and reviewed the Department?s process of case file reviews. In addition, we randomly selected a sample of 20 Medicaid and 20 CBHP cases for individuals who were deemed presumptively eligible by the Department during Fiscal Year 2020 to determine whether the Department complied with federal Medicaid and CBHP presumptive eligibility requirements. Our testing included reviewing the related supporting case file documentation, as well as the CBMS data fields related to presumptive eligibility determinations and payment information in Colorado interChange. The process followed for presumptive eligibility determination is the same for both Medicaid and CBHP, and therefore our testing was used to determine compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal and state regulations regarding Medicaid and CBHP presumptive eligibility requirements during Fiscal Year 2020. We noted issues regarding the Department?s timeliness of PE sites? re-certifications, failure to timely end beneficiaries? presumptive eligibility, a lack of review of PE sites, and missing documentation. Additionally, we found CBMS system issues related to the determination of applicant?s presumptive eligibility. Specifically, we identified the following: ? UNTIMELY END OF PRESUMPTIVE ELIGIBILITY. In eight out of 20 Medicaid (40 percent) and seven out of 20 CBHP (35 percent) cases, we found that the Department did not properly end presumptive eligibility within CBMS as required by the federal regulation. For example, in one CBHP case, the beneficiary?s presumptive eligibility did not end until 57 days after the beneficiary was determined to be eligible for regular CBHP benefits. Federal regulation [42 CFR 435.1101)] states that presumptive eligibility should end the day on which a decision is made on the application for Medical Assistance or the last day of the month following the month in which the determination of presumptive eligibility was made. ? LAPSED CERTIFICATIONS OF PE SITES. We found that five of the 57 PE sites (9 percent) were not re-certified within 2 years, as required, during Fiscal Year 2020, and therefore, were not qualified to make presumptive eligibility determinations after their re-certification due date had passed. Based on inquiry with the Department, these five PE sites processed a total of 314 presumptive eligibility determinations for Medicaid and CBHP after their re-certification due date during Fiscal Year 2020. The Department was unable to provide the total payments made on behalf of these beneficiaries during the presumptive eligibility period as of June 30, 2020, since these payments are not separately identified from regular Medicaid or CBHP payments in the system. As a result, we were unable to determine the amount of questioned costs the Department paid for these individuals during Fiscal Year 2020. State regulation [10 CCR 2505-10, 8.100.4.F (3)] requires the Department to re-certify the PE sites every 2 years to remain an approved site. ? LACK OF REVIEW OF PE SITES. We found several issues with the Department?s review of PE sites. Specifically we found the following: ? For 13 out of the 39 PE sites due for re-certification and a review (33 percent), the Department did not perform any case reviews to ensure that presumptive eligibility determinations were being made appropriately and in accordance with state and federal regulations by the PE site staff during Fiscal Year 2020. ? 11 of 13 staff at three PE sites (85 percent) failed the Department?s review of presumptive eligibility determinations during the fiscal year. However, the Department was unable to provide adequate evidence that it provided training to these staff within 6 months of their failed reviews, as required by Department processes. ? Currently, for all 57 PE sites, the Department conducts reviews every 2 years, but only requires them to retain eligibility documentation for 1 year. As a result, the Department is able to monitor PE site?s eligibility determinations for only half of the period since the last review, leaving the other half unmonitored. Federal regulation (42 CFR 435.1102(b)(3)) requires the Department to ?establish oversight mechanisms to ensure that presumptive eligibility determinations are being made consistent with the statute and regulations?. According to the Department processes, staff are to review a sample of presumptive eligibility cases at PE site every 2 years when reviewing sites for re-certification. If a PE site?s staff fails a review, the Department requires the staff to undergo customized Department training within 6 months over the areas they failed. Green Book, Section 2, Paragraph OV2.02, states that the Green Book applies to all of an entity?s objectives: operations, reporting, and compliance. Additionally, Green Book, Paragraph 16.01, indicates that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports and observing operations. ? MISSING DOCUMENTATION. In five of the 20 CBHP cases (25 percent) and five of the 20 Medicaid cases (25 percent) we tested, the Department was unable to provide evidence that the PE sites notified the counties or MA sites within five business days that the applicants were presumptively eligible. Federal regulation [42 CFR 435.1102(b)(2)(iii)] states that the presumptive eligibility sites are required to notify the local county or MA site within 5 business days that the client is presumptively eligible. ? SYSTEM DISPLAY ISSUE. In two of 20 CBHP cases (10 percent) and two of 20 Medicaid cases (10 percent), CBMS did not display the presumptive eligibility termination dates consistently between various screens. For example, in a Medicaid case, one screen showed a presumptive eligibility termination date of January 22, 2020, and the other screen showed a presumptive eligibility termination date of February 29, 2020. This system display issue did not affect the beneficiaries? presumptive eligibility and therefore there were no questioned costs. CBMS is designed to display case and applicant information consistently between various screens within the system. WHY DID THESE PROBLEMS OCCUR? The Department lacked sufficient internal controls to ensure that it complied with state and federal presumptive eligibility requirements during Fiscal Year 2020. Specifically, we noted the following causes for the errors we identified: ? LACK OF POLICIES AND PROCEDURES. The Department did not have written policies and procedures detailing the requirements for completion of site reviews, maintenance of supporting documentation, and the performance of timely re-certification of PE sites. ? LACK OF MONITORING. The Department lacked an effective tracking mechanism to monitor and identify PE sites that were due for re-certification every 2 years and to ensure presumptive eligibility determinations were in compliance with state and federal regulations. ? CBMS SYSTEM ISSUES. CBMS was not programmed to appropriately terminate presumptive eligibility when the beneficiary is enrolled in the regular Medicaid or CBHP program. In addition, CBMS has a system display issue that results in inconsistent applicant information being shown on various screens. WHY DO THESE PROBLEMS MATTER? As the State?s Medical Assistance agency, it is essential for the Department to ensure that PE sites? eligibility determinations are made appropriately and in accordance with state and federal regulations. This includes ensuring benefits are paid only on behalf of eligible beneficiaries. Since CBMS determines eligibility for Medicaid and CBHP, the CBMS system issues we identified could result in erroneous eligibility determinations. The federal government can disallow federal funds for program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. By not ensuring that appropriate internal controls, including system controls, written policies and procedures, adequate reviews, and monitoring, are in place over the Medicaid and CBHP presumptive eligibility process, the Department cannot ensure that all Medicaid and CBHP beneficiaries are eligible to participate in the programs. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-038 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls over presumptive eligibility by: A Developing and implementing written policies and procedures detailing the requirements for completion of site reviews, maintenance of supporting documentation, timely training for failed presumptive eligibility (PE) site staff, and performance of timely re-certification of PE sites. B Developing an effective tracking mechanism to identify and monitor PE sites that are due for re-certification every 2 years and ensuring the re-certifications are performed. C Resolving Colorado Benefits Management Systems (CBMS) programming and system issues to appropriately terminate applicants? presumptive eligibility when the beneficiaries are enrolled in regular Medicaid or Children?s Basic Health Plan program and ensuring CBMS displays consistent applicant information between various screens. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department agrees with the audit recommendation to develop and implement formal written policies and procedures. Prior to this audit, the Department began creating formal written policies and procedures for site case reviews, maintenance of supporting documentation, timely training for failed workers, and performance of timely re-certification of presumptive eligibility sites (PE site). This finding had no known questionable cost associated with it. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Department agrees with the audit recommendation to develop an effective tracking mechanism to identify and monitor PE sites that are due for re-certification every two years and ensuring that the re-certifications are performed. Prior to this audit, the Department began developing a tracking mechanism for PE site re-certifications. This finding had no known questionable cost associated with it. C AGREE. IMPLEMENTATION DATE: IMPLEMENTED. Implemented as of April 2021. The Department has thoroughly researched the eligibility issues identified in this audit and made the changes to CBMS to ensure that applicants? presumptive eligibility has been appropriately terminated when the beneficiaries are enrolled in regular Medicaid or CBHP program, and that CBMS displays consistent applicant information between various screens. These issues were fixed through two system changes implemented in March 2020 and April 2021. This finding had no known questionable cost associated with it. AUDITOR?S ADDENDUM for Parts A, B, and C As noted in the finding, we found five PE Sites that were not re-certified within the required 2 years and therefore, were not qualified to make presumptive eligibility determinations after their re-certification due date had passed. State regulation [10 CCR 2505-10, 8.100.4.F] requires the Department to re-certify the presumptive eligibility sites every 2 years to remain an approved site. The five PE sites processed a total of 314 presumptive eligibility determinations after their re-certification due date and before the Department re-certified the sites. The Department was unable to provide the total payments made on behalf of these 314 beneficiaries? prior to being enrolled in the regular Medicaid or CBHP program as of June 30, 2020. Therefore, we were unable to determine the amount of questioned costs the Department paid for these individuals during Fiscal Year 2020.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2020-052 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-039 PROVIDER ELIGIBILITY The providers of medical and related services covered under Medicaid and CBHP programs fall into a wide array of provider types that include clinics, hospitals, independent physicians, and medical technicians, as well as managed care organizations and health plans that contract with medical providers. As of June 30, 2020, approximately 76,960 entities and individuals were enrolled with the Department to provide services under Medicaid and CBHP. Although the Department is ultimately responsible for ensuring that only eligible providers participate in the Medicaid and CBHP programs, the Department has contracted with a fiscal agent to perform certain provider-enrollment and claims-processing activities, including accepting, processing, evaluating, and approving or rejecting applications. Providers that want to enroll must complete an online application within Colorado interChange and provide documentation, including a current medical license, showing that they fulfill all enrollment requirements based on their provider type. The fiscal agent is contractually responsible for evaluating the application and the relevant supporting documentation to ensure compliance with all state and federal enrollment requirements. The Department is responsible for maintaining current provider information in Colorado interChange. Once the enrollment process is complete, the Department enters into agreements with the providers that are found to be eligible. In December 2019, the Department added a Department of Regulatory Agencies (DORA) license database interface within Colorado interChange in order to provide a mechanism for updating the provider?s medical license information including the expiration dates within Colorado interChange for any expired provider licenses. Department staff indicated that the provider licenses are manually reviewed at the time of enrollment by the fiscal agent and marked as active, meaning the providers are eligible to participate in the Medicaid and/or CBHP programs. On a monthly basis, the fiscal agent manually runs a report from the DORA database to identify the provider?s medical licenses that are about to expire and updates the renewed license information in Colorado interChange. If a provider?s license is expired, then the fiscal agent marks the provider for a review. Furthermore, the Department?s Program Integrity (PI) Division checks the DORA?s website monthly to determine if any action such as suspensions or revocations of licenses have been taken against a provider?s medical license. If the action taken against the provider affects the provider?s ability to participate in Medicaid or CBHP for a certain period, the PI Division then determines if the provider should be placed on a temporary restriction by suspending any payments, or be terminated within Colorado interChange to stop payments to the provider. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over the enrollment and eligibility determinations of providers for Medicaid and CBHP services and to determine whether the Department complied with federal Medicaid and CBHP provider eligibility requirements during Fiscal Year 2020. Additionally, we assessed the Department?s progress in implementing our Fiscal Year 2019 recommendation related to provider eligibility and enrollment. At that time, we recommended that the Department improve its controls in this area to ensure that it complies with federal and state requirements related to data verification and maintenance of documentation, such as current provider licenses, to ensure payments are only made to eligible providers. We also obtained a detailed Suspension Listing from DORA, which contained provider medical licenses that were suspended during Fiscal Year 2020. We compared this Suspension Listing with provider information within Colorado interChange to determine whether the Department paid any providers with suspended licenses for claims during the fiscal year. We reviewed a sample of 45 provider applications for providers that were deemed eligible and received Medicaid and CBHP payments during Fiscal Year 2020 through Colorado interChange. We obtained and reviewed provider application information and relevant supporting documentation within Colorado interChange to determine whether these providers were accurately deemed eligible to receive Medicaid and CBHP payments and whether the required documents were maintained, in accordance with federal and state regulations. In addition, we conducted interviews with Department staff regarding its procedures over Medicaid and CBHP provider eligibility and enrollment. In March 2020, the Governor issued executive orders waiving Medicaid and CBHP provider licensing requirements for providers whose licenses expired during the COVID-19 PHE; as a result, our testwork was split into two periods of testing: (1) July 1, 2019, through February 29, 2020, and (2) March 1, 2020, through June 30, 2020. The process followed for provider eligibility and enrollment is the same for both Medicaid and CBHP providers, and our testing was used to determine compliance for both programs. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? We applied the following criteria during our testing: ? FEDERAL REGULATION [42 CFR 455.412] requires that the Department have a method for verifying that any provider purporting to be licensed in accordance with the laws of any state is licensed by such state and confirm that the provider?s license has not expired and that there are no current limitations on the provider?s license. This federal regulation requires the Department to verify that the providers meet required licensure standards initially, and it is best practice for the Department to verify that the providers meet these standards on an ongoing basis to ensure that there are no current limitations on the provider?s license. In May 2021, CMS provided clarification to the Department that ?not every condition on a provider?s license would be considered a limitation? and the PI Division within the Department needs to ?document in writing their determination to keep a provider enrolled when a license limitation does not restrict the provider?s ability to render services to Medicaid and CBHP beneficiaries to be in compliance with federal regulation.? ? STATE REGULATIONS [10 CCR 2505-10, 8.125.9 A AND B] require for current medical provider licenses, if a provider is required to possess a license or certification in order to provide services or supplies in the State, then that provider must be so licensed as a condition of enrollment as a Medicaid provider. As a condition of enrollment, any required licenses must be active without any current limitations. ? DEPARTMENT POLICY AND PROCEDURE. Provider Licensure Sanction Monitoring, Section III. A., states that in order for a provider to be eligible to render and bill for services, the provider must have an active license. ? FEDERAL CMS REQUIREMENTS [Sub Regulatory Guidance for State Medicaid Agencies (SMA): Revalidation (2016-001 (3))] state the Department must be able to produce documentation to support each of the provider screening and enrollment requirements under 42 CFR 455 Subpart E, including documentation of the most current license to ensure the provider remains eligible to provide services. ? CONTRACT REQUIREMENTS. According to the contract agreement with the fiscal agent, the fiscal agent is required to maintain detailed documentation to support each of the provider screening and enrollment requirements, including documentation of the provider?s most current license to ensure the provider remains eligible to provide services for Medicaid and CBHP. ? FEDERAL REGULATION [45 CFR 75.303(a)] requires that the Department, as a recipient of federal funds, must establish and maintain effective internal control over its federal awards that provides reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Green Book, Paragraph 16.01, which states that the Department ?should establish and operate monitoring activities to monitor [its] internal control system and evaluate the results.? Monitoring activities include reviewing reports, observing operations, and ensuring that activities are carried out in accordance with the federal grant agreement(s). WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We found that the Department did not fully comply with federal and state regulations for Medicaid and CBHP provider eligibility during Fiscal Year 2020. The specific issues we identified through our analyses of Medicaid and CBHP provider license data and case file reviews are outlined in more detail throughout this section. ELIGIBILITY ISSUES IDENTIFIED THROUGH DATA ANALYSES INELIGIBLE PROVIDERS?SUSPENDED LICENSES OR LICENSE WITH LIMITATIONS. Based on our comparison of the suspended provider license listing from DORA and provider information within Colorado interChange, we identified 13 ineligible providers who had their license suspended or had a license with limitations for part of Fiscal Year 2020, but continued to be shown as active, which means eligible, in Colorado interChange, as follows: ? 13 providers had their licenses suspended by DORA during Fiscal Year 2020; however, instead of terminating these providers in accordance with federal and state regulations, the Department marked these providers as active within Colorado interChange. For four of the 13 providers, the Department did not take any action to prevent them from billing for services during the year. For the remaining nine providers, the Department placed billing restrictions on the providers after DORA?s suspension date. Specifically, for six of these nine providers, the Department placed billing restrictions on the providers within 1 to 2 months and for the remaining three providers, placed the billing restrictions on the providers between 3 to 12 months after DORA?s suspension date. Based on additional testing, we determined that no payments were made to these providers after their licenses were suspended by DORA and therefore, we did not identify any questioned costs associated with these providers. ? One provider had its license listed as active with conditions on DORA?s website from April 10, 2020, through June 30, 2020, but the Department did not terminate the provider due to current limitations on the license; instead, the provider was marked as active in Colorado interChange and continued to bill claims and receive payments during the fiscal year. We determined that the provider?s current license limitations did not restrict the provider?s ability to render services. Therefore, the provider was eligible and no questioned costs were noted. However, the Department did not document their determination to keep this provider enrolled with current license limitations. In addition, we noted that this provider?s license expired in Colorado interChange as of October 2016, however, DORA?s website showed the provider with an active license, or license with limitations, during Fiscal Year 2020. The fiscal agent did not update license information as required by the contract. ELIGIBILITY CASE FILE ISSUES MISSING DOCUMENTATION AND LICENSE INFORMATION. For five of 45 providers (11 percent), the Department did not ensure that the fiscal agent maintained the support of the most current medical license information as of June 30, 2020, within Colorado interChange to demonstrate that the provider was eligible to provide services. After we brought the issue to the Department?s attention, the Department provided the documentation. Additionally, for two of these five providers, we found that the medical license information maintained by the fiscal agent in Colorado interChange differed from the license information contained in the DORA database. For example, in one case, the provider?s license showed an expiration date of September 30, 2019, in Colorado interChange, while the accurate license expiration date in DORA?s database was September 30, 2021. Without the most current license information, the fiscal agent cannot appropriately verify ongoing eligibility for the providers. WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls in place over the provider eligibility process during Fiscal Year 2020 to ensure that it complied with federal and state regulations. ? INEFFECTIVE REVIEW OF PROVIDER LICENSES. The Department lacks an effective review process to ensure the license information in DORA?s database matches the license information in Colorado interChange in order to identify suspended providers, to document their determination to keep a provider enrolled with license limitations, and providers with expired licenses. In addition, the Department?s manual review did not ensure that suspended providers, providers with license limitations and providers with expired licenses were terminated and restricted in a timely manner. ? POLICIES AND PROCEDURES NOT UPDATED. The Department did not obtain CMS guidance until May 2021 to document their determinations to keep providers with license limitations enrolled when a license limitation did not restrict provider?s ability to render services. Therefore, the Department?s current policies and procedures are not updated to match CMS guidance. ? LACK OF EFFECTIVE TRAINING AND MONITORING. The Department was not effectively training and monitoring its fiscal agent to ensure that copies of active medical licenses are maintained within providers? files in Colorado interChange. Additionally, the fiscal agent did not properly update the provider?s license information in Colorado interChange to match the DORA database during Fiscal Year 2020. WHY DO THESE PROBLEMS MATTER? By not ensuring that appropriate internal controls, including policies and procedures, reviews, training, and monitoring, are in place over the Medicaid and CBHP provider eligibility process, the Department cannot ensure that all Medicaid and CBHP providers are eligible to participate in the programs. Additionally, without an effective review process to update provider licensure information within Colorado interChange, the Department cannot ensure that the enrolled providers are eligible to receive payments. Ensuring that providers contained in Colorado interChange are eligible to provide services is especially important to prevent any improper payments. Overall, the State could risk losing federal Medicaid and CBHP funding if it allows ineligible providers to bill and be paid for services provided for these programs. Furthermore, the State may lose federal Medicaid money if the Department does not recover any of the payments made to ineligible providers. State statute [Section 25.5-4-301(2), C.R.S.] indicates that any overpayments of claims to providers are recoverable. These overpayments ?shall be recoverable regardless of whether the overpayment is the result of an error by the state department, a county department of social services, an entity acting on behalf of either department, or by the provider or any agent of the provider.? See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-039 The Department of Health Care Policy and Financing (Department) should improve its internal controls over the Medicaid and Children?s Basic Health Plan provider eligibility determination to ensure that it complies with federal and state requirements by: A Improving the Department?s review process of provider licenses to ensure the license information in the Department of Regulatory Agencies (DORA) license database matches the license information in the Colorado interChange system and ensuring timely termination and imposing restrictions for the provider?s whose licenses are suspended or expired. B Updating the current policies and procedures to match Centers for Medicare and Medicaid Services guidance to ensure there is adequate documentation of the determinations for providers with license limitations. C Effectively training and monitoring its fiscal agent to ensure that copies of active licenses are maintained and provider license information in the Colorado interChange system matches the information in DORA?s license database. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will update its policies and procedures to ensure that the process for reviewing whether a license action requires termination or a restriction in the Colorado interChange, is documented and implemented in a timely manner to prevent payments to ineligible providers. As noted in OSA's finding, it is best practice for the Department to verify providers meet these standards on an ongoing basis between initial enrollment and revalidation to ensure there are no current limitations on the provider?s license, including those that have expired. The Department?s previous process was discontinued due to data matching issues between DORA and the Colorado interChange. However, letters continue to be sent to providers with upcoming expiring licenses prompting them to add current license information to their provider file. The Department plans to implement a system change that will make the data feed from DORA functional and install a front-end claims edit that will prevent claims from providers with an expired license from paying. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will update its policies and procedures to ensure that all determinations made on whether a provider has a limitation on its license are properly documented. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department has an established process to train and monitor its fiscal agent. The Department will continue to monitor the Fiscal Agent through reports, meetings, and quarterly audit review processes. The Department and the Fiscal Agent will continue to collaborate to improve the process in which required documentation is collected and maintained.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-054 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-041 MEDICAID ELIGIBILITY?MISSING SOCIAL SECURITY NUMBERS A beneficiary?s application includes information such as a Social Security Number (SSN), birth certificate, and supporting documentation for income. Local counties and MA sites are responsible for administering the benefits application process, entering the required data for eligibility determination into CBMS, and approving or denying applicants? eligibility. For example, Medicaid caseworkers enter and document each applicant?s SSN into CBMS. Caseworkers determine participants? eligibility to receive Medicaid benefits through CBMS. The CBMS eligibility data, including SSNs, feeds into Colorado interChange, which pays providers for the services they render to Medicaid beneficiaries. If there is a change to an SSN, including removing an SSN in CBMS, this change should feed directly into Colorado interChange. Additionally, children in foster care are automatically eligible for Medicaid; the TRAILS system that supports the foster care program at the Department of Human Services also interfaces with Colorado interChange on a daily basis to update foster care beneficiaries? eligibility information and pay providers for the services rendered. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls that were in place over the Medicaid eligibility process during Fiscal Year 2019, and to determine whether the Department complied with federal and state Medicaid requirements during this timeframe. During our audit, we requested a list of all Medicaid claims for medical services that were submitted and paid through Colorado interChange from July 1, 2018, through March 31, 2019. This list included claims made on behalf of approximately 1.1 million beneficiaries. We analyzed the data to identify any Medicaid claims payments made during July 1, 2018, through March 31, 2019, on behalf of beneficiaries who did not have an SSN in Colorado interChange on the date of the claims payment, and found a total of 524,092 claims paid on behalf of 46,772 beneficiaries. From this listing, we excluded any of the claims payments made on behalf of a beneficiary who was exempted from providing an SSN under federal and state regulations. For example, we removed claims payments for beneficiaries who were under the age of 1; beneficiaries who were in foster care and, therefore, were automatically deemed eligible for Medicaid; beneficiaries who had applied to the Social Security Administration for an SSN at the time of the payment; beneficiaries who received medical care as an emergency service; and beneficiaries who had chosen to opt out of providing an SSN due to allowed religious reasons. After we removed these exempted beneficiaries from the population, the list included 2,870 beneficiaries that appeared to be missing an SSN in Colorado interChange and who had Medicaid claims payments made on their behalf from July 1, 2018, through March 31, 2019. We then reviewed these remaining beneficiaries, and the related separate payments made on their behalf during this time period, to determine whether these beneficiaries had an SSN in Colorado interChange at the time of the claims payments and whether the individuals were eligible for Medicaid benefits in accordance with federal regulations and Department procedures. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? SSN REQUIREMENTS. Federal regulations [42 CFR 435.910 and 42 CFR 435.117(b)] state that the Department must require an SSN for each individual requesting Medicaid benefits, with the exception of newborns under the age of 1, or ?Eligible Needy Newborns,? and individuals who refuse ?to obtain an SSN because of well-established religious objections.? Federal regulation [42 CFR 435.145(b)(2)] states that the Department must provide Medicaid benefits to individuals who are in the foster care program. Section 472 of the Social Security Act does not require a child to provide an SSN in order to be eligible for the foster care program. State regulations [10 CCR 2505-10 8.100.3.I.1, 8.100.4.B.1.a, and 8.100.4.G.7.a] also require that every individual who applies for and receives Medicaid benefits must provide an SSN, or an application for an SSN, with their application for Medicaid. The regulation specifically states: An applicant?s or client?s refusal to furnish or apply for a Social Security Number affects the family?s eligibility for assistance as follows: i) that person cannot be determined eligible for the Medical Assistance Program; and/or ii) if the person with no SSN or proof of application for SSN is the only dependent child on whose behalf assistance is requested or received, assistance shall be denied or terminated. The regulation also states that newborns under the age of 1 and ?members of religious groups whose faith will not permit them to obtain Social Security Numbers shall be exempt from providing a Social Security Number.? Eligibility data, including SSNs, is required to be collected and entered into CBMS at the time of application or upon another event, such as the beneficiary turning 1 year old. Because this information is maintained within CBMS, and CBMS feeds eligibility information into Colorado interChange, eligible beneficiaries should have an SSN in Colorado interChange. MONITORING. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in the Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). Green Book Paragraph 16.01, Perform Monitoring Activities, states the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. TRAINING. Department training procedures indicate that when a local county or MA site caseworker needs to update an SSN in CBMS, he or she must call the Office of Information Technology (OIT) Service Desk within the Office of the Governor, for approval of the change. According to Department staff, once the OIT Service Desk reviews and approves the change, the information will be updated within CBMS; if the OIT Service Desk does not approve the change to the SSN, then the updated information will be rejected within CBMS. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We identified 2,870 beneficiaries who were required to have an SSN but did not have an SSN documented in Colorado interChange and had Medicaid claims paid on their behalf sometime between July 1, 2018, and March 31, 2019. In total, Colorado interChange paid approximately $4,540,920 in Medicaid claims for these beneficiaries during the time period noted. In August 2019, we informed the Department of the issues we identified and Department staff performed additional follow-up based on our findings, which included analyzing information contained in CBMS compared to our results from Colorado interchange; the Department confirmed in January 2020, the Department confirmed that 1,590 of these beneficiaries had never had an SSN recorded in CBMS since they were first found eligible for Medicaid benefits, and therefore, would never have had an SSN in Colorado interChange. Because these individuals were required by federal and state regulations to provide an SSN at the time of application or upon another event, as applicable, the lack of documented SSNs in both CBMS and Colorado interChange indicated that these individuals appeared to be ineligible for the Medicaid claims payments that were made on their behalf during the fiscal year. The Department indicated that the remaining 1,280 beneficiaries without an SSN in Colorado interChange did not have an SSN in CBMS at the time of the claim but had an SSN ?at some point? during Fiscal Year 2019 or prior within CBMS. Since the individuals lacked an SSN within Colorado interChange at the time of the Fiscal Year 2019 claims payments, and based on the documentation provided by the Department, we were unable to determine whether the individuals had submitted an SSN at the time of application or upon another event as required and, therefore, whether they were eligible for the Medicaid services they received. Overall, for the 1,590 beneficiaries noted, we identified known questioned costs of $2,285,757 for the period of July 1, 2018, through March 31, 2019; $1,142,879 of these costs were paid with federal grant funds. For the 1,280 beneficiaries noted, we identified likely questioned costs of $2,255,163 for the period of July 1, 2018, through March 31, 2019. We further analyzed 49 of the 1,590 beneficiaries noted above to identify reasons for missing SSNs and found that: ? Beneficiaries in CBMS were not eligible; however, they were marked as ?eligible? within Colorado interChange. ? Beneficiaries were incorrectly enrolled in the Eligible Needy Newborn Program even though they were all over the age of 1; as a result, although the Department had not required them to provide an SSN, they continued to receive benefits during July 1, 2018, through March 31, 2019. ? Beneficiaries were exempted from obtaining an SSN for unallowable reasons including ?incomplete documents? and ?illness? categories, and CBMS processed their eligibility and Colorado interChange made payments on their behalf; however, neither federal nor state regulations allow such exemptions. The Department has indicated that they are performing additional research on the issues regarding the 1,280 beneficiaries that had an SSN ?at some point? during Fiscal Year 2019 or prior within CBMS. WHY DID THESE PROBLEMS OCCUR? For 1,280 beneficiaries identified who were missing an SSN in Colorado interChange and CBMS at the time of the claim, but had an SSN ?at some point? within CBMS during Fiscal Year 2019 or prior, the Department provided the following possible explanation: The SSN was removed due to caseworkers failing to contact the OIT Service Desk for proper approval for changes to SSN information in CBMS. Other problems with missing SSNs were related to: ? CBMS ISSUES. CBMS was not programmed to appropriately deny an applicant?s eligibility for Medicaid when the individual did not have an SSN in CBMS and did not have an allowed exception noted in CBMS. Rather, CBMS allowed the SSN field to be left blank, regardless of the reason noted for the missing SSN and whether the reason was allowed as an exemption by federal and state regulations. In addition, the SSN in CBMS could be deleted at any time by the caseworker or the OIT Service Desk and CBMS was not programmed to alert the caseworker to follow up if an SSN had been deleted from the file. ? SYSTEM INTERFACE ISSUES AND LACK OF A RECONCILIATION PROCESS. CBMS was not interfacing with Colorado interChange appropriately to update beneficiaries? eligibility information. Some beneficiaries who were deemed ?ineligible? for Medicaid in CBMS were listed as ?eligible? in Colorado interChange and payments were made on their behalf during the fiscal year. Furthermore, the Department lacked an effective internal control process for reconciling Medicaid beneficiaries? eligibility information in CBMS to the eligibility information in Colorado interChange to ensure that the information was consistent in both systems, and that the beneficiary was appropriately deemed either ?eligible? or ?ineligible? in accordance with federal and state regulations. ? LACK OF EFFECTIVE REVIEWS, TRAINING, AND MONITORING. The Department was not effectively monitoring and training Medicaid local county and MA site caseworkers on required approvals for any changes to beneficiaries? SSNs. Further, the Department did not have an effective review process to ensure that beneficiaries were enrolled in the correct Medicaid program. WHY DO THESE PROBLEMS MATTER? As the state Medicaid agency, it is essential for the Department to ensure that Medicaid eligibility determinations are made appropriately and in accordance with state and federal regulations. This includes ensuring accurate processing of information used to determine Medicaid eligibility results in Medicaid benefits being provided to and paid on behalf of only eligible individuals. Since CBMS and Colorado interChange determine eligibility and issue payments on behalf of other federal programs, such as the CBHP, these issues could result in erroneous eligibility determinations or payments for other programs. Ultimately, the federal government may disallow federal funds for Medicaid program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2019-043 The Department of Health Care Policy and Financing should improve its internal controls over Medicaid eligibility by: A Researching and, if feasible, instituting a mechanism for identifying Medicaid cases in the Colorado Benefits Management System (CBMS) that lack a Social Security Number. B Researching and resolving CBMS and Colorado interChange interface issues to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries and establishing an effective reconciliation process between CBMS and Colorado interChange to ensure that Medicaid beneficiaries? eligibility information is consistent in both systems. C Effectively training and monitoring local counties and Medical Assistance sites to ensure that caseworkers are obtaining and documenting the Office of Information Technology Service Desk?s approval for changes to beneficiaries? Social Security Numbers, and that beneficiaries are enrolled in the correct Medicaid program. D Researching the cases identified in our audit to determine whether these beneficiaries were eligible and that the payments made on their behalf were appropriate, in accordance with federal and state regulations. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The CBMS currently has functionality in place for members requesting Medical Assistance that they must supply a Social Security Number (SSN) unless they meet certain acceptable exceptions at initial application. Since CBMS is a shared system between the Department and the Department of Human Services and any change would impact all cases in CBMS, the Department cannot guarantee that a system change can be implemented. The Department can agrees to research on the feasibility of instituting a mechanism for identifying Medicaid cases in CBMS that lack a social security number and, if feasible, implement a CBMS change by July 2022. B AGREE. IMPLEMENTATION DATE: JULY 2021. The Department agrees to research and resolve Colorado Benefits Management System (CBMS), and Colorado interChange system interface issues identified in the audit. The Department implemented a system change in June of 2018 that allows retroactive changes in eligibility to be correctly synced between the systems. The majority of the impacted cases are historical cases that will be manually corrected by June 2020. Additional cases involve detailed research, review, and potential outreach to case workers to correct the case file or verify the eligibility status of the impacted members. The Department will take the appropriate actions to notify impacted members if necessary. The Department's implementation date reflects that the Department will be in compliance with the Recommendation for the entirety of FY 2021-22. C AGREE. IMPLEMENTATION DATE: JULY 2021. The Department provides training to counties and Medical Assistance sites that beneficiaries applying for Medical Assistance must supply a Social Security Number (SSN) or supply verification that they have applied for an SSN, unless they meet certain acceptable exceptions. This information has been communicated to the counties since 2004 and is part of our ongoing training materials. The Department cannot agree to establish any additional review process at this time. The Department can agree to work with counties and Medical Assistance sites to identify any additional training related to missing SSN and implement additional training by July 2021. D DISAGREE. The Department disagrees with the Total Known Questioned Costs of $2,285,757 identified in the audit report since Department cannot verify the results. The Department is still attempting to reconcile various reports to understand the finding identified through this audit. CBMS currently has functionality in place for members requesting Medical Assistance that they must supply a Social Security Number (SSN), unless they meet certain acceptable exceptions at initial application. The Department does not have the resources to research the thousands of cases that the auditor identified through data mining techniques, a new methodology for the first time this year. If the auditor is changing methodologies, the Department requires additional resources and timely notice to request resources through the budget process. AUDITOR?S ADDENDUM: The beneficiaries identified through our testing were required by Medicaid regulations to provide an SSN at the time of application or upon another event, as applicable, and the SSN is documented in CBMS and uploaded to Colorado interChange [State regulations 10 CCR 2505-10, 8.100.3.I.1 and 8.100.4.B.1.a and 8.100.4.G.7.a]. Because the noted beneficiaries lacked an SSN within Colorado interChange at the time claims payments were made on their behalf, we questioned the beneficiaries? eligibility. The Department is responsible for ensuring that only individuals who are appropriately deemed eligible for Medicaid receive benefits. Therefore, it is the Department?s responsibility to identify and remove ineligible individuals from the Medicaid program and to prevent the inappropriate payment of claims on their behalf. In addition, generally accepted government auditing standards (GAGAS) (paragraph 3.18), require that ?In all matters relating to the GAGAS engagement, auditors and audit organizations must be independent from an audited entity.? Additionally, paragraph 3.42 states that ?Examples of circumstances that create undue influence threats for an auditor?include (b) [e]xternal interference with the selection or application of engagement procedures or in the selection of transactions to be examined.? Therefore, it is imperative that our decisions related to audit approaches and testing methods be made without department influence or persuasion.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-056 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-044 PROVIDER ELIGIBILITY Medicaid and CBHP cover a variety of medical and related services, which are provided by provider types such as clinics and hospitals, managed care organizations such as health plans or independent physicians, as well as individual medical providers working within these entities or individually. As of June 30, 2019, the Department had enrolled approximately 71,000 entities and individuals for providing services under Medicaid and CBHP. The Department is ultimately responsible for determining if providers are eligible to participate in Medicaid and CBHP. However, the Department has contracted with a fiscal agent, currently DXC Technology Services, LLC (DXC), to act on its behalf in determining Medicaid and CBHP provider eligibility. A fiscal agent is a contractor that performs certain provider enrollment and claims processing activities, including accepting, processing, evaluating, and approving or rejecting applications. The fiscal agent also assesses the providers into one of three risk categories?limited, moderate, and high?to ensure that appropriate federal and state regulations are applied during the provider enrollment process. Providers that want to enroll must complete an application within Colorado interChange and provide documentation, including a current business and/or medical license, showing that they fulfill all enrollment requirements. Once the enrollment process is complete, the Department enters into agreements with the providers that are found to be eligible. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over Medicaid and CBHP provider eligibility and enrollment processing, and to determine whether the Department complied with federal Medicaid and CBHP provider eligibility requirements during Fiscal Year 2019. Additionally, the purpose of our work was to determine the Department?s progress in implementing our Fiscal Year 2017 and 2018 recommendations related to provider eligibility and enrollment. At that time, we recommended that the Department improve its controls over Medicaid and CBHP provider eligibility determination and enrollment to ensure that it complies with federal and state requirements related to data verification, documentation including current provider licenses, monitoring policies and procedures, appropriate indication of results of database matches, and consistent display of provider information within Colorado interChange. The Department agreed with our recommendations and stated that it would implement them by Fiscal Year 2019. We reviewed a sample of 25 Medicaid provider applications for individual, company, and managed care providers that were deemed eligible and received payments during Fiscal Year 2019 through Colorado interChange for services provided. We obtained and reviewed the provider application information entered into Colorado interChange, as well as the supporting documentation uploaded into Colorado interChange by providers, to determine whether these providers were accurately deemed eligible to receive Medicaid payments and whether the required documents were present in accordance with federal and state regulations. In addition, we conducted interviews with Department staff regarding its procedures over Medicaid provider eligibility and enrollment. We also obtained a detailed Suspension Listing from the Department of Regulatory Agencies, which contained health care provider business and medical licenses that were terminated during Fiscal Year 2019. We compared the Suspension Listing with provider information in Colorado interChange to determine if the Department made inappropriate claims payments to unlicensed providers during the fiscal year. Because CBHP is operated through Medicaid, and the processes followed for provider eligibility and enrollment for CBHP providers are the same as the processes for Medicaid providers, our testing looked at compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal and state Medicaid regulations for provider eligibility during Fiscal Year 2019. Specifically, although we did not identify enrollment issues with the Department?s processing of providers who were newly enrolled during Fiscal Year 2019, we found at least one issue related to ongoing eligibility with all 25 sampled providers we tested: ? DATABASE MATCHES AND DISPLAY OF PROVIDER INFORMATION. We identified the following database match functionality issues with 24 of 25 providers (96 percent) tested: ? For 23 of 25 providers (92 percent) that included individual, company, and managed care providers, Colorado interChange showed that the provider?s owners, agents, and managing employees? SSNs were not verified against federal databases, as required. Specifically, the SSN check box within Colorado interChange indicated ?N,? meaning ?No verification was performed with the database.? Additionally, for one of 25 providers (4 percent) that was a managed care organization, the organization was enrolled in Colorado interChange in April 2019 and showed that the SSNs had been verified, but SSNs for two individuals who worked under this provider that were listed on the application were shown as ?N? within the system. ? For eight of 25 providers (32 percent) that included companies, Colorado interChange showed that the providers? Federal Employee Identification Numbers (FEIN) were not verified against federal and state databases, as required. Specifically, the FEIN check box within Colorado interChange indicated ?N.? ? For 13 of 25 providers (52 percent), Colorado interChange did not present the data of owners, agents, and managing employees information consistently between various screens within Colorado interChange. For example, when a provider noted owners, agents, or managing employees on its application, that information was not reflected in Colorado interChange outside of the application screen even though there is a section in Colorado interChange that should list the owners? information. According to federal regulation [42 CFR 455.436] and requirements established by the ACA [Patient Protection and Affordable Care Act (2010), Section 6401(a)], the Department must check federal databases to confirm providers? identity and determine whether providers are excluded from participating in the Medicaid program; this verification must also occur, if applicable, against providers? owners, agents, and managing employees. For example, the Department must check the federal exclusion databases at least monthly to ensure that the providers, owners, agents, and managing employees are not excluded from participating in the Medicaid program. Colorado interChange is designed to display provider application information consistently between various screens within the system, such as name, SSN, FEIN, and/or National Provider Identification number (NPI), with various federal and/or state databases to identify potential errors and to flag the application for a required caseworker manual review. According to Department staff, when Colorado interChange successfully verifies provider-provided information against another state or federal database, Colorado interChange should separately mark each verified data field on the application to note the successful match. Conversely, if Colorado interChange does not match a given field against a database, it should also be identified in the system. As a result of these issues, we were unable to determine if Colorado interChange performed the required matches and if any discrepancies in provided information were identified and presented to DXC, the fiscal agent, for a manual review to verify eligibility, as required. ? DOCUMENTATION. The Department did not maintain sufficient documentation within Colorado interChange for the receipt date of the fingerprints from the provider, the collection of application fees, and site visits, as follows: ? For four of 25 providers (16 percent) tested, the Department?s fiscal agent failed to fill in the receipt date field within Colorado interChange to indicate when fingerprints were received from enrolling providers. After bringing this issue to the Department?s attention, the Department provided fingerprinting documentation in November 2019 to support that these providers submitted fingerprints within 30 days of Department request in accordance with federal regulation; however, that receipt date information had not been documented in Colorado interChange as of November 2019. ? For one of 25 providers (4 percent) tested, the provider was assessed as high risk but the provider?s file did not contain evidence that an application fee was collected or that the fiscal agent conducted a site visit, as required. Under federal requirements [Sub Regulatory Guidance for State Medicaid Agencies (SMA): Revalidation (2016-001(3))], the Department ?must be able to produce documentation to support each of the provider screening and enrollment requirements,? such as requirements for fiscal agent-conducted site visits of moderate and high risk providers during the enrollment and revalidation process. Federal regulation [42 CFR 455.432] states that the State Medicaid Agency or their fiscal agent must conduct pre- and post-enrollment site visits of providers who are deemed as moderate or high risk to the Medicaid program. The purpose of the site visits is to verify that the information submitted to the state Medicaid agency is accurate and to determine compliance with federal and state enrollment requirements. Additionally, the Department?s contract with DXC requires the fiscal agent to maintain detailed documentation and procedures for Medicaid provider enrollment. Federal regulation [42 CFR 455.434] requires that, for any provider assessed by the Department as high risk, the Department must obtain fingerprints from the provider, including fingerprints for any person(s) who has a 5 percent or more direct or indirect ownership interest in the provider and furnishes medical or pharmaceutical services or supplies. The provider must submit the fingerprints within 30 days, upon request by the Department. Federal regulation [42 CFR 455.460(a)] states that the Department must collect the applicable application fee prior to executing a provider agreement from a prospective or re-enrolling provider, with certain limited exceptions. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal control over its federal awards that provides reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Green Book Paragraph 16.01, Perform Monitoring Activities, which states that the Department ?should establish and operate monitoring activities to monitor [its] internal control system and evaluate the results.? Monitoring activities include reviewing reports, observing operations, and ensuring that activities are carried out in accordance with the federal grant agreement. ? INELIGIBLE PROVIDERS: Based on our review of the suspended license listing from the Department of Regulatory Agencies, we identified three providers that had their licenses suspended during part of Fiscal Year 2019 but continued to be shown as active in Colorado interChange, as follows: ? One provider had its license suspended between February 11, 2019, and March 27, 2019; however, during this timeframe, the provider continued to bill claims and receive payments from Colorado interChange. After we questioned the Department about the issue, the Department issued a demand for payment letter dated October 18, 2019, to the provider for $15,061 in payments that were inappropriately paid. We consider these $15,061 payments to be known questioned costs; $7,531 of these payments were made with federal grant funds. ? Two providers had suspended licenses as of September 21, 2018, and February 25, 2019, respectively, but showed as active in Colorado interChange through June 30, 2019, and therefore appeared eligible to bill claims and receive payments. Based on additional testing, we determined that no payments were made to these providers after their licenses were suspended and did not identify any questioned costs associated with these two providers. Federal regulation [42 CFR 455.412] requires that the Department must have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State and confirm that the provider?s license has not expired and that there are no current limitations on the provider?s license. This federal regulation requires the Department to verify that the providers meet required licensure standards initially, and it is best practice for the Department to verify that the providers meet these standards on an ongoing basis to ensure that there are no current limitations on the provider?s license. In addition, state regulation [10 CCR 2505-10 8.125.9, Verification of Provider Licenses] states, ?If a provider is required to possess a license or certification in order to provide services or supplies in the State of Colorado, then that provider must be so licensed as a condition of enrollment as a Medicaid provider. As a condition of enrollment, any required licenses must be active without any current limitations.? Under the federal regulation, Requirements for Estimating Improper Payments in Medicaid and CHIP [42 CFR 431.958], ?Improper payment means any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements; and payment means any payment to a provider, insurer, or managed care organization for a Medicaid or CHIP beneficiary?? WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls in place over provider eligibility and claims payment processes related to the monitoring of DXC, its fiscal agent, during Fiscal Year 2019 to ensure that it complied with federal and state regulations. Specifically, Colorado interChange required fixes that were in various stages of correction during Fiscal Year 2019. According to the Department, Colorado interChange required a system fix in December 2018 in order to properly mark and/or display results related to federal and state database checks going forward; however, the system fix did not completely resolve the display issues to accurately indicate whether the data matches had occurred, and the Department did not retroactively make corrections to any cases that erroneously indicated that their information had not been verified. Rather, the Department stated that the inconsistent display issue related to providers that enrolled in the program when Colorado interChange was initially implemented and that this will be addressed after these providers are revalidated in Fiscal Year 2020 or when a provider updates their information, whichever occurs first. Additionally, the Department indicated that Colorado interChange did not have an automated system alert to check with the Department of Regulatory Agencies? license database on a regular basis to notify the fiscal agent and/or the Department that a license had expired. Although the Department reported that they had an interim manual process to ensure that expired licenses were identified and that subsequent steps were taken to ensure that providers remained eligible throughout the fiscal year to provide Medicaid services, the manual process did not identify and/or address the instances that we identified through our audit. Finally, we noted that the Department lacked an effective monitoring process over DXC, its fiscal agent, to ensure that the required documentation was maintained in accordance with Uniform Guidance, as the monitoring policies and procedures referred to as Provider Enrollment Audit Process were still in the draft stage during Fiscal Year 2019 and had not been formalized. WHY DO THESE PROBLEMS MATTER? By not ensuring that appropriate internal controls, including system controls and monitoring, are in place over the Medicaid provider eligibility and enrollment processes, the Department cannot ensure that all Medicaid providers are eligible or qualified to participate in the program. Additionally, without instituting a process to regularly update provider licensure information and to ensure that provider information contained in Colorado interChange is consistent and accurate, the Department cannot ensure that the enrolled providers are appropriately screened and are eligible to receive payments. Ensuring that providers contained in Colorado interChange are qualified to provide services is especially important because Colorado interChange is also used for provider eligibility determination for CBHP. Overall, the State could risk losing federal Medicaid and CBHP funding if it allows non-qualified providers to bill and be paid for services provided for these programs. RECOMMENDATION 2019-046 The Department of Health Care Policy and Financing (Department) should improve its controls over Medicaid and Children?s Basic Health Plan (CBHP) program provider eligibility determination and enrollment to ensure that it complies with federal and state requirements by: A Working with its fiscal agent to ensure that Colorado interChange performs all required database matches and properly displays results of Social Security Number and Federal Employer Identification Number verifications for all providers. B Establishing an effective process to ensure that provider licensing information contained in Colorado interChange is current, that any expired licenses are identified, and that any ineligible providers are disallowed from providing Medicaid and CBHP services and receiving payments in accordance with Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). C Formalizing the Department?s monitoring policies and procedures called Provider Enrollment Audit Process over the fiscal agent to ensure required documentation is maintained in accordance with Uniform Guidance. D Ensuring that Colorado interChange displays provider information consistently throughout the system. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department is working with its Fiscal Agent to ensure all required database screenings are performed and clearly identified in the Colorado interChange. An issue was identified in a prior year, FY 2018-19, that not all screening information was consistent. There was also a concern that initial screenings might miss some individuals due to the way data was formatted when transferred from LexisNexis. The issue was resolved by the Fiscal Agent prior to FY 2019-20. The Fiscal Agent is continuing to conduct manual reviews of all screening results to ensure compliance. A separate process to screen providers monthly is executed by the Department's Program Integrity Section. Through this process, no providers were found to have been enrolled incorrectly and, as necessary, the Department took appropriate action if there were changes to a provider's information. The Department is working with its Fiscal Agent to properly display results of Social Security Number and Federal Employer Identification Number verifications for all providers and automate the review process. The Department's implementation date reflects that the Department will complete the improvements and be in compliance with the Recommendation for the entirety of FY 2022-23. B DISAGREE. The Department finds that the Colorado interChange is working as designed, that the Fiscal Agent is appropriately enrolling providers, and that the Department is in compliance with the federal regulations regarding enrolling and revalidating providers. The Department is compliant with 42 CFR ? 455.436, which requires providers to be screened at enrollment and revalidation. All providers are assessed for eligibility requirements at enrollment and revalidation and are then screened monthly to identify any changes. For the licensing issue identified in this audit report, the Department performed the appropriate actions to recover funds within less than a month of the incident, which is compliant with federal regulation 42 CFR ? 455.436(c)(2). AUDITOR?S ADDENDUM: As noted in the finding, we found issues with the Department?s ongoing verification and monitoring of providers? eligibility that failed to prevent improper payments to an ineligible provider during the fiscal year. In addition, the Department did not send notification to recover funds from the provider until October 2019, or 8 months after the provider?s license was suspended. C AGREE. IMPLEMENTATION DATE: JULY 2020. The Department finalized the Fiscal Agent monitoring policies and procedures in December 2019 and therefore was unable to be in full compliance for the entire FY 2019-20. The Department's implementation date reflects that the Department will be in compliance with the Recommendation for the entirety of FY 2020-21. D DISAGREE. There was an initial system configuration on some early enrollments that prevented populating the requested information in the visible provider subsystem tabs for the auditor to review. The verification functionality happens within the provider portal and not in the visible provider subsystem tabs that the auditor reviews. However, no functionality or data was lost, the information only appeared and was stored in the provider portal. The Department implemented a solution so that the information will be displayed in the provider subsystem. This change is pending the next update the providers make and the data will be visible in the provider subsystem. The Department will not be making historical changes to the system. The Department has worked with the Fiscal Agent to resolve the issues which led to the finding and does not believe that expending additional resources to display historical information in both the provider portal and the provider subsystem is the best use of resources. The Department can produce the information manually. AUDITOR?S ADDENDUM: The data inconsistency issues we identified through our audit were based on our reviews of Colorado interChange through the access provided to us by the Department. As noted in the finding, inconsistent information within the provider eligibility screens used for Medicaid and CBHP increases the risk of inaccurate reviews of provider eligibility and ultimately, inappropriate enrollment screening. Therefore, as our recommendation states, the Department should ensure that Colorado interChange displays provider information consistently. The recommendation did not include restatement of historical information.
Finding 2022-043 Medicaid Claims Payments Individuals and families apply for Medicaid at their local county departments of human/social services or at MA sites. Medicaid caseworkers make the determinations of participants? eligibility to receive Medicaid benefits through CBMS. Children in the State?s foster care program, whose information is documented in the TRAILS system, are automatically determined eligible for Medicaid benefits. The Medicaid eligibility data in CBMS and TRAILS feeds into Colorado interChange, which pays providers for the services that beneficiaries receive. CBMS and TRAILS interface with Colorado interChange on a daily basis to update eligibility information, such as a beneficiary?s eligibility status and/or termination of benefits in Colorado interChange. According to the Department, Colorado interChange is programmed to make only allowable Medicaid claims payments on behalf of eligible beneficiaries in accordance with federal and state Medicaid rules and regulations. Thus, Colorado interChange should stop paying Medicaid claims when a beneficiary is no longer eligible for Medicaid. On March 18, 2020, the Act was enacted. The Act provided a temporary increase in the federal share of Medicaid and CBHP assistance from January 1, 2020 until the end of the PHE. The Act also required that the Department maintain Medicaid and CBHP eligibility for beneficiaries enrolled as of March 1, 2020, through the end of the COVID-19 PHE, except for the required terminations noted within the CMS waivers, such as out-of-state residency, termination upon the beneficiary?s request, and death of the beneficiary. On March 26, 2020, CMS approved waivers for a number of Medicaid and CBHP requirements that resulted in, for example, the expansion of benefits to include all uninsured individuals; suspension of beneficiary deductibles, copayments, coinsurance, and other cost sharing charges and fees; coverage of COVID-19 vaccines and testing; and the suspension of the requirement for a provider to have a current license if their license expired during the COVID-19 PHE. In addition, the State implemented, with CMS? approval, Medicaid continuous enrollment as a condition of receiving the temporary increase in federal assistance. During continuous enrollment, beneficiaries could not be disenrolled due to changes in circumstances (i.e., changes in household composition, employment, income and resources) until the end of the COVID-19 PHE. On December 29, 2022 the CCA was enacted. Under the CCA, continuous enrollment and the temporary increase in federal assistance are no longer linked to the end of the COVID-19 PHE. The continuous enrollment condition will end on March 31, 2023 and the increase in federal assistance will start to gradually reduce in April 2023, fully ending in December 2023. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to review the Department?s progress in implementing our Fiscal Year 2019 audit recommendation related to its internal controls over Medicaid claims payments. During that audit, we recommended that the Department improve its Medicaid controls by researching and resolving CBMS, TRAILS, and Colorado interChange interface issues we identified during our audit to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries. We specifically identified a TRAILS and CBMS eligibility mismatch issue related to the daily interfaces between CBMS and Colorado interChange and between TRAILS and Colorado interChange. As a result, some individuals who were deemed ineligible for Medicaid in CBMS and TRAILS were indicated as eligible in Colorado interChange at the time of payments; therefore, Colorado interChange made payments on their behalf. The Department researched the specific errors we identified during the audit and manually corrected the eligibility status of those beneficiaries, but the Department had not fully researched the error or identified and corrected all of the cases affected by the errors at that time. As such, we also recommended that the Department identify and correct any additional cases affected by the system issues noted in our audit. The Department agreed with the recommendation and stated that it would implement them by July 2021. As part of our audit work, we discussed the Department?s progress in implementing our audit recommendation with Department staff. According to the Department, it worked with the Department of Human Services (DHS) during Fiscal Year 2022 to develop a plan to eliminate the issues, including the TRAILS eligibility mismatch issue, we identified in the Fiscal Year 2019 audit. In order to address our recommendation that the Department identify and correct any additional cases affected by the system issues noted during our Fiscal Year 2019 audit, the Department developed an eligibility reconciliation report that compares beneficiary records with an active eligibility span in Colorado interChange, in order to identify any records that were not reported in the monthly eligibility file from CBMS. Department staff reported that they are reviewing the reconciliation report monthly to identify any beneficiary records that need updating in CBMS. Beneficiaries may show up on the reconciliation report either because (1) Colorado interChange rejected the beneficiary?s eligibility due to a data integrity issue, or (2) there was a system defect in CBMS, Colorado interChange, or TRAILS that caused a mismatch issue. Data integrity issues include issues such as a missing mailing address or last name?these issues can be manually fixed in CBMS. System defect issues are generally more complex and require Department staff to research the problem and identify the system that caused the error (CBMS, Colorado interChange, or TRAILS), and then work with the appropriate staff to correct the issue. As part of our audit, we requested copies of the Department?s eligibility reconciliation reports for Fiscal Year 2022 and asked the Department if it identified any additional cases affected by the system issues we identified, and if so, if they had they corrected the issues. How were the results of the audit work measured? We measured the results of our audit against the following: ? Federal regulation [42 CFR 447.56(e)(2), Limitations on Premiums and Cost Sharing] states that federal funding will not be provided for payments made by the Department to providers for services rendered to individuals who are not eligible for Medicaid. ? The Act [Section 2, Division F, Sec. 6008, Temporary Increase of Medicaid FMAP] temporarily increased the federal medical assistance percentage (FMAP) by 6.2 percentage points, effective from January 1, 2020 until the end of the PHE. The Act requires states to maintain Medicaid and Children?s Health Insurance Program (CHIP) eligibility for beneficiaries enrolled as of March 1, 2020 through the end of the PHE (with certain exceptions) in order to receive the increased FMAP assistance (the ?continuous enrollment requirement?). The PHE remained in effect during the entirety of Fiscal Year 2022 through June 30, 2022. ? According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with the Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office, Paragraph 16.01, Perform Monitoring Activities, which states that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. What problems did the audit work identify? We determined that the Department did not fully implement our Fiscal Year 2019 recommendation related to Medicaid claims payments by the July 2021 due date it originally provided. Specifically, while the Department has started working with DHS on a plan to resolve the TRAILS eligibility mismatch issues and started preliminary work on the project, the project was still ongoing as of June 30, 2022. In addition, the Department?s system enhancements to CBMS and Colorado interChange were not fully executed because of the ongoing PHE. Once the PHE ends and the Department executes the system enhancements, the Department has indicated the system will begin to correct the CBMS and Colorado interChange mismatches. Finally, although the Department has identified additional beneficiary records that require updating in CBMS, it did not correct the identified issues in the system. Specifically, the Department identified approximately 32,800 separate beneficiaries that were flagged as having an eligibility issue through the Fiscal Year ending June 30, 2022. However, per Department staff, they are unable to tell which beneficiaries had data integrity issues versus those that were caused by a system defect. Once the continuous enrollment period ends and the Department is able to fully execute the system enhancements noted above, the Department reports that the systems will sync any error the Department has identified and will be manually corrected. Why did these problems occur? The Department indicated that it did not fully execute the CBMS and Colorado interChange system enhancements because of the Act?s ongoing continuous enrollment requirement. Specifically, because the Department was required to maintain Medicaid and CBHP beneficiaries enrolled as of March 1, 2020 through the entirety of Fiscal Year 2022 due to the continuous enrollment requirements in place, they were unable to fully execute the CBMS and Colorado interChange system enhancements that would fix the data integrity issues identified during the Fiscal Year 2019 audit. Why do these problems matter? Making payments to ineligible individuals can result in the Department having to repay the federal government for the federal portion of the overpayments. Further, because Colorado interChange makes payments on behalf of other federal programs, such as CBHP, system issues with Colorado interChange could result in erroneous payments for other programs. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-043 The Department of Health Care Policy and Financing should strengthen its internal controls over Medicaid claim payments by: A. Continuing to work with the Department of Human Services to fully implement the plan to eliminate the Colorado interChange issues between Colorado Benefits Management System (CBMS), TRAILS, and Colorado interChange to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries. B. Continuing to review the monthly eligibility reconciliation reports and identifying beneficiary records that need updating, and making necessary corrections in CBMS once the continuous enrollment condition ends. Response Department of Health Care Policy and Financing A. Partially Agree Implementation Date: April 2023 The Department and CBMS teams have strengthened their internal controls to ensure payments are only made to providers for eligible members. The Department and CBMS teams will update all member records identified on the Monthly Reconciliation report once the Public Health Emergency ends. TRAILS team has provided additional training to the Case Managers to prevent data integrity issues being submitted to CBMS and interChange; however, the TRAILS team does not plan to update the system's internal controls until funding is available. Auditor?s Addendum Our responsibility under federal audit regulations is to report to the federal government when we identify Medicaid payments that may not have been made on behalf of eligible individuals or costs that we question as appropriate. It is ultimately the Department?s responsibility to have internal controls in place over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions B. Agree Implementation Date: April 2023 The Department agrees to review the monthly eligibility reconciliation report and is looking forward to resolving the member records once the Public Health Emergency ends to fully resolve the audit finding.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-041 Medicaid Eligibility?Social Security Numbers associated with Multiple State IDs Each beneficiary?s Medicaid application must contain specific information, including the beneficiary?s Social Security Number (SSN), a copy of their birth certificate, and support for their income, necessary for determining their Medicaid eligibility. The local counties and MA sites are responsible for administering the benefits application process, including entering the required data for eligibility determination into CBMS, and approving or denying applicants? eligibility. CBMS is a shared eligibility system between the Department and the Department of Human Services. As each beneficiary has one SSN, similarly, the State Identification Module (SIDMOD), which is managed by the Office of Information Technology (OIT), is designed to assign a unique State ID for each beneficiary. CBMS interfaces with Colorado interChange, the Department?s Medicaid claims payment system, on a daily basis to update eligibility information, such as a beneficiary?s eligibility status or termination of benefits in Colorado interChange. Colorado interChange uses this information to process and pay claims for services provided to eligible Medicaid beneficiaries. When a medical provider submits a claim to the Department, Colorado interChange checks the State ID and the date of birth, but not the SSN, submitted with the claim against the beneficiary?s information on file. If the State ID and the date of birth match an eligible beneficiary within Colorado interChange and the claim is otherwise appropriate, then the claim will be processed and paid through the system. The Department requires local counties or MA site caseworkers to call the OIT Service Desk to obtain approval for changing or updating an SSN in CBMS. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department made claims payments on behalf of beneficiaries with the same SSN but different State IDs, including assessing the Department?s progress in implementing our Fiscal Year 2019 recommendation related to this issue. At that time, we recommended that the Department improve its internal controls in this area to ensure that it complies with federal regulations regarding Medicaid eligibility. The Department agreed with the Fiscal Year 2019 recommendation and, during our Fiscal Year 2021 audit, reported that it had implemented this recommendation as of December 2020. As part of our testing, we reviewed the internal controls the Department had in place during Fiscal Year 2021 to identify any beneficiaries whose SSN is linked to more than one State ID in Colorado interChange. During our audit, we requested a list of all Medicaid claims that were submitted by providers and paid by the Department from December 1, 2020, through June 30, 2021, including the beneficiaries? names, SSNs, and State IDs. The Department provided a list that included approximately 924,000 beneficiaries who received benefits during that period. We analyzed this listing to identify any beneficiaries whose SSN was linked to more than one State ID, and to determine if any claims payments were made on behalf of those beneficiaries from December 2020 through June 2021. How were the results of the audit work measured? Federal regulation [42 CFR 435.910] states that the Department must require, as a condition of eligibility, that each individual (including children) seeking Medicaid services furnish a SSN. Federal regulation [42 CFR 435.914] further requires the Department to obtain and maintain documentation to support each beneficiary?s Medicaid eligibility determination. Federal regulation [42 CFR 447.56(e)(2)] states that federal funding will not be provided for payments made by the Department to providers for services provided on behalf of individuals who are not eligible for Medicaid. Further, the Department is required by federal regulations to repay the federal government the federal share of any overpayments within one year. Specifically, pursuant to 1903(d)(2)(C) of the Social Security Act [42 U.S.S. 1396b], states have up to one year from the date of discovery of the overpayment to recover or attempt to recover the overpayment before the federal share must be refunded to CMS regardless of whether recovery is made from the provider. According to federal regulation [45 CFR 75.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office. Under Paragraph 16.01 of the Green Book, the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. What problem did the audit work identify? We determined that the Department has not fully implemented the prior audit recommendation. During our testing, we identified 102 unique SSNs that appeared to be inappropriately associated with more than one State ID; in total, the 102 SSNs were tied to 209 State IDs. This could indicate that the Department determined eligibility without a beneficiary furnishing the correct SSN and, as a result, made claims payments on behalf of ineligible beneficiaries or the SSNs could be valid, but with more than one State ID, a provider could submit and have a claim paid for the same services under both State IDs. Specifically, we found the following: ? For 62 SSNs, the SSNs were tied to beneficiaries with more than one State ID, totaling 129 different State IDs, where the State IDs appeared to be for different people based on the names and/or dates of birth. ? For 40 SSNs, the SSNs were tied to beneficiaries with more than one State ID, totaling 80 different State IDs, where the State IDs had the same name and date of birth. ? For 99 SSNs, each SSN was tied to two different State IDs in Colorado interChange. ? For three SSNs, each SSN was tied to more than two different State IDs in Colorado interChange. For example, in one of the three instances, there were five different State IDs associated with one invalid SSN. These issues affected a total of 209 Medicaid State IDs that had not been corrected as of June 2021, representing a total of $67,235 Medicaid claims paid through Colorado interChange from December 2020 through June 2021. We provided the list of SSNs and State IDs to the Department to research. The Department found that, as of the end of our audit in April 2022, 59 out of the 102 SSNs identified during the audit had been corrected by a caseworker, but 43 SSNs need to be corrected in CBMS. The Department reported that these 43 SSNs had been flagged through a system edit in CBMS implemented in December 2020; however, the SSNs had not yet been corrected because ?To merge or correct [the SSNs and State IDs] is a time intensive process and must be prioritized within the business process of the [local counties and] Medical Assistance sites.? Although the Department was able to determine which SSN and State ID discrepancies had been corrected in CBMS as of April 2022, the Department has not completed its research to determine which claims made in Colorado interChange were made on behalf of beneficiaries with a correct SSN, and whether the implemented system edit appropriately addresses the issues identified in both Fiscal Years 2019 and 2021. As of the end of the audit, the Department had not completed this research and we were unable to determine whether the payments were made on behalf of beneficiaries with a valid SSN at the time payments were made. Therefore, we consider all $67,235 of the payments to be known questioned costs; $37,786 of these costs were paid with federal grant funds. A questioned cost, as defined in federal regulations [45 CFR 75.2 Uniform Administrative Requirements, Cost Principles, and Audit Requirements] (Uniform Guidance), is ?a cost that is questioned by the auditor ? (1) Which resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds; [or] (2) Where the costs, at the time of the audit, are not supported by adequate documentation?.? We have identified these questioned costs as known questioned costs that are further defined in Uniform Guidance [45 CFR 75.516] as questioned costs that are specifically identified by the auditor. Why did this problem occur? The Department did not have adequate internal controls in place during Fiscal Year 2021 to prevent or detect all instances of multiple State IDs associated with the same SSN in Colorado interChange and, as a result, could not ensure only eligible beneficiaries received Medicaid services. SIDMOD does not prevent several situations that can result in the same SSN with more than one State ID. For example, caseworkers could incorrectly input an SSN into CBMS or the SSN could be reported by the beneficiary incorrectly and, as a result, cause a new State ID to be created. There can also be instances when someone changes their name, such as when they get married, and apply for benefits prior to getting married and also after getting married, which could cause two State IDs to be created. If someone starts an application and does not finish the application and then restarts a new application at a later date, this can also cause two State IDs to be created. Further, when inputting multiple family members into the system, an input error of the SSN can occur with multiple family members with the same SSN, which would create multiple State IDs (one for each family member) with the same SSN. According to the Department, in order to implement the Fiscal Year 2019 recommendation, it implemented a system edit in CBMS in December 2020 that is designed to identify discrepancies in newly-entered or updated SSNs and State IDs in CBMS after that date and to then notify the caseworker so the caseworker can address the discrepancy; this edit was not designed to address SSN and State ID discrepancies that existed prior to December 2020. As a result, the system edit did not identify SSN and State ID discrepancies for claims made from December 2020 to June 2021 if those discrepancies existed prior to the implementation of the system edit in CBMS and the beneficiaries? information had not been updated in CBMS. For example, if a beneficiary had an incorrect SSN prior to the system edit and was, therefore, ineligible to receive Medicaid services, Colorado interChange would continue paying claims on behalf of the beneficiary until information was updated in CBMS and the beneficiary was determined to be ineligible for Medicaid. Because the system edit implemented in CBMS is only designed to detect and correct future SSN and State ID discrepancies, the Department has not fully addressed the issue of inappropriate claims payments that we identified in the prior audit recommendation. According to the Department, addressing SSN and State ID discrepancies that existed prior to December 2020 involves a manual process to identify, research, and resolve the discrepancies. The Department stated that a report to identify SSNs with multiple State IDs is being developed and is currently scheduled for deployment in June 2023. Furthermore, the Department has not established a monitoring process over caseworkers to ensure SSN and State ID discrepancies are addressed appropriately and in a timely manner. Why does this problem matter? Failing to institute appropriate controls over the processing of Medicaid eligibility can result in the counties and MA sites granting Medicaid benefits to ineligible individuals. As the state Medicaid agency, it is essential for the Department to ensure that Medicaid benefits are paid only for eligible beneficiaries. This includes ensuring that the Department has sufficient internal controls to address risks related to multiple State IDs associated with the same SSN. For example, without adequate controls in place to prevent multiple State IDs from being created, providers could erroneously or fraudulently submit duplicate claims under these State IDs for the same services, resulting in improper payments. Ultimately, the federal government may disallow federal funds for Medicaid program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. Recommendation 2021-041 See Schedule of Findings and Questioned Costs for chart/table The Department of Health Care Policy and Financing (Department) should improve its internal controls over Medicaid eligibility by: A. Researching the claims payments that were identified during our audit to determine whether the local counties or Medical Assistance sites had a valid Social Security Number (SSN) when determining eligibility, if payments were appropriate?in accordance with federal regulation at the time the payments were made?and recovering any payments made to providers on behalf of ineligible beneficiaries in accordance with federal regulations. B. Continuing to develop a report to identify SSNs associated with multiple State IDs and establishing and implementing written policies and procedures outlining how the Department will use the report to effectively monitor and correct SSN and State ID discrepancies. C. Implementing a process to monitor that caseworkers are addressing the Colorado Benefits Management System alerts related to SSN and State ID discrepancies appropriately and in a timely manner. Response Department of Health Care Policy and Financing A. Disagree The research required to identify the appropriateness of payments for 102 SSNs compared to the 1.6 million Coloradans the Department serves is administratively impractical and not an efficient use of limited state resources. Instead the Department will continue our existing proactive approach. Based on previous research, 92% of errors noted in the 2019 sample actually supplied a SSN or met exceptions criteria; therefore, payments were appropriate. The resolution of a SSN discrepancy is addressed through manual intervention by county eligibility technicians when identified through the system edit implemented in December 2020. The Department will continue the existing process to address duplicate SSNs, which is working since 58% of the SSNs had already been corrected through the existing process during the audit work. The Department could not agree to the questioned costs as the testing failed to determine which member case was incorrect. The OSA should have documented the incorrect case or identified which State IDs had not been merged through the existing process. The OSA pulled claims data (not Colorado Benefits Management System, or CBMS, cases) and did not identify if those claims were from newly entered cases or cases entered prior to December 2020. The auditor?s sample should have only included the cases impacted by the Department?s system change related to the original recommendation. Further, the Department cannot recover any payments from providers since this issue is not related to services provided. When a provider checks a member's eligibility on the day of service and finds the member eligible through the Department?s system, that provider is guaranteed payment if they render an authorized service. Auditor?s Addendum Our responsibility under federal audit regulations is to report to the federal government when we identify Medicaid payments that may not have been made on behalf of eligible individuals or that we ?question? as appropriate. It is ultimately the Department?s responsibility to perform research over questioned costs to determine whether the payments were or were not appropriate and, working with CMS, whether the Department must refund the federal share of any overpayments to CMS, regardless of whether the Department recovers the payments from the providers. B. Agree Implementation Date: June 2023 The Department will continue our existing proactive approach to minimize this issue. The resolution of a SSN discrepancy is addressed through manual intervention by county eligibility technicians when identified through the system edit implemented in December 2020. The Department will continue the existing process to address duplicate SSNs. The Department has already made significant progress to monitor CBMS through the use of CBMS monitoring dashboards. These dashboards allow the Department to monitor and perform daily analysis. The Department meets bi-weekly to discuss findings and next steps to resolve any issues identified through the dashboard. These dashboards are being implemented over time as areas of improvements are identified. As part of the Department's continual improvement strategy, SSN discrepancy reports are included in the next implementation phase of the monitoring dashboards scheduled for June 2023. The Department will develop and implement policies and procedures outlining how the report will be used to effectively monitor and correct SSN and State ID discrepancies. Once that work is complete, the Department will send updated written guidance to our county and medical assistance sites on how to use system edits, reports, and dashboards to resolve duplicate SSNs. C. Agree Implementation Date: June 2023 The Department will continue our existing proactive approach to minimize this issue. The resolution of a SSN discrepancy is addressed through manual intervention by county eligibility technicians when identified through the system edit implemented in December 2020. The Department will continue the existing process to address duplicate SSNs. The Department has already made significant progress to monitor CBMS through the use of CBMS monitoring dashboards. These dashboards allow the Department to monitor and perform daily analysis. The Department meets bi-weekly to discuss findings and next steps to resolve any issues identified through the dashboard. These dashboards are being implemented over time as areas of improvements are identified. As part of the Department's continual improvement strategy, SSN discrepancy reports are included in the next implementation phase of the monitoring dashboards scheduled for June 2023. Once that work is complete, the Department will send updated written guidance to our county and medical assistance sites on how to use system edits, reports, and dashboards to resolve duplicate SSNs appropriately and in a timely manner.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-042 Medical Loss Ratio Reporting for Managed Care Entities The Department contracts with Managed Care Entities (MCEs) to provide managed care health plans and deliver health care services to eligible Medicaid and CBHP beneficiaries and pays MCEs monthly fixed amounts, known as capitation payments, based on rates determined by actuaries for the provision of services covered under the contract. The Department pays the MCEs monthly capitation payments on behalf of each Medicaid and CBHP beneficiary enrolled in the MCE?s plan. MCEs then coordinate services for the eligible Medicaid and CBHP beneficiaries and providers participating in the managed care system bill the MCEs directly for any medical services provided to Medicaid and CBHP beneficiaries. The MCEs are then responsible for paying the providers for the Medicaid and CBHP claims. The Department contracts with three different types of MCEs?Managed Care Organizations (MCO), Prepaid Inpatient Health Plans (PIHP), and Primary Care Case Management (PCCM) Entities. During Fiscal Year 2021, the Department had a total of 8 contracts with 10 MCEs, with two pairs of MCEs sharing a single contract with the Department. The Department is responsible for monitoring the MCEs to ensure they are complying with federal regulations and their contract provisions, including requirements that the MCEs annually submit Medical Loss Ratio (MLR) reports to the Department. The MLR is the proportion of state and federal Medicaid and CBHP funds that the MCE used for medical services compared to the funds used for its administrative costs. MCEs are required by both federal regulations and their Department contract provisions to have an MLR above 85 percent (i.e., an MCE?s administrative costs cannot exceed 15 percent) except for specific exceptions defined in federal regulations. If the MLR is below 85 percent, the MCE must pay back the state and federal government for the amount that caused the MCE to fall below 85 percent. Every fiscal year, the Department provides an MLR reporting template for the MCEs to complete and return to the Department. The Department reported that when it receives the completed templates, staff review the information provided by the MCEs and compare it to supporting documentation to ensure it is accurate and complete. Once the Department has reviewed the MLR reports submitted by the MCEs, the Department submits the MLR reports to CMS, which are due by June 30 of the year following the end of the MLR reporting year. For example, an MCE with a reporting year ending June 30, 2020, would be required to submit the MLR calculation to CMS by June 30, 2021. During Fiscal Year 2021, the Department reported that it paid approximately $1.4 billion in Medicaid and CBHP capitation payments to MCEs for medical services, not including the capitation payments for other services, such as administrative costs. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to review the Department?s internal controls and compliance over ensuring that MLR reports submitted to CMS by the Department include all the required information in accordance with federal regulations during Fiscal Year 2021. The audit work included making inquiries of Department staff regarding the Department?s documented policies and procedures over obtaining and reviewing MLR reports from each MCE. In addition, we requested and reviewed all MLR reports submitted to the Department by the 10 MCEs that were under contract with the Department in Fiscal Year 2021 to determine whether the MLR reports included all information required by federal regulations and were submitted within the required timeframes. How were the results of the audit work measured? Federal regulations [42 CFR 438.8(k)] require that the Department ensure each MCE under contract with the Department submits a report with the data elements specified in 42 CFR section 438.8(k)(1). The reports are specifically required to contain 13 required data elements, reflect the correct reporting years, and contain an attestation of accuracy regarding the calculation of the MLR. The 13 data elements include items such as total incurred claims, the methodology for allocating expenditures, the calculated MLR, and a comparison of the information reported in the MLR report to the MCE?s audited financial report. Federal regulations [42 CFR 438.8(g)] note that the method used to allocate expenses in the MLR calculation must be: ? Based on a generally accepted accounting method that is expected to yield the most accurate results; ? Any shared expenses must be apportioned pro rata to the contract incurring the expense; and ? Expenses that relate solely to the operation of a reporting entity must be borne solely by the reporting entity and are not to be apportioned to other entities. Federal regulations [42 CFR 438.8(k)(2)] require MCEs to submit the MLR report in a timeframe and manner determined by the Department, which must be within 12 months of the end of the MCE?s reporting year. The Department?s contract provisions for MCEs state that the MLR reporting year should align with the State?s fiscal year, beginning on July 1 and ending on June 30 of the subsequent calendar year. Contract provisions also state that each MCE shall submit to the Department the completed MLR calculation template and supporting documentation for each reporting year by the following January 15. For example, an MCE with a reporting year ending June 30, 2020, would be required to submit the MLR calculation template to the Department by January 15, 2021, and the Department would be required to submit the MLR calculation to CMS by June 30, 2021. What problems did the audit work identify? We reviewed all reports provided to the Department by the 10 MCEs during Fiscal Year 2021 (for the MLR reporting year ended June 30, 2020) and determined that none of the MLR reports submitted by the 10 MCEs to the Department contained all of the required data elements in Fiscal Year 2021. Specifically, the MLR reports were missing 2 of the 13 (15 percent) required data elements: the methodology for the MCEs? allocation of expenditures and a comparison of the information reported in the MLR report to the MCEs? audited financial reports. This omission is significant because the MCEs reported total medical expenditures ranging from $20.5 million to $208.4 million and earned revenue from $23.4 million to $219.1 million. In addition, we determined that 1 of the 10 MLR reports received in Fiscal Year 2021 (10 percent) had not been submitted to CMS as of April 2022. This report was due to CMS on June 30, 2021. Why did these problems occur? We found that the Department lacked adequate controls to ensure that MLR reports submitted by the MCEs fully complied with federal regulations. First, we noted that although the Department?s MCE contracts state the MCE?s MLR report should include all 13 federally required data elements, the MLR template the Department provided to the MCEs did not include specific sections addressing the two missing federally-required data elements. As a result, the MCEs did not submit this information. Furthermore, the Department did not have written policies and procedures for reviewing completed MLR reports to ensure the reports ultimately included those requirements. Second, the Department does not have an enforcement mechanism to ensure the MCEs provide corrected MLR report information in a timely manner. The Department reported that it had not submitted the one MLR report to CMS because it had open questions on the MLR report and was unable to verify that the information was correct, valid, and in compliance with federal regulations. Although the Department sent the MLR report back to the MCE for correction several times, the Department did not have sufficient controls in place to ensure the MCE ultimately provided the corrected report back to the Department within the required reporting timeline for CMS submission. Why do these problems matter? The Department is responsible for ensuring MLR reports are obtained and submitted to CMS in accordance with federal regulations and that MCEs have an MLR above 85 percent. While all 10 MCEs reported that their MLRs were above 85 percent for the reports submitted during Fiscal Year 2021, without providing all required data elements, neither the Department nor the federal government can validate that this percentage is accurate. By not including the methodology for the MCE?s allocation of expenditures, the Department, and ultimately CMS, are unable to confirm that each type of expense is being allocated correctly and that any shared expenses are being prorated appropriately. Additionally, by not including a comparison of the information reported in the MRL to the MCE?s audited financial report, the Department is unable to confirm that the information the MCE used to calculate their MLR is accurate. Overall, without effective internal controls in place, the Department risks providing MLR reports to CMS that contain inaccurate or incomplete information or that the MLR is below 85 percent and the Department does not catch the error. As a result, state and federal funds could be used disproportionately on administrative costs rather than medical services, which would negatively impact the quality of care Medicaid and CBHP beneficiaries receive. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-042 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls over Medical Loss Ratio (MLR) reporting by: A. Updating its MLR report template provided to Managed Care Entities (MCEs) to comply with federal regulations and developing and implementing written policies and procedures. These policies and procedures should include the requirement for MCEs to submit MLR reports that include the data elements required by federal regulations and specify the Department?s review process of those MLR reports to ensure they include accurate and complete information. B. Developing an enforcement mechanism to ensure it receives accurate and corrected information from the MCEs in a timely manner so the Department is able to complete its validation process of MLR reports and meet the June 30 deadline for report submission to the Centers for Medicare & Medicaid Services. Response Department of Health Care Policy and Financing A. Agree Implementation Date: December 2022 The MLR report template has been updated and will now be reviewed at least yearly by the Department. In addition, new written policies and procedures are being developed and will be implemented before the submission of the next MLR for review. B. Agree Implementation Date: January 2023 The Department will add contract language and enforcement mechanisms in order to receive accurate information in a timely manner. This includes specific timelines for correcting incomplete or inaccurate information in order to submit the MLR report timely to the Centers for Medicare & Medicaid Services.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-043 Managed Care Entities? Periodic Audit Reporting On November 9, 2020, CMS adopted a final rule (Final Rule) revising the regulations governing managed care programs. The Final Rule was meant to streamline the existing Medicaid and CBHP managed care regulatory framework. Further, it adopted procedures and standards to ensure accountability and strengthen program integrity safeguards. The Department is responsible for complying with these federal program integrity regulations, some of which include requirements to monitor MCE compliance submission requirements, conduct periodic audits of submitted MCE data, and then post the periodic audits publicly on the Department?s website. These periodic audits are done to determine the accuracy and completeness of the (1) encounter and, (2) financial data submitted by each MCE, which are described as follows: ? Encounter Data. The Department?s contracts with the MCEs require each MCE to submit Medical Encounter Claims (Encounter Data) to the Department. Encounter Data includes services provided by any of the MCE?s providers, including, but not limited to, services delivered by medical groups, practices, clinics, physicians, or any other providers. MCEs must submit Encounter Data on a monthly basis on the last business day of the month. The Department then contracts with an independent external quality review organization to review the information and supporting documentation, and then the external organization issues a report on the data submitted by each MCE. ? Financial Data. The Department?s contracts with the MCEs require each MCE to complete a Department-provided financial reporting template that contains a breakdown of the MCE?s administrative and medical costs for a 12-month period (July through June). These templates are required to be completed and submitted to the Department by January 15 each year. The Department performs an initial review of the information, and then sends the completed templates to an independent CPA firm for final review and issuance of a report on the data submitted by each MCE. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to review the Department?s internal controls over and compliance with federal program integrity requirements for MCEs during Fiscal Year 2021. The audit work included making inquiries of Department staff regarding the Department?s documented policies and procedures over the MCE periodic audits. For each MCE, we reviewed the Department?s MCE contract, the financial reporting template submitted during Fiscal Year 2021, and the report issued by the Department?s contracted independent organization. Lastly, we reviewed the Department?s website to determine whether the Department posted the periodic audit results on their website. How were the results of the audit work measured? Federal regulations [42 CFR 438.602] detail the Department?s responsibilities associated with MCE program integrity. These include the following: ? Federal regulation [42 CFR 602(e)] requires the Department to periodically conduct, or contract for the conduct of, an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by each MCE. ? Federal regulation [42 CFR 438.602(g)(4)] requires that the results of the periodic audits for each MCE be publicly posted on the Department?s website. The Department?s MCE contracts require all MCEs to submit Encounter Data electronically to the Department on a monthly basis. The Department?s MCE contracts also require all MCEs to submit annual financial information, including annual financial statements and the Department provided financial reporting template. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in the Green Book. Under Paragraph 16.01, the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. What problems did the audit work identify? Overall, we found that the Department did not obtain complete financial data from the MCEs during Fiscal Year 2021 and did not post the audited results of the financial data to the Department?s website. Specifically, we found the following: ? Financial Data Reporting Template. For 2 out of the 10 (20 percent) financial reporting templates we reviewed, the MCE did not fill out the reporting template completely. As a result, the reporting templates were missing supporting information and explanations that assist the Department in their initial review of the MCE financial data, such as the MCE?s methodology for calculating administrative and medical costs submitted with the reporting template. ? Posting Incomplete Periodic Audits to the Department?s Website. For 10 of the 10 (100 percent) MCEs, we found that the Department failed to post the results of the financial data audits to its website. Pursuant to federal regulations, the audits must include information on encounter and financial data for each MCE and be posted to the Department?s website. We were able to verify that the Department did, however, post the results of the encounter audits to its website for all 10 MCEs. Why did these problems occur? The Department lacked adequate controls over ensuring compliance with federal program integrity requirements for MCEs. Specifically, the Department did not have written policies and procedures for performing the initial review of the financial data reporting templates before they are sent to the CPA firm for final review. In addition, the Department did not have written policies and procedures for ensuring all periodic audit information is posted to its website, including the results of the financial data audits. Why do these problems matter? As a recipient of federal funds, the Department is ultimately responsible for ensuring that it is in compliance with federal regulations. By not confirming that the MCE financial data templates are complete, there is a risk that the reports issued by the contracted CPA firm could be inaccurate or incomplete, which could lead to the Department not properly monitoring the managed care program. In addition, by posting incomplete periodic audit information to its website, the Department risks failing to comply with federal program integrity requirements for MCEs. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-043 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls by developing and implementing written policies and procedures for periodic audits that detail the process for (1) performing the initial review of the financial data reporting templates submitted by Managed Care Entities, and (2) posting complete periodic audit results on the Department?s website in accordance with federal regulations. Response Department of Health Care Policy and Financing Agree Implementation Date: December 2022 The Department did not have strong enough controls for the initial checks on the financial data reporting templates. This process has been updated and will be rectified in coming cycles. The Department has modified its templates in order to address the concerns provided by the auditors including signatures and supplemental reporting. Written policies and procedures for the validation and audit of the templates are being developed currently and will be in place and effective in December 2022. The Department will be correcting this error by posting the audit results along with other quality and audit reports on the following site: https://hcpf.colorado.gov/quality-and-health-improvement-reports.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-045 Payments for Non-Emergent Medical Transportation ClaimsPrior to July 2020, in 55 counties, the Department worked with various county offices to have them broker Non-Emergent Medical Transportation (NEMT) services for Medicaid recipients, including rides to and from Medicaid medical appointments, personal mileage reimbursement, and trip-related meals and lodging. For example, these counties arranged the rides with transportation providers, submitted the claims or had providers submit claims for reimbursement to the Department, and passed on reimbursements to providers as needed. For the remaining nine counties, the Department contracted with IntelliRide to serve as the NEMT broker for services in those areas. From July 1, 2020, to August 31, 2021, when the Department contracted with IntelliRide to be the statewide broker, most recipients throughout the state scheduled NEMT rides by contacting IntelliRide through its call center, website chat function, or smartphone applications. IntelliRide scheduled rides and assigned transportation providers to them, and had providers upload trip information into IntelliRide?s EcoLane transportation scheduling system. EcoLane maintains information related to recipients? requests for rides and provider trip information, such as the trip date and time, names of the recipient and driver, and scheduled pick-up and destination addresses. IntelliRide submitted claims through the Department?s interChange system (interChange) requesting payments for providers? NEMT services, paid providers for their services, and received reimbursement from the Department. In addition, the Department paid NEMT claims submitted directly by NEMT providers. In Fiscal Year 2021, from July 1, 2020, through February 28, 2021 (the audit period), the Department paid 362,110 claims for NEMT services totaling about $33.2 million, as shown in the following table. In September 2021, the Department plans to transition back to IntelliRide brokering services in nine counties, while the NEMT providers in the remaining counties will broker their own services. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote What audit work was performed and how were the results measured? The purpose of the audit work was to determine whether the Department has ensured that NEMT claims adhere to the following federal and state requirements. ? NEMT trips were to be brokered through, and all claims submitted by, the statewide broker, Intelliride. According to state regulations and the Department?s NEMT Billing Manual, all NEMT trips during Fiscal Year 2021 had to be authorized by the statewide broker, IntelliRide [10 CCR 2505-10 8.014.7.A]. This means that each recipient?s NEMT ride request should have been sent to IntelliRide for approval or authorization before the trip, and any unauthorized trips should ?not be reimbursed or paid? [Billing Manual]. According to the Department, it allowed NEMT providers time to transition to working with IntelliRide because some providers were reluctant to join the statewide brokerage and the Department needed time to onboard providers. By Fall 2020, most providers should have been working with IntelliRide to schedule NEMT rides. The Department told us that six NEMT providers received its express permission to bypass IntelliRide to schedule rides and submit claims directly to the Department because the providers are unique, such as only serving recipients with disabilities or receiving federal grant funding to provide NEMT. To assess whether IntelliRide brokered most NEMT services in the State and submitted the related claims in line with regulations and its contract, we reviewed the Department?s aggregate data for the 128,998 NEMT claims paid from December 2020 through February 2021. ? The Department must pay claims based on accurate service rates and trip mileage. Non-taxi NEMT services, such as wheelchair and mobility vehicle services, have base rates and mileage rates set by the Department. IntelliRide tracks the mileage of each NEMT trip in EcoLane and submits mileage claims to the Department?s interChange system. The Public Utilities Commission (PUC) sets the rate for each permitted taxi provider, which generally includes a rate for the first trip mile and a different rate for each additional mile. According to the Department?s NEMT Billing Manual and NEMT Rate Schedule for Fiscal Year 2021, taxi claims should have been paid at the rate set by the PUC. For example, if a taxi company?s PUC rate was $4 for the first mile and $2 for each additional mile, the Department should have paid $6 for a two-mile NEMT trip claim. To verify that the Department paid NEMT claims based on the correct trip mileage and rates, we reviewed the trip mileage and rates for 362,110 NEMT claims paid from July 2020 through February 2021, and PUC documentation on the taxi rates for permitted taxi companies. ? Claims must be supported with accurate and complete documentation confirming the service provided. Both IntelliRide and providers that submit claims for NEMT services must keep and be able to furnish accurate, complete supporting documentation for all claims [42 USC 1396a(27), 42 CFR ?? 431.17 and 433.32, and 10 CCR 2505-10 8.014.3.C and 8.014.6.B]. For example, a claim must be supported by medical documentation showing that the type of vehicle was needed to transport the recipient, and documentation from the transportation provider showing the trip occurred and when the recipient was picked-up and dropped-off. IntelliRide should only submit a claim to the Department after IntelliRide confirms the trip has been completed and marks the status complete in EcoLane [IntelliRide Policies and Procedures]. If an NEMT provider does not show up for a trip, IntelliRide should mark the trip as ?cancelled? in EcoLane. Payments for Medicaid claims that lack supporting documentation for the services provided are unallowable, meaning they should not be paid. IntelliRide or the Department must maintain documentation from recipients? medical providers showing why certain NEMT services, like transportation in a wheelchair van or with an escort, are medically necessary [10 CCR 2505-10 8.014.7.B and 8.014.5.D.1; Billing Manual]. To verify that there was support for NEMT claims, we reviewed IntelliRide data in EcoLane for all 362,110 NEMT claims paid from July 2020 through February 2021, and Department documentation for a sample of 85 NEMT paid claims?75 selected randomly from the four NEMT service areas of the state, and 10 that were the highest paid NEMT claims. ? NEMT services must be medically necessary. NEMT services shall only be provided to recipients with no other means to attend medically necessary, non-emergency treatment covered by Medicaid [42 USC 1396a(70); 42 CFR 431.53; 10 CCR 2505-10 8.014.5.B]. To verify that NEMT claims were only paid for recipients to access medical care, we reviewed the Department?s data on paid medical claims to determine if the recipients related to 22 sampled NEMT claims paid in December 2020 had a corresponding medical appointment. For another 61 paid NEMT claims that involved IntelliRide scheduling and submitting claims for trips every day in December for two recipients, we reviewed whether the recipients had paid medical claims corresponding with the trips. ? Prior authorization is required for air ambulance. The Department must grant prior authorization for the use of an NEMT air ambulance before the trip occurs in order for the claim to be paid [10 CCR 2505-10 8.014.7.D.1.b]. To verify that the Department granted prior authorization for air ambulance trips, we reviewed the use of air ambulances in 11 paid claims from July 2020 to February 2021. ? Recipients are to receive the least-costly NEMT transportation option appropriate for their medical condition. For example, recipients should only ride in a vehicle for recipients with mobility needs when they have a mobility issue or if there is a lack of access to public transportation [10 CCR 2505-10 8.014.6.B, 42 USC 1396(a(70), and 42 CFR 440.170(a)(4)]. Higher-cost NEMT services, such as ambulance and wheelchair van services, must be supported with documentation of the recipient?s need for the specific higher-cost services [10 CCR 2505-10 8.014.5.B.1.b]. To determine whether recipients received the least costly NEMT services to meet their needs, we reviewed documentation submitted by medical or transportation providers to IntelliRide or the Department for the 85 sampled NEMT claims. ? Taxi providers must be permitted by the PUC to provide NEMT taxi rides. To provide NEMT rides by taxi and receive payment for them, the provider must maintain a common carrier permit issued by the PUC [10 CCR 2505-10 8.014.3.B.4.a]. To verify that the providers that were paid for taxi claims had been permitted to provide taxi services, we reviewed the 33,791 NEMT claims for taxi services from July 2020 to February 2021. What problems were identified? The Department paid $3.5 million directly to 66 NEMT providers for claims that were not brokered by Intelliride. From December 2020 through February 2021, 26,890 of the approximately 129,000 NEMT claims paid by the Department (21 percent), totaling about $3.5 million, were not brokered through IntelliRide, which violated state regulations requiring all NEMT services to be brokered through the statewide brokerage in effect at the time. The following chart shows the amounts the Department paid for claims submitted directly by NEMT providers compared to its payments for claims submitted by IntelliRide from July 2020 through February 2021. During these months, the number of claims that providers submitted directly to the Department decreased as providers transitioned to working with IntelliRide to broker NEMT rides; however, as of February 2021, the Department was still paying about $1 million in monthly claims that were submitted directly by providers. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote The Department paid 36,910 NEMT claims totaling $5.5 million, which either violated or may have violated federal and/or state regulations. The claims were for unallowable services or were overpaid, and resulted in $291,597 in known questioned costs and $5,180,962 in likely questioned costs for Medicaid. A questioned cost is a payment that ?resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds? or ?the costs, at the time of the audit, [that] are not supported by adequate documentation?? [2 CFR 200.84]. A known questioned cost reflects a violation that the auditor confirmed; a likely questioned cost is the auditor?s best estimate of a potential violation [2 CFR 200.516(a)(3)]. Known and likely questioned costs should be investigated by the Department and recovered, as appropriate, because Medicaid overpayments are recoverable regardless of whether they occurred due to an error by the Department, entity acting on behalf of the Department, or a provider [Section 25.5-4-301(2), C.R.S.]. We found the following problems resulting in $291,597 in known questioned costs: ? Claims paid with no support that services were provided. For 3,958 of the 362,110 NEMT claims (1 percent), which totaled $258,115 paid from July 2020 to February 2021, IntelliRide or providers submitted the claims without any documentation showing that recipients received the NEMT services from the providers listed in the claim. The $258,115 is known questioned costs and includes: o 3,323 claims totaling $163,985 submitted by IntelliRide with no documentation in EcoLane of a ride being scheduled or provided. o 619 claims totaling $61,431 submitted by IntelliRide for which EcoLane showed the scheduled ride was cancelled. o 16 sampled claims totaling $32,699 submitted by providers directly to the Department had no documentation that an NEMT service occurred because the providers did not send the Department documentation for their claims. Upon our request, the Department attempted to obtain supporting documentation from providers for these claims but was unable to obtain any. ? Overpayments due to incorrect mileage and taxi rates. For 466 of the 321,099 mileage and taxi claims (less than 1 percent), the Department overpaid IntelliRide. Specifically, for 50 of the 287,308 mileage claims (less than 1 percent), the mileage submitted by IntelliRide that the Department paid was more than the ride mileage that IntelliRide documented in EcoLane. For 416 of the 33,791 (1 percent) claims submitted by IntelliRide on behalf of providers that were permitted to operate as taxis, the Department paid a higher rate than the providers? set PUC rate. The following table breaks out the overpayments that we identified, which totaled $6,759 in known questioned costs. We did not find issues with the rate amounts that the Department paid for non-mileage and non-taxi services. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Examples of these overpayments include: o An overpayment of $48 for a claim submitted by IntelliRide for a taxi provider that billed the wrong taxi rate. The Department paid $60 for a 4-mile trip, when it should have paid $12 based on the PUC rate of $3 per mile. o An overpayment of $79 for a claim submitted by IntelliRide on behalf of a provider because the claim showed the trip was 76 miles, but the EcoLane data showed the trip was 38 miles. The Department paid $157, when it should have paid $78. ? Unallowable rides, not for medical appointments. For 61 claims showing NEMT trips every day in December 2020 for two recipients, there were no medical claims corresponding to their trips, so it appears that either NEMT was used repeatedly to transport these recipients to unallowable destinations or the provider did not provide the trips claimed. The NEMT provider reported to IntelliRide that these trips were completed even though the recipients did not attend any medical appointments that month. IntelliRide submitted the 61 NEMT claims and its EcoLane data showed that the NEMT providers self-reported that the trips were completed. However, IntelliRide confirmed that these trips were not used to access medical care. The issues we identified resulted in $2,674 of known questioned costs. ? Air ambulance claims paid without prior authorization. None of the 11 air ambulance NEMT claims had supporting documentation that the provider requested or received prior authorization from the Department before the trip occurred. These 11 claims to three providers resulted in $23,122 in known questioned costs. ? Claims paid for trips that were not the least costly, medically necessary, and/or for approved escorts. For seven of the 85 sampled claims (8 percent), IntelliRide submitted the claims without having required documentation from medical providers. Specifically, four claims lacked documentation to support the medical necessity for the type of vehicle used (either mobility vehicle, taxi, or wheelchair van); the other three claims lacked documentation of the recipient?s need for an escort to support the associated cost, which indicates that the three sampled NEMT trips were provided to an escort ineligible to ride with the recipient. The issues we identified for the seven claims resulted in $927 of known questioned costs. In addition, we found the following problems resulting in $5,180,962 in likely questioned costs, which are estimated potential violations of federal requirements that we could not confirm due to a lack of documentation: ? $4.8 million paid for taxi claims without mileage. For 29,049 taxi claims totaling $4,763,071, the Department paid the claims without ensuring taxi providers were paid at their PUC per-mile rate. These claims were submitted directly to the Department by 10 permitted taxi providers. The Department required providers to submit claims showing only the number of one-way trips driven, not the number of miles driven. As a result, the Department could not ensure that these taxi claims were paid at the correct PUC rates, as required in its Billing Manual and Rate Schedule. The Department paid the full amount that each taxi provider requested, as long as the claim was not more than $1,000 per one-way trip. For example, the Department paid $4,000 to one taxi provider for a claim showing four one-way trips for a recipient on a single day. Based on the claim amount, the taxi provider would have had to have driven the recipient on four 400-mile, one-way trips that day to justify this amount, because the taxi provider?s PUC rate is $4 for the first mile and $2.50 for each additional mile. Since the Department did not obtain the miles driven for each one-way trip from taxi providers for these 29,049 claims, we could not determine whether the payments were accurate based on each provider?s PUC rate, as required. ? $409,575 paid for taxi claims for providers not permitted as taxis. For 3,284 NEMT claims for taxi services from eight providers, the providers were not permitted by the PUC to operate as taxis. For example, one provider was paid for an NEMT taxi claim for $5,875 for 12 trips, or $490 per trip. Since these providers were not permitted as taxis, they did not have PUC-set taxi rates, so we could not determine how much these providers should have been paid. ? $4,718 paid for trips that may not have been to attend medical services. As of April 2021, 13 of the 22 sampled NEMT claims (59 percent) for trips in December 2020 had no medical claims for dates corresponding to the NEMT trips. Department staff told us that Medicaid medical claims are typically submitted and paid within 3 months of the date of service, but that there is a possibility that medical providers had not yet submitted medical claims for the recipients since federal regulations technically allow providers up to 12 months to submit claims [42 CFR 447.45(d)(1)]. In addition, six of these 13 recipients had both Medicaid and other types of medical insurance, such as Medicare. According to the Department, it is possible that the six recipients used NEMT trips to access medical services but the Department did not have a Medicaid claim for the services because they were paid by the other types of insurance, which is allowed by state regulations [10 CCR 2505-10 8.014.5.B.2]. Therefore, we could not determine whether the NEMT trips associated with the 13 claims had been for recipients to attend medical services. ? $3,598 paid for trips that may not have been completed. For 61 of the 362,110 paid claims (less than 1 percent), the scheduled trips were not marked as complete in EcoLane, so we could not determine whether they had been completed. Why did these problems occur? The Department lacks effective internal controls over NEMT claims to ensure they are appropriate and consistently comply with federal and state requirements. According to federal regulations [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls to provide reasonable assurance that federal funds are spent in compliance with federal requirements. We identified the following areas where Department controls are lacking for NEMT claims: Lack of Department information technology (IT) Controls in interChange ? No IT controls to prevent providers from bypassing broker. From December 2020 through February 2021, the Department paid NEMT providers directly for unsupported NEMT trips because the Department did not have IT controls in interChange to deny claims for trips that were not brokered through IntelliRide, as required at the time. As of September 1, 2021, the Department plans to require only the NEMT providers operating in nine metro-Denver counties to broker trips through IntelliRide, so the Department needs IT controls to ensure providers in these counties work with IntelliRide to schedule all trips and submit related claims. ? Lack of IT and other controls to ensure proper payments for NEMT taxi services. InterChange is programmed to pay each NEMT taxi claim based on one-way trips, but the Department has not implemented an IT or other control to ensure that NEMT taxi claims are paid at the providers? current PUC-approved per-mile rates, and that the Department only pays taxi rates when the provider is permitted by the PUC to operate as a taxi. Department staff stated that the only IT control the Department has built into interChange to help ensure proper payment of taxi claims is limiting payments for taxi claims to no more than $1,000 per one-way trip, and that this control is in accordance with the NEMT Billing Manual and Rate Schedule. However, Department staff also acknowledged that there is a conflict within the Billing Manual that requires taxi claims to be based on the number of one-way trips, but also paid based on per-mile PUC rates. By setting the limit based only on the number of one-way trips instead of providers? PUC per-mile rate, this Department IT control is not effective at ensuring taxi claims are paid properly. To ensure accurate payments for NEMT taxi claims, the Department will need methods, such as IT controls in interChange, and clarification in the Billing Manual and Rate Schedule, to ensure taxi providers are paid based on set rates, and ensure each taxi provider is permitted. ? No IT controls to ensure required prior authorizations. Air ambulance services were paid without the Department?s prior authorization for the services because the Department does not have IT controls to ensure prior authorization before payment. If the Department does not implement IT controls to ensure appropriate prior authorizations of NEMT services, the Department will need to develop manual processes to ensure that NEMT services receive required authorization prior to paying the related claims. Lack of Department Monitoring of NEMT Services and Claims ? Insufficient methods to ensure appropriate payment and collect necessary documentation from providers that bypass the statewide brokerage. Although the Department reviewed NEMT provider supporting documentation for NEMT services in 2019, the Department did not do so in 2020 or 2021, and had no process to require the providers that bypassed the statewide brokerage to submit documentation to support their NEMT claims before they were paid. According to the Department, in September 2021, it plans to require providers in nine counties covered by the IntelliRide brokerage contract to provide and submit claims through IntelliRide; however, NEMT providers in the remaining 55 counties will be submitting NEMT claims directly to the Department. Therefore, it is important that the Department develop a process to ensure that providers in these 55 counties maintain required documentation for each claim. ? Lack of monitoring to ensure Intelliride submits accurate mileage claims and collects necessary documentation. The Department does not conduct reviews of IntelliRide?s documentation in EcoLane to ensure it submits claims for accurate mileage and maintains support for claims submitted to or paid by the Department. For example, the Department does not reconcile its NEMT claims data from interChange and IntelliRide?s EcoLane system data to ensure each claim is supported. Furthermore, the Department has never completed a file review of IntelliRide?s supporting documentation for NEMT claims, such as when the Department contracted with IntelliRide to be a regional broker prior to becoming the statewide broker. ? No method to ensure NEMT service claims are for rides for medical treatment and the least costly. The Department does not conduct any reconciliation of its interChange data on NEMT trip claims to its interChange data on Medicaid medical claims to ensure NEMT claims are only paid for recipients to access medical care. The Department also does not require confirmation from medical providers that recipients used NEMT to access necessary medical care. For example, NEMT providers told us that before the start of the IntelliRide statewide brokerage contract, they either called medical providers to confirm that the recipients? NEMT trips were to access medical appointments or collected medical providers? signatures for each NEMT trip. In addition, the Department has no controls to ensure providers that submit claims directly to the Department are providing the least costly NEMT service appropriate to each recipient, such as public transportation when it is accessible and appropriate. For example, IntelliRide instructs its staff to attempt to schedule the lowest-cost NEMT service based on recipients? mobility needs and access to public transportation; however, the Department has no such method to ensure services are the least costly when NEMT providers schedule services for recipients. As of September 2021, the Department plans to have the recipients who live in the 55 counties not served by IntelliRide begin scheduling their rides directly with the NEMT providers of their choosing, yet the Department has not developed a method to ensure recipients in these areas receive the lowest-cost services appropriate for their needs. ? Potentially insufficient Department staffing to monitor NEMT claims effectively. For Fiscal Year 2021, the Department was appropriated three full-time equivalent (FTE) staff to oversee NEMT claims; however, the Department had two vacancies in these positions from July 2020 through May 2021 that it did not fill, so there was only one Department staff overseeing NEMT and the IntelliRide statewide contract during the audit time period. In June 2021, the Department added an additional FTE staff member to assist in administering the NEMT benefit. Why do these problems matter? Likely federal recovery of funds used for improper payments. Section 25.5-4-301(2), C.R.S., states that any overpayments of claims to providers are recoverable and ?are recoverable regardless of whether the overpayment is the result of an error by the state department? an entity acting on behalf of [the department], or the provider or any agent of the provider.? Our audit identified $291,597 in known questioned costs, of which about $145,797 is the federal portion of funds that the federal government may recover. We also identified $5,180,962 in likely questioned costs, of which $2,590,480 is the federal portion of funds that could be recovered if the payments are determined to have not been appropriate. The following table shows the questioned costs and federal portions for each problem we identified. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote When providers bypass broker controls, service quality is not monitored. When the Department allows some NEMT providers to bypass the IntelliRide broker, and does not obtain documentation to support their claims, the Department is unable to monitor the services of these providers. Additionally, when the Department does not monitor providers that bypass the statewide broker, the Department is applying different and possibly inadequate standards for the providers that bypass compared to the providers that work with IntelliRide. Although the Department plans for IntelliRide to no longer be the statewide NEMT broker for all 64 counties beginning September 2021, IntelliRide will continue to administer NEMT trips for nine Front Range counties that account for the majority of NEMT trips. It is important that all NEMT trips in these counties be brokered through IntelliRide so that the Department can monitor the quality of the trips and IntelliRide?s oversight of them. Risk of fraud, waste, and abuse. When the Department pays NEMT claims that are not supported by documentation of the service, medical documentation showing NEMT was for medical treatment, or the required prior authorizations, there is a significant risk of misappropriation of federal and state funds by providers and/or recipients. In addition, the eight providers not permitted as taxis that submitted taxi claims appear to have set their own rates of payment at a significantly higher rate, since the PUC did not permit or set rates for these providers. While we did not identify confirmed fraud by recipients or providers due to a lack of supporting documentation for claims, the problems identified demonstrate waste of public funds and potential abuse of the Medicaid program. When the Department overpays Medicaid funds and pays for unallowable services, there are fewer funds available to service the recipients who need them. In addition, there is no federal or state limit on payments for NEMT services, so it is important that the Department ensure Medicaid recipients receive appropriate transportation to medical treatment, while also ensuring the Department is acting as a good steward of federal and state funds. See Schedule of Findings and Questioned Costs for chart/table Character Limit Exceeded See Statewide Single Audit Report
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-056 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-044 PROVIDER ELIGIBILITY Medicaid and CBHP cover a variety of medical and related services, which are provided by provider types such as clinics and hospitals, managed care organizations such as health plans or independent physicians, as well as individual medical providers working within these entities or individually. As of June 30, 2019, the Department had enrolled approximately 71,000 entities and individuals for providing services under Medicaid and CBHP. The Department is ultimately responsible for determining if providers are eligible to participate in Medicaid and CBHP. However, the Department has contracted with a fiscal agent, currently DXC Technology Services, LLC (DXC), to act on its behalf in determining Medicaid and CBHP provider eligibility. A fiscal agent is a contractor that performs certain provider enrollment and claims processing activities, including accepting, processing, evaluating, and approving or rejecting applications. The fiscal agent also assesses the providers into one of three risk categories?limited, moderate, and high?to ensure that appropriate federal and state regulations are applied during the provider enrollment process. Providers that want to enroll must complete an application within Colorado interChange and provide documentation, including a current business and/or medical license, showing that they fulfill all enrollment requirements. Once the enrollment process is complete, the Department enters into agreements with the providers that are found to be eligible. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over Medicaid and CBHP provider eligibility and enrollment processing, and to determine whether the Department complied with federal Medicaid and CBHP provider eligibility requirements during Fiscal Year 2019. Additionally, the purpose of our work was to determine the Department?s progress in implementing our Fiscal Year 2017 and 2018 recommendations related to provider eligibility and enrollment. At that time, we recommended that the Department improve its controls over Medicaid and CBHP provider eligibility determination and enrollment to ensure that it complies with federal and state requirements related to data verification, documentation including current provider licenses, monitoring policies and procedures, appropriate indication of results of database matches, and consistent display of provider information within Colorado interChange. The Department agreed with our recommendations and stated that it would implement them by Fiscal Year 2019. We reviewed a sample of 25 Medicaid provider applications for individual, company, and managed care providers that were deemed eligible and received payments during Fiscal Year 2019 through Colorado interChange for services provided. We obtained and reviewed the provider application information entered into Colorado interChange, as well as the supporting documentation uploaded into Colorado interChange by providers, to determine whether these providers were accurately deemed eligible to receive Medicaid payments and whether the required documents were present in accordance with federal and state regulations. In addition, we conducted interviews with Department staff regarding its procedures over Medicaid provider eligibility and enrollment. We also obtained a detailed Suspension Listing from the Department of Regulatory Agencies, which contained health care provider business and medical licenses that were terminated during Fiscal Year 2019. We compared the Suspension Listing with provider information in Colorado interChange to determine if the Department made inappropriate claims payments to unlicensed providers during the fiscal year. Because CBHP is operated through Medicaid, and the processes followed for provider eligibility and enrollment for CBHP providers are the same as the processes for Medicaid providers, our testing looked at compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal and state Medicaid regulations for provider eligibility during Fiscal Year 2019. Specifically, although we did not identify enrollment issues with the Department?s processing of providers who were newly enrolled during Fiscal Year 2019, we found at least one issue related to ongoing eligibility with all 25 sampled providers we tested: ? DATABASE MATCHES AND DISPLAY OF PROVIDER INFORMATION. We identified the following database match functionality issues with 24 of 25 providers (96 percent) tested: ? For 23 of 25 providers (92 percent) that included individual, company, and managed care providers, Colorado interChange showed that the provider?s owners, agents, and managing employees? SSNs were not verified against federal databases, as required. Specifically, the SSN check box within Colorado interChange indicated ?N,? meaning ?No verification was performed with the database.? Additionally, for one of 25 providers (4 percent) that was a managed care organization, the organization was enrolled in Colorado interChange in April 2019 and showed that the SSNs had been verified, but SSNs for two individuals who worked under this provider that were listed on the application were shown as ?N? within the system. ? For eight of 25 providers (32 percent) that included companies, Colorado interChange showed that the providers? Federal Employee Identification Numbers (FEIN) were not verified against federal and state databases, as required. Specifically, the FEIN check box within Colorado interChange indicated ?N.? ? For 13 of 25 providers (52 percent), Colorado interChange did not present the data of owners, agents, and managing employees information consistently between various screens within Colorado interChange. For example, when a provider noted owners, agents, or managing employees on its application, that information was not reflected in Colorado interChange outside of the application screen even though there is a section in Colorado interChange that should list the owners? information. According to federal regulation [42 CFR 455.436] and requirements established by the ACA [Patient Protection and Affordable Care Act (2010), Section 6401(a)], the Department must check federal databases to confirm providers? identity and determine whether providers are excluded from participating in the Medicaid program; this verification must also occur, if applicable, against providers? owners, agents, and managing employees. For example, the Department must check the federal exclusion databases at least monthly to ensure that the providers, owners, agents, and managing employees are not excluded from participating in the Medicaid program. Colorado interChange is designed to display provider application information consistently between various screens within the system, such as name, SSN, FEIN, and/or National Provider Identification number (NPI), with various federal and/or state databases to identify potential errors and to flag the application for a required caseworker manual review. According to Department staff, when Colorado interChange successfully verifies provider-provided information against another state or federal database, Colorado interChange should separately mark each verified data field on the application to note the successful match. Conversely, if Colorado interChange does not match a given field against a database, it should also be identified in the system. As a result of these issues, we were unable to determine if Colorado interChange performed the required matches and if any discrepancies in provided information were identified and presented to DXC, the fiscal agent, for a manual review to verify eligibility, as required. ? DOCUMENTATION. The Department did not maintain sufficient documentation within Colorado interChange for the receipt date of the fingerprints from the provider, the collection of application fees, and site visits, as follows: ? For four of 25 providers (16 percent) tested, the Department?s fiscal agent failed to fill in the receipt date field within Colorado interChange to indicate when fingerprints were received from enrolling providers. After bringing this issue to the Department?s attention, the Department provided fingerprinting documentation in November 2019 to support that these providers submitted fingerprints within 30 days of Department request in accordance with federal regulation; however, that receipt date information had not been documented in Colorado interChange as of November 2019. ? For one of 25 providers (4 percent) tested, the provider was assessed as high risk but the provider?s file did not contain evidence that an application fee was collected or that the fiscal agent conducted a site visit, as required. Under federal requirements [Sub Regulatory Guidance for State Medicaid Agencies (SMA): Revalidation (2016-001(3))], the Department ?must be able to produce documentation to support each of the provider screening and enrollment requirements,? such as requirements for fiscal agent-conducted site visits of moderate and high risk providers during the enrollment and revalidation process. Federal regulation [42 CFR 455.432] states that the State Medicaid Agency or their fiscal agent must conduct pre- and post-enrollment site visits of providers who are deemed as moderate or high risk to the Medicaid program. The purpose of the site visits is to verify that the information submitted to the state Medicaid agency is accurate and to determine compliance with federal and state enrollment requirements. Additionally, the Department?s contract with DXC requires the fiscal agent to maintain detailed documentation and procedures for Medicaid provider enrollment. Federal regulation [42 CFR 455.434] requires that, for any provider assessed by the Department as high risk, the Department must obtain fingerprints from the provider, including fingerprints for any person(s) who has a 5 percent or more direct or indirect ownership interest in the provider and furnishes medical or pharmaceutical services or supplies. The provider must submit the fingerprints within 30 days, upon request by the Department. Federal regulation [42 CFR 455.460(a)] states that the Department must collect the applicable application fee prior to executing a provider agreement from a prospective or re-enrolling provider, with certain limited exceptions. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal control over its federal awards that provides reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Green Book Paragraph 16.01, Perform Monitoring Activities, which states that the Department ?should establish and operate monitoring activities to monitor [its] internal control system and evaluate the results.? Monitoring activities include reviewing reports, observing operations, and ensuring that activities are carried out in accordance with the federal grant agreement. ? INELIGIBLE PROVIDERS: Based on our review of the suspended license listing from the Department of Regulatory Agencies, we identified three providers that had their licenses suspended during part of Fiscal Year 2019 but continued to be shown as active in Colorado interChange, as follows: ? One provider had its license suspended between February 11, 2019, and March 27, 2019; however, during this timeframe, the provider continued to bill claims and receive payments from Colorado interChange. After we questioned the Department about the issue, the Department issued a demand for payment letter dated October 18, 2019, to the provider for $15,061 in payments that were inappropriately paid. We consider these $15,061 payments to be known questioned costs; $7,531 of these payments were made with federal grant funds. ? Two providers had suspended licenses as of September 21, 2018, and February 25, 2019, respectively, but showed as active in Colorado interChange through June 30, 2019, and therefore appeared eligible to bill claims and receive payments. Based on additional testing, we determined that no payments were made to these providers after their licenses were suspended and did not identify any questioned costs associated with these two providers. Federal regulation [42 CFR 455.412] requires that the Department must have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State and confirm that the provider?s license has not expired and that there are no current limitations on the provider?s license. This federal regulation requires the Department to verify that the providers meet required licensure standards initially, and it is best practice for the Department to verify that the providers meet these standards on an ongoing basis to ensure that there are no current limitations on the provider?s license. In addition, state regulation [10 CCR 2505-10 8.125.9, Verification of Provider Licenses] states, ?If a provider is required to possess a license or certification in order to provide services or supplies in the State of Colorado, then that provider must be so licensed as a condition of enrollment as a Medicaid provider. As a condition of enrollment, any required licenses must be active without any current limitations.? Under the federal regulation, Requirements for Estimating Improper Payments in Medicaid and CHIP [42 CFR 431.958], ?Improper payment means any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements; and payment means any payment to a provider, insurer, or managed care organization for a Medicaid or CHIP beneficiary?? WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls in place over provider eligibility and claims payment processes related to the monitoring of DXC, its fiscal agent, during Fiscal Year 2019 to ensure that it complied with federal and state regulations. Specifically, Colorado interChange required fixes that were in various stages of correction during Fiscal Year 2019. According to the Department, Colorado interChange required a system fix in December 2018 in order to properly mark and/or display results related to federal and state database checks going forward; however, the system fix did not completely resolve the display issues to accurately indicate whether the data matches had occurred, and the Department did not retroactively make corrections to any cases that erroneously indicated that their information had not been verified. Rather, the Department stated that the inconsistent display issue related to providers that enrolled in the program when Colorado interChange was initially implemented and that this will be addressed after these providers are revalidated in Fiscal Year 2020 or when a provider updates their information, whichever occurs first. Additionally, the Department indicated that Colorado interChange did not have an automated system alert to check with the Department of Regulatory Agencies? license database on a regular basis to notify the fiscal agent and/or the Department that a license had expired. Although the Department reported that they had an interim manual process to ensure that expired licenses were identified and that subsequent steps were taken to ensure that providers remained eligible throughout the fiscal year to provide Medicaid services, the manual process did not identify and/or address the instances that we identified through our audit. Finally, we noted that the Department lacked an effective monitoring process over DXC, its fiscal agent, to ensure that the required documentation was maintained in accordance with Uniform Guidance, as the monitoring policies and procedures referred to as Provider Enrollment Audit Process were still in the draft stage during Fiscal Year 2019 and had not been formalized. WHY DO THESE PROBLEMS MATTER? By not ensuring that appropriate internal controls, including system controls and monitoring, are in place over the Medicaid provider eligibility and enrollment processes, the Department cannot ensure that all Medicaid providers are eligible or qualified to participate in the program. Additionally, without instituting a process to regularly update provider licensure information and to ensure that provider information contained in Colorado interChange is consistent and accurate, the Department cannot ensure that the enrolled providers are appropriately screened and are eligible to receive payments. Ensuring that providers contained in Colorado interChange are qualified to provide services is especially important because Colorado interChange is also used for provider eligibility determination for CBHP. Overall, the State could risk losing federal Medicaid and CBHP funding if it allows non-qualified providers to bill and be paid for services provided for these programs. RECOMMENDATION 2019-046 The Department of Health Care Policy and Financing (Department) should improve its controls over Medicaid and Children?s Basic Health Plan (CBHP) program provider eligibility determination and enrollment to ensure that it complies with federal and state requirements by: A Working with its fiscal agent to ensure that Colorado interChange performs all required database matches and properly displays results of Social Security Number and Federal Employer Identification Number verifications for all providers. B Establishing an effective process to ensure that provider licensing information contained in Colorado interChange is current, that any expired licenses are identified, and that any ineligible providers are disallowed from providing Medicaid and CBHP services and receiving payments in accordance with Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). C Formalizing the Department?s monitoring policies and procedures called Provider Enrollment Audit Process over the fiscal agent to ensure required documentation is maintained in accordance with Uniform Guidance. D Ensuring that Colorado interChange displays provider information consistently throughout the system. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department is working with its Fiscal Agent to ensure all required database screenings are performed and clearly identified in the Colorado interChange. An issue was identified in a prior year, FY 2018-19, that not all screening information was consistent. There was also a concern that initial screenings might miss some individuals due to the way data was formatted when transferred from LexisNexis. The issue was resolved by the Fiscal Agent prior to FY 2019-20. The Fiscal Agent is continuing to conduct manual reviews of all screening results to ensure compliance. A separate process to screen providers monthly is executed by the Department's Program Integrity Section. Through this process, no providers were found to have been enrolled incorrectly and, as necessary, the Department took appropriate action if there were changes to a provider's information. The Department is working with its Fiscal Agent to properly display results of Social Security Number and Federal Employer Identification Number verifications for all providers and automate the review process. The Department's implementation date reflects that the Department will complete the improvements and be in compliance with the Recommendation for the entirety of FY 2022-23. B DISAGREE. The Department finds that the Colorado interChange is working as designed, that the Fiscal Agent is appropriately enrolling providers, and that the Department is in compliance with the federal regulations regarding enrolling and revalidating providers. The Department is compliant with 42 CFR ? 455.436, which requires providers to be screened at enrollment and revalidation. All providers are assessed for eligibility requirements at enrollment and revalidation and are then screened monthly to identify any changes. For the licensing issue identified in this audit report, the Department performed the appropriate actions to recover funds within less than a month of the incident, which is compliant with federal regulation 42 CFR ? 455.436(c)(2). AUDITOR?S ADDENDUM: As noted in the finding, we found issues with the Department?s ongoing verification and monitoring of providers? eligibility that failed to prevent improper payments to an ineligible provider during the fiscal year. In addition, the Department did not send notification to recover funds from the provider until October 2019, or 8 months after the provider?s license was suspended. C AGREE. IMPLEMENTATION DATE: JULY 2020. The Department finalized the Fiscal Agent monitoring policies and procedures in December 2019 and therefore was unable to be in full compliance for the entire FY 2019-20. The Department's implementation date reflects that the Department will be in compliance with the Recommendation for the entirety of FY 2020-21. D DISAGREE. There was an initial system configuration on some early enrollments that prevented populating the requested information in the visible provider subsystem tabs for the auditor to review. The verification functionality happens within the provider portal and not in the visible provider subsystem tabs that the auditor reviews. However, no functionality or data was lost, the information only appeared and was stored in the provider portal. The Department implemented a solution so that the information will be displayed in the provider subsystem. This change is pending the next update the providers make and the data will be visible in the provider subsystem. The Department will not be making historical changes to the system. The Department has worked with the Fiscal Agent to resolve the issues which led to the finding and does not believe that expending additional resources to display historical information in both the provider portal and the provider subsystem is the best use of resources. The Department can produce the information manually. AUDITOR?S ADDENDUM: The data inconsistency issues we identified through our audit were based on our reviews of Colorado interChange through the access provided to us by the Department. As noted in the finding, inconsistent information within the provider eligibility screens used for Medicaid and CBHP increases the risk of inaccurate reviews of provider eligibility and ultimately, inappropriate enrollment screening. Therefore, as our recommendation states, the Department should ensure that Colorado interChange displays provider information consistently. The recommendation did not include restatement of historical information.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-048 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-035 MEDICAL ASSISTANCE PAYMENTS FOR DECEASED BENEFICIARIES As a safeguard against potential errors and fraud, state and local agencies need to be vigilant in preventing payments for medical services on behalf of ineligible individuals, such as those who are deceased. In general, the Department, local counties, and MA sites share responsibility for ensuring that only eligible beneficiaries receive public assistance benefits under Medicaid and CBHP. Local counties and MA sites caseworkers enter the required data for eligibility determination into CBMS, which either approves or denies eligibility for MA benefits. In addition, CBMS has various system interfaces to confirm and update the eligibility information in CBMS, including the date of death. Eligibility data in CBMS feeds daily into Colorado interChange and the Department pays providers through two methods: (1) FFS payments to medical service providers for specific services, including pharmacy prescriptions, and (2) capitation payments. The monthly capitation payments are paid at the beginning of each month regardless of whether the providers serve beneficiaries during the month or not. FFS payments are only made for Medicaid beneficiaries while capitation payments are made for both Medicaid and CBHP beneficiaries. Colorado interChange is programmed to pay FFS and monthly capitation payments only on behalf of beneficiaries that are deemed eligible based on eligibility information received from CBMS and requirements specified in federal and state regulations. CBMS receives beneficiary death information through various sources, including updates from beneficiaries? family members, daily interfaces with the SSA, and a monthly interface with the Colorado Electronic Death Registration System maintained by the Colorado Department of Public Health and Environment (CDPHE). If death information received in CBMS has not been verified, the Department will confirm the death information by sending notification letters to the deceased beneficiary. Once the death information is verified, CBMS is programmed to terminate the beneficiary?s eligibility as of the date of death. On a daily basis, CBMS then sends updated beneficiary eligibility and date of death information to Colorado interChange, which is programmed to run a daily automated process to stop payments, check for payments, and recover all FFS and capitation payments made after the beneficiary?s verified date of death. In the majority of cases, there is a delay between when the beneficiary dies and when the Department receives death information, verifies the date of death, and terminates benefits; which means that claims may be paid on behalf of deceased beneficiaries for a period of time. Per federal regulations, the Department is required to recover any payments made on behalf of these beneficiaries after their date of death. Once the Department receives verified death information, overpayments are recovered through an automated process in Colorado interChange. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over Medicaid and CBHP payments related to beneficiaries who die while receiving benefits, to determine whether the Department complied with applicable federal and state requirements, and whether payments were only made on behalf of eligible beneficiaries during Fiscal Year 2020. During our audit, we received a listing of all Coloradans who died during Fiscal Year 2020, including dates of death, from CDPHE staff. We also obtained a listing from the Department of all Medicaid and CBHP payments made to providers during Fiscal Year 2020. We compared the two listings using Social Security Numbers (SSN) and identified 1,059 Medicaid and CBHP IDs that had Medicaid payments totaling $429,951 made on their behalf and $194 in CBHP payments made on their behalf. In addition, we reviewed the Department?s processes, policies, and procedures for identifying, stopping, and recovering payments for deceased beneficiaries. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? Federal regulation [42 CFR 431 Subpart Q, Requirements for Estimating Improper Payments in Medicaid and CHIP] states that any payment to an ineligible beneficiary is considered an improper payment, which is any payment that should not have been made or that was made in an incorrect amount. Also, Section 25.5-4-301(2), C.R.S., requirements for Medicaid and CBHP, states that any overpayments of claims to providers are recoverable. These overpayments ?are recoverable regardless of whether the overpayment is the result of an error by the state department, a county department of human or social services, an entity acting on behalf of either department, or by the provider or any agent of the provider.?? Additionally, Section 25.5-4-301(2)(a)(II), C.R.S., states, ?If the state department makes a determination that such overpayment has been made for some other reason than a false representation by the provider?, the state department may waive the recovery or adjustment of all or part of the overpayment and accrued interest specified in this subparagraph (II) if it would be inequitable, uncollectible or administratively impracticable?.? Because medically necessary services cannot be provided after a beneficiary?s death, no medical services are allowable after a beneficiary?s death and, accordingly, payments for medical services claimed to have been provided after a beneficiary?s death are overpayments and should be recovered. Pursuant to 1903(d)(2)(C) of the Social Security Act [42 U.S.C. 1396b] requirements for Medicaid and CBHP, states have up to 1 year from the date of discovery of any overpayment to recover or attempt to recover the overpayment before the federal share must be refunded to CMS, regardless of whether or not recovery is made from the provider. According to federal regulation [45 CFR 75.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. Green Book, Paragraph 16.01, states that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. A questioned cost, as defined in Uniform Guidance [45 CFR 75.2], is ?a cost that is questioned by the auditor ? (1) Which resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds; [or] (2) Where the costs, at the time of the audit, are not supported by adequate documentation?.? Additionally, federal regulation [45 CFR 75.516] defines known questioned costs as questioned costs that are specifically identified by the auditor and likely questioned costs as the auditor?s best estimate of total questioned costs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We found that the Department made Medicaid and CBHP payments to providers for medical services claimed to have been rendered to Medicaid and CBHP beneficiaries after the months in which beneficiaries died. Specifically, the Department made payments on behalf of 1,059 beneficiaries after their date of death provided by CDPHE, resulting in overpayments of $185,265, of which $96,952 were paid with federal grant funds, as follows: MEDICAID FFS PAYMENTS. We identified 277 Medicaid beneficiaries whose SSN matched a death record from CDPHE and who had Medicaid FFS payments totaling $207,667 paid on their behalf to providers after their date of death. We reviewed payments for 21 of the 277 Medicaid beneficiaries and confirmed with the Department that 17 of the 21 beneficiaries (81 percent) were deceased and had payments made on their behalf after their date of death during Fiscal Year 2020. We also found that the Department had not recovered these improper FFS payments to ineligible beneficiaries as of the end of Fiscal Year 2020 and, therefore, these errors resulted in known questioned costs of $17,041, of which $8,654 was paid with federal grant funds. For the remaining four Medicaid beneficiaries, the Department researched and provided evidence that the beneficiaries were not deceased. Therefore, these four beneficiaries did not result in questioned costs. The remaining 256 beneficiaries whose SSN matched a death record from CDPHE and need to be researched and verified resulted in likely questioned costs of $77,840, of which $41,422 was paid with federal grant funds. MEDICAID AND CBHP CAPITATION PAYMENTS. We identified 846 Medicaid and CBHP beneficiaries whose SSN matched a death record from CDPHE and who had capitation payments paid on their behalf to providers after their date of death that had not been recovered as of the end of Fiscal Year 2020, totaling $222,630 for Medicaid and $194 for CBHP. We informed the Department of the issues we identified and provided them with the list of 846 beneficiaries. Department staff performed additional follow-up and confirmed that Colorado interChange had received verified death records for 747 of the 846 beneficiaries and a total of $170,747 in provider payments had been made on the beneficiaries? behalf after their dates of death during Fiscal Year 2020. These payments resulted in known questioned costs of $168,224, of which $88,150 was paid with Medicaid federal grant funds and $148 was paid with CBHP federal grant funds. For 12 out of the 747 beneficiaries, the date of death reported in Colorado interChange differed from the date of death provided by CDPHE. Part of the payments to these beneficiaries resulted in likely questioned costs of $2,524, of which $1,401 was paid with Medicaid federal grant funds. For the remaining 99 of the 846 beneficiaries, the Department reported that Colorado interChange did not have death information for these beneficiaries and had not researched these further. As a result, Medicaid payments for these 99 beneficiaries are reported as likely questioned costs of $52,076, of which $28,508 was paid with federal grant funds. The following table summarizes the issues we identified. See Schedule of Findings and Questioned Costs for chart/table. WHY DID THESE PROBLEMS OCCUR? Overall, the Department lacked sufficient internal controls to ensure that medical assistance payments were not paid to deceased individuals during Fiscal Year 2020, as follows: ? LACK OF WRITTEN POLICIES AND PROCEDURES. The Department does not have written policies and procedures to monitor payments to deceased beneficiaries, to recover overpayments, and to ensure compliance with federal and state regulations related to medical assistance payments after a beneficiary?s date of death. ? SYSTEM ISSUES. We identified the following Colorado interChange system issues that caused the errors we identified: ? According to the Department, when Colorado interChange was implemented in 2017, it was programmed to only recover capitation payments in the current month and previous 2 months for Medicaid beneficiaries, and in the current month and previous 5 months for CBHP beneficiaries, after death information is received. As a result, for instances in which the Department received and verified beneficiaries? death information more than 3 months after the date of death for Medicaid and more than 6 months after the date of death for CBHP, the Department was not automatically recovering all improper capitation payments in accordance with federal and state regulations. According to the Department, in November 2020, the Department updated Colorado interChange to correct this system issue to recover all capitation payments after a beneficiary?s date of death. ? The Department lacks an effective internal control process for detecting when Colorado interChange is not recovering payments made on behalf of deceased beneficiaries. Specifically, we identified issues related to Medicaid FFS payments and followed up with the Department. Upon further review, the Department discovered a system defect that occurred from October 23, 2019, through April 23, 2020, which prevented Colorado interChange from carrying out the daily automated check and recovery process for FFS payments made on behalf of deceased beneficiaries. Due to this system defect, Colorado interChange did not recover any payments for deceased beneficiaries during this time. Although the system defect was fixed in April 2020, the Department was not aware of the issue and that payments were not being recovered for deceased beneficiaries until the Department researched the beneficiaries identified through the audit. According to the Department staff, as of May 2021, the Department was still researching the deceased beneficiaries impacted by the system defect and recovering payments. WHY DO THESE PROBLEMS MATTER? Without strong internal controls over Medicaid and CBHP eligibility, the Department increases the risk of improper payments due to fraud or error. Furthermore, making payments on behalf of ineligible individuals, including individuals who are deceased, can result in the Department having to repay the federal government for the federal portion of the overpayments. Additionally, the federal government can disallow federal funds for program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-035 The Department of Health Care Policy and Financing should improve its internal controls over Medicaid and Children?s Basic Health Plan (CBHP) payments for deceased beneficiaries by: A Establishing and implementing written policies and procedures to monitor payments to deceased beneficiaries, recover any overpayments, and to ensure compliance with state and federal regulations. B Researching and resolving the Colorado interChange system (Colorado interChange) issues to ensure that all Medicaid and CBHP payments are stopped and recovered after a beneficiary?s date of death and developing a process to detect when Colorado interChange is not recovering payments on behalf of deceased beneficiaries. C Researching and recovering any overpayments made to providers on behalf of ineligible beneficiaries noted through the audit in accordance with state requirements. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will create written procedures documenting system and monitoring processes used to prevent claims from paying after a beneficiary?s date-of-death is verified. In addition, the procedures will document the processes used to recover payments made between a beneficiary?s verified date-of-death and the date the Colorado interChange system is updated with the date-of-death. B AGREE. IMPLEMENTATION DATE: JULY 2022. The system issues described in this audit were resolved as of April 2020 for fee-for-service claims and November 2020 for capitation payments. Once a beneficiary's date-of-death is verified, payments that were made after to the date-of-death will be recovered through the Department's existing processes. As noted in the Department?s response to Recommendation (A), the Department will create written procedures documenting system and monitoring processes used to prevent claims from paying after a beneficiary?s date-of-death is verified. In addition, the procedures will document the processes used to recover payments made between a beneficiary?s verified date-of-death and the date the Colorado interChange system is updated with the date-of-death. AUDITOR?S ADDENDUM As noted in the finding, the Colorado interChange system defect did not recover payments from October 23, 2019, through April 23, 2020. However, the Department was not aware of the system defect until it researched the beneficiaries identified through the audit. According to Department staff, as of May 2021, the Department was still researching the beneficiaries that were impacted by the system defect and recovering payments. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will recover any overpayments made to providers on behalf of deceased beneficiaries once a beneficiary's date-of-death is verified based on our current processes and existing system functionality. The Department does not agree to the questioned costs identified by the auditors. When performing a review of the auditor?s data, several beneficiaries were found not to be deceased by the Department. The records provided by the auditors, like all records received from Colorado Department of Public Health and Environment (CDPHE) and the Social Security Administration (SSA), will go through the Department?s existing verification process. The Department performs the required research and outreach to beneficiaries to verify the date-of-death prior to updating the information in the Colorado interChange. In addition, the Department is not required to recover payments by the end of the state fiscal year, and reports any payments recovered to the Centers for Medicare and Medicaid Service (CMS) based on federal requirements. The Department?s source of beneficiary data, the verification processes, and recovery processes have already been established to satisfy this recommendation within federal guidelines. AUDITOR?S ADDENDUM As noted in the finding, all known questioned were for deceased beneficiaries that were verified by the Department. All likely questioned costs were for beneficiaries that had yet to be researched and verified by the Department. According to Department staff, as of May 2021, the Department was still researching and recovering payments made on behalf of deceased beneficiaries.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-050 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-037 RECOVERING AND REFUNDING OF FEDERAL SHARE OF MEDICAID AND CBHP PROVIDERS? OVERPAYMENTS The Department pays providers for services rendered to eligible beneficiaries of Medicaid and CBHP programs. In some cases, the Department may discover that it paid a provider for unallowed services, or that it paid more than the allowable amount, and will need to seek a recovery for the overpayment. In such cases, the Department is required to repay CMS for the portion of the overpayment that was funded by the federal government (federal share) within 1 year of the date the overpayment was identified. The Department?s Program Integrity (PI) Division identifies, receives, and tracks overpayments made to Medicaid and CBHP providers. An overpayment is identified once the PI Division sends a Demand Letter (date of discovery) to the provider or receives a self-disclosure identifying the amount of overpayment. The provider has a deadline of 30 days after receiving a Demand Letter or 60 days after submitting a self-disclosure to submit the overpayment or make arrangements for a payment plan with the PI Division. The PI Division uses a recovery tracking spreadsheet (Spreadsheet) to compile all necessary information for the recovery and refund of overpayments. The Spreadsheet is designed to contain information such as the amount of the overpayment, date of discovery, and deadlines for refunding to CMS. The federal share of overpayments that must be refunded to CMS depends upon the Federal Medical Assistance Percentage (FMAP) at which the Department was reimbursed. Once the PI Division recovers an overpayment from the provider, it determines the FMAP and includes it in a recovery form called the Colorado Authorization Document; PI Division staff then send it to the Controller?s Division for recording the recovery and refund information in the Colorado Operations Resource Engine (CORE), the State?s accounting system. The Department?s Controller?s Division uses summary data from CORE to report financial information for Medicaid and CBHP?including all overpayments and the associated federal share?to CMS in quarterly reports: Form CMS-64 for Medicaid and Form CMS-21 for CBHP. The Department has up to 1 year from the date of discovery of an overpayment to report the refund to CMS in one of these forms, as appropriate. The PI Division works with the Controller?s Division to ensure the timely reporting and refunding of the federal share of overpayments to CMS. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to review the Department?s internal controls over processes for recovering, reporting, and refunding the federal share of Medicaid and CBHP overpayments, as well as to determine whether the Department complied with applicable federal requirements and Department policies and procedures during Fiscal Year 2020. During our audit, we reviewed the Department?s Spreadsheet detailing all overpayment cases that appeared to be due for a refund of federal share to CMS during Fiscal Year 2020. The Spreadsheet included 50 Medicaid and seven CBHP overpayment cases, and from these, we selected and tested a sample of 13 Medicaid and five CBHP overpayments. We requested and reviewed supporting documentation for these overpayments to determine whether (1) the information recorded in the Spreadsheet was accurate, (2) the overpayment was recovered in a timely manner or recovery was attempted within 1 year from the date of discovery, and (3) the federal share was appropriately refunded through quarterly reports to CMS in accordance with federal regulations. Additionally, we requested the Department?s policies and procedures to ensure compliance with federal regulations governing the recovery, reporting, and refunding of Medicaid and CBHP overpayments to CMS. The process followed for recovery, reporting, and refunding the federal share of overpayments to providers is the same for both Medicaid and CBHP, and our testing was used to determine compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal regulations for recovering, reporting, and refunding the federal share of Medicaid and CBHP overpayments to providers during Fiscal Year 2020. We noted issues with the untimely recovery and refund of overpayments to CMS, inaccurate federal reporting to CMS, and untimely follow-up with the provider on outstanding overpayments and expired checks. Specifically, we identified the following: ? UNTIMELY RECOVERY AND REFUND. For six of the 13 Medicaid (46 percent) and two of five CBHP (40 percent) overpayments tested, the Department failed to recover, or seek to recover, the overpayments from the provider and failed to refund to CMS, the federal share, within 1 year of the date of discovery, as required by federal regulations. For example, an overpayment was identified on September 13, 2018, but the Department did not recover, or seek to recover, the overpayment until September 15, 2020, and did not refund the federal share to CMS until federal quarter ending September 30, 2020, which is 367 days past the 1 year recovery and refund period in accordance with the federal requirement. In addition, for one of the 13 Medicaid (8 percent) and one of five CBHP (20 percent) overpayments tested, the Department failed to refund the federal share of overpayment to CMS within 1 year of the date of discovery. As a result of untimely follow-up with the providers, the Department did not recover the overpayments amounting to $23,646 in known questioned costs; and did not refund $12,176 within the 1 year period of discovery. These errors resulted in underreporting of overpayments to CMS for Fiscal Year 2020. Additionally, the Department could be liable to CMS for the interest payments on these untimely refunds of overpayments. As of the end of our audit, the Department had not provided an estimated amount of interest that will be due to CMS so we were unable to report an estimated questioned costs amount for the interest. According to federal regulation [42 CFR 433.312(a)(1) and (2)], the Department has 1 year from the date of discovery of an overpayment to a provider to recover or seek to recover the overpayment before the Federal share must be refunded to CMS. In addition, the Department must refund the Federal share of overpayments at the end of the 1-year period following the date discovery of overpayment, whether or not the State has recovered the overpayment from the provider. According to federal regulation [42 CFR 433.320(a)(4)], if the Department does not refund the Federal share of such overpayment as indicated in the previous paragraph (a)(2), the State will be liable for interest on the amount equal to the Federal share of the non-recovered, non-refunded overpayment amount. Interest during this period will be at the Current Value of Funds Rate, and will accrue beginning on the day after the end of the 1-year period following discovery until the last day of the quarter for which the State submits a CMS-64 report refunding the Federal share of the overpayment. ? INACCURATE FEDERAL REPORTING. For all 13 Medicaid (100 percent) and all five CBHP (100 percent) overpayments we tested, the Controller?s Division reported the federal share of the overpayments made to providers on the wrong line of the CMS quarterly reports rather than on the line specified and required by Uniform Guidance. Uniform Guidance states that the Department must report the refund of the overpayment on CMS-64 for Medicaid on line 9C1- Fraud, Waste and Abuse and/or on CMS-21 for CBHP on line 4-Adjustments Decreasing Claims-Collections. ? EXPIRED CHECK AND UNTIMELY FOLLOW-UP. For one of the 13 Medicaid overpayments tested (8 percent), the PI Division failed to timely process the overpayment recovery check received from the provider. Consequently, the check, which was received on September 5, 2019, expired and the Department did not take any actions to follow up with the provider at any time through the end of the fiscal year to obtain payment. After we brought this issue to the Department?s attention, they followed up on the outstanding payment in January 2021, which is more than 16 months since the check expired. According to the Department?s Policies and Procedures, Recovery Officer Check Processing, Section (V)(A), the PI Division within Audits and Compliance has to process the received check in a timely manner and provide a copy to the accounting or Controller Division. ? INCOMPLETE TRACKING SPREADSHEET. We found that the overpayment recovery and refund tracking Spreadsheet used by the PI Division was incomplete and missing important information such as the date of the discovery, the federal program reimbursement rate, and deadlines for refunding to CMS. Green Book, Section 4, Paragraph OV4.08, states that documentation is required for the effective design, implementation, and operating effectiveness of an entity?s internal control system. WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls, including policies and procedures, in place over the recovery, reporting, and refunding of Medicaid and CBHP overpayments during Fiscal Year 2020 to ensure compliance with federal regulations. Specifically, we noted the following causes for the identified errors: ? LACK OF TRAINING. The staff within the PI Division and the Controller?s Division lacked adequate training to document, communicate, and report details of overpayments to ensure compliance with federal regulations. Specifically, the Department?s PI Division did not timely create and provide the Colorado Authorization Document form to the Controller?s Division and the Controller?s Division did not report the refund of the overpayments within 1 year of the date of discovery to ensure compliance with federal regulations. Additionally, staff lacked training to properly track and report overpayments for Medicaid and CBHP; timely process recovery and refund of overpayments, processing checks timely, and correctly report overpayments on CMS quarterly reports. ? LACK OF POLICIES AND PROCEDURES. The Department lacked written policies and procedures to ensure that all necessary information such as the date of the discovery, the federal program reimbursement rate, and deadlines for refunding to CMS required to track, recover, report, and refund overpayments were documented within the Spreadsheet. ? LACK OF ACCOUNT CODES. According to the Controller Division staff, the correct accounting codes are not set up in CORE; therefore, the recovered overpayments are currently recorded under incorrect accounting codes in CORE. This led to the reporting of overpayments on the incorrect federal reporting lines in CMS quarterly reports. ? LACK OF SUPERVISORY REVIEW. The PI Division and Controller?s Division lacked supervisory review over the Spreadsheet and CORE account codes used on the recoveries to ensure completeness and accuracy of information to support timely recovery, refund, and reporting of overpayments. WHY DO THESE PROBLEMS MATTER? Strong internal controls over refunding and recovery of Medicaid and CBHP overpayments, including written policies and procedures; adequate staff training on those policies and procedures, and any related processes; a proper tracking mechanism; and a supervisory review process are necessary to ensure that Department is in compliance with federal and state regulations. Without a proper tracking mechanism for overpayments, the Department risks failing to timely recover state funds paid improperly, refund overpayments, and accurately report overpayment information to the federal government, potentially resulting in additional liability of interest on overpayments to the federal government. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-037 The Department of Health Care Policy and Financing (Department) should improve its internal controls over Medicaid and Children?s Basic Health Plan (CBHP) overpayments and comply with the related payment and reporting requirements by: A Providing adequate training to staff to ensure timely documentation and communication of recovery information between the Program Integrity Division and the Controller Division related to reporting and refunding of overpayments within 1 year of the date of discovery in accordance with federal regulation. Additionally, the training should focus on proper tracking and reporting of overpayments for Medicaid and CBHP, timely processing of recovery of overpayments, timely check processing, and correct refunding of the federal share of these overpayments on Centers for Medicare and Medicaid Services (CMS) quarterly reports. B Developing and implementing written policies and procedures to ensure that all necessary information required to correctly track Medicaid and CBHP overpayments is included on the tracking spreadsheet and recovered overpayments are refunded and reported to CMS within the 1 year of the discovery date, in accordance with federal regulations. C Creating overpayment account codes to report recovered overpayments accurately in the Colorado Operations Resource Engine (CORE) and subsequently under the correct federal reporting lines in CMS quarterly reports. D Implementing a supervisory review over the tracking spreadsheet and CORE overpayment recovery account codes to ensure completeness and accuracy of information to support timely recovery and reporting of overpayments by the divisions. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will develop and provide training to staff that covers the federal regulations surrounding reporting overpayments and returning the federal share, required information for tracking overpayments, processes for processing recovered funds in a timely manner, and processes for properly refunding the federal share on the CMS-64 and/or CMS-21. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will draft and revise existing policies and procedures to ensure proper tracking of recovered overpayments, timely processing of those payments, and correct reporting on the CMS-64 and/or CMS-21. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will implement procedures and coding sufficient to allow proper reporting of overpayments returned greater than one year from the date of discovery for the CMS quarterly reports. D AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will develop and revise supervisory review processes for ensuring that the tracking spreadsheet is complete and accurate and that the CORE account codes are correctly reported.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2020-051 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-038 PRESUMPTIVE ELIGIBILITY Colorado?s presumptive eligibility program is designed to give immediate, temporary medical coverage to children under 19 and pregnant women while they wait for a regular Medicaid or CBHP eligibility determination. Though there are fewer eligibility requirements for presumptive eligibility in comparison with regular Medicaid or CBHP coverage, beneficiaries must submit a Medical Assistance application (Application) and meet certain criteria to be eligible. To manage the application process and help ensure that only people meeting the basic eligibility criteria are enrolled in presumptive eligibility programs for children and pregnant women, the Department partners with clinics, health care centers, and community resource centers that are certified as presumptive eligibility sites (PE sites). Such PE sites must be re-certified by the Department every 2 years to maintain their active status as qualified PE sites in order to process presumptive eligibility. As part of the re-certification process, the Department conducts a sample of eligibility case reviews. During Fiscal Year 2020, there were 57 PE sites that together determined presumptive eligibility for 1,795 Medicaid cases and 875 CBHP cases. The process of enrolling an applicant into a presumptive eligibility program begins when a caseworker at a PE site collects minimum information needed to determine presumptive eligibility, including the applicant?s name, age, residency, citizenship, and income. The caseworker enters this information into CBMS, which determines whether the applicant is eligible to receive Medicaid or CBHP temporary benefits. If the applicant is deemed presumptively eligible, then CBMS feeds relevant data to Colorado interChange, which issues payments to CBHP and Medicaid providers on behalf of these beneficiaries. If the applicant?s reported information is not in compliance with state and federal requirements, CBMS is programmed to deny the eligibility and mark the applicant?s eligibility as fail within CBMS. As a result, the applicant would not be eligible to receive any payments on their behalf through Colorado interChange. Once an applicant?s presumptive eligibility has been determined, the PE site submits the Application along with a transmittal form detailing the beneficiary?s reported information to the appropriate local county or designated MA site, which then completes the application process to determine regular (i.e., not presumptive) eligibility for Medicaid or CBHP benefits. Once the applicant is enrolled in the regular Medicaid or CBHP program, the individual?s presumptive eligibility benefits should end. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to review the Department?s internal controls over the processing of presumptive eligibility for Medicaid and CBHP programs, as well as to determine whether the Department complied with the applicable federal and state requirements for Fiscal Year 2020. During our internal controls testing, we reviewed all 57 PE sites to determine whether they were due for re-certification and were appropriately re-certified to process presumptive eligibility by the Department during the fiscal year. Out of 57 PE sites, 39 were due for re-certification during Fiscal Year 2020. We also reviewed the Department?s case reviews of the presumptive eligibility determinations processed by 13 staff at five out of the 39 PE sites due for re-certification during Fiscal Year 2020 to determine whether reviews were performed and if the appropriate training was provided for those PE sites? staff that failed the Department?s review. The PE site?s staff fails the Department?s case reviews if the Department identifies a high amount of presumptive eligibility determination errors in accordance with federal and state requirements. If the PE site?s staff fails the review, the Department requires the staff to undergo customized Department training over the areas they failed within 6 months of the review. We also made inquiries with Department staff regarding their policies and procedures over monitoring of these PE sites and reviewed the Department?s process of case file reviews. In addition, we randomly selected a sample of 20 Medicaid and 20 CBHP cases for individuals who were deemed presumptively eligible by the Department during Fiscal Year 2020 to determine whether the Department complied with federal Medicaid and CBHP presumptive eligibility requirements. Our testing included reviewing the related supporting case file documentation, as well as the CBMS data fields related to presumptive eligibility determinations and payment information in Colorado interChange. The process followed for presumptive eligibility determination is the same for both Medicaid and CBHP, and therefore our testing was used to determine compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal and state regulations regarding Medicaid and CBHP presumptive eligibility requirements during Fiscal Year 2020. We noted issues regarding the Department?s timeliness of PE sites? re-certifications, failure to timely end beneficiaries? presumptive eligibility, a lack of review of PE sites, and missing documentation. Additionally, we found CBMS system issues related to the determination of applicant?s presumptive eligibility. Specifically, we identified the following: ? UNTIMELY END OF PRESUMPTIVE ELIGIBILITY. In eight out of 20 Medicaid (40 percent) and seven out of 20 CBHP (35 percent) cases, we found that the Department did not properly end presumptive eligibility within CBMS as required by the federal regulation. For example, in one CBHP case, the beneficiary?s presumptive eligibility did not end until 57 days after the beneficiary was determined to be eligible for regular CBHP benefits. Federal regulation [42 CFR 435.1101)] states that presumptive eligibility should end the day on which a decision is made on the application for Medical Assistance or the last day of the month following the month in which the determination of presumptive eligibility was made. ? LAPSED CERTIFICATIONS OF PE SITES. We found that five of the 57 PE sites (9 percent) were not re-certified within 2 years, as required, during Fiscal Year 2020, and therefore, were not qualified to make presumptive eligibility determinations after their re-certification due date had passed. Based on inquiry with the Department, these five PE sites processed a total of 314 presumptive eligibility determinations for Medicaid and CBHP after their re-certification due date during Fiscal Year 2020. The Department was unable to provide the total payments made on behalf of these beneficiaries during the presumptive eligibility period as of June 30, 2020, since these payments are not separately identified from regular Medicaid or CBHP payments in the system. As a result, we were unable to determine the amount of questioned costs the Department paid for these individuals during Fiscal Year 2020. State regulation [10 CCR 2505-10, 8.100.4.F (3)] requires the Department to re-certify the PE sites every 2 years to remain an approved site. ? LACK OF REVIEW OF PE SITES. We found several issues with the Department?s review of PE sites. Specifically we found the following: ? For 13 out of the 39 PE sites due for re-certification and a review (33 percent), the Department did not perform any case reviews to ensure that presumptive eligibility determinations were being made appropriately and in accordance with state and federal regulations by the PE site staff during Fiscal Year 2020. ? 11 of 13 staff at three PE sites (85 percent) failed the Department?s review of presumptive eligibility determinations during the fiscal year. However, the Department was unable to provide adequate evidence that it provided training to these staff within 6 months of their failed reviews, as required by Department processes. ? Currently, for all 57 PE sites, the Department conducts reviews every 2 years, but only requires them to retain eligibility documentation for 1 year. As a result, the Department is able to monitor PE site?s eligibility determinations for only half of the period since the last review, leaving the other half unmonitored. Federal regulation (42 CFR 435.1102(b)(3)) requires the Department to ?establish oversight mechanisms to ensure that presumptive eligibility determinations are being made consistent with the statute and regulations?. According to the Department processes, staff are to review a sample of presumptive eligibility cases at PE site every 2 years when reviewing sites for re-certification. If a PE site?s staff fails a review, the Department requires the staff to undergo customized Department training within 6 months over the areas they failed. Green Book, Section 2, Paragraph OV2.02, states that the Green Book applies to all of an entity?s objectives: operations, reporting, and compliance. Additionally, Green Book, Paragraph 16.01, indicates that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports and observing operations. ? MISSING DOCUMENTATION. In five of the 20 CBHP cases (25 percent) and five of the 20 Medicaid cases (25 percent) we tested, the Department was unable to provide evidence that the PE sites notified the counties or MA sites within five business days that the applicants were presumptively eligible. Federal regulation [42 CFR 435.1102(b)(2)(iii)] states that the presumptive eligibility sites are required to notify the local county or MA site within 5 business days that the client is presumptively eligible. ? SYSTEM DISPLAY ISSUE. In two of 20 CBHP cases (10 percent) and two of 20 Medicaid cases (10 percent), CBMS did not display the presumptive eligibility termination dates consistently between various screens. For example, in a Medicaid case, one screen showed a presumptive eligibility termination date of January 22, 2020, and the other screen showed a presumptive eligibility termination date of February 29, 2020. This system display issue did not affect the beneficiaries? presumptive eligibility and therefore there were no questioned costs. CBMS is designed to display case and applicant information consistently between various screens within the system. WHY DID THESE PROBLEMS OCCUR? The Department lacked sufficient internal controls to ensure that it complied with state and federal presumptive eligibility requirements during Fiscal Year 2020. Specifically, we noted the following causes for the errors we identified: ? LACK OF POLICIES AND PROCEDURES. The Department did not have written policies and procedures detailing the requirements for completion of site reviews, maintenance of supporting documentation, and the performance of timely re-certification of PE sites. ? LACK OF MONITORING. The Department lacked an effective tracking mechanism to monitor and identify PE sites that were due for re-certification every 2 years and to ensure presumptive eligibility determinations were in compliance with state and federal regulations. ? CBMS SYSTEM ISSUES. CBMS was not programmed to appropriately terminate presumptive eligibility when the beneficiary is enrolled in the regular Medicaid or CBHP program. In addition, CBMS has a system display issue that results in inconsistent applicant information being shown on various screens. WHY DO THESE PROBLEMS MATTER? As the State?s Medical Assistance agency, it is essential for the Department to ensure that PE sites? eligibility determinations are made appropriately and in accordance with state and federal regulations. This includes ensuring benefits are paid only on behalf of eligible beneficiaries. Since CBMS determines eligibility for Medicaid and CBHP, the CBMS system issues we identified could result in erroneous eligibility determinations. The federal government can disallow federal funds for program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. By not ensuring that appropriate internal controls, including system controls, written policies and procedures, adequate reviews, and monitoring, are in place over the Medicaid and CBHP presumptive eligibility process, the Department cannot ensure that all Medicaid and CBHP beneficiaries are eligible to participate in the programs. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-038 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls over presumptive eligibility by: A Developing and implementing written policies and procedures detailing the requirements for completion of site reviews, maintenance of supporting documentation, timely training for failed presumptive eligibility (PE) site staff, and performance of timely re-certification of PE sites. B Developing an effective tracking mechanism to identify and monitor PE sites that are due for re-certification every 2 years and ensuring the re-certifications are performed. C Resolving Colorado Benefits Management Systems (CBMS) programming and system issues to appropriately terminate applicants? presumptive eligibility when the beneficiaries are enrolled in regular Medicaid or Children?s Basic Health Plan program and ensuring CBMS displays consistent applicant information between various screens. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department agrees with the audit recommendation to develop and implement formal written policies and procedures. Prior to this audit, the Department began creating formal written policies and procedures for site case reviews, maintenance of supporting documentation, timely training for failed workers, and performance of timely re-certification of presumptive eligibility sites (PE site). This finding had no known questionable cost associated with it. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Department agrees with the audit recommendation to develop an effective tracking mechanism to identify and monitor PE sites that are due for re-certification every two years and ensuring that the re-certifications are performed. Prior to this audit, the Department began developing a tracking mechanism for PE site re-certifications. This finding had no known questionable cost associated with it. C AGREE. IMPLEMENTATION DATE: IMPLEMENTED. Implemented as of April 2021. The Department has thoroughly researched the eligibility issues identified in this audit and made the changes to CBMS to ensure that applicants? presumptive eligibility has been appropriately terminated when the beneficiaries are enrolled in regular Medicaid or CBHP program, and that CBMS displays consistent applicant information between various screens. These issues were fixed through two system changes implemented in March 2020 and April 2021. This finding had no known questionable cost associated with it. AUDITOR?S ADDENDUM for Parts A, B, and C As noted in the finding, we found five PE Sites that were not re-certified within the required 2 years and therefore, were not qualified to make presumptive eligibility determinations after their re-certification due date had passed. State regulation [10 CCR 2505-10, 8.100.4.F] requires the Department to re-certify the presumptive eligibility sites every 2 years to remain an approved site. The five PE sites processed a total of 314 presumptive eligibility determinations after their re-certification due date and before the Department re-certified the sites. The Department was unable to provide the total payments made on behalf of these 314 beneficiaries? prior to being enrolled in the regular Medicaid or CBHP program as of June 30, 2020. Therefore, we were unable to determine the amount of questioned costs the Department paid for these individuals during Fiscal Year 2020.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2020-052 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-039 PROVIDER ELIGIBILITY The providers of medical and related services covered under Medicaid and CBHP programs fall into a wide array of provider types that include clinics, hospitals, independent physicians, and medical technicians, as well as managed care organizations and health plans that contract with medical providers. As of June 30, 2020, approximately 76,960 entities and individuals were enrolled with the Department to provide services under Medicaid and CBHP. Although the Department is ultimately responsible for ensuring that only eligible providers participate in the Medicaid and CBHP programs, the Department has contracted with a fiscal agent to perform certain provider-enrollment and claims-processing activities, including accepting, processing, evaluating, and approving or rejecting applications. Providers that want to enroll must complete an online application within Colorado interChange and provide documentation, including a current medical license, showing that they fulfill all enrollment requirements based on their provider type. The fiscal agent is contractually responsible for evaluating the application and the relevant supporting documentation to ensure compliance with all state and federal enrollment requirements. The Department is responsible for maintaining current provider information in Colorado interChange. Once the enrollment process is complete, the Department enters into agreements with the providers that are found to be eligible. In December 2019, the Department added a Department of Regulatory Agencies (DORA) license database interface within Colorado interChange in order to provide a mechanism for updating the provider?s medical license information including the expiration dates within Colorado interChange for any expired provider licenses. Department staff indicated that the provider licenses are manually reviewed at the time of enrollment by the fiscal agent and marked as active, meaning the providers are eligible to participate in the Medicaid and/or CBHP programs. On a monthly basis, the fiscal agent manually runs a report from the DORA database to identify the provider?s medical licenses that are about to expire and updates the renewed license information in Colorado interChange. If a provider?s license is expired, then the fiscal agent marks the provider for a review. Furthermore, the Department?s Program Integrity (PI) Division checks the DORA?s website monthly to determine if any action such as suspensions or revocations of licenses have been taken against a provider?s medical license. If the action taken against the provider affects the provider?s ability to participate in Medicaid or CBHP for a certain period, the PI Division then determines if the provider should be placed on a temporary restriction by suspending any payments, or be terminated within Colorado interChange to stop payments to the provider. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over the enrollment and eligibility determinations of providers for Medicaid and CBHP services and to determine whether the Department complied with federal Medicaid and CBHP provider eligibility requirements during Fiscal Year 2020. Additionally, we assessed the Department?s progress in implementing our Fiscal Year 2019 recommendation related to provider eligibility and enrollment. At that time, we recommended that the Department improve its controls in this area to ensure that it complies with federal and state requirements related to data verification and maintenance of documentation, such as current provider licenses, to ensure payments are only made to eligible providers. We also obtained a detailed Suspension Listing from DORA, which contained provider medical licenses that were suspended during Fiscal Year 2020. We compared this Suspension Listing with provider information within Colorado interChange to determine whether the Department paid any providers with suspended licenses for claims during the fiscal year. We reviewed a sample of 45 provider applications for providers that were deemed eligible and received Medicaid and CBHP payments during Fiscal Year 2020 through Colorado interChange. We obtained and reviewed provider application information and relevant supporting documentation within Colorado interChange to determine whether these providers were accurately deemed eligible to receive Medicaid and CBHP payments and whether the required documents were maintained, in accordance with federal and state regulations. In addition, we conducted interviews with Department staff regarding its procedures over Medicaid and CBHP provider eligibility and enrollment. In March 2020, the Governor issued executive orders waiving Medicaid and CBHP provider licensing requirements for providers whose licenses expired during the COVID-19 PHE; as a result, our testwork was split into two periods of testing: (1) July 1, 2019, through February 29, 2020, and (2) March 1, 2020, through June 30, 2020. The process followed for provider eligibility and enrollment is the same for both Medicaid and CBHP providers, and our testing was used to determine compliance for both programs. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? We applied the following criteria during our testing: ? FEDERAL REGULATION [42 CFR 455.412] requires that the Department have a method for verifying that any provider purporting to be licensed in accordance with the laws of any state is licensed by such state and confirm that the provider?s license has not expired and that there are no current limitations on the provider?s license. This federal regulation requires the Department to verify that the providers meet required licensure standards initially, and it is best practice for the Department to verify that the providers meet these standards on an ongoing basis to ensure that there are no current limitations on the provider?s license. In May 2021, CMS provided clarification to the Department that ?not every condition on a provider?s license would be considered a limitation? and the PI Division within the Department needs to ?document in writing their determination to keep a provider enrolled when a license limitation does not restrict the provider?s ability to render services to Medicaid and CBHP beneficiaries to be in compliance with federal regulation.? ? STATE REGULATIONS [10 CCR 2505-10, 8.125.9 A AND B] require for current medical provider licenses, if a provider is required to possess a license or certification in order to provide services or supplies in the State, then that provider must be so licensed as a condition of enrollment as a Medicaid provider. As a condition of enrollment, any required licenses must be active without any current limitations. ? DEPARTMENT POLICY AND PROCEDURE. Provider Licensure Sanction Monitoring, Section III. A., states that in order for a provider to be eligible to render and bill for services, the provider must have an active license. ? FEDERAL CMS REQUIREMENTS [Sub Regulatory Guidance for State Medicaid Agencies (SMA): Revalidation (2016-001 (3))] state the Department must be able to produce documentation to support each of the provider screening and enrollment requirements under 42 CFR 455 Subpart E, including documentation of the most current license to ensure the provider remains eligible to provide services. ? CONTRACT REQUIREMENTS. According to the contract agreement with the fiscal agent, the fiscal agent is required to maintain detailed documentation to support each of the provider screening and enrollment requirements, including documentation of the provider?s most current license to ensure the provider remains eligible to provide services for Medicaid and CBHP. ? FEDERAL REGULATION [45 CFR 75.303(a)] requires that the Department, as a recipient of federal funds, must establish and maintain effective internal control over its federal awards that provides reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Green Book, Paragraph 16.01, which states that the Department ?should establish and operate monitoring activities to monitor [its] internal control system and evaluate the results.? Monitoring activities include reviewing reports, observing operations, and ensuring that activities are carried out in accordance with the federal grant agreement(s). WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We found that the Department did not fully comply with federal and state regulations for Medicaid and CBHP provider eligibility during Fiscal Year 2020. The specific issues we identified through our analyses of Medicaid and CBHP provider license data and case file reviews are outlined in more detail throughout this section. ELIGIBILITY ISSUES IDENTIFIED THROUGH DATA ANALYSES INELIGIBLE PROVIDERS?SUSPENDED LICENSES OR LICENSE WITH LIMITATIONS. Based on our comparison of the suspended provider license listing from DORA and provider information within Colorado interChange, we identified 13 ineligible providers who had their license suspended or had a license with limitations for part of Fiscal Year 2020, but continued to be shown as active, which means eligible, in Colorado interChange, as follows: ? 13 providers had their licenses suspended by DORA during Fiscal Year 2020; however, instead of terminating these providers in accordance with federal and state regulations, the Department marked these providers as active within Colorado interChange. For four of the 13 providers, the Department did not take any action to prevent them from billing for services during the year. For the remaining nine providers, the Department placed billing restrictions on the providers after DORA?s suspension date. Specifically, for six of these nine providers, the Department placed billing restrictions on the providers within 1 to 2 months and for the remaining three providers, placed the billing restrictions on the providers between 3 to 12 months after DORA?s suspension date. Based on additional testing, we determined that no payments were made to these providers after their licenses were suspended by DORA and therefore, we did not identify any questioned costs associated with these providers. ? One provider had its license listed as active with conditions on DORA?s website from April 10, 2020, through June 30, 2020, but the Department did not terminate the provider due to current limitations on the license; instead, the provider was marked as active in Colorado interChange and continued to bill claims and receive payments during the fiscal year. We determined that the provider?s current license limitations did not restrict the provider?s ability to render services. Therefore, the provider was eligible and no questioned costs were noted. However, the Department did not document their determination to keep this provider enrolled with current license limitations. In addition, we noted that this provider?s license expired in Colorado interChange as of October 2016, however, DORA?s website showed the provider with an active license, or license with limitations, during Fiscal Year 2020. The fiscal agent did not update license information as required by the contract. ELIGIBILITY CASE FILE ISSUES MISSING DOCUMENTATION AND LICENSE INFORMATION. For five of 45 providers (11 percent), the Department did not ensure that the fiscal agent maintained the support of the most current medical license information as of June 30, 2020, within Colorado interChange to demonstrate that the provider was eligible to provide services. After we brought the issue to the Department?s attention, the Department provided the documentation. Additionally, for two of these five providers, we found that the medical license information maintained by the fiscal agent in Colorado interChange differed from the license information contained in the DORA database. For example, in one case, the provider?s license showed an expiration date of September 30, 2019, in Colorado interChange, while the accurate license expiration date in DORA?s database was September 30, 2021. Without the most current license information, the fiscal agent cannot appropriately verify ongoing eligibility for the providers. WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls in place over the provider eligibility process during Fiscal Year 2020 to ensure that it complied with federal and state regulations. ? INEFFECTIVE REVIEW OF PROVIDER LICENSES. The Department lacks an effective review process to ensure the license information in DORA?s database matches the license information in Colorado interChange in order to identify suspended providers, to document their determination to keep a provider enrolled with license limitations, and providers with expired licenses. In addition, the Department?s manual review did not ensure that suspended providers, providers with license limitations and providers with expired licenses were terminated and restricted in a timely manner. ? POLICIES AND PROCEDURES NOT UPDATED. The Department did not obtain CMS guidance until May 2021 to document their determinations to keep providers with license limitations enrolled when a license limitation did not restrict provider?s ability to render services. Therefore, the Department?s current policies and procedures are not updated to match CMS guidance. ? LACK OF EFFECTIVE TRAINING AND MONITORING. The Department was not effectively training and monitoring its fiscal agent to ensure that copies of active medical licenses are maintained within providers? files in Colorado interChange. Additionally, the fiscal agent did not properly update the provider?s license information in Colorado interChange to match the DORA database during Fiscal Year 2020. WHY DO THESE PROBLEMS MATTER? By not ensuring that appropriate internal controls, including policies and procedures, reviews, training, and monitoring, are in place over the Medicaid and CBHP provider eligibility process, the Department cannot ensure that all Medicaid and CBHP providers are eligible to participate in the programs. Additionally, without an effective review process to update provider licensure information within Colorado interChange, the Department cannot ensure that the enrolled providers are eligible to receive payments. Ensuring that providers contained in Colorado interChange are eligible to provide services is especially important to prevent any improper payments. Overall, the State could risk losing federal Medicaid and CBHP funding if it allows ineligible providers to bill and be paid for services provided for these programs. Furthermore, the State may lose federal Medicaid money if the Department does not recover any of the payments made to ineligible providers. State statute [Section 25.5-4-301(2), C.R.S.] indicates that any overpayments of claims to providers are recoverable. These overpayments ?shall be recoverable regardless of whether the overpayment is the result of an error by the state department, a county department of social services, an entity acting on behalf of either department, or by the provider or any agent of the provider.? See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-039 The Department of Health Care Policy and Financing (Department) should improve its internal controls over the Medicaid and Children?s Basic Health Plan provider eligibility determination to ensure that it complies with federal and state requirements by: A Improving the Department?s review process of provider licenses to ensure the license information in the Department of Regulatory Agencies (DORA) license database matches the license information in the Colorado interChange system and ensuring timely termination and imposing restrictions for the provider?s whose licenses are suspended or expired. B Updating the current policies and procedures to match Centers for Medicare and Medicaid Services guidance to ensure there is adequate documentation of the determinations for providers with license limitations. C Effectively training and monitoring its fiscal agent to ensure that copies of active licenses are maintained and provider license information in the Colorado interChange system matches the information in DORA?s license database. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will update its policies and procedures to ensure that the process for reviewing whether a license action requires termination or a restriction in the Colorado interChange, is documented and implemented in a timely manner to prevent payments to ineligible providers. As noted in OSA's finding, it is best practice for the Department to verify providers meet these standards on an ongoing basis between initial enrollment and revalidation to ensure there are no current limitations on the provider?s license, including those that have expired. The Department?s previous process was discontinued due to data matching issues between DORA and the Colorado interChange. However, letters continue to be sent to providers with upcoming expiring licenses prompting them to add current license information to their provider file. The Department plans to implement a system change that will make the data feed from DORA functional and install a front-end claims edit that will prevent claims from providers with an expired license from paying. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will update its policies and procedures to ensure that all determinations made on whether a provider has a limitation on its license are properly documented. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department has an established process to train and monitor its fiscal agent. The Department will continue to monitor the Fiscal Agent through reports, meetings, and quarterly audit review processes. The Department and the Fiscal Agent will continue to collaborate to improve the process in which required documentation is collected and maintained.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-054 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-041 MEDICAID ELIGIBILITY?MISSING SOCIAL SECURITY NUMBERS A beneficiary?s application includes information such as a Social Security Number (SSN), birth certificate, and supporting documentation for income. Local counties and MA sites are responsible for administering the benefits application process, entering the required data for eligibility determination into CBMS, and approving or denying applicants? eligibility. For example, Medicaid caseworkers enter and document each applicant?s SSN into CBMS. Caseworkers determine participants? eligibility to receive Medicaid benefits through CBMS. The CBMS eligibility data, including SSNs, feeds into Colorado interChange, which pays providers for the services they render to Medicaid beneficiaries. If there is a change to an SSN, including removing an SSN in CBMS, this change should feed directly into Colorado interChange. Additionally, children in foster care are automatically eligible for Medicaid; the TRAILS system that supports the foster care program at the Department of Human Services also interfaces with Colorado interChange on a daily basis to update foster care beneficiaries? eligibility information and pay providers for the services rendered. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls that were in place over the Medicaid eligibility process during Fiscal Year 2019, and to determine whether the Department complied with federal and state Medicaid requirements during this timeframe. During our audit, we requested a list of all Medicaid claims for medical services that were submitted and paid through Colorado interChange from July 1, 2018, through March 31, 2019. This list included claims made on behalf of approximately 1.1 million beneficiaries. We analyzed the data to identify any Medicaid claims payments made during July 1, 2018, through March 31, 2019, on behalf of beneficiaries who did not have an SSN in Colorado interChange on the date of the claims payment, and found a total of 524,092 claims paid on behalf of 46,772 beneficiaries. From this listing, we excluded any of the claims payments made on behalf of a beneficiary who was exempted from providing an SSN under federal and state regulations. For example, we removed claims payments for beneficiaries who were under the age of 1; beneficiaries who were in foster care and, therefore, were automatically deemed eligible for Medicaid; beneficiaries who had applied to the Social Security Administration for an SSN at the time of the payment; beneficiaries who received medical care as an emergency service; and beneficiaries who had chosen to opt out of providing an SSN due to allowed religious reasons. After we removed these exempted beneficiaries from the population, the list included 2,870 beneficiaries that appeared to be missing an SSN in Colorado interChange and who had Medicaid claims payments made on their behalf from July 1, 2018, through March 31, 2019. We then reviewed these remaining beneficiaries, and the related separate payments made on their behalf during this time period, to determine whether these beneficiaries had an SSN in Colorado interChange at the time of the claims payments and whether the individuals were eligible for Medicaid benefits in accordance with federal regulations and Department procedures. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? SSN REQUIREMENTS. Federal regulations [42 CFR 435.910 and 42 CFR 435.117(b)] state that the Department must require an SSN for each individual requesting Medicaid benefits, with the exception of newborns under the age of 1, or ?Eligible Needy Newborns,? and individuals who refuse ?to obtain an SSN because of well-established religious objections.? Federal regulation [42 CFR 435.145(b)(2)] states that the Department must provide Medicaid benefits to individuals who are in the foster care program. Section 472 of the Social Security Act does not require a child to provide an SSN in order to be eligible for the foster care program. State regulations [10 CCR 2505-10 8.100.3.I.1, 8.100.4.B.1.a, and 8.100.4.G.7.a] also require that every individual who applies for and receives Medicaid benefits must provide an SSN, or an application for an SSN, with their application for Medicaid. The regulation specifically states: An applicant?s or client?s refusal to furnish or apply for a Social Security Number affects the family?s eligibility for assistance as follows: i) that person cannot be determined eligible for the Medical Assistance Program; and/or ii) if the person with no SSN or proof of application for SSN is the only dependent child on whose behalf assistance is requested or received, assistance shall be denied or terminated. The regulation also states that newborns under the age of 1 and ?members of religious groups whose faith will not permit them to obtain Social Security Numbers shall be exempt from providing a Social Security Number.? Eligibility data, including SSNs, is required to be collected and entered into CBMS at the time of application or upon another event, such as the beneficiary turning 1 year old. Because this information is maintained within CBMS, and CBMS feeds eligibility information into Colorado interChange, eligible beneficiaries should have an SSN in Colorado interChange. MONITORING. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in the Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). Green Book Paragraph 16.01, Perform Monitoring Activities, states the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. TRAINING. Department training procedures indicate that when a local county or MA site caseworker needs to update an SSN in CBMS, he or she must call the Office of Information Technology (OIT) Service Desk within the Office of the Governor, for approval of the change. According to Department staff, once the OIT Service Desk reviews and approves the change, the information will be updated within CBMS; if the OIT Service Desk does not approve the change to the SSN, then the updated information will be rejected within CBMS. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We identified 2,870 beneficiaries who were required to have an SSN but did not have an SSN documented in Colorado interChange and had Medicaid claims paid on their behalf sometime between July 1, 2018, and March 31, 2019. In total, Colorado interChange paid approximately $4,540,920 in Medicaid claims for these beneficiaries during the time period noted. In August 2019, we informed the Department of the issues we identified and Department staff performed additional follow-up based on our findings, which included analyzing information contained in CBMS compared to our results from Colorado interchange; the Department confirmed in January 2020, the Department confirmed that 1,590 of these beneficiaries had never had an SSN recorded in CBMS since they were first found eligible for Medicaid benefits, and therefore, would never have had an SSN in Colorado interChange. Because these individuals were required by federal and state regulations to provide an SSN at the time of application or upon another event, as applicable, the lack of documented SSNs in both CBMS and Colorado interChange indicated that these individuals appeared to be ineligible for the Medicaid claims payments that were made on their behalf during the fiscal year. The Department indicated that the remaining 1,280 beneficiaries without an SSN in Colorado interChange did not have an SSN in CBMS at the time of the claim but had an SSN ?at some point? during Fiscal Year 2019 or prior within CBMS. Since the individuals lacked an SSN within Colorado interChange at the time of the Fiscal Year 2019 claims payments, and based on the documentation provided by the Department, we were unable to determine whether the individuals had submitted an SSN at the time of application or upon another event as required and, therefore, whether they were eligible for the Medicaid services they received. Overall, for the 1,590 beneficiaries noted, we identified known questioned costs of $2,285,757 for the period of July 1, 2018, through March 31, 2019; $1,142,879 of these costs were paid with federal grant funds. For the 1,280 beneficiaries noted, we identified likely questioned costs of $2,255,163 for the period of July 1, 2018, through March 31, 2019. We further analyzed 49 of the 1,590 beneficiaries noted above to identify reasons for missing SSNs and found that: ? Beneficiaries in CBMS were not eligible; however, they were marked as ?eligible? within Colorado interChange. ? Beneficiaries were incorrectly enrolled in the Eligible Needy Newborn Program even though they were all over the age of 1; as a result, although the Department had not required them to provide an SSN, they continued to receive benefits during July 1, 2018, through March 31, 2019. ? Beneficiaries were exempted from obtaining an SSN for unallowable reasons including ?incomplete documents? and ?illness? categories, and CBMS processed their eligibility and Colorado interChange made payments on their behalf; however, neither federal nor state regulations allow such exemptions. The Department has indicated that they are performing additional research on the issues regarding the 1,280 beneficiaries that had an SSN ?at some point? during Fiscal Year 2019 or prior within CBMS. WHY DID THESE PROBLEMS OCCUR? For 1,280 beneficiaries identified who were missing an SSN in Colorado interChange and CBMS at the time of the claim, but had an SSN ?at some point? within CBMS during Fiscal Year 2019 or prior, the Department provided the following possible explanation: The SSN was removed due to caseworkers failing to contact the OIT Service Desk for proper approval for changes to SSN information in CBMS. Other problems with missing SSNs were related to: ? CBMS ISSUES. CBMS was not programmed to appropriately deny an applicant?s eligibility for Medicaid when the individual did not have an SSN in CBMS and did not have an allowed exception noted in CBMS. Rather, CBMS allowed the SSN field to be left blank, regardless of the reason noted for the missing SSN and whether the reason was allowed as an exemption by federal and state regulations. In addition, the SSN in CBMS could be deleted at any time by the caseworker or the OIT Service Desk and CBMS was not programmed to alert the caseworker to follow up if an SSN had been deleted from the file. ? SYSTEM INTERFACE ISSUES AND LACK OF A RECONCILIATION PROCESS. CBMS was not interfacing with Colorado interChange appropriately to update beneficiaries? eligibility information. Some beneficiaries who were deemed ?ineligible? for Medicaid in CBMS were listed as ?eligible? in Colorado interChange and payments were made on their behalf during the fiscal year. Furthermore, the Department lacked an effective internal control process for reconciling Medicaid beneficiaries? eligibility information in CBMS to the eligibility information in Colorado interChange to ensure that the information was consistent in both systems, and that the beneficiary was appropriately deemed either ?eligible? or ?ineligible? in accordance with federal and state regulations. ? LACK OF EFFECTIVE REVIEWS, TRAINING, AND MONITORING. The Department was not effectively monitoring and training Medicaid local county and MA site caseworkers on required approvals for any changes to beneficiaries? SSNs. Further, the Department did not have an effective review process to ensure that beneficiaries were enrolled in the correct Medicaid program. WHY DO THESE PROBLEMS MATTER? As the state Medicaid agency, it is essential for the Department to ensure that Medicaid eligibility determinations are made appropriately and in accordance with state and federal regulations. This includes ensuring accurate processing of information used to determine Medicaid eligibility results in Medicaid benefits being provided to and paid on behalf of only eligible individuals. Since CBMS and Colorado interChange determine eligibility and issue payments on behalf of other federal programs, such as the CBHP, these issues could result in erroneous eligibility determinations or payments for other programs. Ultimately, the federal government may disallow federal funds for Medicaid program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2019-043 The Department of Health Care Policy and Financing should improve its internal controls over Medicaid eligibility by: A Researching and, if feasible, instituting a mechanism for identifying Medicaid cases in the Colorado Benefits Management System (CBMS) that lack a Social Security Number. B Researching and resolving CBMS and Colorado interChange interface issues to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries and establishing an effective reconciliation process between CBMS and Colorado interChange to ensure that Medicaid beneficiaries? eligibility information is consistent in both systems. C Effectively training and monitoring local counties and Medical Assistance sites to ensure that caseworkers are obtaining and documenting the Office of Information Technology Service Desk?s approval for changes to beneficiaries? Social Security Numbers, and that beneficiaries are enrolled in the correct Medicaid program. D Researching the cases identified in our audit to determine whether these beneficiaries were eligible and that the payments made on their behalf were appropriate, in accordance with federal and state regulations. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The CBMS currently has functionality in place for members requesting Medical Assistance that they must supply a Social Security Number (SSN) unless they meet certain acceptable exceptions at initial application. Since CBMS is a shared system between the Department and the Department of Human Services and any change would impact all cases in CBMS, the Department cannot guarantee that a system change can be implemented. The Department can agrees to research on the feasibility of instituting a mechanism for identifying Medicaid cases in CBMS that lack a social security number and, if feasible, implement a CBMS change by July 2022. B AGREE. IMPLEMENTATION DATE: JULY 2021. The Department agrees to research and resolve Colorado Benefits Management System (CBMS), and Colorado interChange system interface issues identified in the audit. The Department implemented a system change in June of 2018 that allows retroactive changes in eligibility to be correctly synced between the systems. The majority of the impacted cases are historical cases that will be manually corrected by June 2020. Additional cases involve detailed research, review, and potential outreach to case workers to correct the case file or verify the eligibility status of the impacted members. The Department will take the appropriate actions to notify impacted members if necessary. The Department's implementation date reflects that the Department will be in compliance with the Recommendation for the entirety of FY 2021-22. C AGREE. IMPLEMENTATION DATE: JULY 2021. The Department provides training to counties and Medical Assistance sites that beneficiaries applying for Medical Assistance must supply a Social Security Number (SSN) or supply verification that they have applied for an SSN, unless they meet certain acceptable exceptions. This information has been communicated to the counties since 2004 and is part of our ongoing training materials. The Department cannot agree to establish any additional review process at this time. The Department can agree to work with counties and Medical Assistance sites to identify any additional training related to missing SSN and implement additional training by July 2021. D DISAGREE. The Department disagrees with the Total Known Questioned Costs of $2,285,757 identified in the audit report since Department cannot verify the results. The Department is still attempting to reconcile various reports to understand the finding identified through this audit. CBMS currently has functionality in place for members requesting Medical Assistance that they must supply a Social Security Number (SSN), unless they meet certain acceptable exceptions at initial application. The Department does not have the resources to research the thousands of cases that the auditor identified through data mining techniques, a new methodology for the first time this year. If the auditor is changing methodologies, the Department requires additional resources and timely notice to request resources through the budget process. AUDITOR?S ADDENDUM: The beneficiaries identified through our testing were required by Medicaid regulations to provide an SSN at the time of application or upon another event, as applicable, and the SSN is documented in CBMS and uploaded to Colorado interChange [State regulations 10 CCR 2505-10, 8.100.3.I.1 and 8.100.4.B.1.a and 8.100.4.G.7.a]. Because the noted beneficiaries lacked an SSN within Colorado interChange at the time claims payments were made on their behalf, we questioned the beneficiaries? eligibility. The Department is responsible for ensuring that only individuals who are appropriately deemed eligible for Medicaid receive benefits. Therefore, it is the Department?s responsibility to identify and remove ineligible individuals from the Medicaid program and to prevent the inappropriate payment of claims on their behalf. In addition, generally accepted government auditing standards (GAGAS) (paragraph 3.18), require that ?In all matters relating to the GAGAS engagement, auditors and audit organizations must be independent from an audited entity.? Additionally, paragraph 3.42 states that ?Examples of circumstances that create undue influence threats for an auditor?include (b) [e]xternal interference with the selection or application of engagement procedures or in the selection of transactions to be examined.? Therefore, it is imperative that our decisions related to audit approaches and testing methods be made without department influence or persuasion.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-047 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-034 MEDICAID CONTROLS OVER ELIGIBILITY DETERMINATIONS Individuals and families seeking medical benefits through Medicaid must apply and provide certain information to caseworkers at their local county or an MA site, which collects required documentation for determining the applicants? eligibility. Such documentation includes the applicants? birth certificates, support for income, and the value of resources, such as wage stubs and bank account balances. Caseworkers enter the applicant-provided data into CBMS, which contains system checks for determining the applicants? eligibility to receive Medicaid benefits. These system checks include calculating and verifying income and resources for the applicants, as well as assessing and collecting fees for benefits, such as buy-in premiums. For example, CBMS will mark an applicant?s eligibility as fail if the reported income or resources exceed specific limits that are set by federal and state regulations. The Department is responsible for monitoring the local counties? and MA sites? administration of Medicaid to ensure eligibility is determined in accordance with federal and state regulations. Medicaid applicants may be eligible for retroactive eligibility, which allows new Medicaid applicants to receive coverage for up to 3 months prior to the date of one?s application. As long as the individual meets Medicaid?s eligibility requirements in the 3 months preceding their application, the Department will retroactively pay Medicaid covered expenses that individuals incurred during that timeframe. Without retroactive eligibility, benefits for Medicaid eligible individuals begin on the date the application was received by the local county or MA site. As an example, if an individual has medical expenses in March, applies for Medicaid in June, and the individual has met the eligibility requirements for 3 months preceding their application, then any unpaid Medicaid covered expenses for March, April, and May are paid by Medicaid. Eligibility data from CBMS feeds into the Colorado interChange system (Colorado interChange), which issues payments to Medicaid providers for the services they render to Medicaid beneficiaries. The Department pays Medicaid providers through two methods: (1) directly through fee-for-service (FFS) payments for specific services rendered or (2) indirectly through monthly fixed amounts known as capitation payments that are paid to managed care entities, who contract with providers for services. The monthly capitation payments are paid every month on behalf of beneficiaries regardless of whether the beneficiaries receive medical services during the month. Colorado interChange is programmed to pay the FFS and monthly capitation payments only on behalf of beneficiaries deemed eligible in Colorado interChange based on eligibility information received from CBMS and requirements specified in federal and state rules and regulations. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to review the Department?s internal controls over the Medicaid eligibility determination process, as well as to determine whether the Department complied with applicable federal and state Medicaid eligibility requirements during Fiscal Year 2020. We performed testing on a statistical sample of 125 case files related to beneficiaries who (1) were deemed eligible for Medicaid during Fiscal Year 2020 and (2) had a payment made on their behalf to a Medicaid provider between July 1, 2019, and February 29, 2020. The purpose of our testing was to determine whether the beneficiaries were appropriately determined to be eligible for Medicaid during the time they received services within this period. This audit period was selected to accommodate changes that were made to federal Medicaid eligibility requirements in March 2020 due to the COVID-19 PHE. Our testing involved reviewing Medicaid case files, CBMS data fields, and supporting documentation related to eligibility determinations and redeterminations, as well as Medicaid payment information in Colorado interChange. For each beneficiary, we determined whether the Department ensured that local county and MA site caseworkers obtained and maintained required documents supporting eligibility determinations and redeterminations, and correctly entered eligibility data into CBMS. Additionally, for each sampled beneficiary, we determined whether CBMS showed the correct income and resources, the beneficiary was enrolled in the appropriate Medicaid program, buy-in premiums were assessed, and payments were not made after eligibility had ended during Fiscal Year 2020. We also inquired about the Department?s monitoring procedures over local counties and MA sites to ensure eligibility is determined in accordance with federal and state regulations. Additionally, we reviewed the Department?s progress in implementing our Fiscal Year 2019 audit recommendation related to Medicaid eligibility. Based on the results of that audit, we recommended that the Department strengthen its internal controls over Medicaid by providing adequate training, monitoring the local counties and MA sites, and researching and resolving CBMS system issues identified in our Fiscal Year 2019 audit. STATISTICAL SAMPLING METHODOLOGY We selected a statistical sample of Medicaid beneficiaries for our review of their case files in a manner that?if we found errors?would allow us to estimate the total number of beneficiaries who were improperly deemed eligible, as well as the resulting dollar amount of Medicaid benefit payments that were improperly paid during the audit period of July 1, 2019, through February 29, 2020. We designed our sampling methodology and sample size to support statistical projections of our testing results to the population of all beneficiaries for whom payments were made during the audit period. Our methodology included the following procedures: ? We requested and received from the Department a listing of all Medicaid FFS and capitation payments with a date of service during the audit period. The data set included State identification numbers (ID), which are unique to each beneficiary. ? We summarized all Medicaid payments made during the audit period by ID and removed any IDs for which total payments and adjustments netted to $0, which can happen when the Department catches and fixes payments made in error. This resulted in a population of 1,386,220 unique IDs that had a total of $5,408,339,948 in payments made on their behalf during the audit period. ? We used a stratified random sample, as shown in the following table, consisting of six strata defined by the total amount of payments for each unique ID. We selected random samples from each strata for a total of 125 IDs that had benefit payments totaling $3,127,704. The strata and sample sizes were defined based on our risk assessment and consultations with audit sampling methodologists from the U.S. Department of Health and Human Services, Office of Inspector General (HHS OIG). ? For each sampled ID, we tested eligibility covering the dates of service for every payment made on the individual?s behalf within the audit period. ? After we concluded our testing, we used HHS OIG?s Office of Audit Services statistical software in consultation with HHS OIG to project our results to the full population of IDs for which benefits were paid during the audit period. See Schedule of Findings and Questioned Costs for chart/table. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? For 32 of the 125 Medicaid beneficiaries? case files that we tested (26 percent), we identified at least one error within each case file. In total, we identified 43 errors within the 32 case files. These errors resulted in a total of $25,120 in known questioned costs for July 1, 2019, through February 29, 2020, and $6,843 in likely questioned costs for March 1, 2020, through June 30, 2020, as shown in the following table. See Schedule of Findings and Questioned Costs for chart/table. A questioned cost, as defined in federal regulations [45 CFR 75.2 Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards (Uniform Guidance)], is ?a cost that is questioned by the auditor ? (1) Which resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds; [or] (2) Where the costs, at the time of the audit, are not supported by adequate documentation?.? Furthermore, federal regulation [45 CFR 75.516] defines known questioned costs as questioned costs that are specifically identified by the auditor and likely questioned costs as an auditor?s best estimate of total questioned costs. During the COVID-19 PHE, CMS issued waivers that limited the Department?s ability to deny eligibility for enrolled beneficiaries. The Department also sought guidance from CMS on the treatment of beneficiaries who were ineligible prior to the COVID-19 PHE but were receiving benefits during this period. CMS guidance indicated that the Department should keep these beneficiaries enrolled during the COVID-19 PHE. Therefore, we are reporting any identified questioned costs from March 1, 2020, through June 30, 2020, the period during the COVID-19 PHE, as likely questioned costs. PROJECTED LIKELY QUESTIONED COSTS FOR JULY 2019 THROUGH FEBRUARY 2020. Based on our sample, we estimate the projected Medicaid questioned costs resulting from payments made on behalf of ineligible beneficiaries in the population between July 1, 2019, and February 29, 2020, to be about $165.6 million and, with 90 percent confidence, to be at least $41.1 million but not more than $290.0 million. This projection is based on the $25,120 in known questioned costs, or misstatements, we identified in our sample during the audit period. The American Institute of Certified Public Accountants Audit Sampling, May 1, 2017, Audit Guide [AAG-SAM 4.95] advises, ?Even if the misstatement appears to be from an unusual source, that does not mean that other unusual items are not in the population and that the original sample was not representative.? In accordance with this guidance, we projected the known questioned costs to the population of payments for services that occurred from July 1, 2019, through February 29, 2020, regardless of the nature of the errors or the programs involved, since the Department is ultimately responsible for all payments made to providers on behalf of eligible beneficiaries. The projected questioned costs amount of $165.6 million is based on a statistical calculation that does not correlate to specific payments to providers or to over-expenditures of the State?s General Fund or federal funds. However, this calculation indicates that if we tested the entire population, there is a 90 percent likelihood of finding the true amount of questioned costs to be between $41.1 million and $290.0 million and the amount would most likely be close to $165.6 million in erroneous payments. There is a 5 percent chance that the true amount of questioned costs is less than $41.1 million, and a 5 percent chance the true amount is over $290.0 million. PROJECTED LIKELY NUMBER OF INELIGIBLE BENEFICIARIES FOR JULY 2019 THROUGH FEBRUARY 2020. We also estimate that 169,026 beneficiaries, or with 90 percent confidence that at least 59,622 (4.30 percent) but not more than 278,429 (20.09 percent) beneficiaries, in our total population of 1,386,220 were likely ineligible at the time they received services from July 1, 2019, through February 29, 2020. The following table summarizes the results of our projections. See Schedule of FIndings and Questioned Costs for chart/table. The following table summarizes the total known and likely questioned costs based on our case file testing and statistical sampling results for Fiscal Year 2020. See Schedule of Findings and Questioned Costs for chart/table. DETAILS OF ERRORS IDENTIFIED. In some case files, we identified multiple instances of errors. Specifically, we found the following: ? PAYMENTS AFTER ELIGIBILITY HAS ENDED. In three cases, the Department paid for services after the beneficiary?s eligibility had ended. Specifically, in two cases, the beneficiaries continued to receive benefits after their death. In the remaining case, the Department determined the beneficiary was ineligible and ended the beneficiary?s benefits; however, payments continued to be made on behalf of the beneficiary after their eligibility had ended. These issues resulted in known questioned costs of $11,102. Federal regulation [42 CFR 433.304] states that an overpayment is the amount paid by a state agency to a provider in excess of the allowable amount for furnished services. Because medically necessary services cannot be provided after a beneficiary?s death, no medical services are allowable after a beneficiary?s death. Accordingly, payments for medical services claimed to have been provided after a Medicaid beneficiary?s death are overpayments. According to federal regulation [42 CFR 431.958], ?Improper payment means any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements; and includes any payment to an ineligible beneficiary, any duplicate payment, any payment for services not received, any payment incorrectly denied, and any payment that does not account for credits or applicable discounts.? ? INELIGIBLE FOR PROGRAM. In one case, the beneficiary was ineligible for the benefits received under Medicaid?s Social Security Income (SSI) mandatory program, which is a medical assistance program provided to persons eligible for financial assistance under SSI from the Social Security Administration (SSA). As a result of an eligibility redetermination, the caseworker determined that the beneficiary had not been eligible for the program since January 2019; however, the beneficiary received benefits under this program for the entire fiscal year. This issue resulted in known questioned costs of $8,326 and likely questioned costs of $4,132 for Fiscal Year 2020. State regulations [10 CCR 2505-10, 8.100.6.C.1a. and b.] state that Medicaid benefits must be provided to persons receiving financial assistance under SSI or persons who are eligible for financial assistance under SSI, but are not receiving SSI. ? INCOME ISSUES. We identified the following income-related issues: ? INCOME EXCEEDING THRESHOLD. In two cases, CBMS incorrectly calculated the beneficiaries? income. CBMS used income information reported by the beneficiary when it should have used electronic income information received through an interface with another system. If CBMS had correctly used the electronic income information, beneficiaries? income would have been over the limit set by federal regulation and the beneficiaries, therefore, should have been denied benefits at their redetermination. Instead, the beneficiaries were approved at their redeterminations and Colorado interChange paid claims on their behalf. These errors resulted in known questioned costs of $4,613 and likely questioned costs of $2,281. ? INCOME NOT VERIFIED. In one case, the caseworker did not verify income for the beneficiary. Specifically, the beneficiary reported income on the application, but the caseworker was unable to verify the income and deleted the income record from CBMS. This error resulted in known questioned costs of $779 and likely questioned costs of $280. ? INCORRECT INCOME THRESHOLD. In one case, CBMS used the incorrect income threshold for the beneficiary?s eligibility determination. The beneficiary?s income was less than the correct income threshold and, therefore, this error did not result in questioned costs. ? INCORRECT INCOME. In three cases, the caseworker used the incorrect income amount to determine eligibility. Specifically, in two cases, the caseworker excluded income when it should have been included for determining eligibility. In the remaining case, the caseworker did not include expenses to calculate self-employment income and, as a result, the caseworker overstated income for determining eligibility. No questioned costs were identified in these instances because the beneficiaries? income was still within federal and state income guidelines. Federal regulation [42 CFR 435.119] requires household income to be at or below 133 percent threshold of the federal poverty level and the State regulation [10 CCR 2505-10, 8.100.6.L.2.c] requires qualified beneficiary?s income to be at or below the federal property level. Federal regulation [42 CFR 435.914] requires the Department to obtain and maintain documentation to support each beneficiary?s Medicaid eligibility determination. State regulation [10 CCR 2505-10, 8.100.5.B.1.c] requires the caseworker to verify earned income in determining whether an individual qualifies for medical assistance and requires the Department to verify income reported by a beneficiary through an electronic data source, wage stubs, tax documents, or verification with the employer. State regulation [10 CCR 2505-10, 8.100.3.K.8.a] requires business expenses to be deducted from countable self-employment income when calculating Medicaid applicants? self-employment income. ? MISSING REDETERMINATION. In one case, the Department did not complete the annual redetermination for the beneficiary as required by the federal regulation. Specifically, the beneficiary had Medicaid payments paid on their behalf during the entire Fiscal Year 2020; however, the beneficiary had not been redetermined since April 2018 due to the beneficiary showing as ineligible in CBMS. This issue resulted in known questioned costs of $300 and likely questioned costs of $150. Federal regulation [42 CFR 435.916(a)] requires the Department to renew or redetermine Medicaid eligibility once every 12 months but no more frequently than once every 12 months. ? BUY-IN PREMIUMS NOT ASSESSED. In one case, the Department did not assess buy-in monthly premiums for the beneficiary. Beneficiaries are required to pay buy-in premiums to receive benefits under the Buy-in Working Adults with Disabilities program. Therefore, the beneficiary was not eligible for the Program during November 2019 through February 2020. The beneficiary did not have any claims submitted by providers during this time and therefore, this issue did not result in questioned costs. State regulations [10 CCR 2505-10, 8.100.6.P.1.f] require individuals to pay monthly premiums on a sliding scale based on income for the Buy-in Working Adults with Disabilities program to be eligible to receive benefits. ? INAPPROPRIATE CHANGE TO ELIGIBILITY. In two cases, the Department did not determine eligibility in accordance with state regulation. Specifically, the beneficiaries provided information to the Department that changed their eligibility and the caseworkers applied the change retroactively; these beneficiaries were current Medicaid beneficiaries rather than new applicants and state regulations do not allow eligibility to be changed retroactively for current beneficiaries. These issues did not result in questioned costs. State regulation [10 CCR 2505-10, 8.100.3.E] requires that retroactive eligibility only be provided to new applicants for the prior 3 months preceding the date of application. State regulations do not allow for retroactive redeterminations to existing beneficiaries.
Finding 2022-043 Medicaid Claims Payments Individuals and families apply for Medicaid at their local county departments of human/social services or at MA sites. Medicaid caseworkers make the determinations of participants? eligibility to receive Medicaid benefits through CBMS. Children in the State?s foster care program, whose information is documented in the TRAILS system, are automatically determined eligible for Medicaid benefits. The Medicaid eligibility data in CBMS and TRAILS feeds into Colorado interChange, which pays providers for the services that beneficiaries receive. CBMS and TRAILS interface with Colorado interChange on a daily basis to update eligibility information, such as a beneficiary?s eligibility status and/or termination of benefits in Colorado interChange. According to the Department, Colorado interChange is programmed to make only allowable Medicaid claims payments on behalf of eligible beneficiaries in accordance with federal and state Medicaid rules and regulations. Thus, Colorado interChange should stop paying Medicaid claims when a beneficiary is no longer eligible for Medicaid. On March 18, 2020, the Act was enacted. The Act provided a temporary increase in the federal share of Medicaid and CBHP assistance from January 1, 2020 until the end of the PHE. The Act also required that the Department maintain Medicaid and CBHP eligibility for beneficiaries enrolled as of March 1, 2020, through the end of the COVID-19 PHE, except for the required terminations noted within the CMS waivers, such as out-of-state residency, termination upon the beneficiary?s request, and death of the beneficiary. On March 26, 2020, CMS approved waivers for a number of Medicaid and CBHP requirements that resulted in, for example, the expansion of benefits to include all uninsured individuals; suspension of beneficiary deductibles, copayments, coinsurance, and other cost sharing charges and fees; coverage of COVID-19 vaccines and testing; and the suspension of the requirement for a provider to have a current license if their license expired during the COVID-19 PHE. In addition, the State implemented, with CMS? approval, Medicaid continuous enrollment as a condition of receiving the temporary increase in federal assistance. During continuous enrollment, beneficiaries could not be disenrolled due to changes in circumstances (i.e., changes in household composition, employment, income and resources) until the end of the COVID-19 PHE. On December 29, 2022 the CCA was enacted. Under the CCA, continuous enrollment and the temporary increase in federal assistance are no longer linked to the end of the COVID-19 PHE. The continuous enrollment condition will end on March 31, 2023 and the increase in federal assistance will start to gradually reduce in April 2023, fully ending in December 2023. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to review the Department?s progress in implementing our Fiscal Year 2019 audit recommendation related to its internal controls over Medicaid claims payments. During that audit, we recommended that the Department improve its Medicaid controls by researching and resolving CBMS, TRAILS, and Colorado interChange interface issues we identified during our audit to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries. We specifically identified a TRAILS and CBMS eligibility mismatch issue related to the daily interfaces between CBMS and Colorado interChange and between TRAILS and Colorado interChange. As a result, some individuals who were deemed ineligible for Medicaid in CBMS and TRAILS were indicated as eligible in Colorado interChange at the time of payments; therefore, Colorado interChange made payments on their behalf. The Department researched the specific errors we identified during the audit and manually corrected the eligibility status of those beneficiaries, but the Department had not fully researched the error or identified and corrected all of the cases affected by the errors at that time. As such, we also recommended that the Department identify and correct any additional cases affected by the system issues noted in our audit. The Department agreed with the recommendation and stated that it would implement them by July 2021. As part of our audit work, we discussed the Department?s progress in implementing our audit recommendation with Department staff. According to the Department, it worked with the Department of Human Services (DHS) during Fiscal Year 2022 to develop a plan to eliminate the issues, including the TRAILS eligibility mismatch issue, we identified in the Fiscal Year 2019 audit. In order to address our recommendation that the Department identify and correct any additional cases affected by the system issues noted during our Fiscal Year 2019 audit, the Department developed an eligibility reconciliation report that compares beneficiary records with an active eligibility span in Colorado interChange, in order to identify any records that were not reported in the monthly eligibility file from CBMS. Department staff reported that they are reviewing the reconciliation report monthly to identify any beneficiary records that need updating in CBMS. Beneficiaries may show up on the reconciliation report either because (1) Colorado interChange rejected the beneficiary?s eligibility due to a data integrity issue, or (2) there was a system defect in CBMS, Colorado interChange, or TRAILS that caused a mismatch issue. Data integrity issues include issues such as a missing mailing address or last name?these issues can be manually fixed in CBMS. System defect issues are generally more complex and require Department staff to research the problem and identify the system that caused the error (CBMS, Colorado interChange, or TRAILS), and then work with the appropriate staff to correct the issue. As part of our audit, we requested copies of the Department?s eligibility reconciliation reports for Fiscal Year 2022 and asked the Department if it identified any additional cases affected by the system issues we identified, and if so, if they had they corrected the issues. How were the results of the audit work measured? We measured the results of our audit against the following: ? Federal regulation [42 CFR 447.56(e)(2), Limitations on Premiums and Cost Sharing] states that federal funding will not be provided for payments made by the Department to providers for services rendered to individuals who are not eligible for Medicaid. ? The Act [Section 2, Division F, Sec. 6008, Temporary Increase of Medicaid FMAP] temporarily increased the federal medical assistance percentage (FMAP) by 6.2 percentage points, effective from January 1, 2020 until the end of the PHE. The Act requires states to maintain Medicaid and Children?s Health Insurance Program (CHIP) eligibility for beneficiaries enrolled as of March 1, 2020 through the end of the PHE (with certain exceptions) in order to receive the increased FMAP assistance (the ?continuous enrollment requirement?). The PHE remained in effect during the entirety of Fiscal Year 2022 through June 30, 2022. ? According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with the Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office, Paragraph 16.01, Perform Monitoring Activities, which states that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. What problems did the audit work identify? We determined that the Department did not fully implement our Fiscal Year 2019 recommendation related to Medicaid claims payments by the July 2021 due date it originally provided. Specifically, while the Department has started working with DHS on a plan to resolve the TRAILS eligibility mismatch issues and started preliminary work on the project, the project was still ongoing as of June 30, 2022. In addition, the Department?s system enhancements to CBMS and Colorado interChange were not fully executed because of the ongoing PHE. Once the PHE ends and the Department executes the system enhancements, the Department has indicated the system will begin to correct the CBMS and Colorado interChange mismatches. Finally, although the Department has identified additional beneficiary records that require updating in CBMS, it did not correct the identified issues in the system. Specifically, the Department identified approximately 32,800 separate beneficiaries that were flagged as having an eligibility issue through the Fiscal Year ending June 30, 2022. However, per Department staff, they are unable to tell which beneficiaries had data integrity issues versus those that were caused by a system defect. Once the continuous enrollment period ends and the Department is able to fully execute the system enhancements noted above, the Department reports that the systems will sync any error the Department has identified and will be manually corrected. Why did these problems occur? The Department indicated that it did not fully execute the CBMS and Colorado interChange system enhancements because of the Act?s ongoing continuous enrollment requirement. Specifically, because the Department was required to maintain Medicaid and CBHP beneficiaries enrolled as of March 1, 2020 through the entirety of Fiscal Year 2022 due to the continuous enrollment requirements in place, they were unable to fully execute the CBMS and Colorado interChange system enhancements that would fix the data integrity issues identified during the Fiscal Year 2019 audit. Why do these problems matter? Making payments to ineligible individuals can result in the Department having to repay the federal government for the federal portion of the overpayments. Further, because Colorado interChange makes payments on behalf of other federal programs, such as CBHP, system issues with Colorado interChange could result in erroneous payments for other programs. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-043 The Department of Health Care Policy and Financing should strengthen its internal controls over Medicaid claim payments by: A. Continuing to work with the Department of Human Services to fully implement the plan to eliminate the Colorado interChange issues between Colorado Benefits Management System (CBMS), TRAILS, and Colorado interChange to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries. B. Continuing to review the monthly eligibility reconciliation reports and identifying beneficiary records that need updating, and making necessary corrections in CBMS once the continuous enrollment condition ends. Response Department of Health Care Policy and Financing A. Partially Agree Implementation Date: April 2023 The Department and CBMS teams have strengthened their internal controls to ensure payments are only made to providers for eligible members. The Department and CBMS teams will update all member records identified on the Monthly Reconciliation report once the Public Health Emergency ends. TRAILS team has provided additional training to the Case Managers to prevent data integrity issues being submitted to CBMS and interChange; however, the TRAILS team does not plan to update the system's internal controls until funding is available. Auditor?s Addendum Our responsibility under federal audit regulations is to report to the federal government when we identify Medicaid payments that may not have been made on behalf of eligible individuals or costs that we question as appropriate. It is ultimately the Department?s responsibility to have internal controls in place over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions B. Agree Implementation Date: April 2023 The Department agrees to review the monthly eligibility reconciliation report and is looking forward to resolving the member records once the Public Health Emergency ends to fully resolve the audit finding.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-041 Medicaid Eligibility?Social Security Numbers associated with Multiple State IDs Each beneficiary?s Medicaid application must contain specific information, including the beneficiary?s Social Security Number (SSN), a copy of their birth certificate, and support for their income, necessary for determining their Medicaid eligibility. The local counties and MA sites are responsible for administering the benefits application process, including entering the required data for eligibility determination into CBMS, and approving or denying applicants? eligibility. CBMS is a shared eligibility system between the Department and the Department of Human Services. As each beneficiary has one SSN, similarly, the State Identification Module (SIDMOD), which is managed by the Office of Information Technology (OIT), is designed to assign a unique State ID for each beneficiary. CBMS interfaces with Colorado interChange, the Department?s Medicaid claims payment system, on a daily basis to update eligibility information, such as a beneficiary?s eligibility status or termination of benefits in Colorado interChange. Colorado interChange uses this information to process and pay claims for services provided to eligible Medicaid beneficiaries. When a medical provider submits a claim to the Department, Colorado interChange checks the State ID and the date of birth, but not the SSN, submitted with the claim against the beneficiary?s information on file. If the State ID and the date of birth match an eligible beneficiary within Colorado interChange and the claim is otherwise appropriate, then the claim will be processed and paid through the system. The Department requires local counties or MA site caseworkers to call the OIT Service Desk to obtain approval for changing or updating an SSN in CBMS. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department made claims payments on behalf of beneficiaries with the same SSN but different State IDs, including assessing the Department?s progress in implementing our Fiscal Year 2019 recommendation related to this issue. At that time, we recommended that the Department improve its internal controls in this area to ensure that it complies with federal regulations regarding Medicaid eligibility. The Department agreed with the Fiscal Year 2019 recommendation and, during our Fiscal Year 2021 audit, reported that it had implemented this recommendation as of December 2020. As part of our testing, we reviewed the internal controls the Department had in place during Fiscal Year 2021 to identify any beneficiaries whose SSN is linked to more than one State ID in Colorado interChange. During our audit, we requested a list of all Medicaid claims that were submitted by providers and paid by the Department from December 1, 2020, through June 30, 2021, including the beneficiaries? names, SSNs, and State IDs. The Department provided a list that included approximately 924,000 beneficiaries who received benefits during that period. We analyzed this listing to identify any beneficiaries whose SSN was linked to more than one State ID, and to determine if any claims payments were made on behalf of those beneficiaries from December 2020 through June 2021. How were the results of the audit work measured? Federal regulation [42 CFR 435.910] states that the Department must require, as a condition of eligibility, that each individual (including children) seeking Medicaid services furnish a SSN. Federal regulation [42 CFR 435.914] further requires the Department to obtain and maintain documentation to support each beneficiary?s Medicaid eligibility determination. Federal regulation [42 CFR 447.56(e)(2)] states that federal funding will not be provided for payments made by the Department to providers for services provided on behalf of individuals who are not eligible for Medicaid. Further, the Department is required by federal regulations to repay the federal government the federal share of any overpayments within one year. Specifically, pursuant to 1903(d)(2)(C) of the Social Security Act [42 U.S.S. 1396b], states have up to one year from the date of discovery of the overpayment to recover or attempt to recover the overpayment before the federal share must be refunded to CMS regardless of whether recovery is made from the provider. According to federal regulation [45 CFR 75.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office. Under Paragraph 16.01 of the Green Book, the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. What problem did the audit work identify? We determined that the Department has not fully implemented the prior audit recommendation. During our testing, we identified 102 unique SSNs that appeared to be inappropriately associated with more than one State ID; in total, the 102 SSNs were tied to 209 State IDs. This could indicate that the Department determined eligibility without a beneficiary furnishing the correct SSN and, as a result, made claims payments on behalf of ineligible beneficiaries or the SSNs could be valid, but with more than one State ID, a provider could submit and have a claim paid for the same services under both State IDs. Specifically, we found the following: ? For 62 SSNs, the SSNs were tied to beneficiaries with more than one State ID, totaling 129 different State IDs, where the State IDs appeared to be for different people based on the names and/or dates of birth. ? For 40 SSNs, the SSNs were tied to beneficiaries with more than one State ID, totaling 80 different State IDs, where the State IDs had the same name and date of birth. ? For 99 SSNs, each SSN was tied to two different State IDs in Colorado interChange. ? For three SSNs, each SSN was tied to more than two different State IDs in Colorado interChange. For example, in one of the three instances, there were five different State IDs associated with one invalid SSN. These issues affected a total of 209 Medicaid State IDs that had not been corrected as of June 2021, representing a total of $67,235 Medicaid claims paid through Colorado interChange from December 2020 through June 2021. We provided the list of SSNs and State IDs to the Department to research. The Department found that, as of the end of our audit in April 2022, 59 out of the 102 SSNs identified during the audit had been corrected by a caseworker, but 43 SSNs need to be corrected in CBMS. The Department reported that these 43 SSNs had been flagged through a system edit in CBMS implemented in December 2020; however, the SSNs had not yet been corrected because ?To merge or correct [the SSNs and State IDs] is a time intensive process and must be prioritized within the business process of the [local counties and] Medical Assistance sites.? Although the Department was able to determine which SSN and State ID discrepancies had been corrected in CBMS as of April 2022, the Department has not completed its research to determine which claims made in Colorado interChange were made on behalf of beneficiaries with a correct SSN, and whether the implemented system edit appropriately addresses the issues identified in both Fiscal Years 2019 and 2021. As of the end of the audit, the Department had not completed this research and we were unable to determine whether the payments were made on behalf of beneficiaries with a valid SSN at the time payments were made. Therefore, we consider all $67,235 of the payments to be known questioned costs; $37,786 of these costs were paid with federal grant funds. A questioned cost, as defined in federal regulations [45 CFR 75.2 Uniform Administrative Requirements, Cost Principles, and Audit Requirements] (Uniform Guidance), is ?a cost that is questioned by the auditor ? (1) Which resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds; [or] (2) Where the costs, at the time of the audit, are not supported by adequate documentation?.? We have identified these questioned costs as known questioned costs that are further defined in Uniform Guidance [45 CFR 75.516] as questioned costs that are specifically identified by the auditor. Why did this problem occur? The Department did not have adequate internal controls in place during Fiscal Year 2021 to prevent or detect all instances of multiple State IDs associated with the same SSN in Colorado interChange and, as a result, could not ensure only eligible beneficiaries received Medicaid services. SIDMOD does not prevent several situations that can result in the same SSN with more than one State ID. For example, caseworkers could incorrectly input an SSN into CBMS or the SSN could be reported by the beneficiary incorrectly and, as a result, cause a new State ID to be created. There can also be instances when someone changes their name, such as when they get married, and apply for benefits prior to getting married and also after getting married, which could cause two State IDs to be created. If someone starts an application and does not finish the application and then restarts a new application at a later date, this can also cause two State IDs to be created. Further, when inputting multiple family members into the system, an input error of the SSN can occur with multiple family members with the same SSN, which would create multiple State IDs (one for each family member) with the same SSN. According to the Department, in order to implement the Fiscal Year 2019 recommendation, it implemented a system edit in CBMS in December 2020 that is designed to identify discrepancies in newly-entered or updated SSNs and State IDs in CBMS after that date and to then notify the caseworker so the caseworker can address the discrepancy; this edit was not designed to address SSN and State ID discrepancies that existed prior to December 2020. As a result, the system edit did not identify SSN and State ID discrepancies for claims made from December 2020 to June 2021 if those discrepancies existed prior to the implementation of the system edit in CBMS and the beneficiaries? information had not been updated in CBMS. For example, if a beneficiary had an incorrect SSN prior to the system edit and was, therefore, ineligible to receive Medicaid services, Colorado interChange would continue paying claims on behalf of the beneficiary until information was updated in CBMS and the beneficiary was determined to be ineligible for Medicaid. Because the system edit implemented in CBMS is only designed to detect and correct future SSN and State ID discrepancies, the Department has not fully addressed the issue of inappropriate claims payments that we identified in the prior audit recommendation. According to the Department, addressing SSN and State ID discrepancies that existed prior to December 2020 involves a manual process to identify, research, and resolve the discrepancies. The Department stated that a report to identify SSNs with multiple State IDs is being developed and is currently scheduled for deployment in June 2023. Furthermore, the Department has not established a monitoring process over caseworkers to ensure SSN and State ID discrepancies are addressed appropriately and in a timely manner. Why does this problem matter? Failing to institute appropriate controls over the processing of Medicaid eligibility can result in the counties and MA sites granting Medicaid benefits to ineligible individuals. As the state Medicaid agency, it is essential for the Department to ensure that Medicaid benefits are paid only for eligible beneficiaries. This includes ensuring that the Department has sufficient internal controls to address risks related to multiple State IDs associated with the same SSN. For example, without adequate controls in place to prevent multiple State IDs from being created, providers could erroneously or fraudulently submit duplicate claims under these State IDs for the same services, resulting in improper payments. Ultimately, the federal government may disallow federal funds for Medicaid program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. Recommendation 2021-041 See Schedule of Findings and Questioned Costs for chart/table The Department of Health Care Policy and Financing (Department) should improve its internal controls over Medicaid eligibility by: A. Researching the claims payments that were identified during our audit to determine whether the local counties or Medical Assistance sites had a valid Social Security Number (SSN) when determining eligibility, if payments were appropriate?in accordance with federal regulation at the time the payments were made?and recovering any payments made to providers on behalf of ineligible beneficiaries in accordance with federal regulations. B. Continuing to develop a report to identify SSNs associated with multiple State IDs and establishing and implementing written policies and procedures outlining how the Department will use the report to effectively monitor and correct SSN and State ID discrepancies. C. Implementing a process to monitor that caseworkers are addressing the Colorado Benefits Management System alerts related to SSN and State ID discrepancies appropriately and in a timely manner. Response Department of Health Care Policy and Financing A. Disagree The research required to identify the appropriateness of payments for 102 SSNs compared to the 1.6 million Coloradans the Department serves is administratively impractical and not an efficient use of limited state resources. Instead the Department will continue our existing proactive approach. Based on previous research, 92% of errors noted in the 2019 sample actually supplied a SSN or met exceptions criteria; therefore, payments were appropriate. The resolution of a SSN discrepancy is addressed through manual intervention by county eligibility technicians when identified through the system edit implemented in December 2020. The Department will continue the existing process to address duplicate SSNs, which is working since 58% of the SSNs had already been corrected through the existing process during the audit work. The Department could not agree to the questioned costs as the testing failed to determine which member case was incorrect. The OSA should have documented the incorrect case or identified which State IDs had not been merged through the existing process. The OSA pulled claims data (not Colorado Benefits Management System, or CBMS, cases) and did not identify if those claims were from newly entered cases or cases entered prior to December 2020. The auditor?s sample should have only included the cases impacted by the Department?s system change related to the original recommendation. Further, the Department cannot recover any payments from providers since this issue is not related to services provided. When a provider checks a member's eligibility on the day of service and finds the member eligible through the Department?s system, that provider is guaranteed payment if they render an authorized service. Auditor?s Addendum Our responsibility under federal audit regulations is to report to the federal government when we identify Medicaid payments that may not have been made on behalf of eligible individuals or that we ?question? as appropriate. It is ultimately the Department?s responsibility to perform research over questioned costs to determine whether the payments were or were not appropriate and, working with CMS, whether the Department must refund the federal share of any overpayments to CMS, regardless of whether the Department recovers the payments from the providers. B. Agree Implementation Date: June 2023 The Department will continue our existing proactive approach to minimize this issue. The resolution of a SSN discrepancy is addressed through manual intervention by county eligibility technicians when identified through the system edit implemented in December 2020. The Department will continue the existing process to address duplicate SSNs. The Department has already made significant progress to monitor CBMS through the use of CBMS monitoring dashboards. These dashboards allow the Department to monitor and perform daily analysis. The Department meets bi-weekly to discuss findings and next steps to resolve any issues identified through the dashboard. These dashboards are being implemented over time as areas of improvements are identified. As part of the Department's continual improvement strategy, SSN discrepancy reports are included in the next implementation phase of the monitoring dashboards scheduled for June 2023. The Department will develop and implement policies and procedures outlining how the report will be used to effectively monitor and correct SSN and State ID discrepancies. Once that work is complete, the Department will send updated written guidance to our county and medical assistance sites on how to use system edits, reports, and dashboards to resolve duplicate SSNs. C. Agree Implementation Date: June 2023 The Department will continue our existing proactive approach to minimize this issue. The resolution of a SSN discrepancy is addressed through manual intervention by county eligibility technicians when identified through the system edit implemented in December 2020. The Department will continue the existing process to address duplicate SSNs. The Department has already made significant progress to monitor CBMS through the use of CBMS monitoring dashboards. These dashboards allow the Department to monitor and perform daily analysis. The Department meets bi-weekly to discuss findings and next steps to resolve any issues identified through the dashboard. These dashboards are being implemented over time as areas of improvements are identified. As part of the Department's continual improvement strategy, SSN discrepancy reports are included in the next implementation phase of the monitoring dashboards scheduled for June 2023. Once that work is complete, the Department will send updated written guidance to our county and medical assistance sites on how to use system edits, reports, and dashboards to resolve duplicate SSNs appropriately and in a timely manner.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-042 Medical Loss Ratio Reporting for Managed Care Entities The Department contracts with Managed Care Entities (MCEs) to provide managed care health plans and deliver health care services to eligible Medicaid and CBHP beneficiaries and pays MCEs monthly fixed amounts, known as capitation payments, based on rates determined by actuaries for the provision of services covered under the contract. The Department pays the MCEs monthly capitation payments on behalf of each Medicaid and CBHP beneficiary enrolled in the MCE?s plan. MCEs then coordinate services for the eligible Medicaid and CBHP beneficiaries and providers participating in the managed care system bill the MCEs directly for any medical services provided to Medicaid and CBHP beneficiaries. The MCEs are then responsible for paying the providers for the Medicaid and CBHP claims. The Department contracts with three different types of MCEs?Managed Care Organizations (MCO), Prepaid Inpatient Health Plans (PIHP), and Primary Care Case Management (PCCM) Entities. During Fiscal Year 2021, the Department had a total of 8 contracts with 10 MCEs, with two pairs of MCEs sharing a single contract with the Department. The Department is responsible for monitoring the MCEs to ensure they are complying with federal regulations and their contract provisions, including requirements that the MCEs annually submit Medical Loss Ratio (MLR) reports to the Department. The MLR is the proportion of state and federal Medicaid and CBHP funds that the MCE used for medical services compared to the funds used for its administrative costs. MCEs are required by both federal regulations and their Department contract provisions to have an MLR above 85 percent (i.e., an MCE?s administrative costs cannot exceed 15 percent) except for specific exceptions defined in federal regulations. If the MLR is below 85 percent, the MCE must pay back the state and federal government for the amount that caused the MCE to fall below 85 percent. Every fiscal year, the Department provides an MLR reporting template for the MCEs to complete and return to the Department. The Department reported that when it receives the completed templates, staff review the information provided by the MCEs and compare it to supporting documentation to ensure it is accurate and complete. Once the Department has reviewed the MLR reports submitted by the MCEs, the Department submits the MLR reports to CMS, which are due by June 30 of the year following the end of the MLR reporting year. For example, an MCE with a reporting year ending June 30, 2020, would be required to submit the MLR calculation to CMS by June 30, 2021. During Fiscal Year 2021, the Department reported that it paid approximately $1.4 billion in Medicaid and CBHP capitation payments to MCEs for medical services, not including the capitation payments for other services, such as administrative costs. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to review the Department?s internal controls and compliance over ensuring that MLR reports submitted to CMS by the Department include all the required information in accordance with federal regulations during Fiscal Year 2021. The audit work included making inquiries of Department staff regarding the Department?s documented policies and procedures over obtaining and reviewing MLR reports from each MCE. In addition, we requested and reviewed all MLR reports submitted to the Department by the 10 MCEs that were under contract with the Department in Fiscal Year 2021 to determine whether the MLR reports included all information required by federal regulations and were submitted within the required timeframes. How were the results of the audit work measured? Federal regulations [42 CFR 438.8(k)] require that the Department ensure each MCE under contract with the Department submits a report with the data elements specified in 42 CFR section 438.8(k)(1). The reports are specifically required to contain 13 required data elements, reflect the correct reporting years, and contain an attestation of accuracy regarding the calculation of the MLR. The 13 data elements include items such as total incurred claims, the methodology for allocating expenditures, the calculated MLR, and a comparison of the information reported in the MLR report to the MCE?s audited financial report. Federal regulations [42 CFR 438.8(g)] note that the method used to allocate expenses in the MLR calculation must be: ? Based on a generally accepted accounting method that is expected to yield the most accurate results; ? Any shared expenses must be apportioned pro rata to the contract incurring the expense; and ? Expenses that relate solely to the operation of a reporting entity must be borne solely by the reporting entity and are not to be apportioned to other entities. Federal regulations [42 CFR 438.8(k)(2)] require MCEs to submit the MLR report in a timeframe and manner determined by the Department, which must be within 12 months of the end of the MCE?s reporting year. The Department?s contract provisions for MCEs state that the MLR reporting year should align with the State?s fiscal year, beginning on July 1 and ending on June 30 of the subsequent calendar year. Contract provisions also state that each MCE shall submit to the Department the completed MLR calculation template and supporting documentation for each reporting year by the following January 15. For example, an MCE with a reporting year ending June 30, 2020, would be required to submit the MLR calculation template to the Department by January 15, 2021, and the Department would be required to submit the MLR calculation to CMS by June 30, 2021. What problems did the audit work identify? We reviewed all reports provided to the Department by the 10 MCEs during Fiscal Year 2021 (for the MLR reporting year ended June 30, 2020) and determined that none of the MLR reports submitted by the 10 MCEs to the Department contained all of the required data elements in Fiscal Year 2021. Specifically, the MLR reports were missing 2 of the 13 (15 percent) required data elements: the methodology for the MCEs? allocation of expenditures and a comparison of the information reported in the MLR report to the MCEs? audited financial reports. This omission is significant because the MCEs reported total medical expenditures ranging from $20.5 million to $208.4 million and earned revenue from $23.4 million to $219.1 million. In addition, we determined that 1 of the 10 MLR reports received in Fiscal Year 2021 (10 percent) had not been submitted to CMS as of April 2022. This report was due to CMS on June 30, 2021. Why did these problems occur? We found that the Department lacked adequate controls to ensure that MLR reports submitted by the MCEs fully complied with federal regulations. First, we noted that although the Department?s MCE contracts state the MCE?s MLR report should include all 13 federally required data elements, the MLR template the Department provided to the MCEs did not include specific sections addressing the two missing federally-required data elements. As a result, the MCEs did not submit this information. Furthermore, the Department did not have written policies and procedures for reviewing completed MLR reports to ensure the reports ultimately included those requirements. Second, the Department does not have an enforcement mechanism to ensure the MCEs provide corrected MLR report information in a timely manner. The Department reported that it had not submitted the one MLR report to CMS because it had open questions on the MLR report and was unable to verify that the information was correct, valid, and in compliance with federal regulations. Although the Department sent the MLR report back to the MCE for correction several times, the Department did not have sufficient controls in place to ensure the MCE ultimately provided the corrected report back to the Department within the required reporting timeline for CMS submission. Why do these problems matter? The Department is responsible for ensuring MLR reports are obtained and submitted to CMS in accordance with federal regulations and that MCEs have an MLR above 85 percent. While all 10 MCEs reported that their MLRs were above 85 percent for the reports submitted during Fiscal Year 2021, without providing all required data elements, neither the Department nor the federal government can validate that this percentage is accurate. By not including the methodology for the MCE?s allocation of expenditures, the Department, and ultimately CMS, are unable to confirm that each type of expense is being allocated correctly and that any shared expenses are being prorated appropriately. Additionally, by not including a comparison of the information reported in the MRL to the MCE?s audited financial report, the Department is unable to confirm that the information the MCE used to calculate their MLR is accurate. Overall, without effective internal controls in place, the Department risks providing MLR reports to CMS that contain inaccurate or incomplete information or that the MLR is below 85 percent and the Department does not catch the error. As a result, state and federal funds could be used disproportionately on administrative costs rather than medical services, which would negatively impact the quality of care Medicaid and CBHP beneficiaries receive. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-042 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls over Medical Loss Ratio (MLR) reporting by: A. Updating its MLR report template provided to Managed Care Entities (MCEs) to comply with federal regulations and developing and implementing written policies and procedures. These policies and procedures should include the requirement for MCEs to submit MLR reports that include the data elements required by federal regulations and specify the Department?s review process of those MLR reports to ensure they include accurate and complete information. B. Developing an enforcement mechanism to ensure it receives accurate and corrected information from the MCEs in a timely manner so the Department is able to complete its validation process of MLR reports and meet the June 30 deadline for report submission to the Centers for Medicare & Medicaid Services. Response Department of Health Care Policy and Financing A. Agree Implementation Date: December 2022 The MLR report template has been updated and will now be reviewed at least yearly by the Department. In addition, new written policies and procedures are being developed and will be implemented before the submission of the next MLR for review. B. Agree Implementation Date: January 2023 The Department will add contract language and enforcement mechanisms in order to receive accurate information in a timely manner. This includes specific timelines for correcting incomplete or inaccurate information in order to submit the MLR report timely to the Centers for Medicare & Medicaid Services.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-043 Managed Care Entities? Periodic Audit Reporting On November 9, 2020, CMS adopted a final rule (Final Rule) revising the regulations governing managed care programs. The Final Rule was meant to streamline the existing Medicaid and CBHP managed care regulatory framework. Further, it adopted procedures and standards to ensure accountability and strengthen program integrity safeguards. The Department is responsible for complying with these federal program integrity regulations, some of which include requirements to monitor MCE compliance submission requirements, conduct periodic audits of submitted MCE data, and then post the periodic audits publicly on the Department?s website. These periodic audits are done to determine the accuracy and completeness of the (1) encounter and, (2) financial data submitted by each MCE, which are described as follows: ? Encounter Data. The Department?s contracts with the MCEs require each MCE to submit Medical Encounter Claims (Encounter Data) to the Department. Encounter Data includes services provided by any of the MCE?s providers, including, but not limited to, services delivered by medical groups, practices, clinics, physicians, or any other providers. MCEs must submit Encounter Data on a monthly basis on the last business day of the month. The Department then contracts with an independent external quality review organization to review the information and supporting documentation, and then the external organization issues a report on the data submitted by each MCE. ? Financial Data. The Department?s contracts with the MCEs require each MCE to complete a Department-provided financial reporting template that contains a breakdown of the MCE?s administrative and medical costs for a 12-month period (July through June). These templates are required to be completed and submitted to the Department by January 15 each year. The Department performs an initial review of the information, and then sends the completed templates to an independent CPA firm for final review and issuance of a report on the data submitted by each MCE. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to review the Department?s internal controls over and compliance with federal program integrity requirements for MCEs during Fiscal Year 2021. The audit work included making inquiries of Department staff regarding the Department?s documented policies and procedures over the MCE periodic audits. For each MCE, we reviewed the Department?s MCE contract, the financial reporting template submitted during Fiscal Year 2021, and the report issued by the Department?s contracted independent organization. Lastly, we reviewed the Department?s website to determine whether the Department posted the periodic audit results on their website. How were the results of the audit work measured? Federal regulations [42 CFR 438.602] detail the Department?s responsibilities associated with MCE program integrity. These include the following: ? Federal regulation [42 CFR 602(e)] requires the Department to periodically conduct, or contract for the conduct of, an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by each MCE. ? Federal regulation [42 CFR 438.602(g)(4)] requires that the results of the periodic audits for each MCE be publicly posted on the Department?s website. The Department?s MCE contracts require all MCEs to submit Encounter Data electronically to the Department on a monthly basis. The Department?s MCE contracts also require all MCEs to submit annual financial information, including annual financial statements and the Department provided financial reporting template. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in the Green Book. Under Paragraph 16.01, the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. What problems did the audit work identify? Overall, we found that the Department did not obtain complete financial data from the MCEs during Fiscal Year 2021 and did not post the audited results of the financial data to the Department?s website. Specifically, we found the following: ? Financial Data Reporting Template. For 2 out of the 10 (20 percent) financial reporting templates we reviewed, the MCE did not fill out the reporting template completely. As a result, the reporting templates were missing supporting information and explanations that assist the Department in their initial review of the MCE financial data, such as the MCE?s methodology for calculating administrative and medical costs submitted with the reporting template. ? Posting Incomplete Periodic Audits to the Department?s Website. For 10 of the 10 (100 percent) MCEs, we found that the Department failed to post the results of the financial data audits to its website. Pursuant to federal regulations, the audits must include information on encounter and financial data for each MCE and be posted to the Department?s website. We were able to verify that the Department did, however, post the results of the encounter audits to its website for all 10 MCEs. Why did these problems occur? The Department lacked adequate controls over ensuring compliance with federal program integrity requirements for MCEs. Specifically, the Department did not have written policies and procedures for performing the initial review of the financial data reporting templates before they are sent to the CPA firm for final review. In addition, the Department did not have written policies and procedures for ensuring all periodic audit information is posted to its website, including the results of the financial data audits. Why do these problems matter? As a recipient of federal funds, the Department is ultimately responsible for ensuring that it is in compliance with federal regulations. By not confirming that the MCE financial data templates are complete, there is a risk that the reports issued by the contracted CPA firm could be inaccurate or incomplete, which could lead to the Department not properly monitoring the managed care program. In addition, by posting incomplete periodic audit information to its website, the Department risks failing to comply with federal program integrity requirements for MCEs. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-043 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls by developing and implementing written policies and procedures for periodic audits that detail the process for (1) performing the initial review of the financial data reporting templates submitted by Managed Care Entities, and (2) posting complete periodic audit results on the Department?s website in accordance with federal regulations. Response Department of Health Care Policy and Financing Agree Implementation Date: December 2022 The Department did not have strong enough controls for the initial checks on the financial data reporting templates. This process has been updated and will be rectified in coming cycles. The Department has modified its templates in order to address the concerns provided by the auditors including signatures and supplemental reporting. Written policies and procedures for the validation and audit of the templates are being developed currently and will be in place and effective in December 2022. The Department will be correcting this error by posting the audit results along with other quality and audit reports on the following site: https://hcpf.colorado.gov/quality-and-health-improvement-reports.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-045 Payments for Non-Emergent Medical Transportation ClaimsPrior to July 2020, in 55 counties, the Department worked with various county offices to have them broker Non-Emergent Medical Transportation (NEMT) services for Medicaid recipients, including rides to and from Medicaid medical appointments, personal mileage reimbursement, and trip-related meals and lodging. For example, these counties arranged the rides with transportation providers, submitted the claims or had providers submit claims for reimbursement to the Department, and passed on reimbursements to providers as needed. For the remaining nine counties, the Department contracted with IntelliRide to serve as the NEMT broker for services in those areas. From July 1, 2020, to August 31, 2021, when the Department contracted with IntelliRide to be the statewide broker, most recipients throughout the state scheduled NEMT rides by contacting IntelliRide through its call center, website chat function, or smartphone applications. IntelliRide scheduled rides and assigned transportation providers to them, and had providers upload trip information into IntelliRide?s EcoLane transportation scheduling system. EcoLane maintains information related to recipients? requests for rides and provider trip information, such as the trip date and time, names of the recipient and driver, and scheduled pick-up and destination addresses. IntelliRide submitted claims through the Department?s interChange system (interChange) requesting payments for providers? NEMT services, paid providers for their services, and received reimbursement from the Department. In addition, the Department paid NEMT claims submitted directly by NEMT providers. In Fiscal Year 2021, from July 1, 2020, through February 28, 2021 (the audit period), the Department paid 362,110 claims for NEMT services totaling about $33.2 million, as shown in the following table. In September 2021, the Department plans to transition back to IntelliRide brokering services in nine counties, while the NEMT providers in the remaining counties will broker their own services. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote What audit work was performed and how were the results measured? The purpose of the audit work was to determine whether the Department has ensured that NEMT claims adhere to the following federal and state requirements. ? NEMT trips were to be brokered through, and all claims submitted by, the statewide broker, Intelliride. According to state regulations and the Department?s NEMT Billing Manual, all NEMT trips during Fiscal Year 2021 had to be authorized by the statewide broker, IntelliRide [10 CCR 2505-10 8.014.7.A]. This means that each recipient?s NEMT ride request should have been sent to IntelliRide for approval or authorization before the trip, and any unauthorized trips should ?not be reimbursed or paid? [Billing Manual]. According to the Department, it allowed NEMT providers time to transition to working with IntelliRide because some providers were reluctant to join the statewide brokerage and the Department needed time to onboard providers. By Fall 2020, most providers should have been working with IntelliRide to schedule NEMT rides. The Department told us that six NEMT providers received its express permission to bypass IntelliRide to schedule rides and submit claims directly to the Department because the providers are unique, such as only serving recipients with disabilities or receiving federal grant funding to provide NEMT. To assess whether IntelliRide brokered most NEMT services in the State and submitted the related claims in line with regulations and its contract, we reviewed the Department?s aggregate data for the 128,998 NEMT claims paid from December 2020 through February 2021. ? The Department must pay claims based on accurate service rates and trip mileage. Non-taxi NEMT services, such as wheelchair and mobility vehicle services, have base rates and mileage rates set by the Department. IntelliRide tracks the mileage of each NEMT trip in EcoLane and submits mileage claims to the Department?s interChange system. The Public Utilities Commission (PUC) sets the rate for each permitted taxi provider, which generally includes a rate for the first trip mile and a different rate for each additional mile. According to the Department?s NEMT Billing Manual and NEMT Rate Schedule for Fiscal Year 2021, taxi claims should have been paid at the rate set by the PUC. For example, if a taxi company?s PUC rate was $4 for the first mile and $2 for each additional mile, the Department should have paid $6 for a two-mile NEMT trip claim. To verify that the Department paid NEMT claims based on the correct trip mileage and rates, we reviewed the trip mileage and rates for 362,110 NEMT claims paid from July 2020 through February 2021, and PUC documentation on the taxi rates for permitted taxi companies. ? Claims must be supported with accurate and complete documentation confirming the service provided. Both IntelliRide and providers that submit claims for NEMT services must keep and be able to furnish accurate, complete supporting documentation for all claims [42 USC 1396a(27), 42 CFR ?? 431.17 and 433.32, and 10 CCR 2505-10 8.014.3.C and 8.014.6.B]. For example, a claim must be supported by medical documentation showing that the type of vehicle was needed to transport the recipient, and documentation from the transportation provider showing the trip occurred and when the recipient was picked-up and dropped-off. IntelliRide should only submit a claim to the Department after IntelliRide confirms the trip has been completed and marks the status complete in EcoLane [IntelliRide Policies and Procedures]. If an NEMT provider does not show up for a trip, IntelliRide should mark the trip as ?cancelled? in EcoLane. Payments for Medicaid claims that lack supporting documentation for the services provided are unallowable, meaning they should not be paid. IntelliRide or the Department must maintain documentation from recipients? medical providers showing why certain NEMT services, like transportation in a wheelchair van or with an escort, are medically necessary [10 CCR 2505-10 8.014.7.B and 8.014.5.D.1; Billing Manual]. To verify that there was support for NEMT claims, we reviewed IntelliRide data in EcoLane for all 362,110 NEMT claims paid from July 2020 through February 2021, and Department documentation for a sample of 85 NEMT paid claims?75 selected randomly from the four NEMT service areas of the state, and 10 that were the highest paid NEMT claims. ? NEMT services must be medically necessary. NEMT services shall only be provided to recipients with no other means to attend medically necessary, non-emergency treatment covered by Medicaid [42 USC 1396a(70); 42 CFR 431.53; 10 CCR 2505-10 8.014.5.B]. To verify that NEMT claims were only paid for recipients to access medical care, we reviewed the Department?s data on paid medical claims to determine if the recipients related to 22 sampled NEMT claims paid in December 2020 had a corresponding medical appointment. For another 61 paid NEMT claims that involved IntelliRide scheduling and submitting claims for trips every day in December for two recipients, we reviewed whether the recipients had paid medical claims corresponding with the trips. ? Prior authorization is required for air ambulance. The Department must grant prior authorization for the use of an NEMT air ambulance before the trip occurs in order for the claim to be paid [10 CCR 2505-10 8.014.7.D.1.b]. To verify that the Department granted prior authorization for air ambulance trips, we reviewed the use of air ambulances in 11 paid claims from July 2020 to February 2021. ? Recipients are to receive the least-costly NEMT transportation option appropriate for their medical condition. For example, recipients should only ride in a vehicle for recipients with mobility needs when they have a mobility issue or if there is a lack of access to public transportation [10 CCR 2505-10 8.014.6.B, 42 USC 1396(a(70), and 42 CFR 440.170(a)(4)]. Higher-cost NEMT services, such as ambulance and wheelchair van services, must be supported with documentation of the recipient?s need for the specific higher-cost services [10 CCR 2505-10 8.014.5.B.1.b]. To determine whether recipients received the least costly NEMT services to meet their needs, we reviewed documentation submitted by medical or transportation providers to IntelliRide or the Department for the 85 sampled NEMT claims. ? Taxi providers must be permitted by the PUC to provide NEMT taxi rides. To provide NEMT rides by taxi and receive payment for them, the provider must maintain a common carrier permit issued by the PUC [10 CCR 2505-10 8.014.3.B.4.a]. To verify that the providers that were paid for taxi claims had been permitted to provide taxi services, we reviewed the 33,791 NEMT claims for taxi services from July 2020 to February 2021. What problems were identified? The Department paid $3.5 million directly to 66 NEMT providers for claims that were not brokered by Intelliride. From December 2020 through February 2021, 26,890 of the approximately 129,000 NEMT claims paid by the Department (21 percent), totaling about $3.5 million, were not brokered through IntelliRide, which violated state regulations requiring all NEMT services to be brokered through the statewide brokerage in effect at the time. The following chart shows the amounts the Department paid for claims submitted directly by NEMT providers compared to its payments for claims submitted by IntelliRide from July 2020 through February 2021. During these months, the number of claims that providers submitted directly to the Department decreased as providers transitioned to working with IntelliRide to broker NEMT rides; however, as of February 2021, the Department was still paying about $1 million in monthly claims that were submitted directly by providers. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote The Department paid 36,910 NEMT claims totaling $5.5 million, which either violated or may have violated federal and/or state regulations. The claims were for unallowable services or were overpaid, and resulted in $291,597 in known questioned costs and $5,180,962 in likely questioned costs for Medicaid. A questioned cost is a payment that ?resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds? or ?the costs, at the time of the audit, [that] are not supported by adequate documentation?? [2 CFR 200.84]. A known questioned cost reflects a violation that the auditor confirmed; a likely questioned cost is the auditor?s best estimate of a potential violation [2 CFR 200.516(a)(3)]. Known and likely questioned costs should be investigated by the Department and recovered, as appropriate, because Medicaid overpayments are recoverable regardless of whether they occurred due to an error by the Department, entity acting on behalf of the Department, or a provider [Section 25.5-4-301(2), C.R.S.]. We found the following problems resulting in $291,597 in known questioned costs: ? Claims paid with no support that services were provided. For 3,958 of the 362,110 NEMT claims (1 percent), which totaled $258,115 paid from July 2020 to February 2021, IntelliRide or providers submitted the claims without any documentation showing that recipients received the NEMT services from the providers listed in the claim. The $258,115 is known questioned costs and includes: o 3,323 claims totaling $163,985 submitted by IntelliRide with no documentation in EcoLane of a ride being scheduled or provided. o 619 claims totaling $61,431 submitted by IntelliRide for which EcoLane showed the scheduled ride was cancelled. o 16 sampled claims totaling $32,699 submitted by providers directly to the Department had no documentation that an NEMT service occurred because the providers did not send the Department documentation for their claims. Upon our request, the Department attempted to obtain supporting documentation from providers for these claims but was unable to obtain any. ? Overpayments due to incorrect mileage and taxi rates. For 466 of the 321,099 mileage and taxi claims (less than 1 percent), the Department overpaid IntelliRide. Specifically, for 50 of the 287,308 mileage claims (less than 1 percent), the mileage submitted by IntelliRide that the Department paid was more than the ride mileage that IntelliRide documented in EcoLane. For 416 of the 33,791 (1 percent) claims submitted by IntelliRide on behalf of providers that were permitted to operate as taxis, the Department paid a higher rate than the providers? set PUC rate. The following table breaks out the overpayments that we identified, which totaled $6,759 in known questioned costs. We did not find issues with the rate amounts that the Department paid for non-mileage and non-taxi services. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Examples of these overpayments include: o An overpayment of $48 for a claim submitted by IntelliRide for a taxi provider that billed the wrong taxi rate. The Department paid $60 for a 4-mile trip, when it should have paid $12 based on the PUC rate of $3 per mile. o An overpayment of $79 for a claim submitted by IntelliRide on behalf of a provider because the claim showed the trip was 76 miles, but the EcoLane data showed the trip was 38 miles. The Department paid $157, when it should have paid $78. ? Unallowable rides, not for medical appointments. For 61 claims showing NEMT trips every day in December 2020 for two recipients, there were no medical claims corresponding to their trips, so it appears that either NEMT was used repeatedly to transport these recipients to unallowable destinations or the provider did not provide the trips claimed. The NEMT provider reported to IntelliRide that these trips were completed even though the recipients did not attend any medical appointments that month. IntelliRide submitted the 61 NEMT claims and its EcoLane data showed that the NEMT providers self-reported that the trips were completed. However, IntelliRide confirmed that these trips were not used to access medical care. The issues we identified resulted in $2,674 of known questioned costs. ? Air ambulance claims paid without prior authorization. None of the 11 air ambulance NEMT claims had supporting documentation that the provider requested or received prior authorization from the Department before the trip occurred. These 11 claims to three providers resulted in $23,122 in known questioned costs. ? Claims paid for trips that were not the least costly, medically necessary, and/or for approved escorts. For seven of the 85 sampled claims (8 percent), IntelliRide submitted the claims without having required documentation from medical providers. Specifically, four claims lacked documentation to support the medical necessity for the type of vehicle used (either mobility vehicle, taxi, or wheelchair van); the other three claims lacked documentation of the recipient?s need for an escort to support the associated cost, which indicates that the three sampled NEMT trips were provided to an escort ineligible to ride with the recipient. The issues we identified for the seven claims resulted in $927 of known questioned costs. In addition, we found the following problems resulting in $5,180,962 in likely questioned costs, which are estimated potential violations of federal requirements that we could not confirm due to a lack of documentation: ? $4.8 million paid for taxi claims without mileage. For 29,049 taxi claims totaling $4,763,071, the Department paid the claims without ensuring taxi providers were paid at their PUC per-mile rate. These claims were submitted directly to the Department by 10 permitted taxi providers. The Department required providers to submit claims showing only the number of one-way trips driven, not the number of miles driven. As a result, the Department could not ensure that these taxi claims were paid at the correct PUC rates, as required in its Billing Manual and Rate Schedule. The Department paid the full amount that each taxi provider requested, as long as the claim was not more than $1,000 per one-way trip. For example, the Department paid $4,000 to one taxi provider for a claim showing four one-way trips for a recipient on a single day. Based on the claim amount, the taxi provider would have had to have driven the recipient on four 400-mile, one-way trips that day to justify this amount, because the taxi provider?s PUC rate is $4 for the first mile and $2.50 for each additional mile. Since the Department did not obtain the miles driven for each one-way trip from taxi providers for these 29,049 claims, we could not determine whether the payments were accurate based on each provider?s PUC rate, as required. ? $409,575 paid for taxi claims for providers not permitted as taxis. For 3,284 NEMT claims for taxi services from eight providers, the providers were not permitted by the PUC to operate as taxis. For example, one provider was paid for an NEMT taxi claim for $5,875 for 12 trips, or $490 per trip. Since these providers were not permitted as taxis, they did not have PUC-set taxi rates, so we could not determine how much these providers should have been paid. ? $4,718 paid for trips that may not have been to attend medical services. As of April 2021, 13 of the 22 sampled NEMT claims (59 percent) for trips in December 2020 had no medical claims for dates corresponding to the NEMT trips. Department staff told us that Medicaid medical claims are typically submitted and paid within 3 months of the date of service, but that there is a possibility that medical providers had not yet submitted medical claims for the recipients since federal regulations technically allow providers up to 12 months to submit claims [42 CFR 447.45(d)(1)]. In addition, six of these 13 recipients had both Medicaid and other types of medical insurance, such as Medicare. According to the Department, it is possible that the six recipients used NEMT trips to access medical services but the Department did not have a Medicaid claim for the services because they were paid by the other types of insurance, which is allowed by state regulations [10 CCR 2505-10 8.014.5.B.2]. Therefore, we could not determine whether the NEMT trips associated with the 13 claims had been for recipients to attend medical services. ? $3,598 paid for trips that may not have been completed. For 61 of the 362,110 paid claims (less than 1 percent), the scheduled trips were not marked as complete in EcoLane, so we could not determine whether they had been completed. Why did these problems occur? The Department lacks effective internal controls over NEMT claims to ensure they are appropriate and consistently comply with federal and state requirements. According to federal regulations [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls to provide reasonable assurance that federal funds are spent in compliance with federal requirements. We identified the following areas where Department controls are lacking for NEMT claims: Lack of Department information technology (IT) Controls in interChange ? No IT controls to prevent providers from bypassing broker. From December 2020 through February 2021, the Department paid NEMT providers directly for unsupported NEMT trips because the Department did not have IT controls in interChange to deny claims for trips that were not brokered through IntelliRide, as required at the time. As of September 1, 2021, the Department plans to require only the NEMT providers operating in nine metro-Denver counties to broker trips through IntelliRide, so the Department needs IT controls to ensure providers in these counties work with IntelliRide to schedule all trips and submit related claims. ? Lack of IT and other controls to ensure proper payments for NEMT taxi services. InterChange is programmed to pay each NEMT taxi claim based on one-way trips, but the Department has not implemented an IT or other control to ensure that NEMT taxi claims are paid at the providers? current PUC-approved per-mile rates, and that the Department only pays taxi rates when the provider is permitted by the PUC to operate as a taxi. Department staff stated that the only IT control the Department has built into interChange to help ensure proper payment of taxi claims is limiting payments for taxi claims to no more than $1,000 per one-way trip, and that this control is in accordance with the NEMT Billing Manual and Rate Schedule. However, Department staff also acknowledged that there is a conflict within the Billing Manual that requires taxi claims to be based on the number of one-way trips, but also paid based on per-mile PUC rates. By setting the limit based only on the number of one-way trips instead of providers? PUC per-mile rate, this Department IT control is not effective at ensuring taxi claims are paid properly. To ensure accurate payments for NEMT taxi claims, the Department will need methods, such as IT controls in interChange, and clarification in the Billing Manual and Rate Schedule, to ensure taxi providers are paid based on set rates, and ensure each taxi provider is permitted. ? No IT controls to ensure required prior authorizations. Air ambulance services were paid without the Department?s prior authorization for the services because the Department does not have IT controls to ensure prior authorization before payment. If the Department does not implement IT controls to ensure appropriate prior authorizations of NEMT services, the Department will need to develop manual processes to ensure that NEMT services receive required authorization prior to paying the related claims. Lack of Department Monitoring of NEMT Services and Claims ? Insufficient methods to ensure appropriate payment and collect necessary documentation from providers that bypass the statewide brokerage. Although the Department reviewed NEMT provider supporting documentation for NEMT services in 2019, the Department did not do so in 2020 or 2021, and had no process to require the providers that bypassed the statewide brokerage to submit documentation to support their NEMT claims before they were paid. According to the Department, in September 2021, it plans to require providers in nine counties covered by the IntelliRide brokerage contract to provide and submit claims through IntelliRide; however, NEMT providers in the remaining 55 counties will be submitting NEMT claims directly to the Department. Therefore, it is important that the Department develop a process to ensure that providers in these 55 counties maintain required documentation for each claim. ? Lack of monitoring to ensure Intelliride submits accurate mileage claims and collects necessary documentation. The Department does not conduct reviews of IntelliRide?s documentation in EcoLane to ensure it submits claims for accurate mileage and maintains support for claims submitted to or paid by the Department. For example, the Department does not reconcile its NEMT claims data from interChange and IntelliRide?s EcoLane system data to ensure each claim is supported. Furthermore, the Department has never completed a file review of IntelliRide?s supporting documentation for NEMT claims, such as when the Department contracted with IntelliRide to be a regional broker prior to becoming the statewide broker. ? No method to ensure NEMT service claims are for rides for medical treatment and the least costly. The Department does not conduct any reconciliation of its interChange data on NEMT trip claims to its interChange data on Medicaid medical claims to ensure NEMT claims are only paid for recipients to access medical care. The Department also does not require confirmation from medical providers that recipients used NEMT to access necessary medical care. For example, NEMT providers told us that before the start of the IntelliRide statewide brokerage contract, they either called medical providers to confirm that the recipients? NEMT trips were to access medical appointments or collected medical providers? signatures for each NEMT trip. In addition, the Department has no controls to ensure providers that submit claims directly to the Department are providing the least costly NEMT service appropriate to each recipient, such as public transportation when it is accessible and appropriate. For example, IntelliRide instructs its staff to attempt to schedule the lowest-cost NEMT service based on recipients? mobility needs and access to public transportation; however, the Department has no such method to ensure services are the least costly when NEMT providers schedule services for recipients. As of September 2021, the Department plans to have the recipients who live in the 55 counties not served by IntelliRide begin scheduling their rides directly with the NEMT providers of their choosing, yet the Department has not developed a method to ensure recipients in these areas receive the lowest-cost services appropriate for their needs. ? Potentially insufficient Department staffing to monitor NEMT claims effectively. For Fiscal Year 2021, the Department was appropriated three full-time equivalent (FTE) staff to oversee NEMT claims; however, the Department had two vacancies in these positions from July 2020 through May 2021 that it did not fill, so there was only one Department staff overseeing NEMT and the IntelliRide statewide contract during the audit time period. In June 2021, the Department added an additional FTE staff member to assist in administering the NEMT benefit. Why do these problems matter? Likely federal recovery of funds used for improper payments. Section 25.5-4-301(2), C.R.S., states that any overpayments of claims to providers are recoverable and ?are recoverable regardless of whether the overpayment is the result of an error by the state department? an entity acting on behalf of [the department], or the provider or any agent of the provider.? Our audit identified $291,597 in known questioned costs, of which about $145,797 is the federal portion of funds that the federal government may recover. We also identified $5,180,962 in likely questioned costs, of which $2,590,480 is the federal portion of funds that could be recovered if the payments are determined to have not been appropriate. The following table shows the questioned costs and federal portions for each problem we identified. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote When providers bypass broker controls, service quality is not monitored. When the Department allows some NEMT providers to bypass the IntelliRide broker, and does not obtain documentation to support their claims, the Department is unable to monitor the services of these providers. Additionally, when the Department does not monitor providers that bypass the statewide broker, the Department is applying different and possibly inadequate standards for the providers that bypass compared to the providers that work with IntelliRide. Although the Department plans for IntelliRide to no longer be the statewide NEMT broker for all 64 counties beginning September 2021, IntelliRide will continue to administer NEMT trips for nine Front Range counties that account for the majority of NEMT trips. It is important that all NEMT trips in these counties be brokered through IntelliRide so that the Department can monitor the quality of the trips and IntelliRide?s oversight of them. Risk of fraud, waste, and abuse. When the Department pays NEMT claims that are not supported by documentation of the service, medical documentation showing NEMT was for medical treatment, or the required prior authorizations, there is a significant risk of misappropriation of federal and state funds by providers and/or recipients. In addition, the eight providers not permitted as taxis that submitted taxi claims appear to have set their own rates of payment at a significantly higher rate, since the PUC did not permit or set rates for these providers. While we did not identify confirmed fraud by recipients or providers due to a lack of supporting documentation for claims, the problems identified demonstrate waste of public funds and potential abuse of the Medicaid program. When the Department overpays Medicaid funds and pays for unallowable services, there are fewer funds available to service the recipients who need them. In addition, there is no federal or state limit on payments for NEMT services, so it is important that the Department ensure Medicaid recipients receive appropriate transportation to medical treatment, while also ensuring the Department is acting as a good steward of federal and state funds. See Schedule of Findings and Questioned Costs for chart/table Character Limit Exceeded See Statewide Single Audit Report
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-056 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-044 PROVIDER ELIGIBILITY Medicaid and CBHP cover a variety of medical and related services, which are provided by provider types such as clinics and hospitals, managed care organizations such as health plans or independent physicians, as well as individual medical providers working within these entities or individually. As of June 30, 2019, the Department had enrolled approximately 71,000 entities and individuals for providing services under Medicaid and CBHP. The Department is ultimately responsible for determining if providers are eligible to participate in Medicaid and CBHP. However, the Department has contracted with a fiscal agent, currently DXC Technology Services, LLC (DXC), to act on its behalf in determining Medicaid and CBHP provider eligibility. A fiscal agent is a contractor that performs certain provider enrollment and claims processing activities, including accepting, processing, evaluating, and approving or rejecting applications. The fiscal agent also assesses the providers into one of three risk categories?limited, moderate, and high?to ensure that appropriate federal and state regulations are applied during the provider enrollment process. Providers that want to enroll must complete an application within Colorado interChange and provide documentation, including a current business and/or medical license, showing that they fulfill all enrollment requirements. Once the enrollment process is complete, the Department enters into agreements with the providers that are found to be eligible. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over Medicaid and CBHP provider eligibility and enrollment processing, and to determine whether the Department complied with federal Medicaid and CBHP provider eligibility requirements during Fiscal Year 2019. Additionally, the purpose of our work was to determine the Department?s progress in implementing our Fiscal Year 2017 and 2018 recommendations related to provider eligibility and enrollment. At that time, we recommended that the Department improve its controls over Medicaid and CBHP provider eligibility determination and enrollment to ensure that it complies with federal and state requirements related to data verification, documentation including current provider licenses, monitoring policies and procedures, appropriate indication of results of database matches, and consistent display of provider information within Colorado interChange. The Department agreed with our recommendations and stated that it would implement them by Fiscal Year 2019. We reviewed a sample of 25 Medicaid provider applications for individual, company, and managed care providers that were deemed eligible and received payments during Fiscal Year 2019 through Colorado interChange for services provided. We obtained and reviewed the provider application information entered into Colorado interChange, as well as the supporting documentation uploaded into Colorado interChange by providers, to determine whether these providers were accurately deemed eligible to receive Medicaid payments and whether the required documents were present in accordance with federal and state regulations. In addition, we conducted interviews with Department staff regarding its procedures over Medicaid provider eligibility and enrollment. We also obtained a detailed Suspension Listing from the Department of Regulatory Agencies, which contained health care provider business and medical licenses that were terminated during Fiscal Year 2019. We compared the Suspension Listing with provider information in Colorado interChange to determine if the Department made inappropriate claims payments to unlicensed providers during the fiscal year. Because CBHP is operated through Medicaid, and the processes followed for provider eligibility and enrollment for CBHP providers are the same as the processes for Medicaid providers, our testing looked at compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal and state Medicaid regulations for provider eligibility during Fiscal Year 2019. Specifically, although we did not identify enrollment issues with the Department?s processing of providers who were newly enrolled during Fiscal Year 2019, we found at least one issue related to ongoing eligibility with all 25 sampled providers we tested: ? DATABASE MATCHES AND DISPLAY OF PROVIDER INFORMATION. We identified the following database match functionality issues with 24 of 25 providers (96 percent) tested: ? For 23 of 25 providers (92 percent) that included individual, company, and managed care providers, Colorado interChange showed that the provider?s owners, agents, and managing employees? SSNs were not verified against federal databases, as required. Specifically, the SSN check box within Colorado interChange indicated ?N,? meaning ?No verification was performed with the database.? Additionally, for one of 25 providers (4 percent) that was a managed care organization, the organization was enrolled in Colorado interChange in April 2019 and showed that the SSNs had been verified, but SSNs for two individuals who worked under this provider that were listed on the application were shown as ?N? within the system. ? For eight of 25 providers (32 percent) that included companies, Colorado interChange showed that the providers? Federal Employee Identification Numbers (FEIN) were not verified against federal and state databases, as required. Specifically, the FEIN check box within Colorado interChange indicated ?N.? ? For 13 of 25 providers (52 percent), Colorado interChange did not present the data of owners, agents, and managing employees information consistently between various screens within Colorado interChange. For example, when a provider noted owners, agents, or managing employees on its application, that information was not reflected in Colorado interChange outside of the application screen even though there is a section in Colorado interChange that should list the owners? information. According to federal regulation [42 CFR 455.436] and requirements established by the ACA [Patient Protection and Affordable Care Act (2010), Section 6401(a)], the Department must check federal databases to confirm providers? identity and determine whether providers are excluded from participating in the Medicaid program; this verification must also occur, if applicable, against providers? owners, agents, and managing employees. For example, the Department must check the federal exclusion databases at least monthly to ensure that the providers, owners, agents, and managing employees are not excluded from participating in the Medicaid program. Colorado interChange is designed to display provider application information consistently between various screens within the system, such as name, SSN, FEIN, and/or National Provider Identification number (NPI), with various federal and/or state databases to identify potential errors and to flag the application for a required caseworker manual review. According to Department staff, when Colorado interChange successfully verifies provider-provided information against another state or federal database, Colorado interChange should separately mark each verified data field on the application to note the successful match. Conversely, if Colorado interChange does not match a given field against a database, it should also be identified in the system. As a result of these issues, we were unable to determine if Colorado interChange performed the required matches and if any discrepancies in provided information were identified and presented to DXC, the fiscal agent, for a manual review to verify eligibility, as required. ? DOCUMENTATION. The Department did not maintain sufficient documentation within Colorado interChange for the receipt date of the fingerprints from the provider, the collection of application fees, and site visits, as follows: ? For four of 25 providers (16 percent) tested, the Department?s fiscal agent failed to fill in the receipt date field within Colorado interChange to indicate when fingerprints were received from enrolling providers. After bringing this issue to the Department?s attention, the Department provided fingerprinting documentation in November 2019 to support that these providers submitted fingerprints within 30 days of Department request in accordance with federal regulation; however, that receipt date information had not been documented in Colorado interChange as of November 2019. ? For one of 25 providers (4 percent) tested, the provider was assessed as high risk but the provider?s file did not contain evidence that an application fee was collected or that the fiscal agent conducted a site visit, as required. Under federal requirements [Sub Regulatory Guidance for State Medicaid Agencies (SMA): Revalidation (2016-001(3))], the Department ?must be able to produce documentation to support each of the provider screening and enrollment requirements,? such as requirements for fiscal agent-conducted site visits of moderate and high risk providers during the enrollment and revalidation process. Federal regulation [42 CFR 455.432] states that the State Medicaid Agency or their fiscal agent must conduct pre- and post-enrollment site visits of providers who are deemed as moderate or high risk to the Medicaid program. The purpose of the site visits is to verify that the information submitted to the state Medicaid agency is accurate and to determine compliance with federal and state enrollment requirements. Additionally, the Department?s contract with DXC requires the fiscal agent to maintain detailed documentation and procedures for Medicaid provider enrollment. Federal regulation [42 CFR 455.434] requires that, for any provider assessed by the Department as high risk, the Department must obtain fingerprints from the provider, including fingerprints for any person(s) who has a 5 percent or more direct or indirect ownership interest in the provider and furnishes medical or pharmaceutical services or supplies. The provider must submit the fingerprints within 30 days, upon request by the Department. Federal regulation [42 CFR 455.460(a)] states that the Department must collect the applicable application fee prior to executing a provider agreement from a prospective or re-enrolling provider, with certain limited exceptions. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal control over its federal awards that provides reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Green Book Paragraph 16.01, Perform Monitoring Activities, which states that the Department ?should establish and operate monitoring activities to monitor [its] internal control system and evaluate the results.? Monitoring activities include reviewing reports, observing operations, and ensuring that activities are carried out in accordance with the federal grant agreement. ? INELIGIBLE PROVIDERS: Based on our review of the suspended license listing from the Department of Regulatory Agencies, we identified three providers that had their licenses suspended during part of Fiscal Year 2019 but continued to be shown as active in Colorado interChange, as follows: ? One provider had its license suspended between February 11, 2019, and March 27, 2019; however, during this timeframe, the provider continued to bill claims and receive payments from Colorado interChange. After we questioned the Department about the issue, the Department issued a demand for payment letter dated October 18, 2019, to the provider for $15,061 in payments that were inappropriately paid. We consider these $15,061 payments to be known questioned costs; $7,531 of these payments were made with federal grant funds. ? Two providers had suspended licenses as of September 21, 2018, and February 25, 2019, respectively, but showed as active in Colorado interChange through June 30, 2019, and therefore appeared eligible to bill claims and receive payments. Based on additional testing, we determined that no payments were made to these providers after their licenses were suspended and did not identify any questioned costs associated with these two providers. Federal regulation [42 CFR 455.412] requires that the Department must have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State and confirm that the provider?s license has not expired and that there are no current limitations on the provider?s license. This federal regulation requires the Department to verify that the providers meet required licensure standards initially, and it is best practice for the Department to verify that the providers meet these standards on an ongoing basis to ensure that there are no current limitations on the provider?s license. In addition, state regulation [10 CCR 2505-10 8.125.9, Verification of Provider Licenses] states, ?If a provider is required to possess a license or certification in order to provide services or supplies in the State of Colorado, then that provider must be so licensed as a condition of enrollment as a Medicaid provider. As a condition of enrollment, any required licenses must be active without any current limitations.? Under the federal regulation, Requirements for Estimating Improper Payments in Medicaid and CHIP [42 CFR 431.958], ?Improper payment means any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements; and payment means any payment to a provider, insurer, or managed care organization for a Medicaid or CHIP beneficiary?? WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls in place over provider eligibility and claims payment processes related to the monitoring of DXC, its fiscal agent, during Fiscal Year 2019 to ensure that it complied with federal and state regulations. Specifically, Colorado interChange required fixes that were in various stages of correction during Fiscal Year 2019. According to the Department, Colorado interChange required a system fix in December 2018 in order to properly mark and/or display results related to federal and state database checks going forward; however, the system fix did not completely resolve the display issues to accurately indicate whether the data matches had occurred, and the Department did not retroactively make corrections to any cases that erroneously indicated that their information had not been verified. Rather, the Department stated that the inconsistent display issue related to providers that enrolled in the program when Colorado interChange was initially implemented and that this will be addressed after these providers are revalidated in Fiscal Year 2020 or when a provider updates their information, whichever occurs first. Additionally, the Department indicated that Colorado interChange did not have an automated system alert to check with the Department of Regulatory Agencies? license database on a regular basis to notify the fiscal agent and/or the Department that a license had expired. Although the Department reported that they had an interim manual process to ensure that expired licenses were identified and that subsequent steps were taken to ensure that providers remained eligible throughout the fiscal year to provide Medicaid services, the manual process did not identify and/or address the instances that we identified through our audit. Finally, we noted that the Department lacked an effective monitoring process over DXC, its fiscal agent, to ensure that the required documentation was maintained in accordance with Uniform Guidance, as the monitoring policies and procedures referred to as Provider Enrollment Audit Process were still in the draft stage during Fiscal Year 2019 and had not been formalized. WHY DO THESE PROBLEMS MATTER? By not ensuring that appropriate internal controls, including system controls and monitoring, are in place over the Medicaid provider eligibility and enrollment processes, the Department cannot ensure that all Medicaid providers are eligible or qualified to participate in the program. Additionally, without instituting a process to regularly update provider licensure information and to ensure that provider information contained in Colorado interChange is consistent and accurate, the Department cannot ensure that the enrolled providers are appropriately screened and are eligible to receive payments. Ensuring that providers contained in Colorado interChange are qualified to provide services is especially important because Colorado interChange is also used for provider eligibility determination for CBHP. Overall, the State could risk losing federal Medicaid and CBHP funding if it allows non-qualified providers to bill and be paid for services provided for these programs. RECOMMENDATION 2019-046 The Department of Health Care Policy and Financing (Department) should improve its controls over Medicaid and Children?s Basic Health Plan (CBHP) program provider eligibility determination and enrollment to ensure that it complies with federal and state requirements by: A Working with its fiscal agent to ensure that Colorado interChange performs all required database matches and properly displays results of Social Security Number and Federal Employer Identification Number verifications for all providers. B Establishing an effective process to ensure that provider licensing information contained in Colorado interChange is current, that any expired licenses are identified, and that any ineligible providers are disallowed from providing Medicaid and CBHP services and receiving payments in accordance with Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). C Formalizing the Department?s monitoring policies and procedures called Provider Enrollment Audit Process over the fiscal agent to ensure required documentation is maintained in accordance with Uniform Guidance. D Ensuring that Colorado interChange displays provider information consistently throughout the system. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department is working with its Fiscal Agent to ensure all required database screenings are performed and clearly identified in the Colorado interChange. An issue was identified in a prior year, FY 2018-19, that not all screening information was consistent. There was also a concern that initial screenings might miss some individuals due to the way data was formatted when transferred from LexisNexis. The issue was resolved by the Fiscal Agent prior to FY 2019-20. The Fiscal Agent is continuing to conduct manual reviews of all screening results to ensure compliance. A separate process to screen providers monthly is executed by the Department's Program Integrity Section. Through this process, no providers were found to have been enrolled incorrectly and, as necessary, the Department took appropriate action if there were changes to a provider's information. The Department is working with its Fiscal Agent to properly display results of Social Security Number and Federal Employer Identification Number verifications for all providers and automate the review process. The Department's implementation date reflects that the Department will complete the improvements and be in compliance with the Recommendation for the entirety of FY 2022-23. B DISAGREE. The Department finds that the Colorado interChange is working as designed, that the Fiscal Agent is appropriately enrolling providers, and that the Department is in compliance with the federal regulations regarding enrolling and revalidating providers. The Department is compliant with 42 CFR ? 455.436, which requires providers to be screened at enrollment and revalidation. All providers are assessed for eligibility requirements at enrollment and revalidation and are then screened monthly to identify any changes. For the licensing issue identified in this audit report, the Department performed the appropriate actions to recover funds within less than a month of the incident, which is compliant with federal regulation 42 CFR ? 455.436(c)(2). AUDITOR?S ADDENDUM: As noted in the finding, we found issues with the Department?s ongoing verification and monitoring of providers? eligibility that failed to prevent improper payments to an ineligible provider during the fiscal year. In addition, the Department did not send notification to recover funds from the provider until October 2019, or 8 months after the provider?s license was suspended. C AGREE. IMPLEMENTATION DATE: JULY 2020. The Department finalized the Fiscal Agent monitoring policies and procedures in December 2019 and therefore was unable to be in full compliance for the entire FY 2019-20. The Department's implementation date reflects that the Department will be in compliance with the Recommendation for the entirety of FY 2020-21. D DISAGREE. There was an initial system configuration on some early enrollments that prevented populating the requested information in the visible provider subsystem tabs for the auditor to review. The verification functionality happens within the provider portal and not in the visible provider subsystem tabs that the auditor reviews. However, no functionality or data was lost, the information only appeared and was stored in the provider portal. The Department implemented a solution so that the information will be displayed in the provider subsystem. This change is pending the next update the providers make and the data will be visible in the provider subsystem. The Department will not be making historical changes to the system. The Department has worked with the Fiscal Agent to resolve the issues which led to the finding and does not believe that expending additional resources to display historical information in both the provider portal and the provider subsystem is the best use of resources. The Department can produce the information manually. AUDITOR?S ADDENDUM: The data inconsistency issues we identified through our audit were based on our reviews of Colorado interChange through the access provided to us by the Department. As noted in the finding, inconsistent information within the provider eligibility screens used for Medicaid and CBHP increases the risk of inaccurate reviews of provider eligibility and ultimately, inappropriate enrollment screening. Therefore, as our recommendation states, the Department should ensure that Colorado interChange displays provider information consistently. The recommendation did not include restatement of historical information.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-048 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-035 MEDICAL ASSISTANCE PAYMENTS FOR DECEASED BENEFICIARIES As a safeguard against potential errors and fraud, state and local agencies need to be vigilant in preventing payments for medical services on behalf of ineligible individuals, such as those who are deceased. In general, the Department, local counties, and MA sites share responsibility for ensuring that only eligible beneficiaries receive public assistance benefits under Medicaid and CBHP. Local counties and MA sites caseworkers enter the required data for eligibility determination into CBMS, which either approves or denies eligibility for MA benefits. In addition, CBMS has various system interfaces to confirm and update the eligibility information in CBMS, including the date of death. Eligibility data in CBMS feeds daily into Colorado interChange and the Department pays providers through two methods: (1) FFS payments to medical service providers for specific services, including pharmacy prescriptions, and (2) capitation payments. The monthly capitation payments are paid at the beginning of each month regardless of whether the providers serve beneficiaries during the month or not. FFS payments are only made for Medicaid beneficiaries while capitation payments are made for both Medicaid and CBHP beneficiaries. Colorado interChange is programmed to pay FFS and monthly capitation payments only on behalf of beneficiaries that are deemed eligible based on eligibility information received from CBMS and requirements specified in federal and state regulations. CBMS receives beneficiary death information through various sources, including updates from beneficiaries? family members, daily interfaces with the SSA, and a monthly interface with the Colorado Electronic Death Registration System maintained by the Colorado Department of Public Health and Environment (CDPHE). If death information received in CBMS has not been verified, the Department will confirm the death information by sending notification letters to the deceased beneficiary. Once the death information is verified, CBMS is programmed to terminate the beneficiary?s eligibility as of the date of death. On a daily basis, CBMS then sends updated beneficiary eligibility and date of death information to Colorado interChange, which is programmed to run a daily automated process to stop payments, check for payments, and recover all FFS and capitation payments made after the beneficiary?s verified date of death. In the majority of cases, there is a delay between when the beneficiary dies and when the Department receives death information, verifies the date of death, and terminates benefits; which means that claims may be paid on behalf of deceased beneficiaries for a period of time. Per federal regulations, the Department is required to recover any payments made on behalf of these beneficiaries after their date of death. Once the Department receives verified death information, overpayments are recovered through an automated process in Colorado interChange. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over Medicaid and CBHP payments related to beneficiaries who die while receiving benefits, to determine whether the Department complied with applicable federal and state requirements, and whether payments were only made on behalf of eligible beneficiaries during Fiscal Year 2020. During our audit, we received a listing of all Coloradans who died during Fiscal Year 2020, including dates of death, from CDPHE staff. We also obtained a listing from the Department of all Medicaid and CBHP payments made to providers during Fiscal Year 2020. We compared the two listings using Social Security Numbers (SSN) and identified 1,059 Medicaid and CBHP IDs that had Medicaid payments totaling $429,951 made on their behalf and $194 in CBHP payments made on their behalf. In addition, we reviewed the Department?s processes, policies, and procedures for identifying, stopping, and recovering payments for deceased beneficiaries. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? Federal regulation [42 CFR 431 Subpart Q, Requirements for Estimating Improper Payments in Medicaid and CHIP] states that any payment to an ineligible beneficiary is considered an improper payment, which is any payment that should not have been made or that was made in an incorrect amount. Also, Section 25.5-4-301(2), C.R.S., requirements for Medicaid and CBHP, states that any overpayments of claims to providers are recoverable. These overpayments ?are recoverable regardless of whether the overpayment is the result of an error by the state department, a county department of human or social services, an entity acting on behalf of either department, or by the provider or any agent of the provider.?? Additionally, Section 25.5-4-301(2)(a)(II), C.R.S., states, ?If the state department makes a determination that such overpayment has been made for some other reason than a false representation by the provider?, the state department may waive the recovery or adjustment of all or part of the overpayment and accrued interest specified in this subparagraph (II) if it would be inequitable, uncollectible or administratively impracticable?.? Because medically necessary services cannot be provided after a beneficiary?s death, no medical services are allowable after a beneficiary?s death and, accordingly, payments for medical services claimed to have been provided after a beneficiary?s death are overpayments and should be recovered. Pursuant to 1903(d)(2)(C) of the Social Security Act [42 U.S.C. 1396b] requirements for Medicaid and CBHP, states have up to 1 year from the date of discovery of any overpayment to recover or attempt to recover the overpayment before the federal share must be refunded to CMS, regardless of whether or not recovery is made from the provider. According to federal regulation [45 CFR 75.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. Green Book, Paragraph 16.01, states that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. A questioned cost, as defined in Uniform Guidance [45 CFR 75.2], is ?a cost that is questioned by the auditor ? (1) Which resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds; [or] (2) Where the costs, at the time of the audit, are not supported by adequate documentation?.? Additionally, federal regulation [45 CFR 75.516] defines known questioned costs as questioned costs that are specifically identified by the auditor and likely questioned costs as the auditor?s best estimate of total questioned costs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We found that the Department made Medicaid and CBHP payments to providers for medical services claimed to have been rendered to Medicaid and CBHP beneficiaries after the months in which beneficiaries died. Specifically, the Department made payments on behalf of 1,059 beneficiaries after their date of death provided by CDPHE, resulting in overpayments of $185,265, of which $96,952 were paid with federal grant funds, as follows: MEDICAID FFS PAYMENTS. We identified 277 Medicaid beneficiaries whose SSN matched a death record from CDPHE and who had Medicaid FFS payments totaling $207,667 paid on their behalf to providers after their date of death. We reviewed payments for 21 of the 277 Medicaid beneficiaries and confirmed with the Department that 17 of the 21 beneficiaries (81 percent) were deceased and had payments made on their behalf after their date of death during Fiscal Year 2020. We also found that the Department had not recovered these improper FFS payments to ineligible beneficiaries as of the end of Fiscal Year 2020 and, therefore, these errors resulted in known questioned costs of $17,041, of which $8,654 was paid with federal grant funds. For the remaining four Medicaid beneficiaries, the Department researched and provided evidence that the beneficiaries were not deceased. Therefore, these four beneficiaries did not result in questioned costs. The remaining 256 beneficiaries whose SSN matched a death record from CDPHE and need to be researched and verified resulted in likely questioned costs of $77,840, of which $41,422 was paid with federal grant funds. MEDICAID AND CBHP CAPITATION PAYMENTS. We identified 846 Medicaid and CBHP beneficiaries whose SSN matched a death record from CDPHE and who had capitation payments paid on their behalf to providers after their date of death that had not been recovered as of the end of Fiscal Year 2020, totaling $222,630 for Medicaid and $194 for CBHP. We informed the Department of the issues we identified and provided them with the list of 846 beneficiaries. Department staff performed additional follow-up and confirmed that Colorado interChange had received verified death records for 747 of the 846 beneficiaries and a total of $170,747 in provider payments had been made on the beneficiaries? behalf after their dates of death during Fiscal Year 2020. These payments resulted in known questioned costs of $168,224, of which $88,150 was paid with Medicaid federal grant funds and $148 was paid with CBHP federal grant funds. For 12 out of the 747 beneficiaries, the date of death reported in Colorado interChange differed from the date of death provided by CDPHE. Part of the payments to these beneficiaries resulted in likely questioned costs of $2,524, of which $1,401 was paid with Medicaid federal grant funds. For the remaining 99 of the 846 beneficiaries, the Department reported that Colorado interChange did not have death information for these beneficiaries and had not researched these further. As a result, Medicaid payments for these 99 beneficiaries are reported as likely questioned costs of $52,076, of which $28,508 was paid with federal grant funds. The following table summarizes the issues we identified. See Schedule of Findings and Questioned Costs for chart/table. WHY DID THESE PROBLEMS OCCUR? Overall, the Department lacked sufficient internal controls to ensure that medical assistance payments were not paid to deceased individuals during Fiscal Year 2020, as follows: ? LACK OF WRITTEN POLICIES AND PROCEDURES. The Department does not have written policies and procedures to monitor payments to deceased beneficiaries, to recover overpayments, and to ensure compliance with federal and state regulations related to medical assistance payments after a beneficiary?s date of death. ? SYSTEM ISSUES. We identified the following Colorado interChange system issues that caused the errors we identified: ? According to the Department, when Colorado interChange was implemented in 2017, it was programmed to only recover capitation payments in the current month and previous 2 months for Medicaid beneficiaries, and in the current month and previous 5 months for CBHP beneficiaries, after death information is received. As a result, for instances in which the Department received and verified beneficiaries? death information more than 3 months after the date of death for Medicaid and more than 6 months after the date of death for CBHP, the Department was not automatically recovering all improper capitation payments in accordance with federal and state regulations. According to the Department, in November 2020, the Department updated Colorado interChange to correct this system issue to recover all capitation payments after a beneficiary?s date of death. ? The Department lacks an effective internal control process for detecting when Colorado interChange is not recovering payments made on behalf of deceased beneficiaries. Specifically, we identified issues related to Medicaid FFS payments and followed up with the Department. Upon further review, the Department discovered a system defect that occurred from October 23, 2019, through April 23, 2020, which prevented Colorado interChange from carrying out the daily automated check and recovery process for FFS payments made on behalf of deceased beneficiaries. Due to this system defect, Colorado interChange did not recover any payments for deceased beneficiaries during this time. Although the system defect was fixed in April 2020, the Department was not aware of the issue and that payments were not being recovered for deceased beneficiaries until the Department researched the beneficiaries identified through the audit. According to the Department staff, as of May 2021, the Department was still researching the deceased beneficiaries impacted by the system defect and recovering payments. WHY DO THESE PROBLEMS MATTER? Without strong internal controls over Medicaid and CBHP eligibility, the Department increases the risk of improper payments due to fraud or error. Furthermore, making payments on behalf of ineligible individuals, including individuals who are deceased, can result in the Department having to repay the federal government for the federal portion of the overpayments. Additionally, the federal government can disallow federal funds for program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-035 The Department of Health Care Policy and Financing should improve its internal controls over Medicaid and Children?s Basic Health Plan (CBHP) payments for deceased beneficiaries by: A Establishing and implementing written policies and procedures to monitor payments to deceased beneficiaries, recover any overpayments, and to ensure compliance with state and federal regulations. B Researching and resolving the Colorado interChange system (Colorado interChange) issues to ensure that all Medicaid and CBHP payments are stopped and recovered after a beneficiary?s date of death and developing a process to detect when Colorado interChange is not recovering payments on behalf of deceased beneficiaries. C Researching and recovering any overpayments made to providers on behalf of ineligible beneficiaries noted through the audit in accordance with state requirements. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will create written procedures documenting system and monitoring processes used to prevent claims from paying after a beneficiary?s date-of-death is verified. In addition, the procedures will document the processes used to recover payments made between a beneficiary?s verified date-of-death and the date the Colorado interChange system is updated with the date-of-death. B AGREE. IMPLEMENTATION DATE: JULY 2022. The system issues described in this audit were resolved as of April 2020 for fee-for-service claims and November 2020 for capitation payments. Once a beneficiary's date-of-death is verified, payments that were made after to the date-of-death will be recovered through the Department's existing processes. As noted in the Department?s response to Recommendation (A), the Department will create written procedures documenting system and monitoring processes used to prevent claims from paying after a beneficiary?s date-of-death is verified. In addition, the procedures will document the processes used to recover payments made between a beneficiary?s verified date-of-death and the date the Colorado interChange system is updated with the date-of-death. AUDITOR?S ADDENDUM As noted in the finding, the Colorado interChange system defect did not recover payments from October 23, 2019, through April 23, 2020. However, the Department was not aware of the system defect until it researched the beneficiaries identified through the audit. According to Department staff, as of May 2021, the Department was still researching the beneficiaries that were impacted by the system defect and recovering payments. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will recover any overpayments made to providers on behalf of deceased beneficiaries once a beneficiary's date-of-death is verified based on our current processes and existing system functionality. The Department does not agree to the questioned costs identified by the auditors. When performing a review of the auditor?s data, several beneficiaries were found not to be deceased by the Department. The records provided by the auditors, like all records received from Colorado Department of Public Health and Environment (CDPHE) and the Social Security Administration (SSA), will go through the Department?s existing verification process. The Department performs the required research and outreach to beneficiaries to verify the date-of-death prior to updating the information in the Colorado interChange. In addition, the Department is not required to recover payments by the end of the state fiscal year, and reports any payments recovered to the Centers for Medicare and Medicaid Service (CMS) based on federal requirements. The Department?s source of beneficiary data, the verification processes, and recovery processes have already been established to satisfy this recommendation within federal guidelines. AUDITOR?S ADDENDUM As noted in the finding, all known questioned were for deceased beneficiaries that were verified by the Department. All likely questioned costs were for beneficiaries that had yet to be researched and verified by the Department. According to Department staff, as of May 2021, the Department was still researching and recovering payments made on behalf of deceased beneficiaries.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-050 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-037 RECOVERING AND REFUNDING OF FEDERAL SHARE OF MEDICAID AND CBHP PROVIDERS? OVERPAYMENTS The Department pays providers for services rendered to eligible beneficiaries of Medicaid and CBHP programs. In some cases, the Department may discover that it paid a provider for unallowed services, or that it paid more than the allowable amount, and will need to seek a recovery for the overpayment. In such cases, the Department is required to repay CMS for the portion of the overpayment that was funded by the federal government (federal share) within 1 year of the date the overpayment was identified. The Department?s Program Integrity (PI) Division identifies, receives, and tracks overpayments made to Medicaid and CBHP providers. An overpayment is identified once the PI Division sends a Demand Letter (date of discovery) to the provider or receives a self-disclosure identifying the amount of overpayment. The provider has a deadline of 30 days after receiving a Demand Letter or 60 days after submitting a self-disclosure to submit the overpayment or make arrangements for a payment plan with the PI Division. The PI Division uses a recovery tracking spreadsheet (Spreadsheet) to compile all necessary information for the recovery and refund of overpayments. The Spreadsheet is designed to contain information such as the amount of the overpayment, date of discovery, and deadlines for refunding to CMS. The federal share of overpayments that must be refunded to CMS depends upon the Federal Medical Assistance Percentage (FMAP) at which the Department was reimbursed. Once the PI Division recovers an overpayment from the provider, it determines the FMAP and includes it in a recovery form called the Colorado Authorization Document; PI Division staff then send it to the Controller?s Division for recording the recovery and refund information in the Colorado Operations Resource Engine (CORE), the State?s accounting system. The Department?s Controller?s Division uses summary data from CORE to report financial information for Medicaid and CBHP?including all overpayments and the associated federal share?to CMS in quarterly reports: Form CMS-64 for Medicaid and Form CMS-21 for CBHP. The Department has up to 1 year from the date of discovery of an overpayment to report the refund to CMS in one of these forms, as appropriate. The PI Division works with the Controller?s Division to ensure the timely reporting and refunding of the federal share of overpayments to CMS. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to review the Department?s internal controls over processes for recovering, reporting, and refunding the federal share of Medicaid and CBHP overpayments, as well as to determine whether the Department complied with applicable federal requirements and Department policies and procedures during Fiscal Year 2020. During our audit, we reviewed the Department?s Spreadsheet detailing all overpayment cases that appeared to be due for a refund of federal share to CMS during Fiscal Year 2020. The Spreadsheet included 50 Medicaid and seven CBHP overpayment cases, and from these, we selected and tested a sample of 13 Medicaid and five CBHP overpayments. We requested and reviewed supporting documentation for these overpayments to determine whether (1) the information recorded in the Spreadsheet was accurate, (2) the overpayment was recovered in a timely manner or recovery was attempted within 1 year from the date of discovery, and (3) the federal share was appropriately refunded through quarterly reports to CMS in accordance with federal regulations. Additionally, we requested the Department?s policies and procedures to ensure compliance with federal regulations governing the recovery, reporting, and refunding of Medicaid and CBHP overpayments to CMS. The process followed for recovery, reporting, and refunding the federal share of overpayments to providers is the same for both Medicaid and CBHP, and our testing was used to determine compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal regulations for recovering, reporting, and refunding the federal share of Medicaid and CBHP overpayments to providers during Fiscal Year 2020. We noted issues with the untimely recovery and refund of overpayments to CMS, inaccurate federal reporting to CMS, and untimely follow-up with the provider on outstanding overpayments and expired checks. Specifically, we identified the following: ? UNTIMELY RECOVERY AND REFUND. For six of the 13 Medicaid (46 percent) and two of five CBHP (40 percent) overpayments tested, the Department failed to recover, or seek to recover, the overpayments from the provider and failed to refund to CMS, the federal share, within 1 year of the date of discovery, as required by federal regulations. For example, an overpayment was identified on September 13, 2018, but the Department did not recover, or seek to recover, the overpayment until September 15, 2020, and did not refund the federal share to CMS until federal quarter ending September 30, 2020, which is 367 days past the 1 year recovery and refund period in accordance with the federal requirement. In addition, for one of the 13 Medicaid (8 percent) and one of five CBHP (20 percent) overpayments tested, the Department failed to refund the federal share of overpayment to CMS within 1 year of the date of discovery. As a result of untimely follow-up with the providers, the Department did not recover the overpayments amounting to $23,646 in known questioned costs; and did not refund $12,176 within the 1 year period of discovery. These errors resulted in underreporting of overpayments to CMS for Fiscal Year 2020. Additionally, the Department could be liable to CMS for the interest payments on these untimely refunds of overpayments. As of the end of our audit, the Department had not provided an estimated amount of interest that will be due to CMS so we were unable to report an estimated questioned costs amount for the interest. According to federal regulation [42 CFR 433.312(a)(1) and (2)], the Department has 1 year from the date of discovery of an overpayment to a provider to recover or seek to recover the overpayment before the Federal share must be refunded to CMS. In addition, the Department must refund the Federal share of overpayments at the end of the 1-year period following the date discovery of overpayment, whether or not the State has recovered the overpayment from the provider. According to federal regulation [42 CFR 433.320(a)(4)], if the Department does not refund the Federal share of such overpayment as indicated in the previous paragraph (a)(2), the State will be liable for interest on the amount equal to the Federal share of the non-recovered, non-refunded overpayment amount. Interest during this period will be at the Current Value of Funds Rate, and will accrue beginning on the day after the end of the 1-year period following discovery until the last day of the quarter for which the State submits a CMS-64 report refunding the Federal share of the overpayment. ? INACCURATE FEDERAL REPORTING. For all 13 Medicaid (100 percent) and all five CBHP (100 percent) overpayments we tested, the Controller?s Division reported the federal share of the overpayments made to providers on the wrong line of the CMS quarterly reports rather than on the line specified and required by Uniform Guidance. Uniform Guidance states that the Department must report the refund of the overpayment on CMS-64 for Medicaid on line 9C1- Fraud, Waste and Abuse and/or on CMS-21 for CBHP on line 4-Adjustments Decreasing Claims-Collections. ? EXPIRED CHECK AND UNTIMELY FOLLOW-UP. For one of the 13 Medicaid overpayments tested (8 percent), the PI Division failed to timely process the overpayment recovery check received from the provider. Consequently, the check, which was received on September 5, 2019, expired and the Department did not take any actions to follow up with the provider at any time through the end of the fiscal year to obtain payment. After we brought this issue to the Department?s attention, they followed up on the outstanding payment in January 2021, which is more than 16 months since the check expired. According to the Department?s Policies and Procedures, Recovery Officer Check Processing, Section (V)(A), the PI Division within Audits and Compliance has to process the received check in a timely manner and provide a copy to the accounting or Controller Division. ? INCOMPLETE TRACKING SPREADSHEET. We found that the overpayment recovery and refund tracking Spreadsheet used by the PI Division was incomplete and missing important information such as the date of the discovery, the federal program reimbursement rate, and deadlines for refunding to CMS. Green Book, Section 4, Paragraph OV4.08, states that documentation is required for the effective design, implementation, and operating effectiveness of an entity?s internal control system. WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls, including policies and procedures, in place over the recovery, reporting, and refunding of Medicaid and CBHP overpayments during Fiscal Year 2020 to ensure compliance with federal regulations. Specifically, we noted the following causes for the identified errors: ? LACK OF TRAINING. The staff within the PI Division and the Controller?s Division lacked adequate training to document, communicate, and report details of overpayments to ensure compliance with federal regulations. Specifically, the Department?s PI Division did not timely create and provide the Colorado Authorization Document form to the Controller?s Division and the Controller?s Division did not report the refund of the overpayments within 1 year of the date of discovery to ensure compliance with federal regulations. Additionally, staff lacked training to properly track and report overpayments for Medicaid and CBHP; timely process recovery and refund of overpayments, processing checks timely, and correctly report overpayments on CMS quarterly reports. ? LACK OF POLICIES AND PROCEDURES. The Department lacked written policies and procedures to ensure that all necessary information such as the date of the discovery, the federal program reimbursement rate, and deadlines for refunding to CMS required to track, recover, report, and refund overpayments were documented within the Spreadsheet. ? LACK OF ACCOUNT CODES. According to the Controller Division staff, the correct accounting codes are not set up in CORE; therefore, the recovered overpayments are currently recorded under incorrect accounting codes in CORE. This led to the reporting of overpayments on the incorrect federal reporting lines in CMS quarterly reports. ? LACK OF SUPERVISORY REVIEW. The PI Division and Controller?s Division lacked supervisory review over the Spreadsheet and CORE account codes used on the recoveries to ensure completeness and accuracy of information to support timely recovery, refund, and reporting of overpayments. WHY DO THESE PROBLEMS MATTER? Strong internal controls over refunding and recovery of Medicaid and CBHP overpayments, including written policies and procedures; adequate staff training on those policies and procedures, and any related processes; a proper tracking mechanism; and a supervisory review process are necessary to ensure that Department is in compliance with federal and state regulations. Without a proper tracking mechanism for overpayments, the Department risks failing to timely recover state funds paid improperly, refund overpayments, and accurately report overpayment information to the federal government, potentially resulting in additional liability of interest on overpayments to the federal government. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-037 The Department of Health Care Policy and Financing (Department) should improve its internal controls over Medicaid and Children?s Basic Health Plan (CBHP) overpayments and comply with the related payment and reporting requirements by: A Providing adequate training to staff to ensure timely documentation and communication of recovery information between the Program Integrity Division and the Controller Division related to reporting and refunding of overpayments within 1 year of the date of discovery in accordance with federal regulation. Additionally, the training should focus on proper tracking and reporting of overpayments for Medicaid and CBHP, timely processing of recovery of overpayments, timely check processing, and correct refunding of the federal share of these overpayments on Centers for Medicare and Medicaid Services (CMS) quarterly reports. B Developing and implementing written policies and procedures to ensure that all necessary information required to correctly track Medicaid and CBHP overpayments is included on the tracking spreadsheet and recovered overpayments are refunded and reported to CMS within the 1 year of the discovery date, in accordance with federal regulations. C Creating overpayment account codes to report recovered overpayments accurately in the Colorado Operations Resource Engine (CORE) and subsequently under the correct federal reporting lines in CMS quarterly reports. D Implementing a supervisory review over the tracking spreadsheet and CORE overpayment recovery account codes to ensure completeness and accuracy of information to support timely recovery and reporting of overpayments by the divisions. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will develop and provide training to staff that covers the federal regulations surrounding reporting overpayments and returning the federal share, required information for tracking overpayments, processes for processing recovered funds in a timely manner, and processes for properly refunding the federal share on the CMS-64 and/or CMS-21. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will draft and revise existing policies and procedures to ensure proper tracking of recovered overpayments, timely processing of those payments, and correct reporting on the CMS-64 and/or CMS-21. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will implement procedures and coding sufficient to allow proper reporting of overpayments returned greater than one year from the date of discovery for the CMS quarterly reports. D AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will develop and revise supervisory review processes for ensuring that the tracking spreadsheet is complete and accurate and that the CORE account codes are correctly reported.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2020-051 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-038 PRESUMPTIVE ELIGIBILITY Colorado?s presumptive eligibility program is designed to give immediate, temporary medical coverage to children under 19 and pregnant women while they wait for a regular Medicaid or CBHP eligibility determination. Though there are fewer eligibility requirements for presumptive eligibility in comparison with regular Medicaid or CBHP coverage, beneficiaries must submit a Medical Assistance application (Application) and meet certain criteria to be eligible. To manage the application process and help ensure that only people meeting the basic eligibility criteria are enrolled in presumptive eligibility programs for children and pregnant women, the Department partners with clinics, health care centers, and community resource centers that are certified as presumptive eligibility sites (PE sites). Such PE sites must be re-certified by the Department every 2 years to maintain their active status as qualified PE sites in order to process presumptive eligibility. As part of the re-certification process, the Department conducts a sample of eligibility case reviews. During Fiscal Year 2020, there were 57 PE sites that together determined presumptive eligibility for 1,795 Medicaid cases and 875 CBHP cases. The process of enrolling an applicant into a presumptive eligibility program begins when a caseworker at a PE site collects minimum information needed to determine presumptive eligibility, including the applicant?s name, age, residency, citizenship, and income. The caseworker enters this information into CBMS, which determines whether the applicant is eligible to receive Medicaid or CBHP temporary benefits. If the applicant is deemed presumptively eligible, then CBMS feeds relevant data to Colorado interChange, which issues payments to CBHP and Medicaid providers on behalf of these beneficiaries. If the applicant?s reported information is not in compliance with state and federal requirements, CBMS is programmed to deny the eligibility and mark the applicant?s eligibility as fail within CBMS. As a result, the applicant would not be eligible to receive any payments on their behalf through Colorado interChange. Once an applicant?s presumptive eligibility has been determined, the PE site submits the Application along with a transmittal form detailing the beneficiary?s reported information to the appropriate local county or designated MA site, which then completes the application process to determine regular (i.e., not presumptive) eligibility for Medicaid or CBHP benefits. Once the applicant is enrolled in the regular Medicaid or CBHP program, the individual?s presumptive eligibility benefits should end. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to review the Department?s internal controls over the processing of presumptive eligibility for Medicaid and CBHP programs, as well as to determine whether the Department complied with the applicable federal and state requirements for Fiscal Year 2020. During our internal controls testing, we reviewed all 57 PE sites to determine whether they were due for re-certification and were appropriately re-certified to process presumptive eligibility by the Department during the fiscal year. Out of 57 PE sites, 39 were due for re-certification during Fiscal Year 2020. We also reviewed the Department?s case reviews of the presumptive eligibility determinations processed by 13 staff at five out of the 39 PE sites due for re-certification during Fiscal Year 2020 to determine whether reviews were performed and if the appropriate training was provided for those PE sites? staff that failed the Department?s review. The PE site?s staff fails the Department?s case reviews if the Department identifies a high amount of presumptive eligibility determination errors in accordance with federal and state requirements. If the PE site?s staff fails the review, the Department requires the staff to undergo customized Department training over the areas they failed within 6 months of the review. We also made inquiries with Department staff regarding their policies and procedures over monitoring of these PE sites and reviewed the Department?s process of case file reviews. In addition, we randomly selected a sample of 20 Medicaid and 20 CBHP cases for individuals who were deemed presumptively eligible by the Department during Fiscal Year 2020 to determine whether the Department complied with federal Medicaid and CBHP presumptive eligibility requirements. Our testing included reviewing the related supporting case file documentation, as well as the CBMS data fields related to presumptive eligibility determinations and payment information in Colorado interChange. The process followed for presumptive eligibility determination is the same for both Medicaid and CBHP, and therefore our testing was used to determine compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal and state regulations regarding Medicaid and CBHP presumptive eligibility requirements during Fiscal Year 2020. We noted issues regarding the Department?s timeliness of PE sites? re-certifications, failure to timely end beneficiaries? presumptive eligibility, a lack of review of PE sites, and missing documentation. Additionally, we found CBMS system issues related to the determination of applicant?s presumptive eligibility. Specifically, we identified the following: ? UNTIMELY END OF PRESUMPTIVE ELIGIBILITY. In eight out of 20 Medicaid (40 percent) and seven out of 20 CBHP (35 percent) cases, we found that the Department did not properly end presumptive eligibility within CBMS as required by the federal regulation. For example, in one CBHP case, the beneficiary?s presumptive eligibility did not end until 57 days after the beneficiary was determined to be eligible for regular CBHP benefits. Federal regulation [42 CFR 435.1101)] states that presumptive eligibility should end the day on which a decision is made on the application for Medical Assistance or the last day of the month following the month in which the determination of presumptive eligibility was made. ? LAPSED CERTIFICATIONS OF PE SITES. We found that five of the 57 PE sites (9 percent) were not re-certified within 2 years, as required, during Fiscal Year 2020, and therefore, were not qualified to make presumptive eligibility determinations after their re-certification due date had passed. Based on inquiry with the Department, these five PE sites processed a total of 314 presumptive eligibility determinations for Medicaid and CBHP after their re-certification due date during Fiscal Year 2020. The Department was unable to provide the total payments made on behalf of these beneficiaries during the presumptive eligibility period as of June 30, 2020, since these payments are not separately identified from regular Medicaid or CBHP payments in the system. As a result, we were unable to determine the amount of questioned costs the Department paid for these individuals during Fiscal Year 2020. State regulation [10 CCR 2505-10, 8.100.4.F (3)] requires the Department to re-certify the PE sites every 2 years to remain an approved site. ? LACK OF REVIEW OF PE SITES. We found several issues with the Department?s review of PE sites. Specifically we found the following: ? For 13 out of the 39 PE sites due for re-certification and a review (33 percent), the Department did not perform any case reviews to ensure that presumptive eligibility determinations were being made appropriately and in accordance with state and federal regulations by the PE site staff during Fiscal Year 2020. ? 11 of 13 staff at three PE sites (85 percent) failed the Department?s review of presumptive eligibility determinations during the fiscal year. However, the Department was unable to provide adequate evidence that it provided training to these staff within 6 months of their failed reviews, as required by Department processes. ? Currently, for all 57 PE sites, the Department conducts reviews every 2 years, but only requires them to retain eligibility documentation for 1 year. As a result, the Department is able to monitor PE site?s eligibility determinations for only half of the period since the last review, leaving the other half unmonitored. Federal regulation (42 CFR 435.1102(b)(3)) requires the Department to ?establish oversight mechanisms to ensure that presumptive eligibility determinations are being made consistent with the statute and regulations?. According to the Department processes, staff are to review a sample of presumptive eligibility cases at PE site every 2 years when reviewing sites for re-certification. If a PE site?s staff fails a review, the Department requires the staff to undergo customized Department training within 6 months over the areas they failed. Green Book, Section 2, Paragraph OV2.02, states that the Green Book applies to all of an entity?s objectives: operations, reporting, and compliance. Additionally, Green Book, Paragraph 16.01, indicates that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports and observing operations. ? MISSING DOCUMENTATION. In five of the 20 CBHP cases (25 percent) and five of the 20 Medicaid cases (25 percent) we tested, the Department was unable to provide evidence that the PE sites notified the counties or MA sites within five business days that the applicants were presumptively eligible. Federal regulation [42 CFR 435.1102(b)(2)(iii)] states that the presumptive eligibility sites are required to notify the local county or MA site within 5 business days that the client is presumptively eligible. ? SYSTEM DISPLAY ISSUE. In two of 20 CBHP cases (10 percent) and two of 20 Medicaid cases (10 percent), CBMS did not display the presumptive eligibility termination dates consistently between various screens. For example, in a Medicaid case, one screen showed a presumptive eligibility termination date of January 22, 2020, and the other screen showed a presumptive eligibility termination date of February 29, 2020. This system display issue did not affect the beneficiaries? presumptive eligibility and therefore there were no questioned costs. CBMS is designed to display case and applicant information consistently between various screens within the system. WHY DID THESE PROBLEMS OCCUR? The Department lacked sufficient internal controls to ensure that it complied with state and federal presumptive eligibility requirements during Fiscal Year 2020. Specifically, we noted the following causes for the errors we identified: ? LACK OF POLICIES AND PROCEDURES. The Department did not have written policies and procedures detailing the requirements for completion of site reviews, maintenance of supporting documentation, and the performance of timely re-certification of PE sites. ? LACK OF MONITORING. The Department lacked an effective tracking mechanism to monitor and identify PE sites that were due for re-certification every 2 years and to ensure presumptive eligibility determinations were in compliance with state and federal regulations. ? CBMS SYSTEM ISSUES. CBMS was not programmed to appropriately terminate presumptive eligibility when the beneficiary is enrolled in the regular Medicaid or CBHP program. In addition, CBMS has a system display issue that results in inconsistent applicant information being shown on various screens. WHY DO THESE PROBLEMS MATTER? As the State?s Medical Assistance agency, it is essential for the Department to ensure that PE sites? eligibility determinations are made appropriately and in accordance with state and federal regulations. This includes ensuring benefits are paid only on behalf of eligible beneficiaries. Since CBMS determines eligibility for Medicaid and CBHP, the CBMS system issues we identified could result in erroneous eligibility determinations. The federal government can disallow federal funds for program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. By not ensuring that appropriate internal controls, including system controls, written policies and procedures, adequate reviews, and monitoring, are in place over the Medicaid and CBHP presumptive eligibility process, the Department cannot ensure that all Medicaid and CBHP beneficiaries are eligible to participate in the programs. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-038 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls over presumptive eligibility by: A Developing and implementing written policies and procedures detailing the requirements for completion of site reviews, maintenance of supporting documentation, timely training for failed presumptive eligibility (PE) site staff, and performance of timely re-certification of PE sites. B Developing an effective tracking mechanism to identify and monitor PE sites that are due for re-certification every 2 years and ensuring the re-certifications are performed. C Resolving Colorado Benefits Management Systems (CBMS) programming and system issues to appropriately terminate applicants? presumptive eligibility when the beneficiaries are enrolled in regular Medicaid or Children?s Basic Health Plan program and ensuring CBMS displays consistent applicant information between various screens. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department agrees with the audit recommendation to develop and implement formal written policies and procedures. Prior to this audit, the Department began creating formal written policies and procedures for site case reviews, maintenance of supporting documentation, timely training for failed workers, and performance of timely re-certification of presumptive eligibility sites (PE site). This finding had no known questionable cost associated with it. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Department agrees with the audit recommendation to develop an effective tracking mechanism to identify and monitor PE sites that are due for re-certification every two years and ensuring that the re-certifications are performed. Prior to this audit, the Department began developing a tracking mechanism for PE site re-certifications. This finding had no known questionable cost associated with it. C AGREE. IMPLEMENTATION DATE: IMPLEMENTED. Implemented as of April 2021. The Department has thoroughly researched the eligibility issues identified in this audit and made the changes to CBMS to ensure that applicants? presumptive eligibility has been appropriately terminated when the beneficiaries are enrolled in regular Medicaid or CBHP program, and that CBMS displays consistent applicant information between various screens. These issues were fixed through two system changes implemented in March 2020 and April 2021. This finding had no known questionable cost associated with it. AUDITOR?S ADDENDUM for Parts A, B, and C As noted in the finding, we found five PE Sites that were not re-certified within the required 2 years and therefore, were not qualified to make presumptive eligibility determinations after their re-certification due date had passed. State regulation [10 CCR 2505-10, 8.100.4.F] requires the Department to re-certify the presumptive eligibility sites every 2 years to remain an approved site. The five PE sites processed a total of 314 presumptive eligibility determinations after their re-certification due date and before the Department re-certified the sites. The Department was unable to provide the total payments made on behalf of these 314 beneficiaries? prior to being enrolled in the regular Medicaid or CBHP program as of June 30, 2020. Therefore, we were unable to determine the amount of questioned costs the Department paid for these individuals during Fiscal Year 2020.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2020-052 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-039 PROVIDER ELIGIBILITY The providers of medical and related services covered under Medicaid and CBHP programs fall into a wide array of provider types that include clinics, hospitals, independent physicians, and medical technicians, as well as managed care organizations and health plans that contract with medical providers. As of June 30, 2020, approximately 76,960 entities and individuals were enrolled with the Department to provide services under Medicaid and CBHP. Although the Department is ultimately responsible for ensuring that only eligible providers participate in the Medicaid and CBHP programs, the Department has contracted with a fiscal agent to perform certain provider-enrollment and claims-processing activities, including accepting, processing, evaluating, and approving or rejecting applications. Providers that want to enroll must complete an online application within Colorado interChange and provide documentation, including a current medical license, showing that they fulfill all enrollment requirements based on their provider type. The fiscal agent is contractually responsible for evaluating the application and the relevant supporting documentation to ensure compliance with all state and federal enrollment requirements. The Department is responsible for maintaining current provider information in Colorado interChange. Once the enrollment process is complete, the Department enters into agreements with the providers that are found to be eligible. In December 2019, the Department added a Department of Regulatory Agencies (DORA) license database interface within Colorado interChange in order to provide a mechanism for updating the provider?s medical license information including the expiration dates within Colorado interChange for any expired provider licenses. Department staff indicated that the provider licenses are manually reviewed at the time of enrollment by the fiscal agent and marked as active, meaning the providers are eligible to participate in the Medicaid and/or CBHP programs. On a monthly basis, the fiscal agent manually runs a report from the DORA database to identify the provider?s medical licenses that are about to expire and updates the renewed license information in Colorado interChange. If a provider?s license is expired, then the fiscal agent marks the provider for a review. Furthermore, the Department?s Program Integrity (PI) Division checks the DORA?s website monthly to determine if any action such as suspensions or revocations of licenses have been taken against a provider?s medical license. If the action taken against the provider affects the provider?s ability to participate in Medicaid or CBHP for a certain period, the PI Division then determines if the provider should be placed on a temporary restriction by suspending any payments, or be terminated within Colorado interChange to stop payments to the provider. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over the enrollment and eligibility determinations of providers for Medicaid and CBHP services and to determine whether the Department complied with federal Medicaid and CBHP provider eligibility requirements during Fiscal Year 2020. Additionally, we assessed the Department?s progress in implementing our Fiscal Year 2019 recommendation related to provider eligibility and enrollment. At that time, we recommended that the Department improve its controls in this area to ensure that it complies with federal and state requirements related to data verification and maintenance of documentation, such as current provider licenses, to ensure payments are only made to eligible providers. We also obtained a detailed Suspension Listing from DORA, which contained provider medical licenses that were suspended during Fiscal Year 2020. We compared this Suspension Listing with provider information within Colorado interChange to determine whether the Department paid any providers with suspended licenses for claims during the fiscal year. We reviewed a sample of 45 provider applications for providers that were deemed eligible and received Medicaid and CBHP payments during Fiscal Year 2020 through Colorado interChange. We obtained and reviewed provider application information and relevant supporting documentation within Colorado interChange to determine whether these providers were accurately deemed eligible to receive Medicaid and CBHP payments and whether the required documents were maintained, in accordance with federal and state regulations. In addition, we conducted interviews with Department staff regarding its procedures over Medicaid and CBHP provider eligibility and enrollment. In March 2020, the Governor issued executive orders waiving Medicaid and CBHP provider licensing requirements for providers whose licenses expired during the COVID-19 PHE; as a result, our testwork was split into two periods of testing: (1) July 1, 2019, through February 29, 2020, and (2) March 1, 2020, through June 30, 2020. The process followed for provider eligibility and enrollment is the same for both Medicaid and CBHP providers, and our testing was used to determine compliance for both programs. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? We applied the following criteria during our testing: ? FEDERAL REGULATION [42 CFR 455.412] requires that the Department have a method for verifying that any provider purporting to be licensed in accordance with the laws of any state is licensed by such state and confirm that the provider?s license has not expired and that there are no current limitations on the provider?s license. This federal regulation requires the Department to verify that the providers meet required licensure standards initially, and it is best practice for the Department to verify that the providers meet these standards on an ongoing basis to ensure that there are no current limitations on the provider?s license. In May 2021, CMS provided clarification to the Department that ?not every condition on a provider?s license would be considered a limitation? and the PI Division within the Department needs to ?document in writing their determination to keep a provider enrolled when a license limitation does not restrict the provider?s ability to render services to Medicaid and CBHP beneficiaries to be in compliance with federal regulation.? ? STATE REGULATIONS [10 CCR 2505-10, 8.125.9 A AND B] require for current medical provider licenses, if a provider is required to possess a license or certification in order to provide services or supplies in the State, then that provider must be so licensed as a condition of enrollment as a Medicaid provider. As a condition of enrollment, any required licenses must be active without any current limitations. ? DEPARTMENT POLICY AND PROCEDURE. Provider Licensure Sanction Monitoring, Section III. A., states that in order for a provider to be eligible to render and bill for services, the provider must have an active license. ? FEDERAL CMS REQUIREMENTS [Sub Regulatory Guidance for State Medicaid Agencies (SMA): Revalidation (2016-001 (3))] state the Department must be able to produce documentation to support each of the provider screening and enrollment requirements under 42 CFR 455 Subpart E, including documentation of the most current license to ensure the provider remains eligible to provide services. ? CONTRACT REQUIREMENTS. According to the contract agreement with the fiscal agent, the fiscal agent is required to maintain detailed documentation to support each of the provider screening and enrollment requirements, including documentation of the provider?s most current license to ensure the provider remains eligible to provide services for Medicaid and CBHP. ? FEDERAL REGULATION [45 CFR 75.303(a)] requires that the Department, as a recipient of federal funds, must establish and maintain effective internal control over its federal awards that provides reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Green Book, Paragraph 16.01, which states that the Department ?should establish and operate monitoring activities to monitor [its] internal control system and evaluate the results.? Monitoring activities include reviewing reports, observing operations, and ensuring that activities are carried out in accordance with the federal grant agreement(s). WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We found that the Department did not fully comply with federal and state regulations for Medicaid and CBHP provider eligibility during Fiscal Year 2020. The specific issues we identified through our analyses of Medicaid and CBHP provider license data and case file reviews are outlined in more detail throughout this section. ELIGIBILITY ISSUES IDENTIFIED THROUGH DATA ANALYSES INELIGIBLE PROVIDERS?SUSPENDED LICENSES OR LICENSE WITH LIMITATIONS. Based on our comparison of the suspended provider license listing from DORA and provider information within Colorado interChange, we identified 13 ineligible providers who had their license suspended or had a license with limitations for part of Fiscal Year 2020, but continued to be shown as active, which means eligible, in Colorado interChange, as follows: ? 13 providers had their licenses suspended by DORA during Fiscal Year 2020; however, instead of terminating these providers in accordance with federal and state regulations, the Department marked these providers as active within Colorado interChange. For four of the 13 providers, the Department did not take any action to prevent them from billing for services during the year. For the remaining nine providers, the Department placed billing restrictions on the providers after DORA?s suspension date. Specifically, for six of these nine providers, the Department placed billing restrictions on the providers within 1 to 2 months and for the remaining three providers, placed the billing restrictions on the providers between 3 to 12 months after DORA?s suspension date. Based on additional testing, we determined that no payments were made to these providers after their licenses were suspended by DORA and therefore, we did not identify any questioned costs associated with these providers. ? One provider had its license listed as active with conditions on DORA?s website from April 10, 2020, through June 30, 2020, but the Department did not terminate the provider due to current limitations on the license; instead, the provider was marked as active in Colorado interChange and continued to bill claims and receive payments during the fiscal year. We determined that the provider?s current license limitations did not restrict the provider?s ability to render services. Therefore, the provider was eligible and no questioned costs were noted. However, the Department did not document their determination to keep this provider enrolled with current license limitations. In addition, we noted that this provider?s license expired in Colorado interChange as of October 2016, however, DORA?s website showed the provider with an active license, or license with limitations, during Fiscal Year 2020. The fiscal agent did not update license information as required by the contract. ELIGIBILITY CASE FILE ISSUES MISSING DOCUMENTATION AND LICENSE INFORMATION. For five of 45 providers (11 percent), the Department did not ensure that the fiscal agent maintained the support of the most current medical license information as of June 30, 2020, within Colorado interChange to demonstrate that the provider was eligible to provide services. After we brought the issue to the Department?s attention, the Department provided the documentation. Additionally, for two of these five providers, we found that the medical license information maintained by the fiscal agent in Colorado interChange differed from the license information contained in the DORA database. For example, in one case, the provider?s license showed an expiration date of September 30, 2019, in Colorado interChange, while the accurate license expiration date in DORA?s database was September 30, 2021. Without the most current license information, the fiscal agent cannot appropriately verify ongoing eligibility for the providers. WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls in place over the provider eligibility process during Fiscal Year 2020 to ensure that it complied with federal and state regulations. ? INEFFECTIVE REVIEW OF PROVIDER LICENSES. The Department lacks an effective review process to ensure the license information in DORA?s database matches the license information in Colorado interChange in order to identify suspended providers, to document their determination to keep a provider enrolled with license limitations, and providers with expired licenses. In addition, the Department?s manual review did not ensure that suspended providers, providers with license limitations and providers with expired licenses were terminated and restricted in a timely manner. ? POLICIES AND PROCEDURES NOT UPDATED. The Department did not obtain CMS guidance until May 2021 to document their determinations to keep providers with license limitations enrolled when a license limitation did not restrict provider?s ability to render services. Therefore, the Department?s current policies and procedures are not updated to match CMS guidance. ? LACK OF EFFECTIVE TRAINING AND MONITORING. The Department was not effectively training and monitoring its fiscal agent to ensure that copies of active medical licenses are maintained within providers? files in Colorado interChange. Additionally, the fiscal agent did not properly update the provider?s license information in Colorado interChange to match the DORA database during Fiscal Year 2020. WHY DO THESE PROBLEMS MATTER? By not ensuring that appropriate internal controls, including policies and procedures, reviews, training, and monitoring, are in place over the Medicaid and CBHP provider eligibility process, the Department cannot ensure that all Medicaid and CBHP providers are eligible to participate in the programs. Additionally, without an effective review process to update provider licensure information within Colorado interChange, the Department cannot ensure that the enrolled providers are eligible to receive payments. Ensuring that providers contained in Colorado interChange are eligible to provide services is especially important to prevent any improper payments. Overall, the State could risk losing federal Medicaid and CBHP funding if it allows ineligible providers to bill and be paid for services provided for these programs. Furthermore, the State may lose federal Medicaid money if the Department does not recover any of the payments made to ineligible providers. State statute [Section 25.5-4-301(2), C.R.S.] indicates that any overpayments of claims to providers are recoverable. These overpayments ?shall be recoverable regardless of whether the overpayment is the result of an error by the state department, a county department of social services, an entity acting on behalf of either department, or by the provider or any agent of the provider.? See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-039 The Department of Health Care Policy and Financing (Department) should improve its internal controls over the Medicaid and Children?s Basic Health Plan provider eligibility determination to ensure that it complies with federal and state requirements by: A Improving the Department?s review process of provider licenses to ensure the license information in the Department of Regulatory Agencies (DORA) license database matches the license information in the Colorado interChange system and ensuring timely termination and imposing restrictions for the provider?s whose licenses are suspended or expired. B Updating the current policies and procedures to match Centers for Medicare and Medicaid Services guidance to ensure there is adequate documentation of the determinations for providers with license limitations. C Effectively training and monitoring its fiscal agent to ensure that copies of active licenses are maintained and provider license information in the Colorado interChange system matches the information in DORA?s license database. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will update its policies and procedures to ensure that the process for reviewing whether a license action requires termination or a restriction in the Colorado interChange, is documented and implemented in a timely manner to prevent payments to ineligible providers. As noted in OSA's finding, it is best practice for the Department to verify providers meet these standards on an ongoing basis between initial enrollment and revalidation to ensure there are no current limitations on the provider?s license, including those that have expired. The Department?s previous process was discontinued due to data matching issues between DORA and the Colorado interChange. However, letters continue to be sent to providers with upcoming expiring licenses prompting them to add current license information to their provider file. The Department plans to implement a system change that will make the data feed from DORA functional and install a front-end claims edit that will prevent claims from providers with an expired license from paying. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will update its policies and procedures to ensure that all determinations made on whether a provider has a limitation on its license are properly documented. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department has an established process to train and monitor its fiscal agent. The Department will continue to monitor the Fiscal Agent through reports, meetings, and quarterly audit review processes. The Department and the Fiscal Agent will continue to collaborate to improve the process in which required documentation is collected and maintained.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-054 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-041 MEDICAID ELIGIBILITY?MISSING SOCIAL SECURITY NUMBERS A beneficiary?s application includes information such as a Social Security Number (SSN), birth certificate, and supporting documentation for income. Local counties and MA sites are responsible for administering the benefits application process, entering the required data for eligibility determination into CBMS, and approving or denying applicants? eligibility. For example, Medicaid caseworkers enter and document each applicant?s SSN into CBMS. Caseworkers determine participants? eligibility to receive Medicaid benefits through CBMS. The CBMS eligibility data, including SSNs, feeds into Colorado interChange, which pays providers for the services they render to Medicaid beneficiaries. If there is a change to an SSN, including removing an SSN in CBMS, this change should feed directly into Colorado interChange. Additionally, children in foster care are automatically eligible for Medicaid; the TRAILS system that supports the foster care program at the Department of Human Services also interfaces with Colorado interChange on a daily basis to update foster care beneficiaries? eligibility information and pay providers for the services rendered. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls that were in place over the Medicaid eligibility process during Fiscal Year 2019, and to determine whether the Department complied with federal and state Medicaid requirements during this timeframe. During our audit, we requested a list of all Medicaid claims for medical services that were submitted and paid through Colorado interChange from July 1, 2018, through March 31, 2019. This list included claims made on behalf of approximately 1.1 million beneficiaries. We analyzed the data to identify any Medicaid claims payments made during July 1, 2018, through March 31, 2019, on behalf of beneficiaries who did not have an SSN in Colorado interChange on the date of the claims payment, and found a total of 524,092 claims paid on behalf of 46,772 beneficiaries. From this listing, we excluded any of the claims payments made on behalf of a beneficiary who was exempted from providing an SSN under federal and state regulations. For example, we removed claims payments for beneficiaries who were under the age of 1; beneficiaries who were in foster care and, therefore, were automatically deemed eligible for Medicaid; beneficiaries who had applied to the Social Security Administration for an SSN at the time of the payment; beneficiaries who received medical care as an emergency service; and beneficiaries who had chosen to opt out of providing an SSN due to allowed religious reasons. After we removed these exempted beneficiaries from the population, the list included 2,870 beneficiaries that appeared to be missing an SSN in Colorado interChange and who had Medicaid claims payments made on their behalf from July 1, 2018, through March 31, 2019. We then reviewed these remaining beneficiaries, and the related separate payments made on their behalf during this time period, to determine whether these beneficiaries had an SSN in Colorado interChange at the time of the claims payments and whether the individuals were eligible for Medicaid benefits in accordance with federal regulations and Department procedures. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? SSN REQUIREMENTS. Federal regulations [42 CFR 435.910 and 42 CFR 435.117(b)] state that the Department must require an SSN for each individual requesting Medicaid benefits, with the exception of newborns under the age of 1, or ?Eligible Needy Newborns,? and individuals who refuse ?to obtain an SSN because of well-established religious objections.? Federal regulation [42 CFR 435.145(b)(2)] states that the Department must provide Medicaid benefits to individuals who are in the foster care program. Section 472 of the Social Security Act does not require a child to provide an SSN in order to be eligible for the foster care program. State regulations [10 CCR 2505-10 8.100.3.I.1, 8.100.4.B.1.a, and 8.100.4.G.7.a] also require that every individual who applies for and receives Medicaid benefits must provide an SSN, or an application for an SSN, with their application for Medicaid. The regulation specifically states: An applicant?s or client?s refusal to furnish or apply for a Social Security Number affects the family?s eligibility for assistance as follows: i) that person cannot be determined eligible for the Medical Assistance Program; and/or ii) if the person with no SSN or proof of application for SSN is the only dependent child on whose behalf assistance is requested or received, assistance shall be denied or terminated. The regulation also states that newborns under the age of 1 and ?members of religious groups whose faith will not permit them to obtain Social Security Numbers shall be exempt from providing a Social Security Number.? Eligibility data, including SSNs, is required to be collected and entered into CBMS at the time of application or upon another event, such as the beneficiary turning 1 year old. Because this information is maintained within CBMS, and CBMS feeds eligibility information into Colorado interChange, eligible beneficiaries should have an SSN in Colorado interChange. MONITORING. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in the Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). Green Book Paragraph 16.01, Perform Monitoring Activities, states the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. TRAINING. Department training procedures indicate that when a local county or MA site caseworker needs to update an SSN in CBMS, he or she must call the Office of Information Technology (OIT) Service Desk within the Office of the Governor, for approval of the change. According to Department staff, once the OIT Service Desk reviews and approves the change, the information will be updated within CBMS; if the OIT Service Desk does not approve the change to the SSN, then the updated information will be rejected within CBMS. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We identified 2,870 beneficiaries who were required to have an SSN but did not have an SSN documented in Colorado interChange and had Medicaid claims paid on their behalf sometime between July 1, 2018, and March 31, 2019. In total, Colorado interChange paid approximately $4,540,920 in Medicaid claims for these beneficiaries during the time period noted. In August 2019, we informed the Department of the issues we identified and Department staff performed additional follow-up based on our findings, which included analyzing information contained in CBMS compared to our results from Colorado interchange; the Department confirmed in January 2020, the Department confirmed that 1,590 of these beneficiaries had never had an SSN recorded in CBMS since they were first found eligible for Medicaid benefits, and therefore, would never have had an SSN in Colorado interChange. Because these individuals were required by federal and state regulations to provide an SSN at the time of application or upon another event, as applicable, the lack of documented SSNs in both CBMS and Colorado interChange indicated that these individuals appeared to be ineligible for the Medicaid claims payments that were made on their behalf during the fiscal year. The Department indicated that the remaining 1,280 beneficiaries without an SSN in Colorado interChange did not have an SSN in CBMS at the time of the claim but had an SSN ?at some point? during Fiscal Year 2019 or prior within CBMS. Since the individuals lacked an SSN within Colorado interChange at the time of the Fiscal Year 2019 claims payments, and based on the documentation provided by the Department, we were unable to determine whether the individuals had submitted an SSN at the time of application or upon another event as required and, therefore, whether they were eligible for the Medicaid services they received. Overall, for the 1,590 beneficiaries noted, we identified known questioned costs of $2,285,757 for the period of July 1, 2018, through March 31, 2019; $1,142,879 of these costs were paid with federal grant funds. For the 1,280 beneficiaries noted, we identified likely questioned costs of $2,255,163 for the period of July 1, 2018, through March 31, 2019. We further analyzed 49 of the 1,590 beneficiaries noted above to identify reasons for missing SSNs and found that: ? Beneficiaries in CBMS were not eligible; however, they were marked as ?eligible? within Colorado interChange. ? Beneficiaries were incorrectly enrolled in the Eligible Needy Newborn Program even though they were all over the age of 1; as a result, although the Department had not required them to provide an SSN, they continued to receive benefits during July 1, 2018, through March 31, 2019. ? Beneficiaries were exempted from obtaining an SSN for unallowable reasons including ?incomplete documents? and ?illness? categories, and CBMS processed their eligibility and Colorado interChange made payments on their behalf; however, neither federal nor state regulations allow such exemptions. The Department has indicated that they are performing additional research on the issues regarding the 1,280 beneficiaries that had an SSN ?at some point? during Fiscal Year 2019 or prior within CBMS. WHY DID THESE PROBLEMS OCCUR? For 1,280 beneficiaries identified who were missing an SSN in Colorado interChange and CBMS at the time of the claim, but had an SSN ?at some point? within CBMS during Fiscal Year 2019 or prior, the Department provided the following possible explanation: The SSN was removed due to caseworkers failing to contact the OIT Service Desk for proper approval for changes to SSN information in CBMS. Other problems with missing SSNs were related to: ? CBMS ISSUES. CBMS was not programmed to appropriately deny an applicant?s eligibility for Medicaid when the individual did not have an SSN in CBMS and did not have an allowed exception noted in CBMS. Rather, CBMS allowed the SSN field to be left blank, regardless of the reason noted for the missing SSN and whether the reason was allowed as an exemption by federal and state regulations. In addition, the SSN in CBMS could be deleted at any time by the caseworker or the OIT Service Desk and CBMS was not programmed to alert the caseworker to follow up if an SSN had been deleted from the file. ? SYSTEM INTERFACE ISSUES AND LACK OF A RECONCILIATION PROCESS. CBMS was not interfacing with Colorado interChange appropriately to update beneficiaries? eligibility information. Some beneficiaries who were deemed ?ineligible? for Medicaid in CBMS were listed as ?eligible? in Colorado interChange and payments were made on their behalf during the fiscal year. Furthermore, the Department lacked an effective internal control process for reconciling Medicaid beneficiaries? eligibility information in CBMS to the eligibility information in Colorado interChange to ensure that the information was consistent in both systems, and that the beneficiary was appropriately deemed either ?eligible? or ?ineligible? in accordance with federal and state regulations. ? LACK OF EFFECTIVE REVIEWS, TRAINING, AND MONITORING. The Department was not effectively monitoring and training Medicaid local county and MA site caseworkers on required approvals for any changes to beneficiaries? SSNs. Further, the Department did not have an effective review process to ensure that beneficiaries were enrolled in the correct Medicaid program. WHY DO THESE PROBLEMS MATTER? As the state Medicaid agency, it is essential for the Department to ensure that Medicaid eligibility determinations are made appropriately and in accordance with state and federal regulations. This includes ensuring accurate processing of information used to determine Medicaid eligibility results in Medicaid benefits being provided to and paid on behalf of only eligible individuals. Since CBMS and Colorado interChange determine eligibility and issue payments on behalf of other federal programs, such as the CBHP, these issues could result in erroneous eligibility determinations or payments for other programs. Ultimately, the federal government may disallow federal funds for Medicaid program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2019-043 The Department of Health Care Policy and Financing should improve its internal controls over Medicaid eligibility by: A Researching and, if feasible, instituting a mechanism for identifying Medicaid cases in the Colorado Benefits Management System (CBMS) that lack a Social Security Number. B Researching and resolving CBMS and Colorado interChange interface issues to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries and establishing an effective reconciliation process between CBMS and Colorado interChange to ensure that Medicaid beneficiaries? eligibility information is consistent in both systems. C Effectively training and monitoring local counties and Medical Assistance sites to ensure that caseworkers are obtaining and documenting the Office of Information Technology Service Desk?s approval for changes to beneficiaries? Social Security Numbers, and that beneficiaries are enrolled in the correct Medicaid program. D Researching the cases identified in our audit to determine whether these beneficiaries were eligible and that the payments made on their behalf were appropriate, in accordance with federal and state regulations. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The CBMS currently has functionality in place for members requesting Medical Assistance that they must supply a Social Security Number (SSN) unless they meet certain acceptable exceptions at initial application. Since CBMS is a shared system between the Department and the Department of Human Services and any change would impact all cases in CBMS, the Department cannot guarantee that a system change can be implemented. The Department can agrees to research on the feasibility of instituting a mechanism for identifying Medicaid cases in CBMS that lack a social security number and, if feasible, implement a CBMS change by July 2022. B AGREE. IMPLEMENTATION DATE: JULY 2021. The Department agrees to research and resolve Colorado Benefits Management System (CBMS), and Colorado interChange system interface issues identified in the audit. The Department implemented a system change in June of 2018 that allows retroactive changes in eligibility to be correctly synced between the systems. The majority of the impacted cases are historical cases that will be manually corrected by June 2020. Additional cases involve detailed research, review, and potential outreach to case workers to correct the case file or verify the eligibility status of the impacted members. The Department will take the appropriate actions to notify impacted members if necessary. The Department's implementation date reflects that the Department will be in compliance with the Recommendation for the entirety of FY 2021-22. C AGREE. IMPLEMENTATION DATE: JULY 2021. The Department provides training to counties and Medical Assistance sites that beneficiaries applying for Medical Assistance must supply a Social Security Number (SSN) or supply verification that they have applied for an SSN, unless they meet certain acceptable exceptions. This information has been communicated to the counties since 2004 and is part of our ongoing training materials. The Department cannot agree to establish any additional review process at this time. The Department can agree to work with counties and Medical Assistance sites to identify any additional training related to missing SSN and implement additional training by July 2021. D DISAGREE. The Department disagrees with the Total Known Questioned Costs of $2,285,757 identified in the audit report since Department cannot verify the results. The Department is still attempting to reconcile various reports to understand the finding identified through this audit. CBMS currently has functionality in place for members requesting Medical Assistance that they must supply a Social Security Number (SSN), unless they meet certain acceptable exceptions at initial application. The Department does not have the resources to research the thousands of cases that the auditor identified through data mining techniques, a new methodology for the first time this year. If the auditor is changing methodologies, the Department requires additional resources and timely notice to request resources through the budget process. AUDITOR?S ADDENDUM: The beneficiaries identified through our testing were required by Medicaid regulations to provide an SSN at the time of application or upon another event, as applicable, and the SSN is documented in CBMS and uploaded to Colorado interChange [State regulations 10 CCR 2505-10, 8.100.3.I.1 and 8.100.4.B.1.a and 8.100.4.G.7.a]. Because the noted beneficiaries lacked an SSN within Colorado interChange at the time claims payments were made on their behalf, we questioned the beneficiaries? eligibility. The Department is responsible for ensuring that only individuals who are appropriately deemed eligible for Medicaid receive benefits. Therefore, it is the Department?s responsibility to identify and remove ineligible individuals from the Medicaid program and to prevent the inappropriate payment of claims on their behalf. In addition, generally accepted government auditing standards (GAGAS) (paragraph 3.18), require that ?In all matters relating to the GAGAS engagement, auditors and audit organizations must be independent from an audited entity.? Additionally, paragraph 3.42 states that ?Examples of circumstances that create undue influence threats for an auditor?include (b) [e]xternal interference with the selection or application of engagement procedures or in the selection of transactions to be examined.? Therefore, it is imperative that our decisions related to audit approaches and testing methods be made without department influence or persuasion.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-047 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-034 MEDICAID CONTROLS OVER ELIGIBILITY DETERMINATIONS Individuals and families seeking medical benefits through Medicaid must apply and provide certain information to caseworkers at their local county or an MA site, which collects required documentation for determining the applicants? eligibility. Such documentation includes the applicants? birth certificates, support for income, and the value of resources, such as wage stubs and bank account balances. Caseworkers enter the applicant-provided data into CBMS, which contains system checks for determining the applicants? eligibility to receive Medicaid benefits. These system checks include calculating and verifying income and resources for the applicants, as well as assessing and collecting fees for benefits, such as buy-in premiums. For example, CBMS will mark an applicant?s eligibility as fail if the reported income or resources exceed specific limits that are set by federal and state regulations. The Department is responsible for monitoring the local counties? and MA sites? administration of Medicaid to ensure eligibility is determined in accordance with federal and state regulations. Medicaid applicants may be eligible for retroactive eligibility, which allows new Medicaid applicants to receive coverage for up to 3 months prior to the date of one?s application. As long as the individual meets Medicaid?s eligibility requirements in the 3 months preceding their application, the Department will retroactively pay Medicaid covered expenses that individuals incurred during that timeframe. Without retroactive eligibility, benefits for Medicaid eligible individuals begin on the date the application was received by the local county or MA site. As an example, if an individual has medical expenses in March, applies for Medicaid in June, and the individual has met the eligibility requirements for 3 months preceding their application, then any unpaid Medicaid covered expenses for March, April, and May are paid by Medicaid. Eligibility data from CBMS feeds into the Colorado interChange system (Colorado interChange), which issues payments to Medicaid providers for the services they render to Medicaid beneficiaries. The Department pays Medicaid providers through two methods: (1) directly through fee-for-service (FFS) payments for specific services rendered or (2) indirectly through monthly fixed amounts known as capitation payments that are paid to managed care entities, who contract with providers for services. The monthly capitation payments are paid every month on behalf of beneficiaries regardless of whether the beneficiaries receive medical services during the month. Colorado interChange is programmed to pay the FFS and monthly capitation payments only on behalf of beneficiaries deemed eligible in Colorado interChange based on eligibility information received from CBMS and requirements specified in federal and state rules and regulations. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to review the Department?s internal controls over the Medicaid eligibility determination process, as well as to determine whether the Department complied with applicable federal and state Medicaid eligibility requirements during Fiscal Year 2020. We performed testing on a statistical sample of 125 case files related to beneficiaries who (1) were deemed eligible for Medicaid during Fiscal Year 2020 and (2) had a payment made on their behalf to a Medicaid provider between July 1, 2019, and February 29, 2020. The purpose of our testing was to determine whether the beneficiaries were appropriately determined to be eligible for Medicaid during the time they received services within this period. This audit period was selected to accommodate changes that were made to federal Medicaid eligibility requirements in March 2020 due to the COVID-19 PHE. Our testing involved reviewing Medicaid case files, CBMS data fields, and supporting documentation related to eligibility determinations and redeterminations, as well as Medicaid payment information in Colorado interChange. For each beneficiary, we determined whether the Department ensured that local county and MA site caseworkers obtained and maintained required documents supporting eligibility determinations and redeterminations, and correctly entered eligibility data into CBMS. Additionally, for each sampled beneficiary, we determined whether CBMS showed the correct income and resources, the beneficiary was enrolled in the appropriate Medicaid program, buy-in premiums were assessed, and payments were not made after eligibility had ended during Fiscal Year 2020. We also inquired about the Department?s monitoring procedures over local counties and MA sites to ensure eligibility is determined in accordance with federal and state regulations. Additionally, we reviewed the Department?s progress in implementing our Fiscal Year 2019 audit recommendation related to Medicaid eligibility. Based on the results of that audit, we recommended that the Department strengthen its internal controls over Medicaid by providing adequate training, monitoring the local counties and MA sites, and researching and resolving CBMS system issues identified in our Fiscal Year 2019 audit. STATISTICAL SAMPLING METHODOLOGY We selected a statistical sample of Medicaid beneficiaries for our review of their case files in a manner that?if we found errors?would allow us to estimate the total number of beneficiaries who were improperly deemed eligible, as well as the resulting dollar amount of Medicaid benefit payments that were improperly paid during the audit period of July 1, 2019, through February 29, 2020. We designed our sampling methodology and sample size to support statistical projections of our testing results to the population of all beneficiaries for whom payments were made during the audit period. Our methodology included the following procedures: ? We requested and received from the Department a listing of all Medicaid FFS and capitation payments with a date of service during the audit period. The data set included State identification numbers (ID), which are unique to each beneficiary. ? We summarized all Medicaid payments made during the audit period by ID and removed any IDs for which total payments and adjustments netted to $0, which can happen when the Department catches and fixes payments made in error. This resulted in a population of 1,386,220 unique IDs that had a total of $5,408,339,948 in payments made on their behalf during the audit period. ? We used a stratified random sample, as shown in the following table, consisting of six strata defined by the total amount of payments for each unique ID. We selected random samples from each strata for a total of 125 IDs that had benefit payments totaling $3,127,704. The strata and sample sizes were defined based on our risk assessment and consultations with audit sampling methodologists from the U.S. Department of Health and Human Services, Office of Inspector General (HHS OIG). ? For each sampled ID, we tested eligibility covering the dates of service for every payment made on the individual?s behalf within the audit period. ? After we concluded our testing, we used HHS OIG?s Office of Audit Services statistical software in consultation with HHS OIG to project our results to the full population of IDs for which benefits were paid during the audit period. See Schedule of Findings and Questioned Costs for chart/table. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? For 32 of the 125 Medicaid beneficiaries? case files that we tested (26 percent), we identified at least one error within each case file. In total, we identified 43 errors within the 32 case files. These errors resulted in a total of $25,120 in known questioned costs for July 1, 2019, through February 29, 2020, and $6,843 in likely questioned costs for March 1, 2020, through June 30, 2020, as shown in the following table. See Schedule of Findings and Questioned Costs for chart/table. A questioned cost, as defined in federal regulations [45 CFR 75.2 Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards (Uniform Guidance)], is ?a cost that is questioned by the auditor ? (1) Which resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds; [or] (2) Where the costs, at the time of the audit, are not supported by adequate documentation?.? Furthermore, federal regulation [45 CFR 75.516] defines known questioned costs as questioned costs that are specifically identified by the auditor and likely questioned costs as an auditor?s best estimate of total questioned costs. During the COVID-19 PHE, CMS issued waivers that limited the Department?s ability to deny eligibility for enrolled beneficiaries. The Department also sought guidance from CMS on the treatment of beneficiaries who were ineligible prior to the COVID-19 PHE but were receiving benefits during this period. CMS guidance indicated that the Department should keep these beneficiaries enrolled during the COVID-19 PHE. Therefore, we are reporting any identified questioned costs from March 1, 2020, through June 30, 2020, the period during the COVID-19 PHE, as likely questioned costs. PROJECTED LIKELY QUESTIONED COSTS FOR JULY 2019 THROUGH FEBRUARY 2020. Based on our sample, we estimate the projected Medicaid questioned costs resulting from payments made on behalf of ineligible beneficiaries in the population between July 1, 2019, and February 29, 2020, to be about $165.6 million and, with 90 percent confidence, to be at least $41.1 million but not more than $290.0 million. This projection is based on the $25,120 in known questioned costs, or misstatements, we identified in our sample during the audit period. The American Institute of Certified Public Accountants Audit Sampling, May 1, 2017, Audit Guide [AAG-SAM 4.95] advises, ?Even if the misstatement appears to be from an unusual source, that does not mean that other unusual items are not in the population and that the original sample was not representative.? In accordance with this guidance, we projected the known questioned costs to the population of payments for services that occurred from July 1, 2019, through February 29, 2020, regardless of the nature of the errors or the programs involved, since the Department is ultimately responsible for all payments made to providers on behalf of eligible beneficiaries. The projected questioned costs amount of $165.6 million is based on a statistical calculation that does not correlate to specific payments to providers or to over-expenditures of the State?s General Fund or federal funds. However, this calculation indicates that if we tested the entire population, there is a 90 percent likelihood of finding the true amount of questioned costs to be between $41.1 million and $290.0 million and the amount would most likely be close to $165.6 million in erroneous payments. There is a 5 percent chance that the true amount of questioned costs is less than $41.1 million, and a 5 percent chance the true amount is over $290.0 million. PROJECTED LIKELY NUMBER OF INELIGIBLE BENEFICIARIES FOR JULY 2019 THROUGH FEBRUARY 2020. We also estimate that 169,026 beneficiaries, or with 90 percent confidence that at least 59,622 (4.30 percent) but not more than 278,429 (20.09 percent) beneficiaries, in our total population of 1,386,220 were likely ineligible at the time they received services from July 1, 2019, through February 29, 2020. The following table summarizes the results of our projections. See Schedule of FIndings and Questioned Costs for chart/table. The following table summarizes the total known and likely questioned costs based on our case file testing and statistical sampling results for Fiscal Year 2020. See Schedule of Findings and Questioned Costs for chart/table. DETAILS OF ERRORS IDENTIFIED. In some case files, we identified multiple instances of errors. Specifically, we found the following: ? PAYMENTS AFTER ELIGIBILITY HAS ENDED. In three cases, the Department paid for services after the beneficiary?s eligibility had ended. Specifically, in two cases, the beneficiaries continued to receive benefits after their death. In the remaining case, the Department determined the beneficiary was ineligible and ended the beneficiary?s benefits; however, payments continued to be made on behalf of the beneficiary after their eligibility had ended. These issues resulted in known questioned costs of $11,102. Federal regulation [42 CFR 433.304] states that an overpayment is the amount paid by a state agency to a provider in excess of the allowable amount for furnished services. Because medically necessary services cannot be provided after a beneficiary?s death, no medical services are allowable after a beneficiary?s death. Accordingly, payments for medical services claimed to have been provided after a Medicaid beneficiary?s death are overpayments. According to federal regulation [42 CFR 431.958], ?Improper payment means any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements; and includes any payment to an ineligible beneficiary, any duplicate payment, any payment for services not received, any payment incorrectly denied, and any payment that does not account for credits or applicable discounts.? ? INELIGIBLE FOR PROGRAM. In one case, the beneficiary was ineligible for the benefits received under Medicaid?s Social Security Income (SSI) mandatory program, which is a medical assistance program provided to persons eligible for financial assistance under SSI from the Social Security Administration (SSA). As a result of an eligibility redetermination, the caseworker determined that the beneficiary had not been eligible for the program since January 2019; however, the beneficiary received benefits under this program for the entire fiscal year. This issue resulted in known questioned costs of $8,326 and likely questioned costs of $4,132 for Fiscal Year 2020. State regulations [10 CCR 2505-10, 8.100.6.C.1a. and b.] state that Medicaid benefits must be provided to persons receiving financial assistance under SSI or persons who are eligible for financial assistance under SSI, but are not receiving SSI. ? INCOME ISSUES. We identified the following income-related issues: ? INCOME EXCEEDING THRESHOLD. In two cases, CBMS incorrectly calculated the beneficiaries? income. CBMS used income information reported by the beneficiary when it should have used electronic income information received through an interface with another system. If CBMS had correctly used the electronic income information, beneficiaries? income would have been over the limit set by federal regulation and the beneficiaries, therefore, should have been denied benefits at their redetermination. Instead, the beneficiaries were approved at their redeterminations and Colorado interChange paid claims on their behalf. These errors resulted in known questioned costs of $4,613 and likely questioned costs of $2,281. ? INCOME NOT VERIFIED. In one case, the caseworker did not verify income for the beneficiary. Specifically, the beneficiary reported income on the application, but the caseworker was unable to verify the income and deleted the income record from CBMS. This error resulted in known questioned costs of $779 and likely questioned costs of $280. ? INCORRECT INCOME THRESHOLD. In one case, CBMS used the incorrect income threshold for the beneficiary?s eligibility determination. The beneficiary?s income was less than the correct income threshold and, therefore, this error did not result in questioned costs. ? INCORRECT INCOME. In three cases, the caseworker used the incorrect income amount to determine eligibility. Specifically, in two cases, the caseworker excluded income when it should have been included for determining eligibility. In the remaining case, the caseworker did not include expenses to calculate self-employment income and, as a result, the caseworker overstated income for determining eligibility. No questioned costs were identified in these instances because the beneficiaries? income was still within federal and state income guidelines. Federal regulation [42 CFR 435.119] requires household income to be at or below 133 percent threshold of the federal poverty level and the State regulation [10 CCR 2505-10, 8.100.6.L.2.c] requires qualified beneficiary?s income to be at or below the federal property level. Federal regulation [42 CFR 435.914] requires the Department to obtain and maintain documentation to support each beneficiary?s Medicaid eligibility determination. State regulation [10 CCR 2505-10, 8.100.5.B.1.c] requires the caseworker to verify earned income in determining whether an individual qualifies for medical assistance and requires the Department to verify income reported by a beneficiary through an electronic data source, wage stubs, tax documents, or verification with the employer. State regulation [10 CCR 2505-10, 8.100.3.K.8.a] requires business expenses to be deducted from countable self-employment income when calculating Medicaid applicants? self-employment income. ? MISSING REDETERMINATION. In one case, the Department did not complete the annual redetermination for the beneficiary as required by the federal regulation. Specifically, the beneficiary had Medicaid payments paid on their behalf during the entire Fiscal Year 2020; however, the beneficiary had not been redetermined since April 2018 due to the beneficiary showing as ineligible in CBMS. This issue resulted in known questioned costs of $300 and likely questioned costs of $150. Federal regulation [42 CFR 435.916(a)] requires the Department to renew or redetermine Medicaid eligibility once every 12 months but no more frequently than once every 12 months. ? BUY-IN PREMIUMS NOT ASSESSED. In one case, the Department did not assess buy-in monthly premiums for the beneficiary. Beneficiaries are required to pay buy-in premiums to receive benefits under the Buy-in Working Adults with Disabilities program. Therefore, the beneficiary was not eligible for the Program during November 2019 through February 2020. The beneficiary did not have any claims submitted by providers during this time and therefore, this issue did not result in questioned costs. State regulations [10 CCR 2505-10, 8.100.6.P.1.f] require individuals to pay monthly premiums on a sliding scale based on income for the Buy-in Working Adults with Disabilities program to be eligible to receive benefits. ? INAPPROPRIATE CHANGE TO ELIGIBILITY. In two cases, the Department did not determine eligibility in accordance with state regulation. Specifically, the beneficiaries provided information to the Department that changed their eligibility and the caseworkers applied the change retroactively; these beneficiaries were current Medicaid beneficiaries rather than new applicants and state regulations do not allow eligibility to be changed retroactively for current beneficiaries. These issues did not result in questioned costs. State regulation [10 CCR 2505-10, 8.100.3.E] requires that retroactive eligibility only be provided to new applicants for the prior 3 months preceding the date of application. State regulations do not allow for retroactive redeterminations to existing beneficiaries.
Finding 2022-043 Medicaid Claims Payments Individuals and families apply for Medicaid at their local county departments of human/social services or at MA sites. Medicaid caseworkers make the determinations of participants? eligibility to receive Medicaid benefits through CBMS. Children in the State?s foster care program, whose information is documented in the TRAILS system, are automatically determined eligible for Medicaid benefits. The Medicaid eligibility data in CBMS and TRAILS feeds into Colorado interChange, which pays providers for the services that beneficiaries receive. CBMS and TRAILS interface with Colorado interChange on a daily basis to update eligibility information, such as a beneficiary?s eligibility status and/or termination of benefits in Colorado interChange. According to the Department, Colorado interChange is programmed to make only allowable Medicaid claims payments on behalf of eligible beneficiaries in accordance with federal and state Medicaid rules and regulations. Thus, Colorado interChange should stop paying Medicaid claims when a beneficiary is no longer eligible for Medicaid. On March 18, 2020, the Act was enacted. The Act provided a temporary increase in the federal share of Medicaid and CBHP assistance from January 1, 2020 until the end of the PHE. The Act also required that the Department maintain Medicaid and CBHP eligibility for beneficiaries enrolled as of March 1, 2020, through the end of the COVID-19 PHE, except for the required terminations noted within the CMS waivers, such as out-of-state residency, termination upon the beneficiary?s request, and death of the beneficiary. On March 26, 2020, CMS approved waivers for a number of Medicaid and CBHP requirements that resulted in, for example, the expansion of benefits to include all uninsured individuals; suspension of beneficiary deductibles, copayments, coinsurance, and other cost sharing charges and fees; coverage of COVID-19 vaccines and testing; and the suspension of the requirement for a provider to have a current license if their license expired during the COVID-19 PHE. In addition, the State implemented, with CMS? approval, Medicaid continuous enrollment as a condition of receiving the temporary increase in federal assistance. During continuous enrollment, beneficiaries could not be disenrolled due to changes in circumstances (i.e., changes in household composition, employment, income and resources) until the end of the COVID-19 PHE. On December 29, 2022 the CCA was enacted. Under the CCA, continuous enrollment and the temporary increase in federal assistance are no longer linked to the end of the COVID-19 PHE. The continuous enrollment condition will end on March 31, 2023 and the increase in federal assistance will start to gradually reduce in April 2023, fully ending in December 2023. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to review the Department?s progress in implementing our Fiscal Year 2019 audit recommendation related to its internal controls over Medicaid claims payments. During that audit, we recommended that the Department improve its Medicaid controls by researching and resolving CBMS, TRAILS, and Colorado interChange interface issues we identified during our audit to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries. We specifically identified a TRAILS and CBMS eligibility mismatch issue related to the daily interfaces between CBMS and Colorado interChange and between TRAILS and Colorado interChange. As a result, some individuals who were deemed ineligible for Medicaid in CBMS and TRAILS were indicated as eligible in Colorado interChange at the time of payments; therefore, Colorado interChange made payments on their behalf. The Department researched the specific errors we identified during the audit and manually corrected the eligibility status of those beneficiaries, but the Department had not fully researched the error or identified and corrected all of the cases affected by the errors at that time. As such, we also recommended that the Department identify and correct any additional cases affected by the system issues noted in our audit. The Department agreed with the recommendation and stated that it would implement them by July 2021. As part of our audit work, we discussed the Department?s progress in implementing our audit recommendation with Department staff. According to the Department, it worked with the Department of Human Services (DHS) during Fiscal Year 2022 to develop a plan to eliminate the issues, including the TRAILS eligibility mismatch issue, we identified in the Fiscal Year 2019 audit. In order to address our recommendation that the Department identify and correct any additional cases affected by the system issues noted during our Fiscal Year 2019 audit, the Department developed an eligibility reconciliation report that compares beneficiary records with an active eligibility span in Colorado interChange, in order to identify any records that were not reported in the monthly eligibility file from CBMS. Department staff reported that they are reviewing the reconciliation report monthly to identify any beneficiary records that need updating in CBMS. Beneficiaries may show up on the reconciliation report either because (1) Colorado interChange rejected the beneficiary?s eligibility due to a data integrity issue, or (2) there was a system defect in CBMS, Colorado interChange, or TRAILS that caused a mismatch issue. Data integrity issues include issues such as a missing mailing address or last name?these issues can be manually fixed in CBMS. System defect issues are generally more complex and require Department staff to research the problem and identify the system that caused the error (CBMS, Colorado interChange, or TRAILS), and then work with the appropriate staff to correct the issue. As part of our audit, we requested copies of the Department?s eligibility reconciliation reports for Fiscal Year 2022 and asked the Department if it identified any additional cases affected by the system issues we identified, and if so, if they had they corrected the issues. How were the results of the audit work measured? We measured the results of our audit against the following: ? Federal regulation [42 CFR 447.56(e)(2), Limitations on Premiums and Cost Sharing] states that federal funding will not be provided for payments made by the Department to providers for services rendered to individuals who are not eligible for Medicaid. ? The Act [Section 2, Division F, Sec. 6008, Temporary Increase of Medicaid FMAP] temporarily increased the federal medical assistance percentage (FMAP) by 6.2 percentage points, effective from January 1, 2020 until the end of the PHE. The Act requires states to maintain Medicaid and Children?s Health Insurance Program (CHIP) eligibility for beneficiaries enrolled as of March 1, 2020 through the end of the PHE (with certain exceptions) in order to receive the increased FMAP assistance (the ?continuous enrollment requirement?). The PHE remained in effect during the entirety of Fiscal Year 2022 through June 30, 2022. ? According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with the Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office, Paragraph 16.01, Perform Monitoring Activities, which states that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. What problems did the audit work identify? We determined that the Department did not fully implement our Fiscal Year 2019 recommendation related to Medicaid claims payments by the July 2021 due date it originally provided. Specifically, while the Department has started working with DHS on a plan to resolve the TRAILS eligibility mismatch issues and started preliminary work on the project, the project was still ongoing as of June 30, 2022. In addition, the Department?s system enhancements to CBMS and Colorado interChange were not fully executed because of the ongoing PHE. Once the PHE ends and the Department executes the system enhancements, the Department has indicated the system will begin to correct the CBMS and Colorado interChange mismatches. Finally, although the Department has identified additional beneficiary records that require updating in CBMS, it did not correct the identified issues in the system. Specifically, the Department identified approximately 32,800 separate beneficiaries that were flagged as having an eligibility issue through the Fiscal Year ending June 30, 2022. However, per Department staff, they are unable to tell which beneficiaries had data integrity issues versus those that were caused by a system defect. Once the continuous enrollment period ends and the Department is able to fully execute the system enhancements noted above, the Department reports that the systems will sync any error the Department has identified and will be manually corrected. Why did these problems occur? The Department indicated that it did not fully execute the CBMS and Colorado interChange system enhancements because of the Act?s ongoing continuous enrollment requirement. Specifically, because the Department was required to maintain Medicaid and CBHP beneficiaries enrolled as of March 1, 2020 through the entirety of Fiscal Year 2022 due to the continuous enrollment requirements in place, they were unable to fully execute the CBMS and Colorado interChange system enhancements that would fix the data integrity issues identified during the Fiscal Year 2019 audit. Why do these problems matter? Making payments to ineligible individuals can result in the Department having to repay the federal government for the federal portion of the overpayments. Further, because Colorado interChange makes payments on behalf of other federal programs, such as CBHP, system issues with Colorado interChange could result in erroneous payments for other programs. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-043 The Department of Health Care Policy and Financing should strengthen its internal controls over Medicaid claim payments by: A. Continuing to work with the Department of Human Services to fully implement the plan to eliminate the Colorado interChange issues between Colorado Benefits Management System (CBMS), TRAILS, and Colorado interChange to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries. B. Continuing to review the monthly eligibility reconciliation reports and identifying beneficiary records that need updating, and making necessary corrections in CBMS once the continuous enrollment condition ends. Response Department of Health Care Policy and Financing A. Partially Agree Implementation Date: April 2023 The Department and CBMS teams have strengthened their internal controls to ensure payments are only made to providers for eligible members. The Department and CBMS teams will update all member records identified on the Monthly Reconciliation report once the Public Health Emergency ends. TRAILS team has provided additional training to the Case Managers to prevent data integrity issues being submitted to CBMS and interChange; however, the TRAILS team does not plan to update the system's internal controls until funding is available. Auditor?s Addendum Our responsibility under federal audit regulations is to report to the federal government when we identify Medicaid payments that may not have been made on behalf of eligible individuals or costs that we question as appropriate. It is ultimately the Department?s responsibility to have internal controls in place over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions B. Agree Implementation Date: April 2023 The Department agrees to review the monthly eligibility reconciliation report and is looking forward to resolving the member records once the Public Health Emergency ends to fully resolve the audit finding.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-041 Medicaid Eligibility?Social Security Numbers associated with Multiple State IDs Each beneficiary?s Medicaid application must contain specific information, including the beneficiary?s Social Security Number (SSN), a copy of their birth certificate, and support for their income, necessary for determining their Medicaid eligibility. The local counties and MA sites are responsible for administering the benefits application process, including entering the required data for eligibility determination into CBMS, and approving or denying applicants? eligibility. CBMS is a shared eligibility system between the Department and the Department of Human Services. As each beneficiary has one SSN, similarly, the State Identification Module (SIDMOD), which is managed by the Office of Information Technology (OIT), is designed to assign a unique State ID for each beneficiary. CBMS interfaces with Colorado interChange, the Department?s Medicaid claims payment system, on a daily basis to update eligibility information, such as a beneficiary?s eligibility status or termination of benefits in Colorado interChange. Colorado interChange uses this information to process and pay claims for services provided to eligible Medicaid beneficiaries. When a medical provider submits a claim to the Department, Colorado interChange checks the State ID and the date of birth, but not the SSN, submitted with the claim against the beneficiary?s information on file. If the State ID and the date of birth match an eligible beneficiary within Colorado interChange and the claim is otherwise appropriate, then the claim will be processed and paid through the system. The Department requires local counties or MA site caseworkers to call the OIT Service Desk to obtain approval for changing or updating an SSN in CBMS. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department made claims payments on behalf of beneficiaries with the same SSN but different State IDs, including assessing the Department?s progress in implementing our Fiscal Year 2019 recommendation related to this issue. At that time, we recommended that the Department improve its internal controls in this area to ensure that it complies with federal regulations regarding Medicaid eligibility. The Department agreed with the Fiscal Year 2019 recommendation and, during our Fiscal Year 2021 audit, reported that it had implemented this recommendation as of December 2020. As part of our testing, we reviewed the internal controls the Department had in place during Fiscal Year 2021 to identify any beneficiaries whose SSN is linked to more than one State ID in Colorado interChange. During our audit, we requested a list of all Medicaid claims that were submitted by providers and paid by the Department from December 1, 2020, through June 30, 2021, including the beneficiaries? names, SSNs, and State IDs. The Department provided a list that included approximately 924,000 beneficiaries who received benefits during that period. We analyzed this listing to identify any beneficiaries whose SSN was linked to more than one State ID, and to determine if any claims payments were made on behalf of those beneficiaries from December 2020 through June 2021. How were the results of the audit work measured? Federal regulation [42 CFR 435.910] states that the Department must require, as a condition of eligibility, that each individual (including children) seeking Medicaid services furnish a SSN. Federal regulation [42 CFR 435.914] further requires the Department to obtain and maintain documentation to support each beneficiary?s Medicaid eligibility determination. Federal regulation [42 CFR 447.56(e)(2)] states that federal funding will not be provided for payments made by the Department to providers for services provided on behalf of individuals who are not eligible for Medicaid. Further, the Department is required by federal regulations to repay the federal government the federal share of any overpayments within one year. Specifically, pursuant to 1903(d)(2)(C) of the Social Security Act [42 U.S.S. 1396b], states have up to one year from the date of discovery of the overpayment to recover or attempt to recover the overpayment before the federal share must be refunded to CMS regardless of whether recovery is made from the provider. According to federal regulation [45 CFR 75.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office. Under Paragraph 16.01 of the Green Book, the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. What problem did the audit work identify? We determined that the Department has not fully implemented the prior audit recommendation. During our testing, we identified 102 unique SSNs that appeared to be inappropriately associated with more than one State ID; in total, the 102 SSNs were tied to 209 State IDs. This could indicate that the Department determined eligibility without a beneficiary furnishing the correct SSN and, as a result, made claims payments on behalf of ineligible beneficiaries or the SSNs could be valid, but with more than one State ID, a provider could submit and have a claim paid for the same services under both State IDs. Specifically, we found the following: ? For 62 SSNs, the SSNs were tied to beneficiaries with more than one State ID, totaling 129 different State IDs, where the State IDs appeared to be for different people based on the names and/or dates of birth. ? For 40 SSNs, the SSNs were tied to beneficiaries with more than one State ID, totaling 80 different State IDs, where the State IDs had the same name and date of birth. ? For 99 SSNs, each SSN was tied to two different State IDs in Colorado interChange. ? For three SSNs, each SSN was tied to more than two different State IDs in Colorado interChange. For example, in one of the three instances, there were five different State IDs associated with one invalid SSN. These issues affected a total of 209 Medicaid State IDs that had not been corrected as of June 2021, representing a total of $67,235 Medicaid claims paid through Colorado interChange from December 2020 through June 2021. We provided the list of SSNs and State IDs to the Department to research. The Department found that, as of the end of our audit in April 2022, 59 out of the 102 SSNs identified during the audit had been corrected by a caseworker, but 43 SSNs need to be corrected in CBMS. The Department reported that these 43 SSNs had been flagged through a system edit in CBMS implemented in December 2020; however, the SSNs had not yet been corrected because ?To merge or correct [the SSNs and State IDs] is a time intensive process and must be prioritized within the business process of the [local counties and] Medical Assistance sites.? Although the Department was able to determine which SSN and State ID discrepancies had been corrected in CBMS as of April 2022, the Department has not completed its research to determine which claims made in Colorado interChange were made on behalf of beneficiaries with a correct SSN, and whether the implemented system edit appropriately addresses the issues identified in both Fiscal Years 2019 and 2021. As of the end of the audit, the Department had not completed this research and we were unable to determine whether the payments were made on behalf of beneficiaries with a valid SSN at the time payments were made. Therefore, we consider all $67,235 of the payments to be known questioned costs; $37,786 of these costs were paid with federal grant funds. A questioned cost, as defined in federal regulations [45 CFR 75.2 Uniform Administrative Requirements, Cost Principles, and Audit Requirements] (Uniform Guidance), is ?a cost that is questioned by the auditor ? (1) Which resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds; [or] (2) Where the costs, at the time of the audit, are not supported by adequate documentation?.? We have identified these questioned costs as known questioned costs that are further defined in Uniform Guidance [45 CFR 75.516] as questioned costs that are specifically identified by the auditor. Why did this problem occur? The Department did not have adequate internal controls in place during Fiscal Year 2021 to prevent or detect all instances of multiple State IDs associated with the same SSN in Colorado interChange and, as a result, could not ensure only eligible beneficiaries received Medicaid services. SIDMOD does not prevent several situations that can result in the same SSN with more than one State ID. For example, caseworkers could incorrectly input an SSN into CBMS or the SSN could be reported by the beneficiary incorrectly and, as a result, cause a new State ID to be created. There can also be instances when someone changes their name, such as when they get married, and apply for benefits prior to getting married and also after getting married, which could cause two State IDs to be created. If someone starts an application and does not finish the application and then restarts a new application at a later date, this can also cause two State IDs to be created. Further, when inputting multiple family members into the system, an input error of the SSN can occur with multiple family members with the same SSN, which would create multiple State IDs (one for each family member) with the same SSN. According to the Department, in order to implement the Fiscal Year 2019 recommendation, it implemented a system edit in CBMS in December 2020 that is designed to identify discrepancies in newly-entered or updated SSNs and State IDs in CBMS after that date and to then notify the caseworker so the caseworker can address the discrepancy; this edit was not designed to address SSN and State ID discrepancies that existed prior to December 2020. As a result, the system edit did not identify SSN and State ID discrepancies for claims made from December 2020 to June 2021 if those discrepancies existed prior to the implementation of the system edit in CBMS and the beneficiaries? information had not been updated in CBMS. For example, if a beneficiary had an incorrect SSN prior to the system edit and was, therefore, ineligible to receive Medicaid services, Colorado interChange would continue paying claims on behalf of the beneficiary until information was updated in CBMS and the beneficiary was determined to be ineligible for Medicaid. Because the system edit implemented in CBMS is only designed to detect and correct future SSN and State ID discrepancies, the Department has not fully addressed the issue of inappropriate claims payments that we identified in the prior audit recommendation. According to the Department, addressing SSN and State ID discrepancies that existed prior to December 2020 involves a manual process to identify, research, and resolve the discrepancies. The Department stated that a report to identify SSNs with multiple State IDs is being developed and is currently scheduled for deployment in June 2023. Furthermore, the Department has not established a monitoring process over caseworkers to ensure SSN and State ID discrepancies are addressed appropriately and in a timely manner. Why does this problem matter? Failing to institute appropriate controls over the processing of Medicaid eligibility can result in the counties and MA sites granting Medicaid benefits to ineligible individuals. As the state Medicaid agency, it is essential for the Department to ensure that Medicaid benefits are paid only for eligible beneficiaries. This includes ensuring that the Department has sufficient internal controls to address risks related to multiple State IDs associated with the same SSN. For example, without adequate controls in place to prevent multiple State IDs from being created, providers could erroneously or fraudulently submit duplicate claims under these State IDs for the same services, resulting in improper payments. Ultimately, the federal government may disallow federal funds for Medicaid program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. Recommendation 2021-041 See Schedule of Findings and Questioned Costs for chart/table The Department of Health Care Policy and Financing (Department) should improve its internal controls over Medicaid eligibility by: A. Researching the claims payments that were identified during our audit to determine whether the local counties or Medical Assistance sites had a valid Social Security Number (SSN) when determining eligibility, if payments were appropriate?in accordance with federal regulation at the time the payments were made?and recovering any payments made to providers on behalf of ineligible beneficiaries in accordance with federal regulations. B. Continuing to develop a report to identify SSNs associated with multiple State IDs and establishing and implementing written policies and procedures outlining how the Department will use the report to effectively monitor and correct SSN and State ID discrepancies. C. Implementing a process to monitor that caseworkers are addressing the Colorado Benefits Management System alerts related to SSN and State ID discrepancies appropriately and in a timely manner. Response Department of Health Care Policy and Financing A. Disagree The research required to identify the appropriateness of payments for 102 SSNs compared to the 1.6 million Coloradans the Department serves is administratively impractical and not an efficient use of limited state resources. Instead the Department will continue our existing proactive approach. Based on previous research, 92% of errors noted in the 2019 sample actually supplied a SSN or met exceptions criteria; therefore, payments were appropriate. The resolution of a SSN discrepancy is addressed through manual intervention by county eligibility technicians when identified through the system edit implemented in December 2020. The Department will continue the existing process to address duplicate SSNs, which is working since 58% of the SSNs had already been corrected through the existing process during the audit work. The Department could not agree to the questioned costs as the testing failed to determine which member case was incorrect. The OSA should have documented the incorrect case or identified which State IDs had not been merged through the existing process. The OSA pulled claims data (not Colorado Benefits Management System, or CBMS, cases) and did not identify if those claims were from newly entered cases or cases entered prior to December 2020. The auditor?s sample should have only included the cases impacted by the Department?s system change related to the original recommendation. Further, the Department cannot recover any payments from providers since this issue is not related to services provided. When a provider checks a member's eligibility on the day of service and finds the member eligible through the Department?s system, that provider is guaranteed payment if they render an authorized service. Auditor?s Addendum Our responsibility under federal audit regulations is to report to the federal government when we identify Medicaid payments that may not have been made on behalf of eligible individuals or that we ?question? as appropriate. It is ultimately the Department?s responsibility to perform research over questioned costs to determine whether the payments were or were not appropriate and, working with CMS, whether the Department must refund the federal share of any overpayments to CMS, regardless of whether the Department recovers the payments from the providers. B. Agree Implementation Date: June 2023 The Department will continue our existing proactive approach to minimize this issue. The resolution of a SSN discrepancy is addressed through manual intervention by county eligibility technicians when identified through the system edit implemented in December 2020. The Department will continue the existing process to address duplicate SSNs. The Department has already made significant progress to monitor CBMS through the use of CBMS monitoring dashboards. These dashboards allow the Department to monitor and perform daily analysis. The Department meets bi-weekly to discuss findings and next steps to resolve any issues identified through the dashboard. These dashboards are being implemented over time as areas of improvements are identified. As part of the Department's continual improvement strategy, SSN discrepancy reports are included in the next implementation phase of the monitoring dashboards scheduled for June 2023. The Department will develop and implement policies and procedures outlining how the report will be used to effectively monitor and correct SSN and State ID discrepancies. Once that work is complete, the Department will send updated written guidance to our county and medical assistance sites on how to use system edits, reports, and dashboards to resolve duplicate SSNs. C. Agree Implementation Date: June 2023 The Department will continue our existing proactive approach to minimize this issue. The resolution of a SSN discrepancy is addressed through manual intervention by county eligibility technicians when identified through the system edit implemented in December 2020. The Department will continue the existing process to address duplicate SSNs. The Department has already made significant progress to monitor CBMS through the use of CBMS monitoring dashboards. These dashboards allow the Department to monitor and perform daily analysis. The Department meets bi-weekly to discuss findings and next steps to resolve any issues identified through the dashboard. These dashboards are being implemented over time as areas of improvements are identified. As part of the Department's continual improvement strategy, SSN discrepancy reports are included in the next implementation phase of the monitoring dashboards scheduled for June 2023. Once that work is complete, the Department will send updated written guidance to our county and medical assistance sites on how to use system edits, reports, and dashboards to resolve duplicate SSNs appropriately and in a timely manner.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-042 Medical Loss Ratio Reporting for Managed Care Entities The Department contracts with Managed Care Entities (MCEs) to provide managed care health plans and deliver health care services to eligible Medicaid and CBHP beneficiaries and pays MCEs monthly fixed amounts, known as capitation payments, based on rates determined by actuaries for the provision of services covered under the contract. The Department pays the MCEs monthly capitation payments on behalf of each Medicaid and CBHP beneficiary enrolled in the MCE?s plan. MCEs then coordinate services for the eligible Medicaid and CBHP beneficiaries and providers participating in the managed care system bill the MCEs directly for any medical services provided to Medicaid and CBHP beneficiaries. The MCEs are then responsible for paying the providers for the Medicaid and CBHP claims. The Department contracts with three different types of MCEs?Managed Care Organizations (MCO), Prepaid Inpatient Health Plans (PIHP), and Primary Care Case Management (PCCM) Entities. During Fiscal Year 2021, the Department had a total of 8 contracts with 10 MCEs, with two pairs of MCEs sharing a single contract with the Department. The Department is responsible for monitoring the MCEs to ensure they are complying with federal regulations and their contract provisions, including requirements that the MCEs annually submit Medical Loss Ratio (MLR) reports to the Department. The MLR is the proportion of state and federal Medicaid and CBHP funds that the MCE used for medical services compared to the funds used for its administrative costs. MCEs are required by both federal regulations and their Department contract provisions to have an MLR above 85 percent (i.e., an MCE?s administrative costs cannot exceed 15 percent) except for specific exceptions defined in federal regulations. If the MLR is below 85 percent, the MCE must pay back the state and federal government for the amount that caused the MCE to fall below 85 percent. Every fiscal year, the Department provides an MLR reporting template for the MCEs to complete and return to the Department. The Department reported that when it receives the completed templates, staff review the information provided by the MCEs and compare it to supporting documentation to ensure it is accurate and complete. Once the Department has reviewed the MLR reports submitted by the MCEs, the Department submits the MLR reports to CMS, which are due by June 30 of the year following the end of the MLR reporting year. For example, an MCE with a reporting year ending June 30, 2020, would be required to submit the MLR calculation to CMS by June 30, 2021. During Fiscal Year 2021, the Department reported that it paid approximately $1.4 billion in Medicaid and CBHP capitation payments to MCEs for medical services, not including the capitation payments for other services, such as administrative costs. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to review the Department?s internal controls and compliance over ensuring that MLR reports submitted to CMS by the Department include all the required information in accordance with federal regulations during Fiscal Year 2021. The audit work included making inquiries of Department staff regarding the Department?s documented policies and procedures over obtaining and reviewing MLR reports from each MCE. In addition, we requested and reviewed all MLR reports submitted to the Department by the 10 MCEs that were under contract with the Department in Fiscal Year 2021 to determine whether the MLR reports included all information required by federal regulations and were submitted within the required timeframes. How were the results of the audit work measured? Federal regulations [42 CFR 438.8(k)] require that the Department ensure each MCE under contract with the Department submits a report with the data elements specified in 42 CFR section 438.8(k)(1). The reports are specifically required to contain 13 required data elements, reflect the correct reporting years, and contain an attestation of accuracy regarding the calculation of the MLR. The 13 data elements include items such as total incurred claims, the methodology for allocating expenditures, the calculated MLR, and a comparison of the information reported in the MLR report to the MCE?s audited financial report. Federal regulations [42 CFR 438.8(g)] note that the method used to allocate expenses in the MLR calculation must be: ? Based on a generally accepted accounting method that is expected to yield the most accurate results; ? Any shared expenses must be apportioned pro rata to the contract incurring the expense; and ? Expenses that relate solely to the operation of a reporting entity must be borne solely by the reporting entity and are not to be apportioned to other entities. Federal regulations [42 CFR 438.8(k)(2)] require MCEs to submit the MLR report in a timeframe and manner determined by the Department, which must be within 12 months of the end of the MCE?s reporting year. The Department?s contract provisions for MCEs state that the MLR reporting year should align with the State?s fiscal year, beginning on July 1 and ending on June 30 of the subsequent calendar year. Contract provisions also state that each MCE shall submit to the Department the completed MLR calculation template and supporting documentation for each reporting year by the following January 15. For example, an MCE with a reporting year ending June 30, 2020, would be required to submit the MLR calculation template to the Department by January 15, 2021, and the Department would be required to submit the MLR calculation to CMS by June 30, 2021. What problems did the audit work identify? We reviewed all reports provided to the Department by the 10 MCEs during Fiscal Year 2021 (for the MLR reporting year ended June 30, 2020) and determined that none of the MLR reports submitted by the 10 MCEs to the Department contained all of the required data elements in Fiscal Year 2021. Specifically, the MLR reports were missing 2 of the 13 (15 percent) required data elements: the methodology for the MCEs? allocation of expenditures and a comparison of the information reported in the MLR report to the MCEs? audited financial reports. This omission is significant because the MCEs reported total medical expenditures ranging from $20.5 million to $208.4 million and earned revenue from $23.4 million to $219.1 million. In addition, we determined that 1 of the 10 MLR reports received in Fiscal Year 2021 (10 percent) had not been submitted to CMS as of April 2022. This report was due to CMS on June 30, 2021. Why did these problems occur? We found that the Department lacked adequate controls to ensure that MLR reports submitted by the MCEs fully complied with federal regulations. First, we noted that although the Department?s MCE contracts state the MCE?s MLR report should include all 13 federally required data elements, the MLR template the Department provided to the MCEs did not include specific sections addressing the two missing federally-required data elements. As a result, the MCEs did not submit this information. Furthermore, the Department did not have written policies and procedures for reviewing completed MLR reports to ensure the reports ultimately included those requirements. Second, the Department does not have an enforcement mechanism to ensure the MCEs provide corrected MLR report information in a timely manner. The Department reported that it had not submitted the one MLR report to CMS because it had open questions on the MLR report and was unable to verify that the information was correct, valid, and in compliance with federal regulations. Although the Department sent the MLR report back to the MCE for correction several times, the Department did not have sufficient controls in place to ensure the MCE ultimately provided the corrected report back to the Department within the required reporting timeline for CMS submission. Why do these problems matter? The Department is responsible for ensuring MLR reports are obtained and submitted to CMS in accordance with federal regulations and that MCEs have an MLR above 85 percent. While all 10 MCEs reported that their MLRs were above 85 percent for the reports submitted during Fiscal Year 2021, without providing all required data elements, neither the Department nor the federal government can validate that this percentage is accurate. By not including the methodology for the MCE?s allocation of expenditures, the Department, and ultimately CMS, are unable to confirm that each type of expense is being allocated correctly and that any shared expenses are being prorated appropriately. Additionally, by not including a comparison of the information reported in the MRL to the MCE?s audited financial report, the Department is unable to confirm that the information the MCE used to calculate their MLR is accurate. Overall, without effective internal controls in place, the Department risks providing MLR reports to CMS that contain inaccurate or incomplete information or that the MLR is below 85 percent and the Department does not catch the error. As a result, state and federal funds could be used disproportionately on administrative costs rather than medical services, which would negatively impact the quality of care Medicaid and CBHP beneficiaries receive. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-042 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls over Medical Loss Ratio (MLR) reporting by: A. Updating its MLR report template provided to Managed Care Entities (MCEs) to comply with federal regulations and developing and implementing written policies and procedures. These policies and procedures should include the requirement for MCEs to submit MLR reports that include the data elements required by federal regulations and specify the Department?s review process of those MLR reports to ensure they include accurate and complete information. B. Developing an enforcement mechanism to ensure it receives accurate and corrected information from the MCEs in a timely manner so the Department is able to complete its validation process of MLR reports and meet the June 30 deadline for report submission to the Centers for Medicare & Medicaid Services. Response Department of Health Care Policy and Financing A. Agree Implementation Date: December 2022 The MLR report template has been updated and will now be reviewed at least yearly by the Department. In addition, new written policies and procedures are being developed and will be implemented before the submission of the next MLR for review. B. Agree Implementation Date: January 2023 The Department will add contract language and enforcement mechanisms in order to receive accurate information in a timely manner. This includes specific timelines for correcting incomplete or inaccurate information in order to submit the MLR report timely to the Centers for Medicare & Medicaid Services.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-043 Managed Care Entities? Periodic Audit Reporting On November 9, 2020, CMS adopted a final rule (Final Rule) revising the regulations governing managed care programs. The Final Rule was meant to streamline the existing Medicaid and CBHP managed care regulatory framework. Further, it adopted procedures and standards to ensure accountability and strengthen program integrity safeguards. The Department is responsible for complying with these federal program integrity regulations, some of which include requirements to monitor MCE compliance submission requirements, conduct periodic audits of submitted MCE data, and then post the periodic audits publicly on the Department?s website. These periodic audits are done to determine the accuracy and completeness of the (1) encounter and, (2) financial data submitted by each MCE, which are described as follows: ? Encounter Data. The Department?s contracts with the MCEs require each MCE to submit Medical Encounter Claims (Encounter Data) to the Department. Encounter Data includes services provided by any of the MCE?s providers, including, but not limited to, services delivered by medical groups, practices, clinics, physicians, or any other providers. MCEs must submit Encounter Data on a monthly basis on the last business day of the month. The Department then contracts with an independent external quality review organization to review the information and supporting documentation, and then the external organization issues a report on the data submitted by each MCE. ? Financial Data. The Department?s contracts with the MCEs require each MCE to complete a Department-provided financial reporting template that contains a breakdown of the MCE?s administrative and medical costs for a 12-month period (July through June). These templates are required to be completed and submitted to the Department by January 15 each year. The Department performs an initial review of the information, and then sends the completed templates to an independent CPA firm for final review and issuance of a report on the data submitted by each MCE. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to review the Department?s internal controls over and compliance with federal program integrity requirements for MCEs during Fiscal Year 2021. The audit work included making inquiries of Department staff regarding the Department?s documented policies and procedures over the MCE periodic audits. For each MCE, we reviewed the Department?s MCE contract, the financial reporting template submitted during Fiscal Year 2021, and the report issued by the Department?s contracted independent organization. Lastly, we reviewed the Department?s website to determine whether the Department posted the periodic audit results on their website. How were the results of the audit work measured? Federal regulations [42 CFR 438.602] detail the Department?s responsibilities associated with MCE program integrity. These include the following: ? Federal regulation [42 CFR 602(e)] requires the Department to periodically conduct, or contract for the conduct of, an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by each MCE. ? Federal regulation [42 CFR 438.602(g)(4)] requires that the results of the periodic audits for each MCE be publicly posted on the Department?s website. The Department?s MCE contracts require all MCEs to submit Encounter Data electronically to the Department on a monthly basis. The Department?s MCE contracts also require all MCEs to submit annual financial information, including annual financial statements and the Department provided financial reporting template. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in the Green Book. Under Paragraph 16.01, the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. What problems did the audit work identify? Overall, we found that the Department did not obtain complete financial data from the MCEs during Fiscal Year 2021 and did not post the audited results of the financial data to the Department?s website. Specifically, we found the following: ? Financial Data Reporting Template. For 2 out of the 10 (20 percent) financial reporting templates we reviewed, the MCE did not fill out the reporting template completely. As a result, the reporting templates were missing supporting information and explanations that assist the Department in their initial review of the MCE financial data, such as the MCE?s methodology for calculating administrative and medical costs submitted with the reporting template. ? Posting Incomplete Periodic Audits to the Department?s Website. For 10 of the 10 (100 percent) MCEs, we found that the Department failed to post the results of the financial data audits to its website. Pursuant to federal regulations, the audits must include information on encounter and financial data for each MCE and be posted to the Department?s website. We were able to verify that the Department did, however, post the results of the encounter audits to its website for all 10 MCEs. Why did these problems occur? The Department lacked adequate controls over ensuring compliance with federal program integrity requirements for MCEs. Specifically, the Department did not have written policies and procedures for performing the initial review of the financial data reporting templates before they are sent to the CPA firm for final review. In addition, the Department did not have written policies and procedures for ensuring all periodic audit information is posted to its website, including the results of the financial data audits. Why do these problems matter? As a recipient of federal funds, the Department is ultimately responsible for ensuring that it is in compliance with federal regulations. By not confirming that the MCE financial data templates are complete, there is a risk that the reports issued by the contracted CPA firm could be inaccurate or incomplete, which could lead to the Department not properly monitoring the managed care program. In addition, by posting incomplete periodic audit information to its website, the Department risks failing to comply with federal program integrity requirements for MCEs. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-043 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls by developing and implementing written policies and procedures for periodic audits that detail the process for (1) performing the initial review of the financial data reporting templates submitted by Managed Care Entities, and (2) posting complete periodic audit results on the Department?s website in accordance with federal regulations. Response Department of Health Care Policy and Financing Agree Implementation Date: December 2022 The Department did not have strong enough controls for the initial checks on the financial data reporting templates. This process has been updated and will be rectified in coming cycles. The Department has modified its templates in order to address the concerns provided by the auditors including signatures and supplemental reporting. Written policies and procedures for the validation and audit of the templates are being developed currently and will be in place and effective in December 2022. The Department will be correcting this error by posting the audit results along with other quality and audit reports on the following site: https://hcpf.colorado.gov/quality-and-health-improvement-reports.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-045 Payments for Non-Emergent Medical Transportation ClaimsPrior to July 2020, in 55 counties, the Department worked with various county offices to have them broker Non-Emergent Medical Transportation (NEMT) services for Medicaid recipients, including rides to and from Medicaid medical appointments, personal mileage reimbursement, and trip-related meals and lodging. For example, these counties arranged the rides with transportation providers, submitted the claims or had providers submit claims for reimbursement to the Department, and passed on reimbursements to providers as needed. For the remaining nine counties, the Department contracted with IntelliRide to serve as the NEMT broker for services in those areas. From July 1, 2020, to August 31, 2021, when the Department contracted with IntelliRide to be the statewide broker, most recipients throughout the state scheduled NEMT rides by contacting IntelliRide through its call center, website chat function, or smartphone applications. IntelliRide scheduled rides and assigned transportation providers to them, and had providers upload trip information into IntelliRide?s EcoLane transportation scheduling system. EcoLane maintains information related to recipients? requests for rides and provider trip information, such as the trip date and time, names of the recipient and driver, and scheduled pick-up and destination addresses. IntelliRide submitted claims through the Department?s interChange system (interChange) requesting payments for providers? NEMT services, paid providers for their services, and received reimbursement from the Department. In addition, the Department paid NEMT claims submitted directly by NEMT providers. In Fiscal Year 2021, from July 1, 2020, through February 28, 2021 (the audit period), the Department paid 362,110 claims for NEMT services totaling about $33.2 million, as shown in the following table. In September 2021, the Department plans to transition back to IntelliRide brokering services in nine counties, while the NEMT providers in the remaining counties will broker their own services. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote What audit work was performed and how were the results measured? The purpose of the audit work was to determine whether the Department has ensured that NEMT claims adhere to the following federal and state requirements. ? NEMT trips were to be brokered through, and all claims submitted by, the statewide broker, Intelliride. According to state regulations and the Department?s NEMT Billing Manual, all NEMT trips during Fiscal Year 2021 had to be authorized by the statewide broker, IntelliRide [10 CCR 2505-10 8.014.7.A]. This means that each recipient?s NEMT ride request should have been sent to IntelliRide for approval or authorization before the trip, and any unauthorized trips should ?not be reimbursed or paid? [Billing Manual]. According to the Department, it allowed NEMT providers time to transition to working with IntelliRide because some providers were reluctant to join the statewide brokerage and the Department needed time to onboard providers. By Fall 2020, most providers should have been working with IntelliRide to schedule NEMT rides. The Department told us that six NEMT providers received its express permission to bypass IntelliRide to schedule rides and submit claims directly to the Department because the providers are unique, such as only serving recipients with disabilities or receiving federal grant funding to provide NEMT. To assess whether IntelliRide brokered most NEMT services in the State and submitted the related claims in line with regulations and its contract, we reviewed the Department?s aggregate data for the 128,998 NEMT claims paid from December 2020 through February 2021. ? The Department must pay claims based on accurate service rates and trip mileage. Non-taxi NEMT services, such as wheelchair and mobility vehicle services, have base rates and mileage rates set by the Department. IntelliRide tracks the mileage of each NEMT trip in EcoLane and submits mileage claims to the Department?s interChange system. The Public Utilities Commission (PUC) sets the rate for each permitted taxi provider, which generally includes a rate for the first trip mile and a different rate for each additional mile. According to the Department?s NEMT Billing Manual and NEMT Rate Schedule for Fiscal Year 2021, taxi claims should have been paid at the rate set by the PUC. For example, if a taxi company?s PUC rate was $4 for the first mile and $2 for each additional mile, the Department should have paid $6 for a two-mile NEMT trip claim. To verify that the Department paid NEMT claims based on the correct trip mileage and rates, we reviewed the trip mileage and rates for 362,110 NEMT claims paid from July 2020 through February 2021, and PUC documentation on the taxi rates for permitted taxi companies. ? Claims must be supported with accurate and complete documentation confirming the service provided. Both IntelliRide and providers that submit claims for NEMT services must keep and be able to furnish accurate, complete supporting documentation for all claims [42 USC 1396a(27), 42 CFR ?? 431.17 and 433.32, and 10 CCR 2505-10 8.014.3.C and 8.014.6.B]. For example, a claim must be supported by medical documentation showing that the type of vehicle was needed to transport the recipient, and documentation from the transportation provider showing the trip occurred and when the recipient was picked-up and dropped-off. IntelliRide should only submit a claim to the Department after IntelliRide confirms the trip has been completed and marks the status complete in EcoLane [IntelliRide Policies and Procedures]. If an NEMT provider does not show up for a trip, IntelliRide should mark the trip as ?cancelled? in EcoLane. Payments for Medicaid claims that lack supporting documentation for the services provided are unallowable, meaning they should not be paid. IntelliRide or the Department must maintain documentation from recipients? medical providers showing why certain NEMT services, like transportation in a wheelchair van or with an escort, are medically necessary [10 CCR 2505-10 8.014.7.B and 8.014.5.D.1; Billing Manual]. To verify that there was support for NEMT claims, we reviewed IntelliRide data in EcoLane for all 362,110 NEMT claims paid from July 2020 through February 2021, and Department documentation for a sample of 85 NEMT paid claims?75 selected randomly from the four NEMT service areas of the state, and 10 that were the highest paid NEMT claims. ? NEMT services must be medically necessary. NEMT services shall only be provided to recipients with no other means to attend medically necessary, non-emergency treatment covered by Medicaid [42 USC 1396a(70); 42 CFR 431.53; 10 CCR 2505-10 8.014.5.B]. To verify that NEMT claims were only paid for recipients to access medical care, we reviewed the Department?s data on paid medical claims to determine if the recipients related to 22 sampled NEMT claims paid in December 2020 had a corresponding medical appointment. For another 61 paid NEMT claims that involved IntelliRide scheduling and submitting claims for trips every day in December for two recipients, we reviewed whether the recipients had paid medical claims corresponding with the trips. ? Prior authorization is required for air ambulance. The Department must grant prior authorization for the use of an NEMT air ambulance before the trip occurs in order for the claim to be paid [10 CCR 2505-10 8.014.7.D.1.b]. To verify that the Department granted prior authorization for air ambulance trips, we reviewed the use of air ambulances in 11 paid claims from July 2020 to February 2021. ? Recipients are to receive the least-costly NEMT transportation option appropriate for their medical condition. For example, recipients should only ride in a vehicle for recipients with mobility needs when they have a mobility issue or if there is a lack of access to public transportation [10 CCR 2505-10 8.014.6.B, 42 USC 1396(a(70), and 42 CFR 440.170(a)(4)]. Higher-cost NEMT services, such as ambulance and wheelchair van services, must be supported with documentation of the recipient?s need for the specific higher-cost services [10 CCR 2505-10 8.014.5.B.1.b]. To determine whether recipients received the least costly NEMT services to meet their needs, we reviewed documentation submitted by medical or transportation providers to IntelliRide or the Department for the 85 sampled NEMT claims. ? Taxi providers must be permitted by the PUC to provide NEMT taxi rides. To provide NEMT rides by taxi and receive payment for them, the provider must maintain a common carrier permit issued by the PUC [10 CCR 2505-10 8.014.3.B.4.a]. To verify that the providers that were paid for taxi claims had been permitted to provide taxi services, we reviewed the 33,791 NEMT claims for taxi services from July 2020 to February 2021. What problems were identified? The Department paid $3.5 million directly to 66 NEMT providers for claims that were not brokered by Intelliride. From December 2020 through February 2021, 26,890 of the approximately 129,000 NEMT claims paid by the Department (21 percent), totaling about $3.5 million, were not brokered through IntelliRide, which violated state regulations requiring all NEMT services to be brokered through the statewide brokerage in effect at the time. The following chart shows the amounts the Department paid for claims submitted directly by NEMT providers compared to its payments for claims submitted by IntelliRide from July 2020 through February 2021. During these months, the number of claims that providers submitted directly to the Department decreased as providers transitioned to working with IntelliRide to broker NEMT rides; however, as of February 2021, the Department was still paying about $1 million in monthly claims that were submitted directly by providers. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote The Department paid 36,910 NEMT claims totaling $5.5 million, which either violated or may have violated federal and/or state regulations. The claims were for unallowable services or were overpaid, and resulted in $291,597 in known questioned costs and $5,180,962 in likely questioned costs for Medicaid. A questioned cost is a payment that ?resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds? or ?the costs, at the time of the audit, [that] are not supported by adequate documentation?? [2 CFR 200.84]. A known questioned cost reflects a violation that the auditor confirmed; a likely questioned cost is the auditor?s best estimate of a potential violation [2 CFR 200.516(a)(3)]. Known and likely questioned costs should be investigated by the Department and recovered, as appropriate, because Medicaid overpayments are recoverable regardless of whether they occurred due to an error by the Department, entity acting on behalf of the Department, or a provider [Section 25.5-4-301(2), C.R.S.]. We found the following problems resulting in $291,597 in known questioned costs: ? Claims paid with no support that services were provided. For 3,958 of the 362,110 NEMT claims (1 percent), which totaled $258,115 paid from July 2020 to February 2021, IntelliRide or providers submitted the claims without any documentation showing that recipients received the NEMT services from the providers listed in the claim. The $258,115 is known questioned costs and includes: o 3,323 claims totaling $163,985 submitted by IntelliRide with no documentation in EcoLane of a ride being scheduled or provided. o 619 claims totaling $61,431 submitted by IntelliRide for which EcoLane showed the scheduled ride was cancelled. o 16 sampled claims totaling $32,699 submitted by providers directly to the Department had no documentation that an NEMT service occurred because the providers did not send the Department documentation for their claims. Upon our request, the Department attempted to obtain supporting documentation from providers for these claims but was unable to obtain any. ? Overpayments due to incorrect mileage and taxi rates. For 466 of the 321,099 mileage and taxi claims (less than 1 percent), the Department overpaid IntelliRide. Specifically, for 50 of the 287,308 mileage claims (less than 1 percent), the mileage submitted by IntelliRide that the Department paid was more than the ride mileage that IntelliRide documented in EcoLane. For 416 of the 33,791 (1 percent) claims submitted by IntelliRide on behalf of providers that were permitted to operate as taxis, the Department paid a higher rate than the providers? set PUC rate. The following table breaks out the overpayments that we identified, which totaled $6,759 in known questioned costs. We did not find issues with the rate amounts that the Department paid for non-mileage and non-taxi services. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Examples of these overpayments include: o An overpayment of $48 for a claim submitted by IntelliRide for a taxi provider that billed the wrong taxi rate. The Department paid $60 for a 4-mile trip, when it should have paid $12 based on the PUC rate of $3 per mile. o An overpayment of $79 for a claim submitted by IntelliRide on behalf of a provider because the claim showed the trip was 76 miles, but the EcoLane data showed the trip was 38 miles. The Department paid $157, when it should have paid $78. ? Unallowable rides, not for medical appointments. For 61 claims showing NEMT trips every day in December 2020 for two recipients, there were no medical claims corresponding to their trips, so it appears that either NEMT was used repeatedly to transport these recipients to unallowable destinations or the provider did not provide the trips claimed. The NEMT provider reported to IntelliRide that these trips were completed even though the recipients did not attend any medical appointments that month. IntelliRide submitted the 61 NEMT claims and its EcoLane data showed that the NEMT providers self-reported that the trips were completed. However, IntelliRide confirmed that these trips were not used to access medical care. The issues we identified resulted in $2,674 of known questioned costs. ? Air ambulance claims paid without prior authorization. None of the 11 air ambulance NEMT claims had supporting documentation that the provider requested or received prior authorization from the Department before the trip occurred. These 11 claims to three providers resulted in $23,122 in known questioned costs. ? Claims paid for trips that were not the least costly, medically necessary, and/or for approved escorts. For seven of the 85 sampled claims (8 percent), IntelliRide submitted the claims without having required documentation from medical providers. Specifically, four claims lacked documentation to support the medical necessity for the type of vehicle used (either mobility vehicle, taxi, or wheelchair van); the other three claims lacked documentation of the recipient?s need for an escort to support the associated cost, which indicates that the three sampled NEMT trips were provided to an escort ineligible to ride with the recipient. The issues we identified for the seven claims resulted in $927 of known questioned costs. In addition, we found the following problems resulting in $5,180,962 in likely questioned costs, which are estimated potential violations of federal requirements that we could not confirm due to a lack of documentation: ? $4.8 million paid for taxi claims without mileage. For 29,049 taxi claims totaling $4,763,071, the Department paid the claims without ensuring taxi providers were paid at their PUC per-mile rate. These claims were submitted directly to the Department by 10 permitted taxi providers. The Department required providers to submit claims showing only the number of one-way trips driven, not the number of miles driven. As a result, the Department could not ensure that these taxi claims were paid at the correct PUC rates, as required in its Billing Manual and Rate Schedule. The Department paid the full amount that each taxi provider requested, as long as the claim was not more than $1,000 per one-way trip. For example, the Department paid $4,000 to one taxi provider for a claim showing four one-way trips for a recipient on a single day. Based on the claim amount, the taxi provider would have had to have driven the recipient on four 400-mile, one-way trips that day to justify this amount, because the taxi provider?s PUC rate is $4 for the first mile and $2.50 for each additional mile. Since the Department did not obtain the miles driven for each one-way trip from taxi providers for these 29,049 claims, we could not determine whether the payments were accurate based on each provider?s PUC rate, as required. ? $409,575 paid for taxi claims for providers not permitted as taxis. For 3,284 NEMT claims for taxi services from eight providers, the providers were not permitted by the PUC to operate as taxis. For example, one provider was paid for an NEMT taxi claim for $5,875 for 12 trips, or $490 per trip. Since these providers were not permitted as taxis, they did not have PUC-set taxi rates, so we could not determine how much these providers should have been paid. ? $4,718 paid for trips that may not have been to attend medical services. As of April 2021, 13 of the 22 sampled NEMT claims (59 percent) for trips in December 2020 had no medical claims for dates corresponding to the NEMT trips. Department staff told us that Medicaid medical claims are typically submitted and paid within 3 months of the date of service, but that there is a possibility that medical providers had not yet submitted medical claims for the recipients since federal regulations technically allow providers up to 12 months to submit claims [42 CFR 447.45(d)(1)]. In addition, six of these 13 recipients had both Medicaid and other types of medical insurance, such as Medicare. According to the Department, it is possible that the six recipients used NEMT trips to access medical services but the Department did not have a Medicaid claim for the services because they were paid by the other types of insurance, which is allowed by state regulations [10 CCR 2505-10 8.014.5.B.2]. Therefore, we could not determine whether the NEMT trips associated with the 13 claims had been for recipients to attend medical services. ? $3,598 paid for trips that may not have been completed. For 61 of the 362,110 paid claims (less than 1 percent), the scheduled trips were not marked as complete in EcoLane, so we could not determine whether they had been completed. Why did these problems occur? The Department lacks effective internal controls over NEMT claims to ensure they are appropriate and consistently comply with federal and state requirements. According to federal regulations [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls to provide reasonable assurance that federal funds are spent in compliance with federal requirements. We identified the following areas where Department controls are lacking for NEMT claims: Lack of Department information technology (IT) Controls in interChange ? No IT controls to prevent providers from bypassing broker. From December 2020 through February 2021, the Department paid NEMT providers directly for unsupported NEMT trips because the Department did not have IT controls in interChange to deny claims for trips that were not brokered through IntelliRide, as required at the time. As of September 1, 2021, the Department plans to require only the NEMT providers operating in nine metro-Denver counties to broker trips through IntelliRide, so the Department needs IT controls to ensure providers in these counties work with IntelliRide to schedule all trips and submit related claims. ? Lack of IT and other controls to ensure proper payments for NEMT taxi services. InterChange is programmed to pay each NEMT taxi claim based on one-way trips, but the Department has not implemented an IT or other control to ensure that NEMT taxi claims are paid at the providers? current PUC-approved per-mile rates, and that the Department only pays taxi rates when the provider is permitted by the PUC to operate as a taxi. Department staff stated that the only IT control the Department has built into interChange to help ensure proper payment of taxi claims is limiting payments for taxi claims to no more than $1,000 per one-way trip, and that this control is in accordance with the NEMT Billing Manual and Rate Schedule. However, Department staff also acknowledged that there is a conflict within the Billing Manual that requires taxi claims to be based on the number of one-way trips, but also paid based on per-mile PUC rates. By setting the limit based only on the number of one-way trips instead of providers? PUC per-mile rate, this Department IT control is not effective at ensuring taxi claims are paid properly. To ensure accurate payments for NEMT taxi claims, the Department will need methods, such as IT controls in interChange, and clarification in the Billing Manual and Rate Schedule, to ensure taxi providers are paid based on set rates, and ensure each taxi provider is permitted. ? No IT controls to ensure required prior authorizations. Air ambulance services were paid without the Department?s prior authorization for the services because the Department does not have IT controls to ensure prior authorization before payment. If the Department does not implement IT controls to ensure appropriate prior authorizations of NEMT services, the Department will need to develop manual processes to ensure that NEMT services receive required authorization prior to paying the related claims. Lack of Department Monitoring of NEMT Services and Claims ? Insufficient methods to ensure appropriate payment and collect necessary documentation from providers that bypass the statewide brokerage. Although the Department reviewed NEMT provider supporting documentation for NEMT services in 2019, the Department did not do so in 2020 or 2021, and had no process to require the providers that bypassed the statewide brokerage to submit documentation to support their NEMT claims before they were paid. According to the Department, in September 2021, it plans to require providers in nine counties covered by the IntelliRide brokerage contract to provide and submit claims through IntelliRide; however, NEMT providers in the remaining 55 counties will be submitting NEMT claims directly to the Department. Therefore, it is important that the Department develop a process to ensure that providers in these 55 counties maintain required documentation for each claim. ? Lack of monitoring to ensure Intelliride submits accurate mileage claims and collects necessary documentation. The Department does not conduct reviews of IntelliRide?s documentation in EcoLane to ensure it submits claims for accurate mileage and maintains support for claims submitted to or paid by the Department. For example, the Department does not reconcile its NEMT claims data from interChange and IntelliRide?s EcoLane system data to ensure each claim is supported. Furthermore, the Department has never completed a file review of IntelliRide?s supporting documentation for NEMT claims, such as when the Department contracted with IntelliRide to be a regional broker prior to becoming the statewide broker. ? No method to ensure NEMT service claims are for rides for medical treatment and the least costly. The Department does not conduct any reconciliation of its interChange data on NEMT trip claims to its interChange data on Medicaid medical claims to ensure NEMT claims are only paid for recipients to access medical care. The Department also does not require confirmation from medical providers that recipients used NEMT to access necessary medical care. For example, NEMT providers told us that before the start of the IntelliRide statewide brokerage contract, they either called medical providers to confirm that the recipients? NEMT trips were to access medical appointments or collected medical providers? signatures for each NEMT trip. In addition, the Department has no controls to ensure providers that submit claims directly to the Department are providing the least costly NEMT service appropriate to each recipient, such as public transportation when it is accessible and appropriate. For example, IntelliRide instructs its staff to attempt to schedule the lowest-cost NEMT service based on recipients? mobility needs and access to public transportation; however, the Department has no such method to ensure services are the least costly when NEMT providers schedule services for recipients. As of September 2021, the Department plans to have the recipients who live in the 55 counties not served by IntelliRide begin scheduling their rides directly with the NEMT providers of their choosing, yet the Department has not developed a method to ensure recipients in these areas receive the lowest-cost services appropriate for their needs. ? Potentially insufficient Department staffing to monitor NEMT claims effectively. For Fiscal Year 2021, the Department was appropriated three full-time equivalent (FTE) staff to oversee NEMT claims; however, the Department had two vacancies in these positions from July 2020 through May 2021 that it did not fill, so there was only one Department staff overseeing NEMT and the IntelliRide statewide contract during the audit time period. In June 2021, the Department added an additional FTE staff member to assist in administering the NEMT benefit. Why do these problems matter? Likely federal recovery of funds used for improper payments. Section 25.5-4-301(2), C.R.S., states that any overpayments of claims to providers are recoverable and ?are recoverable regardless of whether the overpayment is the result of an error by the state department? an entity acting on behalf of [the department], or the provider or any agent of the provider.? Our audit identified $291,597 in known questioned costs, of which about $145,797 is the federal portion of funds that the federal government may recover. We also identified $5,180,962 in likely questioned costs, of which $2,590,480 is the federal portion of funds that could be recovered if the payments are determined to have not been appropriate. The following table shows the questioned costs and federal portions for each problem we identified. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote When providers bypass broker controls, service quality is not monitored. When the Department allows some NEMT providers to bypass the IntelliRide broker, and does not obtain documentation to support their claims, the Department is unable to monitor the services of these providers. Additionally, when the Department does not monitor providers that bypass the statewide broker, the Department is applying different and possibly inadequate standards for the providers that bypass compared to the providers that work with IntelliRide. Although the Department plans for IntelliRide to no longer be the statewide NEMT broker for all 64 counties beginning September 2021, IntelliRide will continue to administer NEMT trips for nine Front Range counties that account for the majority of NEMT trips. It is important that all NEMT trips in these counties be brokered through IntelliRide so that the Department can monitor the quality of the trips and IntelliRide?s oversight of them. Risk of fraud, waste, and abuse. When the Department pays NEMT claims that are not supported by documentation of the service, medical documentation showing NEMT was for medical treatment, or the required prior authorizations, there is a significant risk of misappropriation of federal and state funds by providers and/or recipients. In addition, the eight providers not permitted as taxis that submitted taxi claims appear to have set their own rates of payment at a significantly higher rate, since the PUC did not permit or set rates for these providers. While we did not identify confirmed fraud by recipients or providers due to a lack of supporting documentation for claims, the problems identified demonstrate waste of public funds and potential abuse of the Medicaid program. When the Department overpays Medicaid funds and pays for unallowable services, there are fewer funds available to service the recipients who need them. In addition, there is no federal or state limit on payments for NEMT services, so it is important that the Department ensure Medicaid recipients receive appropriate transportation to medical treatment, while also ensuring the Department is acting as a good steward of federal and state funds. See Schedule of Findings and Questioned Costs for chart/table Character Limit Exceeded See Statewide Single Audit Report
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-056 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-044 PROVIDER ELIGIBILITY Medicaid and CBHP cover a variety of medical and related services, which are provided by provider types such as clinics and hospitals, managed care organizations such as health plans or independent physicians, as well as individual medical providers working within these entities or individually. As of June 30, 2019, the Department had enrolled approximately 71,000 entities and individuals for providing services under Medicaid and CBHP. The Department is ultimately responsible for determining if providers are eligible to participate in Medicaid and CBHP. However, the Department has contracted with a fiscal agent, currently DXC Technology Services, LLC (DXC), to act on its behalf in determining Medicaid and CBHP provider eligibility. A fiscal agent is a contractor that performs certain provider enrollment and claims processing activities, including accepting, processing, evaluating, and approving or rejecting applications. The fiscal agent also assesses the providers into one of three risk categories?limited, moderate, and high?to ensure that appropriate federal and state regulations are applied during the provider enrollment process. Providers that want to enroll must complete an application within Colorado interChange and provide documentation, including a current business and/or medical license, showing that they fulfill all enrollment requirements. Once the enrollment process is complete, the Department enters into agreements with the providers that are found to be eligible. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over Medicaid and CBHP provider eligibility and enrollment processing, and to determine whether the Department complied with federal Medicaid and CBHP provider eligibility requirements during Fiscal Year 2019. Additionally, the purpose of our work was to determine the Department?s progress in implementing our Fiscal Year 2017 and 2018 recommendations related to provider eligibility and enrollment. At that time, we recommended that the Department improve its controls over Medicaid and CBHP provider eligibility determination and enrollment to ensure that it complies with federal and state requirements related to data verification, documentation including current provider licenses, monitoring policies and procedures, appropriate indication of results of database matches, and consistent display of provider information within Colorado interChange. The Department agreed with our recommendations and stated that it would implement them by Fiscal Year 2019. We reviewed a sample of 25 Medicaid provider applications for individual, company, and managed care providers that were deemed eligible and received payments during Fiscal Year 2019 through Colorado interChange for services provided. We obtained and reviewed the provider application information entered into Colorado interChange, as well as the supporting documentation uploaded into Colorado interChange by providers, to determine whether these providers were accurately deemed eligible to receive Medicaid payments and whether the required documents were present in accordance with federal and state regulations. In addition, we conducted interviews with Department staff regarding its procedures over Medicaid provider eligibility and enrollment. We also obtained a detailed Suspension Listing from the Department of Regulatory Agencies, which contained health care provider business and medical licenses that were terminated during Fiscal Year 2019. We compared the Suspension Listing with provider information in Colorado interChange to determine if the Department made inappropriate claims payments to unlicensed providers during the fiscal year. Because CBHP is operated through Medicaid, and the processes followed for provider eligibility and enrollment for CBHP providers are the same as the processes for Medicaid providers, our testing looked at compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal and state Medicaid regulations for provider eligibility during Fiscal Year 2019. Specifically, although we did not identify enrollment issues with the Department?s processing of providers who were newly enrolled during Fiscal Year 2019, we found at least one issue related to ongoing eligibility with all 25 sampled providers we tested: ? DATABASE MATCHES AND DISPLAY OF PROVIDER INFORMATION. We identified the following database match functionality issues with 24 of 25 providers (96 percent) tested: ? For 23 of 25 providers (92 percent) that included individual, company, and managed care providers, Colorado interChange showed that the provider?s owners, agents, and managing employees? SSNs were not verified against federal databases, as required. Specifically, the SSN check box within Colorado interChange indicated ?N,? meaning ?No verification was performed with the database.? Additionally, for one of 25 providers (4 percent) that was a managed care organization, the organization was enrolled in Colorado interChange in April 2019 and showed that the SSNs had been verified, but SSNs for two individuals who worked under this provider that were listed on the application were shown as ?N? within the system. ? For eight of 25 providers (32 percent) that included companies, Colorado interChange showed that the providers? Federal Employee Identification Numbers (FEIN) were not verified against federal and state databases, as required. Specifically, the FEIN check box within Colorado interChange indicated ?N.? ? For 13 of 25 providers (52 percent), Colorado interChange did not present the data of owners, agents, and managing employees information consistently between various screens within Colorado interChange. For example, when a provider noted owners, agents, or managing employees on its application, that information was not reflected in Colorado interChange outside of the application screen even though there is a section in Colorado interChange that should list the owners? information. According to federal regulation [42 CFR 455.436] and requirements established by the ACA [Patient Protection and Affordable Care Act (2010), Section 6401(a)], the Department must check federal databases to confirm providers? identity and determine whether providers are excluded from participating in the Medicaid program; this verification must also occur, if applicable, against providers? owners, agents, and managing employees. For example, the Department must check the federal exclusion databases at least monthly to ensure that the providers, owners, agents, and managing employees are not excluded from participating in the Medicaid program. Colorado interChange is designed to display provider application information consistently between various screens within the system, such as name, SSN, FEIN, and/or National Provider Identification number (NPI), with various federal and/or state databases to identify potential errors and to flag the application for a required caseworker manual review. According to Department staff, when Colorado interChange successfully verifies provider-provided information against another state or federal database, Colorado interChange should separately mark each verified data field on the application to note the successful match. Conversely, if Colorado interChange does not match a given field against a database, it should also be identified in the system. As a result of these issues, we were unable to determine if Colorado interChange performed the required matches and if any discrepancies in provided information were identified and presented to DXC, the fiscal agent, for a manual review to verify eligibility, as required. ? DOCUMENTATION. The Department did not maintain sufficient documentation within Colorado interChange for the receipt date of the fingerprints from the provider, the collection of application fees, and site visits, as follows: ? For four of 25 providers (16 percent) tested, the Department?s fiscal agent failed to fill in the receipt date field within Colorado interChange to indicate when fingerprints were received from enrolling providers. After bringing this issue to the Department?s attention, the Department provided fingerprinting documentation in November 2019 to support that these providers submitted fingerprints within 30 days of Department request in accordance with federal regulation; however, that receipt date information had not been documented in Colorado interChange as of November 2019. ? For one of 25 providers (4 percent) tested, the provider was assessed as high risk but the provider?s file did not contain evidence that an application fee was collected or that the fiscal agent conducted a site visit, as required. Under federal requirements [Sub Regulatory Guidance for State Medicaid Agencies (SMA): Revalidation (2016-001(3))], the Department ?must be able to produce documentation to support each of the provider screening and enrollment requirements,? such as requirements for fiscal agent-conducted site visits of moderate and high risk providers during the enrollment and revalidation process. Federal regulation [42 CFR 455.432] states that the State Medicaid Agency or their fiscal agent must conduct pre- and post-enrollment site visits of providers who are deemed as moderate or high risk to the Medicaid program. The purpose of the site visits is to verify that the information submitted to the state Medicaid agency is accurate and to determine compliance with federal and state enrollment requirements. Additionally, the Department?s contract with DXC requires the fiscal agent to maintain detailed documentation and procedures for Medicaid provider enrollment. Federal regulation [42 CFR 455.434] requires that, for any provider assessed by the Department as high risk, the Department must obtain fingerprints from the provider, including fingerprints for any person(s) who has a 5 percent or more direct or indirect ownership interest in the provider and furnishes medical or pharmaceutical services or supplies. The provider must submit the fingerprints within 30 days, upon request by the Department. Federal regulation [42 CFR 455.460(a)] states that the Department must collect the applicable application fee prior to executing a provider agreement from a prospective or re-enrolling provider, with certain limited exceptions. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal control over its federal awards that provides reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Green Book Paragraph 16.01, Perform Monitoring Activities, which states that the Department ?should establish and operate monitoring activities to monitor [its] internal control system and evaluate the results.? Monitoring activities include reviewing reports, observing operations, and ensuring that activities are carried out in accordance with the federal grant agreement. ? INELIGIBLE PROVIDERS: Based on our review of the suspended license listing from the Department of Regulatory Agencies, we identified three providers that had their licenses suspended during part of Fiscal Year 2019 but continued to be shown as active in Colorado interChange, as follows: ? One provider had its license suspended between February 11, 2019, and March 27, 2019; however, during this timeframe, the provider continued to bill claims and receive payments from Colorado interChange. After we questioned the Department about the issue, the Department issued a demand for payment letter dated October 18, 2019, to the provider for $15,061 in payments that were inappropriately paid. We consider these $15,061 payments to be known questioned costs; $7,531 of these payments were made with federal grant funds. ? Two providers had suspended licenses as of September 21, 2018, and February 25, 2019, respectively, but showed as active in Colorado interChange through June 30, 2019, and therefore appeared eligible to bill claims and receive payments. Based on additional testing, we determined that no payments were made to these providers after their licenses were suspended and did not identify any questioned costs associated with these two providers. Federal regulation [42 CFR 455.412] requires that the Department must have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State and confirm that the provider?s license has not expired and that there are no current limitations on the provider?s license. This federal regulation requires the Department to verify that the providers meet required licensure standards initially, and it is best practice for the Department to verify that the providers meet these standards on an ongoing basis to ensure that there are no current limitations on the provider?s license. In addition, state regulation [10 CCR 2505-10 8.125.9, Verification of Provider Licenses] states, ?If a provider is required to possess a license or certification in order to provide services or supplies in the State of Colorado, then that provider must be so licensed as a condition of enrollment as a Medicaid provider. As a condition of enrollment, any required licenses must be active without any current limitations.? Under the federal regulation, Requirements for Estimating Improper Payments in Medicaid and CHIP [42 CFR 431.958], ?Improper payment means any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements; and payment means any payment to a provider, insurer, or managed care organization for a Medicaid or CHIP beneficiary?? WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls in place over provider eligibility and claims payment processes related to the monitoring of DXC, its fiscal agent, during Fiscal Year 2019 to ensure that it complied with federal and state regulations. Specifically, Colorado interChange required fixes that were in various stages of correction during Fiscal Year 2019. According to the Department, Colorado interChange required a system fix in December 2018 in order to properly mark and/or display results related to federal and state database checks going forward; however, the system fix did not completely resolve the display issues to accurately indicate whether the data matches had occurred, and the Department did not retroactively make corrections to any cases that erroneously indicated that their information had not been verified. Rather, the Department stated that the inconsistent display issue related to providers that enrolled in the program when Colorado interChange was initially implemented and that this will be addressed after these providers are revalidated in Fiscal Year 2020 or when a provider updates their information, whichever occurs first. Additionally, the Department indicated that Colorado interChange did not have an automated system alert to check with the Department of Regulatory Agencies? license database on a regular basis to notify the fiscal agent and/or the Department that a license had expired. Although the Department reported that they had an interim manual process to ensure that expired licenses were identified and that subsequent steps were taken to ensure that providers remained eligible throughout the fiscal year to provide Medicaid services, the manual process did not identify and/or address the instances that we identified through our audit. Finally, we noted that the Department lacked an effective monitoring process over DXC, its fiscal agent, to ensure that the required documentation was maintained in accordance with Uniform Guidance, as the monitoring policies and procedures referred to as Provider Enrollment Audit Process were still in the draft stage during Fiscal Year 2019 and had not been formalized. WHY DO THESE PROBLEMS MATTER? By not ensuring that appropriate internal controls, including system controls and monitoring, are in place over the Medicaid provider eligibility and enrollment processes, the Department cannot ensure that all Medicaid providers are eligible or qualified to participate in the program. Additionally, without instituting a process to regularly update provider licensure information and to ensure that provider information contained in Colorado interChange is consistent and accurate, the Department cannot ensure that the enrolled providers are appropriately screened and are eligible to receive payments. Ensuring that providers contained in Colorado interChange are qualified to provide services is especially important because Colorado interChange is also used for provider eligibility determination for CBHP. Overall, the State could risk losing federal Medicaid and CBHP funding if it allows non-qualified providers to bill and be paid for services provided for these programs. RECOMMENDATION 2019-046 The Department of Health Care Policy and Financing (Department) should improve its controls over Medicaid and Children?s Basic Health Plan (CBHP) program provider eligibility determination and enrollment to ensure that it complies with federal and state requirements by: A Working with its fiscal agent to ensure that Colorado interChange performs all required database matches and properly displays results of Social Security Number and Federal Employer Identification Number verifications for all providers. B Establishing an effective process to ensure that provider licensing information contained in Colorado interChange is current, that any expired licenses are identified, and that any ineligible providers are disallowed from providing Medicaid and CBHP services and receiving payments in accordance with Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). C Formalizing the Department?s monitoring policies and procedures called Provider Enrollment Audit Process over the fiscal agent to ensure required documentation is maintained in accordance with Uniform Guidance. D Ensuring that Colorado interChange displays provider information consistently throughout the system. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department is working with its Fiscal Agent to ensure all required database screenings are performed and clearly identified in the Colorado interChange. An issue was identified in a prior year, FY 2018-19, that not all screening information was consistent. There was also a concern that initial screenings might miss some individuals due to the way data was formatted when transferred from LexisNexis. The issue was resolved by the Fiscal Agent prior to FY 2019-20. The Fiscal Agent is continuing to conduct manual reviews of all screening results to ensure compliance. A separate process to screen providers monthly is executed by the Department's Program Integrity Section. Through this process, no providers were found to have been enrolled incorrectly and, as necessary, the Department took appropriate action if there were changes to a provider's information. The Department is working with its Fiscal Agent to properly display results of Social Security Number and Federal Employer Identification Number verifications for all providers and automate the review process. The Department's implementation date reflects that the Department will complete the improvements and be in compliance with the Recommendation for the entirety of FY 2022-23. B DISAGREE. The Department finds that the Colorado interChange is working as designed, that the Fiscal Agent is appropriately enrolling providers, and that the Department is in compliance with the federal regulations regarding enrolling and revalidating providers. The Department is compliant with 42 CFR ? 455.436, which requires providers to be screened at enrollment and revalidation. All providers are assessed for eligibility requirements at enrollment and revalidation and are then screened monthly to identify any changes. For the licensing issue identified in this audit report, the Department performed the appropriate actions to recover funds within less than a month of the incident, which is compliant with federal regulation 42 CFR ? 455.436(c)(2). AUDITOR?S ADDENDUM: As noted in the finding, we found issues with the Department?s ongoing verification and monitoring of providers? eligibility that failed to prevent improper payments to an ineligible provider during the fiscal year. In addition, the Department did not send notification to recover funds from the provider until October 2019, or 8 months after the provider?s license was suspended. C AGREE. IMPLEMENTATION DATE: JULY 2020. The Department finalized the Fiscal Agent monitoring policies and procedures in December 2019 and therefore was unable to be in full compliance for the entire FY 2019-20. The Department's implementation date reflects that the Department will be in compliance with the Recommendation for the entirety of FY 2020-21. D DISAGREE. There was an initial system configuration on some early enrollments that prevented populating the requested information in the visible provider subsystem tabs for the auditor to review. The verification functionality happens within the provider portal and not in the visible provider subsystem tabs that the auditor reviews. However, no functionality or data was lost, the information only appeared and was stored in the provider portal. The Department implemented a solution so that the information will be displayed in the provider subsystem. This change is pending the next update the providers make and the data will be visible in the provider subsystem. The Department will not be making historical changes to the system. The Department has worked with the Fiscal Agent to resolve the issues which led to the finding and does not believe that expending additional resources to display historical information in both the provider portal and the provider subsystem is the best use of resources. The Department can produce the information manually. AUDITOR?S ADDENDUM: The data inconsistency issues we identified through our audit were based on our reviews of Colorado interChange through the access provided to us by the Department. As noted in the finding, inconsistent information within the provider eligibility screens used for Medicaid and CBHP increases the risk of inaccurate reviews of provider eligibility and ultimately, inappropriate enrollment screening. Therefore, as our recommendation states, the Department should ensure that Colorado interChange displays provider information consistently. The recommendation did not include restatement of historical information.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-048 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-035 MEDICAL ASSISTANCE PAYMENTS FOR DECEASED BENEFICIARIES As a safeguard against potential errors and fraud, state and local agencies need to be vigilant in preventing payments for medical services on behalf of ineligible individuals, such as those who are deceased. In general, the Department, local counties, and MA sites share responsibility for ensuring that only eligible beneficiaries receive public assistance benefits under Medicaid and CBHP. Local counties and MA sites caseworkers enter the required data for eligibility determination into CBMS, which either approves or denies eligibility for MA benefits. In addition, CBMS has various system interfaces to confirm and update the eligibility information in CBMS, including the date of death. Eligibility data in CBMS feeds daily into Colorado interChange and the Department pays providers through two methods: (1) FFS payments to medical service providers for specific services, including pharmacy prescriptions, and (2) capitation payments. The monthly capitation payments are paid at the beginning of each month regardless of whether the providers serve beneficiaries during the month or not. FFS payments are only made for Medicaid beneficiaries while capitation payments are made for both Medicaid and CBHP beneficiaries. Colorado interChange is programmed to pay FFS and monthly capitation payments only on behalf of beneficiaries that are deemed eligible based on eligibility information received from CBMS and requirements specified in federal and state regulations. CBMS receives beneficiary death information through various sources, including updates from beneficiaries? family members, daily interfaces with the SSA, and a monthly interface with the Colorado Electronic Death Registration System maintained by the Colorado Department of Public Health and Environment (CDPHE). If death information received in CBMS has not been verified, the Department will confirm the death information by sending notification letters to the deceased beneficiary. Once the death information is verified, CBMS is programmed to terminate the beneficiary?s eligibility as of the date of death. On a daily basis, CBMS then sends updated beneficiary eligibility and date of death information to Colorado interChange, which is programmed to run a daily automated process to stop payments, check for payments, and recover all FFS and capitation payments made after the beneficiary?s verified date of death. In the majority of cases, there is a delay between when the beneficiary dies and when the Department receives death information, verifies the date of death, and terminates benefits; which means that claims may be paid on behalf of deceased beneficiaries for a period of time. Per federal regulations, the Department is required to recover any payments made on behalf of these beneficiaries after their date of death. Once the Department receives verified death information, overpayments are recovered through an automated process in Colorado interChange. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over Medicaid and CBHP payments related to beneficiaries who die while receiving benefits, to determine whether the Department complied with applicable federal and state requirements, and whether payments were only made on behalf of eligible beneficiaries during Fiscal Year 2020. During our audit, we received a listing of all Coloradans who died during Fiscal Year 2020, including dates of death, from CDPHE staff. We also obtained a listing from the Department of all Medicaid and CBHP payments made to providers during Fiscal Year 2020. We compared the two listings using Social Security Numbers (SSN) and identified 1,059 Medicaid and CBHP IDs that had Medicaid payments totaling $429,951 made on their behalf and $194 in CBHP payments made on their behalf. In addition, we reviewed the Department?s processes, policies, and procedures for identifying, stopping, and recovering payments for deceased beneficiaries. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? Federal regulation [42 CFR 431 Subpart Q, Requirements for Estimating Improper Payments in Medicaid and CHIP] states that any payment to an ineligible beneficiary is considered an improper payment, which is any payment that should not have been made or that was made in an incorrect amount. Also, Section 25.5-4-301(2), C.R.S., requirements for Medicaid and CBHP, states that any overpayments of claims to providers are recoverable. These overpayments ?are recoverable regardless of whether the overpayment is the result of an error by the state department, a county department of human or social services, an entity acting on behalf of either department, or by the provider or any agent of the provider.?? Additionally, Section 25.5-4-301(2)(a)(II), C.R.S., states, ?If the state department makes a determination that such overpayment has been made for some other reason than a false representation by the provider?, the state department may waive the recovery or adjustment of all or part of the overpayment and accrued interest specified in this subparagraph (II) if it would be inequitable, uncollectible or administratively impracticable?.? Because medically necessary services cannot be provided after a beneficiary?s death, no medical services are allowable after a beneficiary?s death and, accordingly, payments for medical services claimed to have been provided after a beneficiary?s death are overpayments and should be recovered. Pursuant to 1903(d)(2)(C) of the Social Security Act [42 U.S.C. 1396b] requirements for Medicaid and CBHP, states have up to 1 year from the date of discovery of any overpayment to recover or attempt to recover the overpayment before the federal share must be refunded to CMS, regardless of whether or not recovery is made from the provider. According to federal regulation [45 CFR 75.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. Green Book, Paragraph 16.01, states that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. A questioned cost, as defined in Uniform Guidance [45 CFR 75.2], is ?a cost that is questioned by the auditor ? (1) Which resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds; [or] (2) Where the costs, at the time of the audit, are not supported by adequate documentation?.? Additionally, federal regulation [45 CFR 75.516] defines known questioned costs as questioned costs that are specifically identified by the auditor and likely questioned costs as the auditor?s best estimate of total questioned costs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We found that the Department made Medicaid and CBHP payments to providers for medical services claimed to have been rendered to Medicaid and CBHP beneficiaries after the months in which beneficiaries died. Specifically, the Department made payments on behalf of 1,059 beneficiaries after their date of death provided by CDPHE, resulting in overpayments of $185,265, of which $96,952 were paid with federal grant funds, as follows: MEDICAID FFS PAYMENTS. We identified 277 Medicaid beneficiaries whose SSN matched a death record from CDPHE and who had Medicaid FFS payments totaling $207,667 paid on their behalf to providers after their date of death. We reviewed payments for 21 of the 277 Medicaid beneficiaries and confirmed with the Department that 17 of the 21 beneficiaries (81 percent) were deceased and had payments made on their behalf after their date of death during Fiscal Year 2020. We also found that the Department had not recovered these improper FFS payments to ineligible beneficiaries as of the end of Fiscal Year 2020 and, therefore, these errors resulted in known questioned costs of $17,041, of which $8,654 was paid with federal grant funds. For the remaining four Medicaid beneficiaries, the Department researched and provided evidence that the beneficiaries were not deceased. Therefore, these four beneficiaries did not result in questioned costs. The remaining 256 beneficiaries whose SSN matched a death record from CDPHE and need to be researched and verified resulted in likely questioned costs of $77,840, of which $41,422 was paid with federal grant funds. MEDICAID AND CBHP CAPITATION PAYMENTS. We identified 846 Medicaid and CBHP beneficiaries whose SSN matched a death record from CDPHE and who had capitation payments paid on their behalf to providers after their date of death that had not been recovered as of the end of Fiscal Year 2020, totaling $222,630 for Medicaid and $194 for CBHP. We informed the Department of the issues we identified and provided them with the list of 846 beneficiaries. Department staff performed additional follow-up and confirmed that Colorado interChange had received verified death records for 747 of the 846 beneficiaries and a total of $170,747 in provider payments had been made on the beneficiaries? behalf after their dates of death during Fiscal Year 2020. These payments resulted in known questioned costs of $168,224, of which $88,150 was paid with Medicaid federal grant funds and $148 was paid with CBHP federal grant funds. For 12 out of the 747 beneficiaries, the date of death reported in Colorado interChange differed from the date of death provided by CDPHE. Part of the payments to these beneficiaries resulted in likely questioned costs of $2,524, of which $1,401 was paid with Medicaid federal grant funds. For the remaining 99 of the 846 beneficiaries, the Department reported that Colorado interChange did not have death information for these beneficiaries and had not researched these further. As a result, Medicaid payments for these 99 beneficiaries are reported as likely questioned costs of $52,076, of which $28,508 was paid with federal grant funds. The following table summarizes the issues we identified. See Schedule of Findings and Questioned Costs for chart/table. WHY DID THESE PROBLEMS OCCUR? Overall, the Department lacked sufficient internal controls to ensure that medical assistance payments were not paid to deceased individuals during Fiscal Year 2020, as follows: ? LACK OF WRITTEN POLICIES AND PROCEDURES. The Department does not have written policies and procedures to monitor payments to deceased beneficiaries, to recover overpayments, and to ensure compliance with federal and state regulations related to medical assistance payments after a beneficiary?s date of death. ? SYSTEM ISSUES. We identified the following Colorado interChange system issues that caused the errors we identified: ? According to the Department, when Colorado interChange was implemented in 2017, it was programmed to only recover capitation payments in the current month and previous 2 months for Medicaid beneficiaries, and in the current month and previous 5 months for CBHP beneficiaries, after death information is received. As a result, for instances in which the Department received and verified beneficiaries? death information more than 3 months after the date of death for Medicaid and more than 6 months after the date of death for CBHP, the Department was not automatically recovering all improper capitation payments in accordance with federal and state regulations. According to the Department, in November 2020, the Department updated Colorado interChange to correct this system issue to recover all capitation payments after a beneficiary?s date of death. ? The Department lacks an effective internal control process for detecting when Colorado interChange is not recovering payments made on behalf of deceased beneficiaries. Specifically, we identified issues related to Medicaid FFS payments and followed up with the Department. Upon further review, the Department discovered a system defect that occurred from October 23, 2019, through April 23, 2020, which prevented Colorado interChange from carrying out the daily automated check and recovery process for FFS payments made on behalf of deceased beneficiaries. Due to this system defect, Colorado interChange did not recover any payments for deceased beneficiaries during this time. Although the system defect was fixed in April 2020, the Department was not aware of the issue and that payments were not being recovered for deceased beneficiaries until the Department researched the beneficiaries identified through the audit. According to the Department staff, as of May 2021, the Department was still researching the deceased beneficiaries impacted by the system defect and recovering payments. WHY DO THESE PROBLEMS MATTER? Without strong internal controls over Medicaid and CBHP eligibility, the Department increases the risk of improper payments due to fraud or error. Furthermore, making payments on behalf of ineligible individuals, including individuals who are deceased, can result in the Department having to repay the federal government for the federal portion of the overpayments. Additionally, the federal government can disallow federal funds for program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-035 The Department of Health Care Policy and Financing should improve its internal controls over Medicaid and Children?s Basic Health Plan (CBHP) payments for deceased beneficiaries by: A Establishing and implementing written policies and procedures to monitor payments to deceased beneficiaries, recover any overpayments, and to ensure compliance with state and federal regulations. B Researching and resolving the Colorado interChange system (Colorado interChange) issues to ensure that all Medicaid and CBHP payments are stopped and recovered after a beneficiary?s date of death and developing a process to detect when Colorado interChange is not recovering payments on behalf of deceased beneficiaries. C Researching and recovering any overpayments made to providers on behalf of ineligible beneficiaries noted through the audit in accordance with state requirements. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will create written procedures documenting system and monitoring processes used to prevent claims from paying after a beneficiary?s date-of-death is verified. In addition, the procedures will document the processes used to recover payments made between a beneficiary?s verified date-of-death and the date the Colorado interChange system is updated with the date-of-death. B AGREE. IMPLEMENTATION DATE: JULY 2022. The system issues described in this audit were resolved as of April 2020 for fee-for-service claims and November 2020 for capitation payments. Once a beneficiary's date-of-death is verified, payments that were made after to the date-of-death will be recovered through the Department's existing processes. As noted in the Department?s response to Recommendation (A), the Department will create written procedures documenting system and monitoring processes used to prevent claims from paying after a beneficiary?s date-of-death is verified. In addition, the procedures will document the processes used to recover payments made between a beneficiary?s verified date-of-death and the date the Colorado interChange system is updated with the date-of-death. AUDITOR?S ADDENDUM As noted in the finding, the Colorado interChange system defect did not recover payments from October 23, 2019, through April 23, 2020. However, the Department was not aware of the system defect until it researched the beneficiaries identified through the audit. According to Department staff, as of May 2021, the Department was still researching the beneficiaries that were impacted by the system defect and recovering payments. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will recover any overpayments made to providers on behalf of deceased beneficiaries once a beneficiary's date-of-death is verified based on our current processes and existing system functionality. The Department does not agree to the questioned costs identified by the auditors. When performing a review of the auditor?s data, several beneficiaries were found not to be deceased by the Department. The records provided by the auditors, like all records received from Colorado Department of Public Health and Environment (CDPHE) and the Social Security Administration (SSA), will go through the Department?s existing verification process. The Department performs the required research and outreach to beneficiaries to verify the date-of-death prior to updating the information in the Colorado interChange. In addition, the Department is not required to recover payments by the end of the state fiscal year, and reports any payments recovered to the Centers for Medicare and Medicaid Service (CMS) based on federal requirements. The Department?s source of beneficiary data, the verification processes, and recovery processes have already been established to satisfy this recommendation within federal guidelines. AUDITOR?S ADDENDUM As noted in the finding, all known questioned were for deceased beneficiaries that were verified by the Department. All likely questioned costs were for beneficiaries that had yet to be researched and verified by the Department. According to Department staff, as of May 2021, the Department was still researching and recovering payments made on behalf of deceased beneficiaries.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-050 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-037 RECOVERING AND REFUNDING OF FEDERAL SHARE OF MEDICAID AND CBHP PROVIDERS? OVERPAYMENTS The Department pays providers for services rendered to eligible beneficiaries of Medicaid and CBHP programs. In some cases, the Department may discover that it paid a provider for unallowed services, or that it paid more than the allowable amount, and will need to seek a recovery for the overpayment. In such cases, the Department is required to repay CMS for the portion of the overpayment that was funded by the federal government (federal share) within 1 year of the date the overpayment was identified. The Department?s Program Integrity (PI) Division identifies, receives, and tracks overpayments made to Medicaid and CBHP providers. An overpayment is identified once the PI Division sends a Demand Letter (date of discovery) to the provider or receives a self-disclosure identifying the amount of overpayment. The provider has a deadline of 30 days after receiving a Demand Letter or 60 days after submitting a self-disclosure to submit the overpayment or make arrangements for a payment plan with the PI Division. The PI Division uses a recovery tracking spreadsheet (Spreadsheet) to compile all necessary information for the recovery and refund of overpayments. The Spreadsheet is designed to contain information such as the amount of the overpayment, date of discovery, and deadlines for refunding to CMS. The federal share of overpayments that must be refunded to CMS depends upon the Federal Medical Assistance Percentage (FMAP) at which the Department was reimbursed. Once the PI Division recovers an overpayment from the provider, it determines the FMAP and includes it in a recovery form called the Colorado Authorization Document; PI Division staff then send it to the Controller?s Division for recording the recovery and refund information in the Colorado Operations Resource Engine (CORE), the State?s accounting system. The Department?s Controller?s Division uses summary data from CORE to report financial information for Medicaid and CBHP?including all overpayments and the associated federal share?to CMS in quarterly reports: Form CMS-64 for Medicaid and Form CMS-21 for CBHP. The Department has up to 1 year from the date of discovery of an overpayment to report the refund to CMS in one of these forms, as appropriate. The PI Division works with the Controller?s Division to ensure the timely reporting and refunding of the federal share of overpayments to CMS. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to review the Department?s internal controls over processes for recovering, reporting, and refunding the federal share of Medicaid and CBHP overpayments, as well as to determine whether the Department complied with applicable federal requirements and Department policies and procedures during Fiscal Year 2020. During our audit, we reviewed the Department?s Spreadsheet detailing all overpayment cases that appeared to be due for a refund of federal share to CMS during Fiscal Year 2020. The Spreadsheet included 50 Medicaid and seven CBHP overpayment cases, and from these, we selected and tested a sample of 13 Medicaid and five CBHP overpayments. We requested and reviewed supporting documentation for these overpayments to determine whether (1) the information recorded in the Spreadsheet was accurate, (2) the overpayment was recovered in a timely manner or recovery was attempted within 1 year from the date of discovery, and (3) the federal share was appropriately refunded through quarterly reports to CMS in accordance with federal regulations. Additionally, we requested the Department?s policies and procedures to ensure compliance with federal regulations governing the recovery, reporting, and refunding of Medicaid and CBHP overpayments to CMS. The process followed for recovery, reporting, and refunding the federal share of overpayments to providers is the same for both Medicaid and CBHP, and our testing was used to determine compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal regulations for recovering, reporting, and refunding the federal share of Medicaid and CBHP overpayments to providers during Fiscal Year 2020. We noted issues with the untimely recovery and refund of overpayments to CMS, inaccurate federal reporting to CMS, and untimely follow-up with the provider on outstanding overpayments and expired checks. Specifically, we identified the following: ? UNTIMELY RECOVERY AND REFUND. For six of the 13 Medicaid (46 percent) and two of five CBHP (40 percent) overpayments tested, the Department failed to recover, or seek to recover, the overpayments from the provider and failed to refund to CMS, the federal share, within 1 year of the date of discovery, as required by federal regulations. For example, an overpayment was identified on September 13, 2018, but the Department did not recover, or seek to recover, the overpayment until September 15, 2020, and did not refund the federal share to CMS until federal quarter ending September 30, 2020, which is 367 days past the 1 year recovery and refund period in accordance with the federal requirement. In addition, for one of the 13 Medicaid (8 percent) and one of five CBHP (20 percent) overpayments tested, the Department failed to refund the federal share of overpayment to CMS within 1 year of the date of discovery. As a result of untimely follow-up with the providers, the Department did not recover the overpayments amounting to $23,646 in known questioned costs; and did not refund $12,176 within the 1 year period of discovery. These errors resulted in underreporting of overpayments to CMS for Fiscal Year 2020. Additionally, the Department could be liable to CMS for the interest payments on these untimely refunds of overpayments. As of the end of our audit, the Department had not provided an estimated amount of interest that will be due to CMS so we were unable to report an estimated questioned costs amount for the interest. According to federal regulation [42 CFR 433.312(a)(1) and (2)], the Department has 1 year from the date of discovery of an overpayment to a provider to recover or seek to recover the overpayment before the Federal share must be refunded to CMS. In addition, the Department must refund the Federal share of overpayments at the end of the 1-year period following the date discovery of overpayment, whether or not the State has recovered the overpayment from the provider. According to federal regulation [42 CFR 433.320(a)(4)], if the Department does not refund the Federal share of such overpayment as indicated in the previous paragraph (a)(2), the State will be liable for interest on the amount equal to the Federal share of the non-recovered, non-refunded overpayment amount. Interest during this period will be at the Current Value of Funds Rate, and will accrue beginning on the day after the end of the 1-year period following discovery until the last day of the quarter for which the State submits a CMS-64 report refunding the Federal share of the overpayment. ? INACCURATE FEDERAL REPORTING. For all 13 Medicaid (100 percent) and all five CBHP (100 percent) overpayments we tested, the Controller?s Division reported the federal share of the overpayments made to providers on the wrong line of the CMS quarterly reports rather than on the line specified and required by Uniform Guidance. Uniform Guidance states that the Department must report the refund of the overpayment on CMS-64 for Medicaid on line 9C1- Fraud, Waste and Abuse and/or on CMS-21 for CBHP on line 4-Adjustments Decreasing Claims-Collections. ? EXPIRED CHECK AND UNTIMELY FOLLOW-UP. For one of the 13 Medicaid overpayments tested (8 percent), the PI Division failed to timely process the overpayment recovery check received from the provider. Consequently, the check, which was received on September 5, 2019, expired and the Department did not take any actions to follow up with the provider at any time through the end of the fiscal year to obtain payment. After we brought this issue to the Department?s attention, they followed up on the outstanding payment in January 2021, which is more than 16 months since the check expired. According to the Department?s Policies and Procedures, Recovery Officer Check Processing, Section (V)(A), the PI Division within Audits and Compliance has to process the received check in a timely manner and provide a copy to the accounting or Controller Division. ? INCOMPLETE TRACKING SPREADSHEET. We found that the overpayment recovery and refund tracking Spreadsheet used by the PI Division was incomplete and missing important information such as the date of the discovery, the federal program reimbursement rate, and deadlines for refunding to CMS. Green Book, Section 4, Paragraph OV4.08, states that documentation is required for the effective design, implementation, and operating effectiveness of an entity?s internal control system. WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls, including policies and procedures, in place over the recovery, reporting, and refunding of Medicaid and CBHP overpayments during Fiscal Year 2020 to ensure compliance with federal regulations. Specifically, we noted the following causes for the identified errors: ? LACK OF TRAINING. The staff within the PI Division and the Controller?s Division lacked adequate training to document, communicate, and report details of overpayments to ensure compliance with federal regulations. Specifically, the Department?s PI Division did not timely create and provide the Colorado Authorization Document form to the Controller?s Division and the Controller?s Division did not report the refund of the overpayments within 1 year of the date of discovery to ensure compliance with federal regulations. Additionally, staff lacked training to properly track and report overpayments for Medicaid and CBHP; timely process recovery and refund of overpayments, processing checks timely, and correctly report overpayments on CMS quarterly reports. ? LACK OF POLICIES AND PROCEDURES. The Department lacked written policies and procedures to ensure that all necessary information such as the date of the discovery, the federal program reimbursement rate, and deadlines for refunding to CMS required to track, recover, report, and refund overpayments were documented within the Spreadsheet. ? LACK OF ACCOUNT CODES. According to the Controller Division staff, the correct accounting codes are not set up in CORE; therefore, the recovered overpayments are currently recorded under incorrect accounting codes in CORE. This led to the reporting of overpayments on the incorrect federal reporting lines in CMS quarterly reports. ? LACK OF SUPERVISORY REVIEW. The PI Division and Controller?s Division lacked supervisory review over the Spreadsheet and CORE account codes used on the recoveries to ensure completeness and accuracy of information to support timely recovery, refund, and reporting of overpayments. WHY DO THESE PROBLEMS MATTER? Strong internal controls over refunding and recovery of Medicaid and CBHP overpayments, including written policies and procedures; adequate staff training on those policies and procedures, and any related processes; a proper tracking mechanism; and a supervisory review process are necessary to ensure that Department is in compliance with federal and state regulations. Without a proper tracking mechanism for overpayments, the Department risks failing to timely recover state funds paid improperly, refund overpayments, and accurately report overpayment information to the federal government, potentially resulting in additional liability of interest on overpayments to the federal government. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-037 The Department of Health Care Policy and Financing (Department) should improve its internal controls over Medicaid and Children?s Basic Health Plan (CBHP) overpayments and comply with the related payment and reporting requirements by: A Providing adequate training to staff to ensure timely documentation and communication of recovery information between the Program Integrity Division and the Controller Division related to reporting and refunding of overpayments within 1 year of the date of discovery in accordance with federal regulation. Additionally, the training should focus on proper tracking and reporting of overpayments for Medicaid and CBHP, timely processing of recovery of overpayments, timely check processing, and correct refunding of the federal share of these overpayments on Centers for Medicare and Medicaid Services (CMS) quarterly reports. B Developing and implementing written policies and procedures to ensure that all necessary information required to correctly track Medicaid and CBHP overpayments is included on the tracking spreadsheet and recovered overpayments are refunded and reported to CMS within the 1 year of the discovery date, in accordance with federal regulations. C Creating overpayment account codes to report recovered overpayments accurately in the Colorado Operations Resource Engine (CORE) and subsequently under the correct federal reporting lines in CMS quarterly reports. D Implementing a supervisory review over the tracking spreadsheet and CORE overpayment recovery account codes to ensure completeness and accuracy of information to support timely recovery and reporting of overpayments by the divisions. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will develop and provide training to staff that covers the federal regulations surrounding reporting overpayments and returning the federal share, required information for tracking overpayments, processes for processing recovered funds in a timely manner, and processes for properly refunding the federal share on the CMS-64 and/or CMS-21. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will draft and revise existing policies and procedures to ensure proper tracking of recovered overpayments, timely processing of those payments, and correct reporting on the CMS-64 and/or CMS-21. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will implement procedures and coding sufficient to allow proper reporting of overpayments returned greater than one year from the date of discovery for the CMS quarterly reports. D AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will develop and revise supervisory review processes for ensuring that the tracking spreadsheet is complete and accurate and that the CORE account codes are correctly reported.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2020-051 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-038 PRESUMPTIVE ELIGIBILITY Colorado?s presumptive eligibility program is designed to give immediate, temporary medical coverage to children under 19 and pregnant women while they wait for a regular Medicaid or CBHP eligibility determination. Though there are fewer eligibility requirements for presumptive eligibility in comparison with regular Medicaid or CBHP coverage, beneficiaries must submit a Medical Assistance application (Application) and meet certain criteria to be eligible. To manage the application process and help ensure that only people meeting the basic eligibility criteria are enrolled in presumptive eligibility programs for children and pregnant women, the Department partners with clinics, health care centers, and community resource centers that are certified as presumptive eligibility sites (PE sites). Such PE sites must be re-certified by the Department every 2 years to maintain their active status as qualified PE sites in order to process presumptive eligibility. As part of the re-certification process, the Department conducts a sample of eligibility case reviews. During Fiscal Year 2020, there were 57 PE sites that together determined presumptive eligibility for 1,795 Medicaid cases and 875 CBHP cases. The process of enrolling an applicant into a presumptive eligibility program begins when a caseworker at a PE site collects minimum information needed to determine presumptive eligibility, including the applicant?s name, age, residency, citizenship, and income. The caseworker enters this information into CBMS, which determines whether the applicant is eligible to receive Medicaid or CBHP temporary benefits. If the applicant is deemed presumptively eligible, then CBMS feeds relevant data to Colorado interChange, which issues payments to CBHP and Medicaid providers on behalf of these beneficiaries. If the applicant?s reported information is not in compliance with state and federal requirements, CBMS is programmed to deny the eligibility and mark the applicant?s eligibility as fail within CBMS. As a result, the applicant would not be eligible to receive any payments on their behalf through Colorado interChange. Once an applicant?s presumptive eligibility has been determined, the PE site submits the Application along with a transmittal form detailing the beneficiary?s reported information to the appropriate local county or designated MA site, which then completes the application process to determine regular (i.e., not presumptive) eligibility for Medicaid or CBHP benefits. Once the applicant is enrolled in the regular Medicaid or CBHP program, the individual?s presumptive eligibility benefits should end. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to review the Department?s internal controls over the processing of presumptive eligibility for Medicaid and CBHP programs, as well as to determine whether the Department complied with the applicable federal and state requirements for Fiscal Year 2020. During our internal controls testing, we reviewed all 57 PE sites to determine whether they were due for re-certification and were appropriately re-certified to process presumptive eligibility by the Department during the fiscal year. Out of 57 PE sites, 39 were due for re-certification during Fiscal Year 2020. We also reviewed the Department?s case reviews of the presumptive eligibility determinations processed by 13 staff at five out of the 39 PE sites due for re-certification during Fiscal Year 2020 to determine whether reviews were performed and if the appropriate training was provided for those PE sites? staff that failed the Department?s review. The PE site?s staff fails the Department?s case reviews if the Department identifies a high amount of presumptive eligibility determination errors in accordance with federal and state requirements. If the PE site?s staff fails the review, the Department requires the staff to undergo customized Department training over the areas they failed within 6 months of the review. We also made inquiries with Department staff regarding their policies and procedures over monitoring of these PE sites and reviewed the Department?s process of case file reviews. In addition, we randomly selected a sample of 20 Medicaid and 20 CBHP cases for individuals who were deemed presumptively eligible by the Department during Fiscal Year 2020 to determine whether the Department complied with federal Medicaid and CBHP presumptive eligibility requirements. Our testing included reviewing the related supporting case file documentation, as well as the CBMS data fields related to presumptive eligibility determinations and payment information in Colorado interChange. The process followed for presumptive eligibility determination is the same for both Medicaid and CBHP, and therefore our testing was used to determine compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal and state regulations regarding Medicaid and CBHP presumptive eligibility requirements during Fiscal Year 2020. We noted issues regarding the Department?s timeliness of PE sites? re-certifications, failure to timely end beneficiaries? presumptive eligibility, a lack of review of PE sites, and missing documentation. Additionally, we found CBMS system issues related to the determination of applicant?s presumptive eligibility. Specifically, we identified the following: ? UNTIMELY END OF PRESUMPTIVE ELIGIBILITY. In eight out of 20 Medicaid (40 percent) and seven out of 20 CBHP (35 percent) cases, we found that the Department did not properly end presumptive eligibility within CBMS as required by the federal regulation. For example, in one CBHP case, the beneficiary?s presumptive eligibility did not end until 57 days after the beneficiary was determined to be eligible for regular CBHP benefits. Federal regulation [42 CFR 435.1101)] states that presumptive eligibility should end the day on which a decision is made on the application for Medical Assistance or the last day of the month following the month in which the determination of presumptive eligibility was made. ? LAPSED CERTIFICATIONS OF PE SITES. We found that five of the 57 PE sites (9 percent) were not re-certified within 2 years, as required, during Fiscal Year 2020, and therefore, were not qualified to make presumptive eligibility determinations after their re-certification due date had passed. Based on inquiry with the Department, these five PE sites processed a total of 314 presumptive eligibility determinations for Medicaid and CBHP after their re-certification due date during Fiscal Year 2020. The Department was unable to provide the total payments made on behalf of these beneficiaries during the presumptive eligibility period as of June 30, 2020, since these payments are not separately identified from regular Medicaid or CBHP payments in the system. As a result, we were unable to determine the amount of questioned costs the Department paid for these individuals during Fiscal Year 2020. State regulation [10 CCR 2505-10, 8.100.4.F (3)] requires the Department to re-certify the PE sites every 2 years to remain an approved site. ? LACK OF REVIEW OF PE SITES. We found several issues with the Department?s review of PE sites. Specifically we found the following: ? For 13 out of the 39 PE sites due for re-certification and a review (33 percent), the Department did not perform any case reviews to ensure that presumptive eligibility determinations were being made appropriately and in accordance with state and federal regulations by the PE site staff during Fiscal Year 2020. ? 11 of 13 staff at three PE sites (85 percent) failed the Department?s review of presumptive eligibility determinations during the fiscal year. However, the Department was unable to provide adequate evidence that it provided training to these staff within 6 months of their failed reviews, as required by Department processes. ? Currently, for all 57 PE sites, the Department conducts reviews every 2 years, but only requires them to retain eligibility documentation for 1 year. As a result, the Department is able to monitor PE site?s eligibility determinations for only half of the period since the last review, leaving the other half unmonitored. Federal regulation (42 CFR 435.1102(b)(3)) requires the Department to ?establish oversight mechanisms to ensure that presumptive eligibility determinations are being made consistent with the statute and regulations?. According to the Department processes, staff are to review a sample of presumptive eligibility cases at PE site every 2 years when reviewing sites for re-certification. If a PE site?s staff fails a review, the Department requires the staff to undergo customized Department training within 6 months over the areas they failed. Green Book, Section 2, Paragraph OV2.02, states that the Green Book applies to all of an entity?s objectives: operations, reporting, and compliance. Additionally, Green Book, Paragraph 16.01, indicates that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports and observing operations. ? MISSING DOCUMENTATION. In five of the 20 CBHP cases (25 percent) and five of the 20 Medicaid cases (25 percent) we tested, the Department was unable to provide evidence that the PE sites notified the counties or MA sites within five business days that the applicants were presumptively eligible. Federal regulation [42 CFR 435.1102(b)(2)(iii)] states that the presumptive eligibility sites are required to notify the local county or MA site within 5 business days that the client is presumptively eligible. ? SYSTEM DISPLAY ISSUE. In two of 20 CBHP cases (10 percent) and two of 20 Medicaid cases (10 percent), CBMS did not display the presumptive eligibility termination dates consistently between various screens. For example, in a Medicaid case, one screen showed a presumptive eligibility termination date of January 22, 2020, and the other screen showed a presumptive eligibility termination date of February 29, 2020. This system display issue did not affect the beneficiaries? presumptive eligibility and therefore there were no questioned costs. CBMS is designed to display case and applicant information consistently between various screens within the system. WHY DID THESE PROBLEMS OCCUR? The Department lacked sufficient internal controls to ensure that it complied with state and federal presumptive eligibility requirements during Fiscal Year 2020. Specifically, we noted the following causes for the errors we identified: ? LACK OF POLICIES AND PROCEDURES. The Department did not have written policies and procedures detailing the requirements for completion of site reviews, maintenance of supporting documentation, and the performance of timely re-certification of PE sites. ? LACK OF MONITORING. The Department lacked an effective tracking mechanism to monitor and identify PE sites that were due for re-certification every 2 years and to ensure presumptive eligibility determinations were in compliance with state and federal regulations. ? CBMS SYSTEM ISSUES. CBMS was not programmed to appropriately terminate presumptive eligibility when the beneficiary is enrolled in the regular Medicaid or CBHP program. In addition, CBMS has a system display issue that results in inconsistent applicant information being shown on various screens. WHY DO THESE PROBLEMS MATTER? As the State?s Medical Assistance agency, it is essential for the Department to ensure that PE sites? eligibility determinations are made appropriately and in accordance with state and federal regulations. This includes ensuring benefits are paid only on behalf of eligible beneficiaries. Since CBMS determines eligibility for Medicaid and CBHP, the CBMS system issues we identified could result in erroneous eligibility determinations. The federal government can disallow federal funds for program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. By not ensuring that appropriate internal controls, including system controls, written policies and procedures, adequate reviews, and monitoring, are in place over the Medicaid and CBHP presumptive eligibility process, the Department cannot ensure that all Medicaid and CBHP beneficiaries are eligible to participate in the programs. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-038 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls over presumptive eligibility by: A Developing and implementing written policies and procedures detailing the requirements for completion of site reviews, maintenance of supporting documentation, timely training for failed presumptive eligibility (PE) site staff, and performance of timely re-certification of PE sites. B Developing an effective tracking mechanism to identify and monitor PE sites that are due for re-certification every 2 years and ensuring the re-certifications are performed. C Resolving Colorado Benefits Management Systems (CBMS) programming and system issues to appropriately terminate applicants? presumptive eligibility when the beneficiaries are enrolled in regular Medicaid or Children?s Basic Health Plan program and ensuring CBMS displays consistent applicant information between various screens. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department agrees with the audit recommendation to develop and implement formal written policies and procedures. Prior to this audit, the Department began creating formal written policies and procedures for site case reviews, maintenance of supporting documentation, timely training for failed workers, and performance of timely re-certification of presumptive eligibility sites (PE site). This finding had no known questionable cost associated with it. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Department agrees with the audit recommendation to develop an effective tracking mechanism to identify and monitor PE sites that are due for re-certification every two years and ensuring that the re-certifications are performed. Prior to this audit, the Department began developing a tracking mechanism for PE site re-certifications. This finding had no known questionable cost associated with it. C AGREE. IMPLEMENTATION DATE: IMPLEMENTED. Implemented as of April 2021. The Department has thoroughly researched the eligibility issues identified in this audit and made the changes to CBMS to ensure that applicants? presumptive eligibility has been appropriately terminated when the beneficiaries are enrolled in regular Medicaid or CBHP program, and that CBMS displays consistent applicant information between various screens. These issues were fixed through two system changes implemented in March 2020 and April 2021. This finding had no known questionable cost associated with it. AUDITOR?S ADDENDUM for Parts A, B, and C As noted in the finding, we found five PE Sites that were not re-certified within the required 2 years and therefore, were not qualified to make presumptive eligibility determinations after their re-certification due date had passed. State regulation [10 CCR 2505-10, 8.100.4.F] requires the Department to re-certify the presumptive eligibility sites every 2 years to remain an approved site. The five PE sites processed a total of 314 presumptive eligibility determinations after their re-certification due date and before the Department re-certified the sites. The Department was unable to provide the total payments made on behalf of these 314 beneficiaries? prior to being enrolled in the regular Medicaid or CBHP program as of June 30, 2020. Therefore, we were unable to determine the amount of questioned costs the Department paid for these individuals during Fiscal Year 2020.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2020-052 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-039 PROVIDER ELIGIBILITY The providers of medical and related services covered under Medicaid and CBHP programs fall into a wide array of provider types that include clinics, hospitals, independent physicians, and medical technicians, as well as managed care organizations and health plans that contract with medical providers. As of June 30, 2020, approximately 76,960 entities and individuals were enrolled with the Department to provide services under Medicaid and CBHP. Although the Department is ultimately responsible for ensuring that only eligible providers participate in the Medicaid and CBHP programs, the Department has contracted with a fiscal agent to perform certain provider-enrollment and claims-processing activities, including accepting, processing, evaluating, and approving or rejecting applications. Providers that want to enroll must complete an online application within Colorado interChange and provide documentation, including a current medical license, showing that they fulfill all enrollment requirements based on their provider type. The fiscal agent is contractually responsible for evaluating the application and the relevant supporting documentation to ensure compliance with all state and federal enrollment requirements. The Department is responsible for maintaining current provider information in Colorado interChange. Once the enrollment process is complete, the Department enters into agreements with the providers that are found to be eligible. In December 2019, the Department added a Department of Regulatory Agencies (DORA) license database interface within Colorado interChange in order to provide a mechanism for updating the provider?s medical license information including the expiration dates within Colorado interChange for any expired provider licenses. Department staff indicated that the provider licenses are manually reviewed at the time of enrollment by the fiscal agent and marked as active, meaning the providers are eligible to participate in the Medicaid and/or CBHP programs. On a monthly basis, the fiscal agent manually runs a report from the DORA database to identify the provider?s medical licenses that are about to expire and updates the renewed license information in Colorado interChange. If a provider?s license is expired, then the fiscal agent marks the provider for a review. Furthermore, the Department?s Program Integrity (PI) Division checks the DORA?s website monthly to determine if any action such as suspensions or revocations of licenses have been taken against a provider?s medical license. If the action taken against the provider affects the provider?s ability to participate in Medicaid or CBHP for a certain period, the PI Division then determines if the provider should be placed on a temporary restriction by suspending any payments, or be terminated within Colorado interChange to stop payments to the provider. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over the enrollment and eligibility determinations of providers for Medicaid and CBHP services and to determine whether the Department complied with federal Medicaid and CBHP provider eligibility requirements during Fiscal Year 2020. Additionally, we assessed the Department?s progress in implementing our Fiscal Year 2019 recommendation related to provider eligibility and enrollment. At that time, we recommended that the Department improve its controls in this area to ensure that it complies with federal and state requirements related to data verification and maintenance of documentation, such as current provider licenses, to ensure payments are only made to eligible providers. We also obtained a detailed Suspension Listing from DORA, which contained provider medical licenses that were suspended during Fiscal Year 2020. We compared this Suspension Listing with provider information within Colorado interChange to determine whether the Department paid any providers with suspended licenses for claims during the fiscal year. We reviewed a sample of 45 provider applications for providers that were deemed eligible and received Medicaid and CBHP payments during Fiscal Year 2020 through Colorado interChange. We obtained and reviewed provider application information and relevant supporting documentation within Colorado interChange to determine whether these providers were accurately deemed eligible to receive Medicaid and CBHP payments and whether the required documents were maintained, in accordance with federal and state regulations. In addition, we conducted interviews with Department staff regarding its procedures over Medicaid and CBHP provider eligibility and enrollment. In March 2020, the Governor issued executive orders waiving Medicaid and CBHP provider licensing requirements for providers whose licenses expired during the COVID-19 PHE; as a result, our testwork was split into two periods of testing: (1) July 1, 2019, through February 29, 2020, and (2) March 1, 2020, through June 30, 2020. The process followed for provider eligibility and enrollment is the same for both Medicaid and CBHP providers, and our testing was used to determine compliance for both programs. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? We applied the following criteria during our testing: ? FEDERAL REGULATION [42 CFR 455.412] requires that the Department have a method for verifying that any provider purporting to be licensed in accordance with the laws of any state is licensed by such state and confirm that the provider?s license has not expired and that there are no current limitations on the provider?s license. This federal regulation requires the Department to verify that the providers meet required licensure standards initially, and it is best practice for the Department to verify that the providers meet these standards on an ongoing basis to ensure that there are no current limitations on the provider?s license. In May 2021, CMS provided clarification to the Department that ?not every condition on a provider?s license would be considered a limitation? and the PI Division within the Department needs to ?document in writing their determination to keep a provider enrolled when a license limitation does not restrict the provider?s ability to render services to Medicaid and CBHP beneficiaries to be in compliance with federal regulation.? ? STATE REGULATIONS [10 CCR 2505-10, 8.125.9 A AND B] require for current medical provider licenses, if a provider is required to possess a license or certification in order to provide services or supplies in the State, then that provider must be so licensed as a condition of enrollment as a Medicaid provider. As a condition of enrollment, any required licenses must be active without any current limitations. ? DEPARTMENT POLICY AND PROCEDURE. Provider Licensure Sanction Monitoring, Section III. A., states that in order for a provider to be eligible to render and bill for services, the provider must have an active license. ? FEDERAL CMS REQUIREMENTS [Sub Regulatory Guidance for State Medicaid Agencies (SMA): Revalidation (2016-001 (3))] state the Department must be able to produce documentation to support each of the provider screening and enrollment requirements under 42 CFR 455 Subpart E, including documentation of the most current license to ensure the provider remains eligible to provide services. ? CONTRACT REQUIREMENTS. According to the contract agreement with the fiscal agent, the fiscal agent is required to maintain detailed documentation to support each of the provider screening and enrollment requirements, including documentation of the provider?s most current license to ensure the provider remains eligible to provide services for Medicaid and CBHP. ? FEDERAL REGULATION [45 CFR 75.303(a)] requires that the Department, as a recipient of federal funds, must establish and maintain effective internal control over its federal awards that provides reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Green Book, Paragraph 16.01, which states that the Department ?should establish and operate monitoring activities to monitor [its] internal control system and evaluate the results.? Monitoring activities include reviewing reports, observing operations, and ensuring that activities are carried out in accordance with the federal grant agreement(s). WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We found that the Department did not fully comply with federal and state regulations for Medicaid and CBHP provider eligibility during Fiscal Year 2020. The specific issues we identified through our analyses of Medicaid and CBHP provider license data and case file reviews are outlined in more detail throughout this section. ELIGIBILITY ISSUES IDENTIFIED THROUGH DATA ANALYSES INELIGIBLE PROVIDERS?SUSPENDED LICENSES OR LICENSE WITH LIMITATIONS. Based on our comparison of the suspended provider license listing from DORA and provider information within Colorado interChange, we identified 13 ineligible providers who had their license suspended or had a license with limitations for part of Fiscal Year 2020, but continued to be shown as active, which means eligible, in Colorado interChange, as follows: ? 13 providers had their licenses suspended by DORA during Fiscal Year 2020; however, instead of terminating these providers in accordance with federal and state regulations, the Department marked these providers as active within Colorado interChange. For four of the 13 providers, the Department did not take any action to prevent them from billing for services during the year. For the remaining nine providers, the Department placed billing restrictions on the providers after DORA?s suspension date. Specifically, for six of these nine providers, the Department placed billing restrictions on the providers within 1 to 2 months and for the remaining three providers, placed the billing restrictions on the providers between 3 to 12 months after DORA?s suspension date. Based on additional testing, we determined that no payments were made to these providers after their licenses were suspended by DORA and therefore, we did not identify any questioned costs associated with these providers. ? One provider had its license listed as active with conditions on DORA?s website from April 10, 2020, through June 30, 2020, but the Department did not terminate the provider due to current limitations on the license; instead, the provider was marked as active in Colorado interChange and continued to bill claims and receive payments during the fiscal year. We determined that the provider?s current license limitations did not restrict the provider?s ability to render services. Therefore, the provider was eligible and no questioned costs were noted. However, the Department did not document their determination to keep this provider enrolled with current license limitations. In addition, we noted that this provider?s license expired in Colorado interChange as of October 2016, however, DORA?s website showed the provider with an active license, or license with limitations, during Fiscal Year 2020. The fiscal agent did not update license information as required by the contract. ELIGIBILITY CASE FILE ISSUES MISSING DOCUMENTATION AND LICENSE INFORMATION. For five of 45 providers (11 percent), the Department did not ensure that the fiscal agent maintained the support of the most current medical license information as of June 30, 2020, within Colorado interChange to demonstrate that the provider was eligible to provide services. After we brought the issue to the Department?s attention, the Department provided the documentation. Additionally, for two of these five providers, we found that the medical license information maintained by the fiscal agent in Colorado interChange differed from the license information contained in the DORA database. For example, in one case, the provider?s license showed an expiration date of September 30, 2019, in Colorado interChange, while the accurate license expiration date in DORA?s database was September 30, 2021. Without the most current license information, the fiscal agent cannot appropriately verify ongoing eligibility for the providers. WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls in place over the provider eligibility process during Fiscal Year 2020 to ensure that it complied with federal and state regulations. ? INEFFECTIVE REVIEW OF PROVIDER LICENSES. The Department lacks an effective review process to ensure the license information in DORA?s database matches the license information in Colorado interChange in order to identify suspended providers, to document their determination to keep a provider enrolled with license limitations, and providers with expired licenses. In addition, the Department?s manual review did not ensure that suspended providers, providers with license limitations and providers with expired licenses were terminated and restricted in a timely manner. ? POLICIES AND PROCEDURES NOT UPDATED. The Department did not obtain CMS guidance until May 2021 to document their determinations to keep providers with license limitations enrolled when a license limitation did not restrict provider?s ability to render services. Therefore, the Department?s current policies and procedures are not updated to match CMS guidance. ? LACK OF EFFECTIVE TRAINING AND MONITORING. The Department was not effectively training and monitoring its fiscal agent to ensure that copies of active medical licenses are maintained within providers? files in Colorado interChange. Additionally, the fiscal agent did not properly update the provider?s license information in Colorado interChange to match the DORA database during Fiscal Year 2020. WHY DO THESE PROBLEMS MATTER? By not ensuring that appropriate internal controls, including policies and procedures, reviews, training, and monitoring, are in place over the Medicaid and CBHP provider eligibility process, the Department cannot ensure that all Medicaid and CBHP providers are eligible to participate in the programs. Additionally, without an effective review process to update provider licensure information within Colorado interChange, the Department cannot ensure that the enrolled providers are eligible to receive payments. Ensuring that providers contained in Colorado interChange are eligible to provide services is especially important to prevent any improper payments. Overall, the State could risk losing federal Medicaid and CBHP funding if it allows ineligible providers to bill and be paid for services provided for these programs. Furthermore, the State may lose federal Medicaid money if the Department does not recover any of the payments made to ineligible providers. State statute [Section 25.5-4-301(2), C.R.S.] indicates that any overpayments of claims to providers are recoverable. These overpayments ?shall be recoverable regardless of whether the overpayment is the result of an error by the state department, a county department of social services, an entity acting on behalf of either department, or by the provider or any agent of the provider.? See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-039 The Department of Health Care Policy and Financing (Department) should improve its internal controls over the Medicaid and Children?s Basic Health Plan provider eligibility determination to ensure that it complies with federal and state requirements by: A Improving the Department?s review process of provider licenses to ensure the license information in the Department of Regulatory Agencies (DORA) license database matches the license information in the Colorado interChange system and ensuring timely termination and imposing restrictions for the provider?s whose licenses are suspended or expired. B Updating the current policies and procedures to match Centers for Medicare and Medicaid Services guidance to ensure there is adequate documentation of the determinations for providers with license limitations. C Effectively training and monitoring its fiscal agent to ensure that copies of active licenses are maintained and provider license information in the Colorado interChange system matches the information in DORA?s license database. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will update its policies and procedures to ensure that the process for reviewing whether a license action requires termination or a restriction in the Colorado interChange, is documented and implemented in a timely manner to prevent payments to ineligible providers. As noted in OSA's finding, it is best practice for the Department to verify providers meet these standards on an ongoing basis between initial enrollment and revalidation to ensure there are no current limitations on the provider?s license, including those that have expired. The Department?s previous process was discontinued due to data matching issues between DORA and the Colorado interChange. However, letters continue to be sent to providers with upcoming expiring licenses prompting them to add current license information to their provider file. The Department plans to implement a system change that will make the data feed from DORA functional and install a front-end claims edit that will prevent claims from providers with an expired license from paying. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will update its policies and procedures to ensure that all determinations made on whether a provider has a limitation on its license are properly documented. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department has an established process to train and monitor its fiscal agent. The Department will continue to monitor the Fiscal Agent through reports, meetings, and quarterly audit review processes. The Department and the Fiscal Agent will continue to collaborate to improve the process in which required documentation is collected and maintained.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-054 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-041 MEDICAID ELIGIBILITY?MISSING SOCIAL SECURITY NUMBERS A beneficiary?s application includes information such as a Social Security Number (SSN), birth certificate, and supporting documentation for income. Local counties and MA sites are responsible for administering the benefits application process, entering the required data for eligibility determination into CBMS, and approving or denying applicants? eligibility. For example, Medicaid caseworkers enter and document each applicant?s SSN into CBMS. Caseworkers determine participants? eligibility to receive Medicaid benefits through CBMS. The CBMS eligibility data, including SSNs, feeds into Colorado interChange, which pays providers for the services they render to Medicaid beneficiaries. If there is a change to an SSN, including removing an SSN in CBMS, this change should feed directly into Colorado interChange. Additionally, children in foster care are automatically eligible for Medicaid; the TRAILS system that supports the foster care program at the Department of Human Services also interfaces with Colorado interChange on a daily basis to update foster care beneficiaries? eligibility information and pay providers for the services rendered. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls that were in place over the Medicaid eligibility process during Fiscal Year 2019, and to determine whether the Department complied with federal and state Medicaid requirements during this timeframe. During our audit, we requested a list of all Medicaid claims for medical services that were submitted and paid through Colorado interChange from July 1, 2018, through March 31, 2019. This list included claims made on behalf of approximately 1.1 million beneficiaries. We analyzed the data to identify any Medicaid claims payments made during July 1, 2018, through March 31, 2019, on behalf of beneficiaries who did not have an SSN in Colorado interChange on the date of the claims payment, and found a total of 524,092 claims paid on behalf of 46,772 beneficiaries. From this listing, we excluded any of the claims payments made on behalf of a beneficiary who was exempted from providing an SSN under federal and state regulations. For example, we removed claims payments for beneficiaries who were under the age of 1; beneficiaries who were in foster care and, therefore, were automatically deemed eligible for Medicaid; beneficiaries who had applied to the Social Security Administration for an SSN at the time of the payment; beneficiaries who received medical care as an emergency service; and beneficiaries who had chosen to opt out of providing an SSN due to allowed religious reasons. After we removed these exempted beneficiaries from the population, the list included 2,870 beneficiaries that appeared to be missing an SSN in Colorado interChange and who had Medicaid claims payments made on their behalf from July 1, 2018, through March 31, 2019. We then reviewed these remaining beneficiaries, and the related separate payments made on their behalf during this time period, to determine whether these beneficiaries had an SSN in Colorado interChange at the time of the claims payments and whether the individuals were eligible for Medicaid benefits in accordance with federal regulations and Department procedures. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? SSN REQUIREMENTS. Federal regulations [42 CFR 435.910 and 42 CFR 435.117(b)] state that the Department must require an SSN for each individual requesting Medicaid benefits, with the exception of newborns under the age of 1, or ?Eligible Needy Newborns,? and individuals who refuse ?to obtain an SSN because of well-established religious objections.? Federal regulation [42 CFR 435.145(b)(2)] states that the Department must provide Medicaid benefits to individuals who are in the foster care program. Section 472 of the Social Security Act does not require a child to provide an SSN in order to be eligible for the foster care program. State regulations [10 CCR 2505-10 8.100.3.I.1, 8.100.4.B.1.a, and 8.100.4.G.7.a] also require that every individual who applies for and receives Medicaid benefits must provide an SSN, or an application for an SSN, with their application for Medicaid. The regulation specifically states: An applicant?s or client?s refusal to furnish or apply for a Social Security Number affects the family?s eligibility for assistance as follows: i) that person cannot be determined eligible for the Medical Assistance Program; and/or ii) if the person with no SSN or proof of application for SSN is the only dependent child on whose behalf assistance is requested or received, assistance shall be denied or terminated. The regulation also states that newborns under the age of 1 and ?members of religious groups whose faith will not permit them to obtain Social Security Numbers shall be exempt from providing a Social Security Number.? Eligibility data, including SSNs, is required to be collected and entered into CBMS at the time of application or upon another event, such as the beneficiary turning 1 year old. Because this information is maintained within CBMS, and CBMS feeds eligibility information into Colorado interChange, eligible beneficiaries should have an SSN in Colorado interChange. MONITORING. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in the Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). Green Book Paragraph 16.01, Perform Monitoring Activities, states the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. TRAINING. Department training procedures indicate that when a local county or MA site caseworker needs to update an SSN in CBMS, he or she must call the Office of Information Technology (OIT) Service Desk within the Office of the Governor, for approval of the change. According to Department staff, once the OIT Service Desk reviews and approves the change, the information will be updated within CBMS; if the OIT Service Desk does not approve the change to the SSN, then the updated information will be rejected within CBMS. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We identified 2,870 beneficiaries who were required to have an SSN but did not have an SSN documented in Colorado interChange and had Medicaid claims paid on their behalf sometime between July 1, 2018, and March 31, 2019. In total, Colorado interChange paid approximately $4,540,920 in Medicaid claims for these beneficiaries during the time period noted. In August 2019, we informed the Department of the issues we identified and Department staff performed additional follow-up based on our findings, which included analyzing information contained in CBMS compared to our results from Colorado interchange; the Department confirmed in January 2020, the Department confirmed that 1,590 of these beneficiaries had never had an SSN recorded in CBMS since they were first found eligible for Medicaid benefits, and therefore, would never have had an SSN in Colorado interChange. Because these individuals were required by federal and state regulations to provide an SSN at the time of application or upon another event, as applicable, the lack of documented SSNs in both CBMS and Colorado interChange indicated that these individuals appeared to be ineligible for the Medicaid claims payments that were made on their behalf during the fiscal year. The Department indicated that the remaining 1,280 beneficiaries without an SSN in Colorado interChange did not have an SSN in CBMS at the time of the claim but had an SSN ?at some point? during Fiscal Year 2019 or prior within CBMS. Since the individuals lacked an SSN within Colorado interChange at the time of the Fiscal Year 2019 claims payments, and based on the documentation provided by the Department, we were unable to determine whether the individuals had submitted an SSN at the time of application or upon another event as required and, therefore, whether they were eligible for the Medicaid services they received. Overall, for the 1,590 beneficiaries noted, we identified known questioned costs of $2,285,757 for the period of July 1, 2018, through March 31, 2019; $1,142,879 of these costs were paid with federal grant funds. For the 1,280 beneficiaries noted, we identified likely questioned costs of $2,255,163 for the period of July 1, 2018, through March 31, 2019. We further analyzed 49 of the 1,590 beneficiaries noted above to identify reasons for missing SSNs and found that: ? Beneficiaries in CBMS were not eligible; however, they were marked as ?eligible? within Colorado interChange. ? Beneficiaries were incorrectly enrolled in the Eligible Needy Newborn Program even though they were all over the age of 1; as a result, although the Department had not required them to provide an SSN, they continued to receive benefits during July 1, 2018, through March 31, 2019. ? Beneficiaries were exempted from obtaining an SSN for unallowable reasons including ?incomplete documents? and ?illness? categories, and CBMS processed their eligibility and Colorado interChange made payments on their behalf; however, neither federal nor state regulations allow such exemptions. The Department has indicated that they are performing additional research on the issues regarding the 1,280 beneficiaries that had an SSN ?at some point? during Fiscal Year 2019 or prior within CBMS. WHY DID THESE PROBLEMS OCCUR? For 1,280 beneficiaries identified who were missing an SSN in Colorado interChange and CBMS at the time of the claim, but had an SSN ?at some point? within CBMS during Fiscal Year 2019 or prior, the Department provided the following possible explanation: The SSN was removed due to caseworkers failing to contact the OIT Service Desk for proper approval for changes to SSN information in CBMS. Other problems with missing SSNs were related to: ? CBMS ISSUES. CBMS was not programmed to appropriately deny an applicant?s eligibility for Medicaid when the individual did not have an SSN in CBMS and did not have an allowed exception noted in CBMS. Rather, CBMS allowed the SSN field to be left blank, regardless of the reason noted for the missing SSN and whether the reason was allowed as an exemption by federal and state regulations. In addition, the SSN in CBMS could be deleted at any time by the caseworker or the OIT Service Desk and CBMS was not programmed to alert the caseworker to follow up if an SSN had been deleted from the file. ? SYSTEM INTERFACE ISSUES AND LACK OF A RECONCILIATION PROCESS. CBMS was not interfacing with Colorado interChange appropriately to update beneficiaries? eligibility information. Some beneficiaries who were deemed ?ineligible? for Medicaid in CBMS were listed as ?eligible? in Colorado interChange and payments were made on their behalf during the fiscal year. Furthermore, the Department lacked an effective internal control process for reconciling Medicaid beneficiaries? eligibility information in CBMS to the eligibility information in Colorado interChange to ensure that the information was consistent in both systems, and that the beneficiary was appropriately deemed either ?eligible? or ?ineligible? in accordance with federal and state regulations. ? LACK OF EFFECTIVE REVIEWS, TRAINING, AND MONITORING. The Department was not effectively monitoring and training Medicaid local county and MA site caseworkers on required approvals for any changes to beneficiaries? SSNs. Further, the Department did not have an effective review process to ensure that beneficiaries were enrolled in the correct Medicaid program. WHY DO THESE PROBLEMS MATTER? As the state Medicaid agency, it is essential for the Department to ensure that Medicaid eligibility determinations are made appropriately and in accordance with state and federal regulations. This includes ensuring accurate processing of information used to determine Medicaid eligibility results in Medicaid benefits being provided to and paid on behalf of only eligible individuals. Since CBMS and Colorado interChange determine eligibility and issue payments on behalf of other federal programs, such as the CBHP, these issues could result in erroneous eligibility determinations or payments for other programs. Ultimately, the federal government may disallow federal funds for Medicaid program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2019-043 The Department of Health Care Policy and Financing should improve its internal controls over Medicaid eligibility by: A Researching and, if feasible, instituting a mechanism for identifying Medicaid cases in the Colorado Benefits Management System (CBMS) that lack a Social Security Number. B Researching and resolving CBMS and Colorado interChange interface issues to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries and establishing an effective reconciliation process between CBMS and Colorado interChange to ensure that Medicaid beneficiaries? eligibility information is consistent in both systems. C Effectively training and monitoring local counties and Medical Assistance sites to ensure that caseworkers are obtaining and documenting the Office of Information Technology Service Desk?s approval for changes to beneficiaries? Social Security Numbers, and that beneficiaries are enrolled in the correct Medicaid program. D Researching the cases identified in our audit to determine whether these beneficiaries were eligible and that the payments made on their behalf were appropriate, in accordance with federal and state regulations. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The CBMS currently has functionality in place for members requesting Medical Assistance that they must supply a Social Security Number (SSN) unless they meet certain acceptable exceptions at initial application. Since CBMS is a shared system between the Department and the Department of Human Services and any change would impact all cases in CBMS, the Department cannot guarantee that a system change can be implemented. The Department can agrees to research on the feasibility of instituting a mechanism for identifying Medicaid cases in CBMS that lack a social security number and, if feasible, implement a CBMS change by July 2022. B AGREE. IMPLEMENTATION DATE: JULY 2021. The Department agrees to research and resolve Colorado Benefits Management System (CBMS), and Colorado interChange system interface issues identified in the audit. The Department implemented a system change in June of 2018 that allows retroactive changes in eligibility to be correctly synced between the systems. The majority of the impacted cases are historical cases that will be manually corrected by June 2020. Additional cases involve detailed research, review, and potential outreach to case workers to correct the case file or verify the eligibility status of the impacted members. The Department will take the appropriate actions to notify impacted members if necessary. The Department's implementation date reflects that the Department will be in compliance with the Recommendation for the entirety of FY 2021-22. C AGREE. IMPLEMENTATION DATE: JULY 2021. The Department provides training to counties and Medical Assistance sites that beneficiaries applying for Medical Assistance must supply a Social Security Number (SSN) or supply verification that they have applied for an SSN, unless they meet certain acceptable exceptions. This information has been communicated to the counties since 2004 and is part of our ongoing training materials. The Department cannot agree to establish any additional review process at this time. The Department can agree to work with counties and Medical Assistance sites to identify any additional training related to missing SSN and implement additional training by July 2021. D DISAGREE. The Department disagrees with the Total Known Questioned Costs of $2,285,757 identified in the audit report since Department cannot verify the results. The Department is still attempting to reconcile various reports to understand the finding identified through this audit. CBMS currently has functionality in place for members requesting Medical Assistance that they must supply a Social Security Number (SSN), unless they meet certain acceptable exceptions at initial application. The Department does not have the resources to research the thousands of cases that the auditor identified through data mining techniques, a new methodology for the first time this year. If the auditor is changing methodologies, the Department requires additional resources and timely notice to request resources through the budget process. AUDITOR?S ADDENDUM: The beneficiaries identified through our testing were required by Medicaid regulations to provide an SSN at the time of application or upon another event, as applicable, and the SSN is documented in CBMS and uploaded to Colorado interChange [State regulations 10 CCR 2505-10, 8.100.3.I.1 and 8.100.4.B.1.a and 8.100.4.G.7.a]. Because the noted beneficiaries lacked an SSN within Colorado interChange at the time claims payments were made on their behalf, we questioned the beneficiaries? eligibility. The Department is responsible for ensuring that only individuals who are appropriately deemed eligible for Medicaid receive benefits. Therefore, it is the Department?s responsibility to identify and remove ineligible individuals from the Medicaid program and to prevent the inappropriate payment of claims on their behalf. In addition, generally accepted government auditing standards (GAGAS) (paragraph 3.18), require that ?In all matters relating to the GAGAS engagement, auditors and audit organizations must be independent from an audited entity.? Additionally, paragraph 3.42 states that ?Examples of circumstances that create undue influence threats for an auditor?include (b) [e]xternal interference with the selection or application of engagement procedures or in the selection of transactions to be examined.? Therefore, it is imperative that our decisions related to audit approaches and testing methods be made without department influence or persuasion.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-047 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-034 MEDICAID CONTROLS OVER ELIGIBILITY DETERMINATIONS Individuals and families seeking medical benefits through Medicaid must apply and provide certain information to caseworkers at their local county or an MA site, which collects required documentation for determining the applicants? eligibility. Such documentation includes the applicants? birth certificates, support for income, and the value of resources, such as wage stubs and bank account balances. Caseworkers enter the applicant-provided data into CBMS, which contains system checks for determining the applicants? eligibility to receive Medicaid benefits. These system checks include calculating and verifying income and resources for the applicants, as well as assessing and collecting fees for benefits, such as buy-in premiums. For example, CBMS will mark an applicant?s eligibility as fail if the reported income or resources exceed specific limits that are set by federal and state regulations. The Department is responsible for monitoring the local counties? and MA sites? administration of Medicaid to ensure eligibility is determined in accordance with federal and state regulations. Medicaid applicants may be eligible for retroactive eligibility, which allows new Medicaid applicants to receive coverage for up to 3 months prior to the date of one?s application. As long as the individual meets Medicaid?s eligibility requirements in the 3 months preceding their application, the Department will retroactively pay Medicaid covered expenses that individuals incurred during that timeframe. Without retroactive eligibility, benefits for Medicaid eligible individuals begin on the date the application was received by the local county or MA site. As an example, if an individual has medical expenses in March, applies for Medicaid in June, and the individual has met the eligibility requirements for 3 months preceding their application, then any unpaid Medicaid covered expenses for March, April, and May are paid by Medicaid. Eligibility data from CBMS feeds into the Colorado interChange system (Colorado interChange), which issues payments to Medicaid providers for the services they render to Medicaid beneficiaries. The Department pays Medicaid providers through two methods: (1) directly through fee-for-service (FFS) payments for specific services rendered or (2) indirectly through monthly fixed amounts known as capitation payments that are paid to managed care entities, who contract with providers for services. The monthly capitation payments are paid every month on behalf of beneficiaries regardless of whether the beneficiaries receive medical services during the month. Colorado interChange is programmed to pay the FFS and monthly capitation payments only on behalf of beneficiaries deemed eligible in Colorado interChange based on eligibility information received from CBMS and requirements specified in federal and state rules and regulations. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to review the Department?s internal controls over the Medicaid eligibility determination process, as well as to determine whether the Department complied with applicable federal and state Medicaid eligibility requirements during Fiscal Year 2020. We performed testing on a statistical sample of 125 case files related to beneficiaries who (1) were deemed eligible for Medicaid during Fiscal Year 2020 and (2) had a payment made on their behalf to a Medicaid provider between July 1, 2019, and February 29, 2020. The purpose of our testing was to determine whether the beneficiaries were appropriately determined to be eligible for Medicaid during the time they received services within this period. This audit period was selected to accommodate changes that were made to federal Medicaid eligibility requirements in March 2020 due to the COVID-19 PHE. Our testing involved reviewing Medicaid case files, CBMS data fields, and supporting documentation related to eligibility determinations and redeterminations, as well as Medicaid payment information in Colorado interChange. For each beneficiary, we determined whether the Department ensured that local county and MA site caseworkers obtained and maintained required documents supporting eligibility determinations and redeterminations, and correctly entered eligibility data into CBMS. Additionally, for each sampled beneficiary, we determined whether CBMS showed the correct income and resources, the beneficiary was enrolled in the appropriate Medicaid program, buy-in premiums were assessed, and payments were not made after eligibility had ended during Fiscal Year 2020. We also inquired about the Department?s monitoring procedures over local counties and MA sites to ensure eligibility is determined in accordance with federal and state regulations. Additionally, we reviewed the Department?s progress in implementing our Fiscal Year 2019 audit recommendation related to Medicaid eligibility. Based on the results of that audit, we recommended that the Department strengthen its internal controls over Medicaid by providing adequate training, monitoring the local counties and MA sites, and researching and resolving CBMS system issues identified in our Fiscal Year 2019 audit. STATISTICAL SAMPLING METHODOLOGY We selected a statistical sample of Medicaid beneficiaries for our review of their case files in a manner that?if we found errors?would allow us to estimate the total number of beneficiaries who were improperly deemed eligible, as well as the resulting dollar amount of Medicaid benefit payments that were improperly paid during the audit period of July 1, 2019, through February 29, 2020. We designed our sampling methodology and sample size to support statistical projections of our testing results to the population of all beneficiaries for whom payments were made during the audit period. Our methodology included the following procedures: ? We requested and received from the Department a listing of all Medicaid FFS and capitation payments with a date of service during the audit period. The data set included State identification numbers (ID), which are unique to each beneficiary. ? We summarized all Medicaid payments made during the audit period by ID and removed any IDs for which total payments and adjustments netted to $0, which can happen when the Department catches and fixes payments made in error. This resulted in a population of 1,386,220 unique IDs that had a total of $5,408,339,948 in payments made on their behalf during the audit period. ? We used a stratified random sample, as shown in the following table, consisting of six strata defined by the total amount of payments for each unique ID. We selected random samples from each strata for a total of 125 IDs that had benefit payments totaling $3,127,704. The strata and sample sizes were defined based on our risk assessment and consultations with audit sampling methodologists from the U.S. Department of Health and Human Services, Office of Inspector General (HHS OIG). ? For each sampled ID, we tested eligibility covering the dates of service for every payment made on the individual?s behalf within the audit period. ? After we concluded our testing, we used HHS OIG?s Office of Audit Services statistical software in consultation with HHS OIG to project our results to the full population of IDs for which benefits were paid during the audit period. See Schedule of Findings and Questioned Costs for chart/table. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? For 32 of the 125 Medicaid beneficiaries? case files that we tested (26 percent), we identified at least one error within each case file. In total, we identified 43 errors within the 32 case files. These errors resulted in a total of $25,120 in known questioned costs for July 1, 2019, through February 29, 2020, and $6,843 in likely questioned costs for March 1, 2020, through June 30, 2020, as shown in the following table. See Schedule of Findings and Questioned Costs for chart/table. A questioned cost, as defined in federal regulations [45 CFR 75.2 Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards (Uniform Guidance)], is ?a cost that is questioned by the auditor ? (1) Which resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds; [or] (2) Where the costs, at the time of the audit, are not supported by adequate documentation?.? Furthermore, federal regulation [45 CFR 75.516] defines known questioned costs as questioned costs that are specifically identified by the auditor and likely questioned costs as an auditor?s best estimate of total questioned costs. During the COVID-19 PHE, CMS issued waivers that limited the Department?s ability to deny eligibility for enrolled beneficiaries. The Department also sought guidance from CMS on the treatment of beneficiaries who were ineligible prior to the COVID-19 PHE but were receiving benefits during this period. CMS guidance indicated that the Department should keep these beneficiaries enrolled during the COVID-19 PHE. Therefore, we are reporting any identified questioned costs from March 1, 2020, through June 30, 2020, the period during the COVID-19 PHE, as likely questioned costs. PROJECTED LIKELY QUESTIONED COSTS FOR JULY 2019 THROUGH FEBRUARY 2020. Based on our sample, we estimate the projected Medicaid questioned costs resulting from payments made on behalf of ineligible beneficiaries in the population between July 1, 2019, and February 29, 2020, to be about $165.6 million and, with 90 percent confidence, to be at least $41.1 million but not more than $290.0 million. This projection is based on the $25,120 in known questioned costs, or misstatements, we identified in our sample during the audit period. The American Institute of Certified Public Accountants Audit Sampling, May 1, 2017, Audit Guide [AAG-SAM 4.95] advises, ?Even if the misstatement appears to be from an unusual source, that does not mean that other unusual items are not in the population and that the original sample was not representative.? In accordance with this guidance, we projected the known questioned costs to the population of payments for services that occurred from July 1, 2019, through February 29, 2020, regardless of the nature of the errors or the programs involved, since the Department is ultimately responsible for all payments made to providers on behalf of eligible beneficiaries. The projected questioned costs amount of $165.6 million is based on a statistical calculation that does not correlate to specific payments to providers or to over-expenditures of the State?s General Fund or federal funds. However, this calculation indicates that if we tested the entire population, there is a 90 percent likelihood of finding the true amount of questioned costs to be between $41.1 million and $290.0 million and the amount would most likely be close to $165.6 million in erroneous payments. There is a 5 percent chance that the true amount of questioned costs is less than $41.1 million, and a 5 percent chance the true amount is over $290.0 million. PROJECTED LIKELY NUMBER OF INELIGIBLE BENEFICIARIES FOR JULY 2019 THROUGH FEBRUARY 2020. We also estimate that 169,026 beneficiaries, or with 90 percent confidence that at least 59,622 (4.30 percent) but not more than 278,429 (20.09 percent) beneficiaries, in our total population of 1,386,220 were likely ineligible at the time they received services from July 1, 2019, through February 29, 2020. The following table summarizes the results of our projections. See Schedule of FIndings and Questioned Costs for chart/table. The following table summarizes the total known and likely questioned costs based on our case file testing and statistical sampling results for Fiscal Year 2020. See Schedule of Findings and Questioned Costs for chart/table. DETAILS OF ERRORS IDENTIFIED. In some case files, we identified multiple instances of errors. Specifically, we found the following: ? PAYMENTS AFTER ELIGIBILITY HAS ENDED. In three cases, the Department paid for services after the beneficiary?s eligibility had ended. Specifically, in two cases, the beneficiaries continued to receive benefits after their death. In the remaining case, the Department determined the beneficiary was ineligible and ended the beneficiary?s benefits; however, payments continued to be made on behalf of the beneficiary after their eligibility had ended. These issues resulted in known questioned costs of $11,102. Federal regulation [42 CFR 433.304] states that an overpayment is the amount paid by a state agency to a provider in excess of the allowable amount for furnished services. Because medically necessary services cannot be provided after a beneficiary?s death, no medical services are allowable after a beneficiary?s death. Accordingly, payments for medical services claimed to have been provided after a Medicaid beneficiary?s death are overpayments. According to federal regulation [42 CFR 431.958], ?Improper payment means any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements; and includes any payment to an ineligible beneficiary, any duplicate payment, any payment for services not received, any payment incorrectly denied, and any payment that does not account for credits or applicable discounts.? ? INELIGIBLE FOR PROGRAM. In one case, the beneficiary was ineligible for the benefits received under Medicaid?s Social Security Income (SSI) mandatory program, which is a medical assistance program provided to persons eligible for financial assistance under SSI from the Social Security Administration (SSA). As a result of an eligibility redetermination, the caseworker determined that the beneficiary had not been eligible for the program since January 2019; however, the beneficiary received benefits under this program for the entire fiscal year. This issue resulted in known questioned costs of $8,326 and likely questioned costs of $4,132 for Fiscal Year 2020. State regulations [10 CCR 2505-10, 8.100.6.C.1a. and b.] state that Medicaid benefits must be provided to persons receiving financial assistance under SSI or persons who are eligible for financial assistance under SSI, but are not receiving SSI. ? INCOME ISSUES. We identified the following income-related issues: ? INCOME EXCEEDING THRESHOLD. In two cases, CBMS incorrectly calculated the beneficiaries? income. CBMS used income information reported by the beneficiary when it should have used electronic income information received through an interface with another system. If CBMS had correctly used the electronic income information, beneficiaries? income would have been over the limit set by federal regulation and the beneficiaries, therefore, should have been denied benefits at their redetermination. Instead, the beneficiaries were approved at their redeterminations and Colorado interChange paid claims on their behalf. These errors resulted in known questioned costs of $4,613 and likely questioned costs of $2,281. ? INCOME NOT VERIFIED. In one case, the caseworker did not verify income for the beneficiary. Specifically, the beneficiary reported income on the application, but the caseworker was unable to verify the income and deleted the income record from CBMS. This error resulted in known questioned costs of $779 and likely questioned costs of $280. ? INCORRECT INCOME THRESHOLD. In one case, CBMS used the incorrect income threshold for the beneficiary?s eligibility determination. The beneficiary?s income was less than the correct income threshold and, therefore, this error did not result in questioned costs. ? INCORRECT INCOME. In three cases, the caseworker used the incorrect income amount to determine eligibility. Specifically, in two cases, the caseworker excluded income when it should have been included for determining eligibility. In the remaining case, the caseworker did not include expenses to calculate self-employment income and, as a result, the caseworker overstated income for determining eligibility. No questioned costs were identified in these instances because the beneficiaries? income was still within federal and state income guidelines. Federal regulation [42 CFR 435.119] requires household income to be at or below 133 percent threshold of the federal poverty level and the State regulation [10 CCR 2505-10, 8.100.6.L.2.c] requires qualified beneficiary?s income to be at or below the federal property level. Federal regulation [42 CFR 435.914] requires the Department to obtain and maintain documentation to support each beneficiary?s Medicaid eligibility determination. State regulation [10 CCR 2505-10, 8.100.5.B.1.c] requires the caseworker to verify earned income in determining whether an individual qualifies for medical assistance and requires the Department to verify income reported by a beneficiary through an electronic data source, wage stubs, tax documents, or verification with the employer. State regulation [10 CCR 2505-10, 8.100.3.K.8.a] requires business expenses to be deducted from countable self-employment income when calculating Medicaid applicants? self-employment income. ? MISSING REDETERMINATION. In one case, the Department did not complete the annual redetermination for the beneficiary as required by the federal regulation. Specifically, the beneficiary had Medicaid payments paid on their behalf during the entire Fiscal Year 2020; however, the beneficiary had not been redetermined since April 2018 due to the beneficiary showing as ineligible in CBMS. This issue resulted in known questioned costs of $300 and likely questioned costs of $150. Federal regulation [42 CFR 435.916(a)] requires the Department to renew or redetermine Medicaid eligibility once every 12 months but no more frequently than once every 12 months. ? BUY-IN PREMIUMS NOT ASSESSED. In one case, the Department did not assess buy-in monthly premiums for the beneficiary. Beneficiaries are required to pay buy-in premiums to receive benefits under the Buy-in Working Adults with Disabilities program. Therefore, the beneficiary was not eligible for the Program during November 2019 through February 2020. The beneficiary did not have any claims submitted by providers during this time and therefore, this issue did not result in questioned costs. State regulations [10 CCR 2505-10, 8.100.6.P.1.f] require individuals to pay monthly premiums on a sliding scale based on income for the Buy-in Working Adults with Disabilities program to be eligible to receive benefits. ? INAPPROPRIATE CHANGE TO ELIGIBILITY. In two cases, the Department did not determine eligibility in accordance with state regulation. Specifically, the beneficiaries provided information to the Department that changed their eligibility and the caseworkers applied the change retroactively; these beneficiaries were current Medicaid beneficiaries rather than new applicants and state regulations do not allow eligibility to be changed retroactively for current beneficiaries. These issues did not result in questioned costs. State regulation [10 CCR 2505-10, 8.100.3.E] requires that retroactive eligibility only be provided to new applicants for the prior 3 months preceding the date of application. State regulations do not allow for retroactive redeterminations to existing beneficiaries.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-048 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-035 MEDICAL ASSISTANCE PAYMENTS FOR DECEASED BENEFICIARIES As a safeguard against potential errors and fraud, state and local agencies need to be vigilant in preventing payments for medical services on behalf of ineligible individuals, such as those who are deceased. In general, the Department, local counties, and MA sites share responsibility for ensuring that only eligible beneficiaries receive public assistance benefits under Medicaid and CBHP. Local counties and MA sites caseworkers enter the required data for eligibility determination into CBMS, which either approves or denies eligibility for MA benefits. In addition, CBMS has various system interfaces to confirm and update the eligibility information in CBMS, including the date of death. Eligibility data in CBMS feeds daily into Colorado interChange and the Department pays providers through two methods: (1) FFS payments to medical service providers for specific services, including pharmacy prescriptions, and (2) capitation payments. The monthly capitation payments are paid at the beginning of each month regardless of whether the providers serve beneficiaries during the month or not. FFS payments are only made for Medicaid beneficiaries while capitation payments are made for both Medicaid and CBHP beneficiaries. Colorado interChange is programmed to pay FFS and monthly capitation payments only on behalf of beneficiaries that are deemed eligible based on eligibility information received from CBMS and requirements specified in federal and state regulations. CBMS receives beneficiary death information through various sources, including updates from beneficiaries? family members, daily interfaces with the SSA, and a monthly interface with the Colorado Electronic Death Registration System maintained by the Colorado Department of Public Health and Environment (CDPHE). If death information received in CBMS has not been verified, the Department will confirm the death information by sending notification letters to the deceased beneficiary. Once the death information is verified, CBMS is programmed to terminate the beneficiary?s eligibility as of the date of death. On a daily basis, CBMS then sends updated beneficiary eligibility and date of death information to Colorado interChange, which is programmed to run a daily automated process to stop payments, check for payments, and recover all FFS and capitation payments made after the beneficiary?s verified date of death. In the majority of cases, there is a delay between when the beneficiary dies and when the Department receives death information, verifies the date of death, and terminates benefits; which means that claims may be paid on behalf of deceased beneficiaries for a period of time. Per federal regulations, the Department is required to recover any payments made on behalf of these beneficiaries after their date of death. Once the Department receives verified death information, overpayments are recovered through an automated process in Colorado interChange. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over Medicaid and CBHP payments related to beneficiaries who die while receiving benefits, to determine whether the Department complied with applicable federal and state requirements, and whether payments were only made on behalf of eligible beneficiaries during Fiscal Year 2020. During our audit, we received a listing of all Coloradans who died during Fiscal Year 2020, including dates of death, from CDPHE staff. We also obtained a listing from the Department of all Medicaid and CBHP payments made to providers during Fiscal Year 2020. We compared the two listings using Social Security Numbers (SSN) and identified 1,059 Medicaid and CBHP IDs that had Medicaid payments totaling $429,951 made on their behalf and $194 in CBHP payments made on their behalf. In addition, we reviewed the Department?s processes, policies, and procedures for identifying, stopping, and recovering payments for deceased beneficiaries. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? Federal regulation [42 CFR 431 Subpart Q, Requirements for Estimating Improper Payments in Medicaid and CHIP] states that any payment to an ineligible beneficiary is considered an improper payment, which is any payment that should not have been made or that was made in an incorrect amount. Also, Section 25.5-4-301(2), C.R.S., requirements for Medicaid and CBHP, states that any overpayments of claims to providers are recoverable. These overpayments ?are recoverable regardless of whether the overpayment is the result of an error by the state department, a county department of human or social services, an entity acting on behalf of either department, or by the provider or any agent of the provider.?? Additionally, Section 25.5-4-301(2)(a)(II), C.R.S., states, ?If the state department makes a determination that such overpayment has been made for some other reason than a false representation by the provider?, the state department may waive the recovery or adjustment of all or part of the overpayment and accrued interest specified in this subparagraph (II) if it would be inequitable, uncollectible or administratively impracticable?.? Because medically necessary services cannot be provided after a beneficiary?s death, no medical services are allowable after a beneficiary?s death and, accordingly, payments for medical services claimed to have been provided after a beneficiary?s death are overpayments and should be recovered. Pursuant to 1903(d)(2)(C) of the Social Security Act [42 U.S.C. 1396b] requirements for Medicaid and CBHP, states have up to 1 year from the date of discovery of any overpayment to recover or attempt to recover the overpayment before the federal share must be refunded to CMS, regardless of whether or not recovery is made from the provider. According to federal regulation [45 CFR 75.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. Green Book, Paragraph 16.01, states that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. A questioned cost, as defined in Uniform Guidance [45 CFR 75.2], is ?a cost that is questioned by the auditor ? (1) Which resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds; [or] (2) Where the costs, at the time of the audit, are not supported by adequate documentation?.? Additionally, federal regulation [45 CFR 75.516] defines known questioned costs as questioned costs that are specifically identified by the auditor and likely questioned costs as the auditor?s best estimate of total questioned costs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We found that the Department made Medicaid and CBHP payments to providers for medical services claimed to have been rendered to Medicaid and CBHP beneficiaries after the months in which beneficiaries died. Specifically, the Department made payments on behalf of 1,059 beneficiaries after their date of death provided by CDPHE, resulting in overpayments of $185,265, of which $96,952 were paid with federal grant funds, as follows: MEDICAID FFS PAYMENTS. We identified 277 Medicaid beneficiaries whose SSN matched a death record from CDPHE and who had Medicaid FFS payments totaling $207,667 paid on their behalf to providers after their date of death. We reviewed payments for 21 of the 277 Medicaid beneficiaries and confirmed with the Department that 17 of the 21 beneficiaries (81 percent) were deceased and had payments made on their behalf after their date of death during Fiscal Year 2020. We also found that the Department had not recovered these improper FFS payments to ineligible beneficiaries as of the end of Fiscal Year 2020 and, therefore, these errors resulted in known questioned costs of $17,041, of which $8,654 was paid with federal grant funds. For the remaining four Medicaid beneficiaries, the Department researched and provided evidence that the beneficiaries were not deceased. Therefore, these four beneficiaries did not result in questioned costs. The remaining 256 beneficiaries whose SSN matched a death record from CDPHE and need to be researched and verified resulted in likely questioned costs of $77,840, of which $41,422 was paid with federal grant funds. MEDICAID AND CBHP CAPITATION PAYMENTS. We identified 846 Medicaid and CBHP beneficiaries whose SSN matched a death record from CDPHE and who had capitation payments paid on their behalf to providers after their date of death that had not been recovered as of the end of Fiscal Year 2020, totaling $222,630 for Medicaid and $194 for CBHP. We informed the Department of the issues we identified and provided them with the list of 846 beneficiaries. Department staff performed additional follow-up and confirmed that Colorado interChange had received verified death records for 747 of the 846 beneficiaries and a total of $170,747 in provider payments had been made on the beneficiaries? behalf after their dates of death during Fiscal Year 2020. These payments resulted in known questioned costs of $168,224, of which $88,150 was paid with Medicaid federal grant funds and $148 was paid with CBHP federal grant funds. For 12 out of the 747 beneficiaries, the date of death reported in Colorado interChange differed from the date of death provided by CDPHE. Part of the payments to these beneficiaries resulted in likely questioned costs of $2,524, of which $1,401 was paid with Medicaid federal grant funds. For the remaining 99 of the 846 beneficiaries, the Department reported that Colorado interChange did not have death information for these beneficiaries and had not researched these further. As a result, Medicaid payments for these 99 beneficiaries are reported as likely questioned costs of $52,076, of which $28,508 was paid with federal grant funds. The following table summarizes the issues we identified. See Schedule of Findings and Questioned Costs for chart/table. WHY DID THESE PROBLEMS OCCUR? Overall, the Department lacked sufficient internal controls to ensure that medical assistance payments were not paid to deceased individuals during Fiscal Year 2020, as follows: ? LACK OF WRITTEN POLICIES AND PROCEDURES. The Department does not have written policies and procedures to monitor payments to deceased beneficiaries, to recover overpayments, and to ensure compliance with federal and state regulations related to medical assistance payments after a beneficiary?s date of death. ? SYSTEM ISSUES. We identified the following Colorado interChange system issues that caused the errors we identified: ? According to the Department, when Colorado interChange was implemented in 2017, it was programmed to only recover capitation payments in the current month and previous 2 months for Medicaid beneficiaries, and in the current month and previous 5 months for CBHP beneficiaries, after death information is received. As a result, for instances in which the Department received and verified beneficiaries? death information more than 3 months after the date of death for Medicaid and more than 6 months after the date of death for CBHP, the Department was not automatically recovering all improper capitation payments in accordance with federal and state regulations. According to the Department, in November 2020, the Department updated Colorado interChange to correct this system issue to recover all capitation payments after a beneficiary?s date of death. ? The Department lacks an effective internal control process for detecting when Colorado interChange is not recovering payments made on behalf of deceased beneficiaries. Specifically, we identified issues related to Medicaid FFS payments and followed up with the Department. Upon further review, the Department discovered a system defect that occurred from October 23, 2019, through April 23, 2020, which prevented Colorado interChange from carrying out the daily automated check and recovery process for FFS payments made on behalf of deceased beneficiaries. Due to this system defect, Colorado interChange did not recover any payments for deceased beneficiaries during this time. Although the system defect was fixed in April 2020, the Department was not aware of the issue and that payments were not being recovered for deceased beneficiaries until the Department researched the beneficiaries identified through the audit. According to the Department staff, as of May 2021, the Department was still researching the deceased beneficiaries impacted by the system defect and recovering payments. WHY DO THESE PROBLEMS MATTER? Without strong internal controls over Medicaid and CBHP eligibility, the Department increases the risk of improper payments due to fraud or error. Furthermore, making payments on behalf of ineligible individuals, including individuals who are deceased, can result in the Department having to repay the federal government for the federal portion of the overpayments. Additionally, the federal government can disallow federal funds for program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-035 The Department of Health Care Policy and Financing should improve its internal controls over Medicaid and Children?s Basic Health Plan (CBHP) payments for deceased beneficiaries by: A Establishing and implementing written policies and procedures to monitor payments to deceased beneficiaries, recover any overpayments, and to ensure compliance with state and federal regulations. B Researching and resolving the Colorado interChange system (Colorado interChange) issues to ensure that all Medicaid and CBHP payments are stopped and recovered after a beneficiary?s date of death and developing a process to detect when Colorado interChange is not recovering payments on behalf of deceased beneficiaries. C Researching and recovering any overpayments made to providers on behalf of ineligible beneficiaries noted through the audit in accordance with state requirements. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will create written procedures documenting system and monitoring processes used to prevent claims from paying after a beneficiary?s date-of-death is verified. In addition, the procedures will document the processes used to recover payments made between a beneficiary?s verified date-of-death and the date the Colorado interChange system is updated with the date-of-death. B AGREE. IMPLEMENTATION DATE: JULY 2022. The system issues described in this audit were resolved as of April 2020 for fee-for-service claims and November 2020 for capitation payments. Once a beneficiary's date-of-death is verified, payments that were made after to the date-of-death will be recovered through the Department's existing processes. As noted in the Department?s response to Recommendation (A), the Department will create written procedures documenting system and monitoring processes used to prevent claims from paying after a beneficiary?s date-of-death is verified. In addition, the procedures will document the processes used to recover payments made between a beneficiary?s verified date-of-death and the date the Colorado interChange system is updated with the date-of-death. AUDITOR?S ADDENDUM As noted in the finding, the Colorado interChange system defect did not recover payments from October 23, 2019, through April 23, 2020. However, the Department was not aware of the system defect until it researched the beneficiaries identified through the audit. According to Department staff, as of May 2021, the Department was still researching the beneficiaries that were impacted by the system defect and recovering payments. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will recover any overpayments made to providers on behalf of deceased beneficiaries once a beneficiary's date-of-death is verified based on our current processes and existing system functionality. The Department does not agree to the questioned costs identified by the auditors. When performing a review of the auditor?s data, several beneficiaries were found not to be deceased by the Department. The records provided by the auditors, like all records received from Colorado Department of Public Health and Environment (CDPHE) and the Social Security Administration (SSA), will go through the Department?s existing verification process. The Department performs the required research and outreach to beneficiaries to verify the date-of-death prior to updating the information in the Colorado interChange. In addition, the Department is not required to recover payments by the end of the state fiscal year, and reports any payments recovered to the Centers for Medicare and Medicaid Service (CMS) based on federal requirements. The Department?s source of beneficiary data, the verification processes, and recovery processes have already been established to satisfy this recommendation within federal guidelines. AUDITOR?S ADDENDUM As noted in the finding, all known questioned were for deceased beneficiaries that were verified by the Department. All likely questioned costs were for beneficiaries that had yet to be researched and verified by the Department. According to Department staff, as of May 2021, the Department was still researching and recovering payments made on behalf of deceased beneficiaries.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-049 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-036 CHILDREN?S BASIC HEALTH PLAN ELIGIBILITY AND IMPROPER PAYMENTS The Department, local counties, and MA sites share responsibility for ensuring that only eligible beneficiaries receive public assistance benefits through CBHP. Individuals and families apply for CBHP eligibility at their local county departments of human/social services or at MA sites. The local counties and MA sites are responsible for administering the application process, entering the required data for eligibility determination into CBMS, and approving or denying applicants? eligibility. Once approved for eligibility, the beneficiary is required to pay a CBHP annual enrollment fee (enrollment fee) to the Department, based on the number of people in the family and the family?s income. Eligibility data in CBMS feeds into Colorado interChange, which issues payments to CBHP providers. For CBHP, the Department contracts with managed-care entities, which are groups or organizations of medical service providers that serve CBHP beneficiaries to provide capitation payments to CBHP providers. These capitation payments are paid regardless of whether the providers serve beneficiaries during the month or not. Colorado interChange is programmed to pay capitation payments only on behalf of beneficiaries that are deemed eligible in Colorado interChange based on eligibility information received from CBMS and requirements specified in federal and state regulations. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over the CBHP eligibility determination process, as well as the capitation payment process, to determine whether the Department complied with applicable federal and state requirements, and whether payments were only made on behalf of eligible beneficiaries during Fiscal Year 2020. CMS suspended rules and provided waivers related to CBHP eligibility requirements in response to the COVID-19 PHE; as a result, our testwork was split into two periods for testing: (1) July 1, 2019, through February 29, 2020, and (2) March 1, 2020, through June 30, 2020. We performed the following testwork: REVIEW OF CBHP ELIGIBILITY CASE FILES ? We reviewed the Department?s CBHP eligibility internal controls during Fiscal Year 2020. In addition, we tested a random sample of 25 beneficiaries who were deemed eligible for CBHP benefits and had capitation payments made on their behalf to a CBHP provider between July 1, 2019, and February 29, 2020, to determine whether those beneficiaries? eligibility determinations were appropriate. If beneficiaries were determined to be ineligible through our testwork, we performed further testing to determine whether the beneficiaries had additional payments made on their behalf from March 2020 through June 2020, and whether the individuals were eligible for those payments. Our testing included a review of the related supporting documentation, including the case files; CBMS data fields related to eligibility determination/redetermination; and CBHP payment information in Colorado interChange. We performed testing to determine whether the Department ensured that local county and MA site caseworkers obtained, verified, and maintained in the case files the required documents supporting eligibility determinations and annual redeterminations; correctly entered eligibility data into CBMS; and properly assessed and collected enrollment fees. ? Additionally, we reviewed the Department?s progress in implementing our Fiscal Year 2019 audit recommendation related to CBHP eligibility. During that audit, we recommended that the Department strengthen its internal controls over CBHP eligibility determinations by providing adequate training to caseworkers, monitoring local counties and MA sites, and researching and resolving CBMS system issues identified in our Fiscal Year 2019 audit. We also recommended that the Department ensure it disallows benefits if a beneficiary becomes ineligible and if the enrollment fee is not paid prior to enrollment in the program. DATA ANALYSES OF CBHP BENEFICIARIES ? INELIGIBLE CBHP BENEFICIARIES. During our audit, we obtained eligibility data for all individuals who were deemed by the Department, a local county, or an MA site to be eligible for CBHP benefits in Colorado interChange at any point during the period of July 1, 2019, through February 29, 2020. We also obtained data for all CBHP capitation payments made through Colorado interChange by the Department from July 1, 2019, through February 29, 2020. This data included a total of $124.7 million in capitation payments made on behalf of 117,222 beneficiaries. We compared the eligibility data to the capitation payment data to identify any instances in which the Department made capitation payments to providers on behalf of beneficiaries who did not appear to be eligible for CBHP benefits. ? CBHP BENEFICIARIES 19 YEARS OR OLDER. Federal and state regulations require an individual to be less than 19 years of age to be eligible for CBHP benefits. To determine the Department?s compliance with these regulations, we further analyzed the list of all CBHP capitation payments made through Colorado interChange by the Department from July 1, 2019, through February 29, 2020. Specifically, we reviewed the beneficiaries? dates of birth in Colorado interChange to identify any capitation payments made on behalf of beneficiaries who appeared to be 19 years or older when the payments were made and, therefore, would not have been eligible for CBHP benefits. CBHP ELIGIBILITY MONITORING AND REVIEW We also inquired about the Department?s monitoring procedures over local counties and MA sites that were designed to ensure that eligibility determinations were made in accordance with federal and state regulations. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal and state regulations for CBHP eligibility and made payments on behalf of ineligible beneficiaries during the fiscal year. The specific issues we identified through our analyses of CBHP eligibility data and case file reviews are outlined in more detail throughout this section. ELIGIBILITY CASE FILE ISSUES In 16 of 25 case files tested (64 percent), we identified at least one error. These errors resulted in a total of 12 ineligible beneficiaries during all or part of Fiscal Year 2020, and total known questioned costs of $10,913, of which $8,449 was paid with federal grant funds; and total likely questioned costs of $3,805, of which $3,076 was paid with federal grant funds. A questioned cost, as defined in Uniform Guidance [45 CFR 75.2], is ?a cost that is questioned by the auditor ? (1) Which resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds; [or] (2) Where the costs, at the time of the audit, are not supported by adequate documentation.?? Federal regulation [45 CFR 75.516] further defines known questioned costs as questioned costs that are specifically identified by the auditor and likely questioned costs as the auditor?s best estimate of total questioned costs. During the COVID-19 PHE, CMS issued waivers that limited the Department?s ability to deny eligibility for enrolled beneficiaries. The Department also sought guidance from CMS on the treatment of beneficiaries who were ineligible prior to the COVID-19 PHE and receiving benefits during this period. Although CMS guidance indicated that the Department should keep these beneficiaries enrolled until the end of the COVID-19 PHE, we are reporting the costs incurred for the 12 ineligible beneficiaries in our sample during the period of the COVID-19 PHE of March 1, 2020, through June 30, 2020, as likely questioned costs since the beneficiaries were inappropriately deemed eligible prior to the COVID-19 PHE and should not have been enrolled in CBHP. The following table outlines the types of issues we found. See Schedule of Findings and Questioned Costs for chart/table. The specific issues we identified and the breakdown of identified questioned costs are as follows: ? CBHP ANNUAL ENROLLMENT FEE NOT PAID. In 10 cases, the Department either did not assess the required enrollment fee or the fee was assessed but was never collected. Specifically: ? In seven cases, the Department did not assess an enrollment fee. ? In the remaining three cases, the Department assessed the enrollment fees but did not collect the required fees from the beneficiaries. Benefits were inappropriately paid on behalf of these 10 beneficiaries for all or part of Fiscal Year 2020. As a result, the Department was not in compliance with state regulations. These issues resulted in known questioned costs of $6,684 and likely questioned costs of $2,260. State regulations [10 CCR 2505-3, 310.1-310.2] require the Department to collect an annual enrollment fee from the beneficiary prior to enrollment in the CBHP. The actual fee is determined based on the number of eligible children within the family. Benefits should be denied if the annual enrollment fee is not paid prior to enrollment in the program. ? LACK OF INCOME VERIFICATION. In three cases, the caseworkers failed to verify income reported by the beneficiary as required by state regulations. In all three cases, the beneficiary reported income; however, the caseworker did not verify the reported income through an electronic data source, wage stubs, tax documents, or through the employer. These errors resulted in known questioned costs of $2,854 and likely questioned costs of $1,546. State regulations [10 CCR 2505-10, 8.100.4.B.1.c and 8.100.4.B.1.d] require the Department to verify income reported by a beneficiary through an electronic data source, wage stubs, tax documents, or verification with the employer. ? INCOME ISSUES. In one case, the beneficiary?s income information received by the local county or MA site was more than the income limit set within the state regulation; however, the beneficiary was deemed eligible in CBMS and Colorado interChange paid capitation payments on behalf of the beneficiary. As a result, the beneficiary incorrectly received CBHP benefits during the fiscal year. These errors resulted in known questioned costs of $1,375. In another case, the caseworker incorrectly calculated self-employment income for the beneficiary, resulting in lower income. No questioned costs were identified in this instance because the beneficiary?s actual income was still within guidelines. In order to be eligible for CBHP, state regulation [10 CCR 2505-3, 110.1.D] requires an individual to have a household income greater than 133 percent of, but not exceeding, 250 percent of the federal poverty level. ? MISSING CASE DOCUMENTATION. In five cases, the Department was unable to provide documentation necessary to support the CBHP eligibility determination, including documentation to support income, such as wage stubs; and documentation to support identity and citizenship, such as birth certificates; as required by federal regulations, as follows: ? In three cases, the Department could not provide supporting documentation used by the caseworker in CBMS to verify income at the time of eligibility determination. Specifically, in all three cases, the Department was unable to provide copies of the beneficiary?s wage stubs that were noted as the source document in CBMS. However, the Department subsequently provided a hand-written statement from the employer and electronic income information from another data source interfaced with CBMS that indicated income was under the federal income threshold, resulting in no questioned costs. ? In two different cases, to determine beneficiaries? eligibility, a birth certificate was identified as the source used to verify identity and/or citizenship within CBMS; however, the Department was unable to provide these birth certificates to support their identity and/or citizenship for eligibility determinations. In both cases, there was other corroborating documentation in the case file that indicated the beneficiaries were eligible; however, the Department did not appropriately maintain the support used to determine the beneficiaries? eligibility as required by federal regulation. These errors did not result in questioned costs. According to federal regulation [42 CFR 457.965], ?The State must include in each applicant?s record facts to support the State?s determination of the applicant?s eligibility for [Children?s Health Insurance Program].? State regulations [10 CCR 2505-3, 110.1.A, 110.1.B, and 110.1.C] require the Department to ensure a beneficiary is either less than 19 years of age or a pregnant woman and a citizen of the United States or an individual who is legally allowed to be in the country. ELIGIBILITY ISSUES IDENTIFIED THROUGH DATA ANALYSES We identified 53 ineligible beneficiaries through our data analyses of CBHP eligibility and capitation payment data from Colorado interChange for July 1, 2019, through February 29, 2020. The related overpayments resulted in known questioned costs of $158,413 for Fiscal Year 2020, of which $123,251 were paid with federal grant funds. The specific issues we found are discussed in more detail as follows. CBHP BENEFICIARIES NOT ON THE ELIGIBILITY LIST. We identified 39 beneficiaries who were not listed as eligible beneficiaries in the CBHP eligibility data that we received from the Department. However, these beneficiaries had CBHP capitation payments paid on their behalf through Colorado interChange during Fiscal Year 2020. We informed the Department of the issues we identified and provided the list of all 39 identified beneficiaries. Department staff performed their review and confirmed that 38 of the 39 beneficiaries were not eligible in CBMS at some point during Fiscal Year 2020, but showed as eligible in Colorado interChange during that timeframe. For the remaining beneficiary, CBMS and Colorado interChange noted the beneficiary as eligible when payments occurred in July 2019; however, the Department?s review later determined that the beneficiary was ineligible during July 2019 after the payments had already been made through Colorado interChange. As a result, all payments made during July 1, 2019, through February 29, 2020, for these 39 ineligible CBHP beneficiaries were improper payments as defined by federal regulations and, therefore, should be recovered in accordance with state and federal regulations. These payments resulted in known questioned costs of $76,924, of which $59,423 were paid with federal grant funds; and likely questioned costs of $14,345 for March 1, 2020, through June 30, 2020, of which $11,596 were paid with federal grant funds. According to federal regulation [42 CFR 431.958], any payment to an ineligible beneficiary is considered an improper payment, which is any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments). Eligibility errors include ineligible individuals that were authorized as eligible when they received services [42 CFR 431.960 (d)(2)(i)]. Section 25.5-4-301(2), C.R.S., states that any overpayments of claims to providers are recoverable. These overpayments ?are recoverable regardless of whether the overpayment is the result of an error by the state department, a county department of human or social services, an entity acting on behalf of either department, or by the provider or any agent of the provider....? Pursuant to 1903(d)(2)(C) of the Social Security Act [42 U.S.S. 1396b], states have up to 1 year from the date of discovery of the overpayment to recover or attempt to recover the overpayment before the federal share must be refunded to the Centers for Medicare and Medicaid Services (CMS) regardless of whether recover is made from the provider. CBHP BENEFICIARIES 19 YEARS OR OLDER. We identified $853,422 in capitation payments made on behalf of 168 beneficiaries who appeared to be 19 years or older at the time of the CBHP capitation payments and, therefore, would not have been eligible for CBHP benefits. These beneficiaries were identified based on their dates of birth and the dates of capitation payments made on their behalf in Colorado interChange. We selected a random sample of 17 of the 168 beneficiaries to test whether or not the beneficiaries were ineligible to receive CBHP benefits based on their age. Using information contained in both Colorado interChange and CBMS, we confirmed that 14 of the 17 tested (82 percent) were 19 years or older when they had capitation payments paid on their behalf and, thus, were ineligible for these payments made through Colorado interChange. For example, we noted that based on the information in CBMS, 10 of the beneficiaries had not been eligible for CBHP benefits since 2017 even though Colorado interChange showed the beneficiaries as eligible. One of these beneficiaries had passed away in 2017, but had payments made on their behalf through September 2019. The remaining three of the 17 beneficiaries we tested were under the age of 19 at the time of the payments, but had an incorrect date of birth in Colorado interChange and/or CBMS. In total, for the 14 beneficiaries, we identified known questioned costs of $81,489 for Fiscal Year 2020, of which $63,828 were paid with federal grant funds. Additionally, for the remaining 151 beneficiaries with an age of 19 years or older based on their date of birth in Colorado interChange, we identified likely questioned costs of $775,470 for payments made on their behalf after they turned 19, of which $611,762 were paid with federal funds for Fiscal Year 2020. Federal regulation [42 CFR 457.320] defines children as up to, but not including, the age of 19. In addition, state regulation [10 CCR 2505-3, 101.1.A.1] states that an individual must be less than 19 years of age to be eligible for CBHP. The CBHP state plan amendment [CO-20-0031] approved by CMS, waives the requirement during the COVID-19 PHE, except for circumstances described in 42 CFR 435.926(d)(1) that states, the Department has to terminate a child?s eligibility during a continuous eligibility period once the child attains the maximum age of 19 years. Department policy further clarifies that beneficiaries enrolled in CBHP must meet age requirements [HCPF PM 20-004]. The following table summarizes the eligibility issues we identified through our data analyses. See Schedule of FIndings and Questioned Costs for chart/table. ELIGIBILITY MONITORING ISSUES CBHP ELIGIBILITY QUALITY REVIEW REPORT. In addition, we identified problems with the Department?s monitoring of local counties and MA sites over CBHP eligibility determinations. Based on our inquiry, we found that the Department did not obtain any quarterly quality review reports from local counties and MA sites during Fiscal Year 2020, or monitor the local counties and MA sites through an alternative process. As a result, the Department did not monitor local counties and MA sites in accordance with federal regulations and Department procedures. Department procedures require local counties and MA sites to compile and submit the results of their own quality reviews of CBHP eligibility case files to the Department on a quarterly basis. In addition, local counties and MA sites that do not submit their quality review reports on a timely basis are subject to corrective action. According to federal regulation [45 CFR 75.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with Green Book, Paragraph 16.01, which states that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. WHY DID THESE PROBLEMS OCCUR? Overall, the Department lacked sufficient internal controls to ensure that it complied with state and federal CBHP eligibility requirements and to ensure that CBHP capitation payments were appropriately paid only on behalf of eligible beneficiaries during Fiscal Year 2020. Specifically, we noted the following causes for the errors we identified: CBHP ANNUAL ENROLLMENT FEE. CBMS was not programmed to calculate and assess the correct enrollment fee or disallow benefits if the enrollment fee was not paid prior to enrollment in the program. In addition, CBMS was not programmed to calculate and assess an enrollment fee when a beneficiary moves between programs, such as from other federal programs to CBHP. According to the Department, CBMS is programmed to only calculate and assess an enrollment fee at a beneficiary?s annual redetermination and does not assess a fee when beneficiaries move to CBHP in between annual redeterminations, as required by state regulations. CASEWORKER ERROR. Caseworkers did not ensure that they maintained the required documentation to support CBHP eligibility, such as citizenship and identity status; or obtained and verified beneficiary income. MONITORING AND REVIEWS. The Department reported that it discontinued its process of obtaining quarterly CBHP monitoring reports from local counties and MA sites during Fiscal Year 2020 because the process is not effective and it is creating a new oversight monitoring process; however, the Department did not implement an interim monitoring process to ensure compliance with federal regulations. SYSTEM INTERFACE ISSUES AND LACK OF RECONCILIATION PROCESS. CBMS failed to interface with Colorado interChange appropriately during Fiscal Year 2020 to update beneficiaries? eligibility information. As a result, some beneficiaries who were deemed ineligible for CBHP in CBMS were listed as eligible in Colorado interChange and capitation payments were made on their behalf during the fiscal year. Furthermore, the Department lacked an effective internal control process for reconciling CBHP beneficiaries? eligibility information in CBMS to the eligibility information in Colorado interChange to ensure the information is consistent in both systems and the beneficiary is appropriately deemed either eligible or ineligible in accordance with federal and state regulations. The Department indicated that it developed a manual reconciliation process in October 2019 to correct the eligibility status of these beneficiaries from eligible to ineligible in Colorado interChange to stop any further payments. This manual reconciliation process, however, did not identify and stop all the overpayments to providers on behalf of ineligible beneficiaries noted in this audit. Additionally, the Department did not recover these overpayments as required by federal and state regulations. WHY DO THESE PROBLEMS MATTER? Inaccurate processing of case file information to determine eligibility can result in the local counties and MA sites granting CBHP benefits to ineligible individuals. Without maintaining the required documentation to support eligibility, the local counties, MA sites, and ultimately the State cannot substantiate that eligibility determinations and redeterminations for CBHP are accurate, which can result in benefits being paid on behalf of ineligible individuals. Making payments to ineligible individuals can result in the Department having to repay the federal government for the federal portion of the overpayments. Additionally, the federal government can disallow federal funds for program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. Because CBMS determines eligibility and Colorado interChange makes payments on behalf of other federal programs, system issues with CBMS and Colorado interChange could result in erroneous payments for other programs.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-050 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-037 RECOVERING AND REFUNDING OF FEDERAL SHARE OF MEDICAID AND CBHP PROVIDERS? OVERPAYMENTS The Department pays providers for services rendered to eligible beneficiaries of Medicaid and CBHP programs. In some cases, the Department may discover that it paid a provider for unallowed services, or that it paid more than the allowable amount, and will need to seek a recovery for the overpayment. In such cases, the Department is required to repay CMS for the portion of the overpayment that was funded by the federal government (federal share) within 1 year of the date the overpayment was identified. The Department?s Program Integrity (PI) Division identifies, receives, and tracks overpayments made to Medicaid and CBHP providers. An overpayment is identified once the PI Division sends a Demand Letter (date of discovery) to the provider or receives a self-disclosure identifying the amount of overpayment. The provider has a deadline of 30 days after receiving a Demand Letter or 60 days after submitting a self-disclosure to submit the overpayment or make arrangements for a payment plan with the PI Division. The PI Division uses a recovery tracking spreadsheet (Spreadsheet) to compile all necessary information for the recovery and refund of overpayments. The Spreadsheet is designed to contain information such as the amount of the overpayment, date of discovery, and deadlines for refunding to CMS. The federal share of overpayments that must be refunded to CMS depends upon the Federal Medical Assistance Percentage (FMAP) at which the Department was reimbursed. Once the PI Division recovers an overpayment from the provider, it determines the FMAP and includes it in a recovery form called the Colorado Authorization Document; PI Division staff then send it to the Controller?s Division for recording the recovery and refund information in the Colorado Operations Resource Engine (CORE), the State?s accounting system. The Department?s Controller?s Division uses summary data from CORE to report financial information for Medicaid and CBHP?including all overpayments and the associated federal share?to CMS in quarterly reports: Form CMS-64 for Medicaid and Form CMS-21 for CBHP. The Department has up to 1 year from the date of discovery of an overpayment to report the refund to CMS in one of these forms, as appropriate. The PI Division works with the Controller?s Division to ensure the timely reporting and refunding of the federal share of overpayments to CMS. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to review the Department?s internal controls over processes for recovering, reporting, and refunding the federal share of Medicaid and CBHP overpayments, as well as to determine whether the Department complied with applicable federal requirements and Department policies and procedures during Fiscal Year 2020. During our audit, we reviewed the Department?s Spreadsheet detailing all overpayment cases that appeared to be due for a refund of federal share to CMS during Fiscal Year 2020. The Spreadsheet included 50 Medicaid and seven CBHP overpayment cases, and from these, we selected and tested a sample of 13 Medicaid and five CBHP overpayments. We requested and reviewed supporting documentation for these overpayments to determine whether (1) the information recorded in the Spreadsheet was accurate, (2) the overpayment was recovered in a timely manner or recovery was attempted within 1 year from the date of discovery, and (3) the federal share was appropriately refunded through quarterly reports to CMS in accordance with federal regulations. Additionally, we requested the Department?s policies and procedures to ensure compliance with federal regulations governing the recovery, reporting, and refunding of Medicaid and CBHP overpayments to CMS. The process followed for recovery, reporting, and refunding the federal share of overpayments to providers is the same for both Medicaid and CBHP, and our testing was used to determine compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal regulations for recovering, reporting, and refunding the federal share of Medicaid and CBHP overpayments to providers during Fiscal Year 2020. We noted issues with the untimely recovery and refund of overpayments to CMS, inaccurate federal reporting to CMS, and untimely follow-up with the provider on outstanding overpayments and expired checks. Specifically, we identified the following: ? UNTIMELY RECOVERY AND REFUND. For six of the 13 Medicaid (46 percent) and two of five CBHP (40 percent) overpayments tested, the Department failed to recover, or seek to recover, the overpayments from the provider and failed to refund to CMS, the federal share, within 1 year of the date of discovery, as required by federal regulations. For example, an overpayment was identified on September 13, 2018, but the Department did not recover, or seek to recover, the overpayment until September 15, 2020, and did not refund the federal share to CMS until federal quarter ending September 30, 2020, which is 367 days past the 1 year recovery and refund period in accordance with the federal requirement. In addition, for one of the 13 Medicaid (8 percent) and one of five CBHP (20 percent) overpayments tested, the Department failed to refund the federal share of overpayment to CMS within 1 year of the date of discovery. As a result of untimely follow-up with the providers, the Department did not recover the overpayments amounting to $23,646 in known questioned costs; and did not refund $12,176 within the 1 year period of discovery. These errors resulted in underreporting of overpayments to CMS for Fiscal Year 2020. Additionally, the Department could be liable to CMS for the interest payments on these untimely refunds of overpayments. As of the end of our audit, the Department had not provided an estimated amount of interest that will be due to CMS so we were unable to report an estimated questioned costs amount for the interest. According to federal regulation [42 CFR 433.312(a)(1) and (2)], the Department has 1 year from the date of discovery of an overpayment to a provider to recover or seek to recover the overpayment before the Federal share must be refunded to CMS. In addition, the Department must refund the Federal share of overpayments at the end of the 1-year period following the date discovery of overpayment, whether or not the State has recovered the overpayment from the provider. According to federal regulation [42 CFR 433.320(a)(4)], if the Department does not refund the Federal share of such overpayment as indicated in the previous paragraph (a)(2), the State will be liable for interest on the amount equal to the Federal share of the non-recovered, non-refunded overpayment amount. Interest during this period will be at the Current Value of Funds Rate, and will accrue beginning on the day after the end of the 1-year period following discovery until the last day of the quarter for which the State submits a CMS-64 report refunding the Federal share of the overpayment. ? INACCURATE FEDERAL REPORTING. For all 13 Medicaid (100 percent) and all five CBHP (100 percent) overpayments we tested, the Controller?s Division reported the federal share of the overpayments made to providers on the wrong line of the CMS quarterly reports rather than on the line specified and required by Uniform Guidance. Uniform Guidance states that the Department must report the refund of the overpayment on CMS-64 for Medicaid on line 9C1- Fraud, Waste and Abuse and/or on CMS-21 for CBHP on line 4-Adjustments Decreasing Claims-Collections. ? EXPIRED CHECK AND UNTIMELY FOLLOW-UP. For one of the 13 Medicaid overpayments tested (8 percent), the PI Division failed to timely process the overpayment recovery check received from the provider. Consequently, the check, which was received on September 5, 2019, expired and the Department did not take any actions to follow up with the provider at any time through the end of the fiscal year to obtain payment. After we brought this issue to the Department?s attention, they followed up on the outstanding payment in January 2021, which is more than 16 months since the check expired. According to the Department?s Policies and Procedures, Recovery Officer Check Processing, Section (V)(A), the PI Division within Audits and Compliance has to process the received check in a timely manner and provide a copy to the accounting or Controller Division. ? INCOMPLETE TRACKING SPREADSHEET. We found that the overpayment recovery and refund tracking Spreadsheet used by the PI Division was incomplete and missing important information such as the date of the discovery, the federal program reimbursement rate, and deadlines for refunding to CMS. Green Book, Section 4, Paragraph OV4.08, states that documentation is required for the effective design, implementation, and operating effectiveness of an entity?s internal control system. WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls, including policies and procedures, in place over the recovery, reporting, and refunding of Medicaid and CBHP overpayments during Fiscal Year 2020 to ensure compliance with federal regulations. Specifically, we noted the following causes for the identified errors: ? LACK OF TRAINING. The staff within the PI Division and the Controller?s Division lacked adequate training to document, communicate, and report details of overpayments to ensure compliance with federal regulations. Specifically, the Department?s PI Division did not timely create and provide the Colorado Authorization Document form to the Controller?s Division and the Controller?s Division did not report the refund of the overpayments within 1 year of the date of discovery to ensure compliance with federal regulations. Additionally, staff lacked training to properly track and report overpayments for Medicaid and CBHP; timely process recovery and refund of overpayments, processing checks timely, and correctly report overpayments on CMS quarterly reports. ? LACK OF POLICIES AND PROCEDURES. The Department lacked written policies and procedures to ensure that all necessary information such as the date of the discovery, the federal program reimbursement rate, and deadlines for refunding to CMS required to track, recover, report, and refund overpayments were documented within the Spreadsheet. ? LACK OF ACCOUNT CODES. According to the Controller Division staff, the correct accounting codes are not set up in CORE; therefore, the recovered overpayments are currently recorded under incorrect accounting codes in CORE. This led to the reporting of overpayments on the incorrect federal reporting lines in CMS quarterly reports. ? LACK OF SUPERVISORY REVIEW. The PI Division and Controller?s Division lacked supervisory review over the Spreadsheet and CORE account codes used on the recoveries to ensure completeness and accuracy of information to support timely recovery, refund, and reporting of overpayments. WHY DO THESE PROBLEMS MATTER? Strong internal controls over refunding and recovery of Medicaid and CBHP overpayments, including written policies and procedures; adequate staff training on those policies and procedures, and any related processes; a proper tracking mechanism; and a supervisory review process are necessary to ensure that Department is in compliance with federal and state regulations. Without a proper tracking mechanism for overpayments, the Department risks failing to timely recover state funds paid improperly, refund overpayments, and accurately report overpayment information to the federal government, potentially resulting in additional liability of interest on overpayments to the federal government. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-037 The Department of Health Care Policy and Financing (Department) should improve its internal controls over Medicaid and Children?s Basic Health Plan (CBHP) overpayments and comply with the related payment and reporting requirements by: A Providing adequate training to staff to ensure timely documentation and communication of recovery information between the Program Integrity Division and the Controller Division related to reporting and refunding of overpayments within 1 year of the date of discovery in accordance with federal regulation. Additionally, the training should focus on proper tracking and reporting of overpayments for Medicaid and CBHP, timely processing of recovery of overpayments, timely check processing, and correct refunding of the federal share of these overpayments on Centers for Medicare and Medicaid Services (CMS) quarterly reports. B Developing and implementing written policies and procedures to ensure that all necessary information required to correctly track Medicaid and CBHP overpayments is included on the tracking spreadsheet and recovered overpayments are refunded and reported to CMS within the 1 year of the discovery date, in accordance with federal regulations. C Creating overpayment account codes to report recovered overpayments accurately in the Colorado Operations Resource Engine (CORE) and subsequently under the correct federal reporting lines in CMS quarterly reports. D Implementing a supervisory review over the tracking spreadsheet and CORE overpayment recovery account codes to ensure completeness and accuracy of information to support timely recovery and reporting of overpayments by the divisions. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will develop and provide training to staff that covers the federal regulations surrounding reporting overpayments and returning the federal share, required information for tracking overpayments, processes for processing recovered funds in a timely manner, and processes for properly refunding the federal share on the CMS-64 and/or CMS-21. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will draft and revise existing policies and procedures to ensure proper tracking of recovered overpayments, timely processing of those payments, and correct reporting on the CMS-64 and/or CMS-21. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will implement procedures and coding sufficient to allow proper reporting of overpayments returned greater than one year from the date of discovery for the CMS quarterly reports. D AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will develop and revise supervisory review processes for ensuring that the tracking spreadsheet is complete and accurate and that the CORE account codes are correctly reported.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2020-051 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-038 PRESUMPTIVE ELIGIBILITY Colorado?s presumptive eligibility program is designed to give immediate, temporary medical coverage to children under 19 and pregnant women while they wait for a regular Medicaid or CBHP eligibility determination. Though there are fewer eligibility requirements for presumptive eligibility in comparison with regular Medicaid or CBHP coverage, beneficiaries must submit a Medical Assistance application (Application) and meet certain criteria to be eligible. To manage the application process and help ensure that only people meeting the basic eligibility criteria are enrolled in presumptive eligibility programs for children and pregnant women, the Department partners with clinics, health care centers, and community resource centers that are certified as presumptive eligibility sites (PE sites). Such PE sites must be re-certified by the Department every 2 years to maintain their active status as qualified PE sites in order to process presumptive eligibility. As part of the re-certification process, the Department conducts a sample of eligibility case reviews. During Fiscal Year 2020, there were 57 PE sites that together determined presumptive eligibility for 1,795 Medicaid cases and 875 CBHP cases. The process of enrolling an applicant into a presumptive eligibility program begins when a caseworker at a PE site collects minimum information needed to determine presumptive eligibility, including the applicant?s name, age, residency, citizenship, and income. The caseworker enters this information into CBMS, which determines whether the applicant is eligible to receive Medicaid or CBHP temporary benefits. If the applicant is deemed presumptively eligible, then CBMS feeds relevant data to Colorado interChange, which issues payments to CBHP and Medicaid providers on behalf of these beneficiaries. If the applicant?s reported information is not in compliance with state and federal requirements, CBMS is programmed to deny the eligibility and mark the applicant?s eligibility as fail within CBMS. As a result, the applicant would not be eligible to receive any payments on their behalf through Colorado interChange. Once an applicant?s presumptive eligibility has been determined, the PE site submits the Application along with a transmittal form detailing the beneficiary?s reported information to the appropriate local county or designated MA site, which then completes the application process to determine regular (i.e., not presumptive) eligibility for Medicaid or CBHP benefits. Once the applicant is enrolled in the regular Medicaid or CBHP program, the individual?s presumptive eligibility benefits should end. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to review the Department?s internal controls over the processing of presumptive eligibility for Medicaid and CBHP programs, as well as to determine whether the Department complied with the applicable federal and state requirements for Fiscal Year 2020. During our internal controls testing, we reviewed all 57 PE sites to determine whether they were due for re-certification and were appropriately re-certified to process presumptive eligibility by the Department during the fiscal year. Out of 57 PE sites, 39 were due for re-certification during Fiscal Year 2020. We also reviewed the Department?s case reviews of the presumptive eligibility determinations processed by 13 staff at five out of the 39 PE sites due for re-certification during Fiscal Year 2020 to determine whether reviews were performed and if the appropriate training was provided for those PE sites? staff that failed the Department?s review. The PE site?s staff fails the Department?s case reviews if the Department identifies a high amount of presumptive eligibility determination errors in accordance with federal and state requirements. If the PE site?s staff fails the review, the Department requires the staff to undergo customized Department training over the areas they failed within 6 months of the review. We also made inquiries with Department staff regarding their policies and procedures over monitoring of these PE sites and reviewed the Department?s process of case file reviews. In addition, we randomly selected a sample of 20 Medicaid and 20 CBHP cases for individuals who were deemed presumptively eligible by the Department during Fiscal Year 2020 to determine whether the Department complied with federal Medicaid and CBHP presumptive eligibility requirements. Our testing included reviewing the related supporting case file documentation, as well as the CBMS data fields related to presumptive eligibility determinations and payment information in Colorado interChange. The process followed for presumptive eligibility determination is the same for both Medicaid and CBHP, and therefore our testing was used to determine compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal and state regulations regarding Medicaid and CBHP presumptive eligibility requirements during Fiscal Year 2020. We noted issues regarding the Department?s timeliness of PE sites? re-certifications, failure to timely end beneficiaries? presumptive eligibility, a lack of review of PE sites, and missing documentation. Additionally, we found CBMS system issues related to the determination of applicant?s presumptive eligibility. Specifically, we identified the following: ? UNTIMELY END OF PRESUMPTIVE ELIGIBILITY. In eight out of 20 Medicaid (40 percent) and seven out of 20 CBHP (35 percent) cases, we found that the Department did not properly end presumptive eligibility within CBMS as required by the federal regulation. For example, in one CBHP case, the beneficiary?s presumptive eligibility did not end until 57 days after the beneficiary was determined to be eligible for regular CBHP benefits. Federal regulation [42 CFR 435.1101)] states that presumptive eligibility should end the day on which a decision is made on the application for Medical Assistance or the last day of the month following the month in which the determination of presumptive eligibility was made. ? LAPSED CERTIFICATIONS OF PE SITES. We found that five of the 57 PE sites (9 percent) were not re-certified within 2 years, as required, during Fiscal Year 2020, and therefore, were not qualified to make presumptive eligibility determinations after their re-certification due date had passed. Based on inquiry with the Department, these five PE sites processed a total of 314 presumptive eligibility determinations for Medicaid and CBHP after their re-certification due date during Fiscal Year 2020. The Department was unable to provide the total payments made on behalf of these beneficiaries during the presumptive eligibility period as of June 30, 2020, since these payments are not separately identified from regular Medicaid or CBHP payments in the system. As a result, we were unable to determine the amount of questioned costs the Department paid for these individuals during Fiscal Year 2020. State regulation [10 CCR 2505-10, 8.100.4.F (3)] requires the Department to re-certify the PE sites every 2 years to remain an approved site. ? LACK OF REVIEW OF PE SITES. We found several issues with the Department?s review of PE sites. Specifically we found the following: ? For 13 out of the 39 PE sites due for re-certification and a review (33 percent), the Department did not perform any case reviews to ensure that presumptive eligibility determinations were being made appropriately and in accordance with state and federal regulations by the PE site staff during Fiscal Year 2020. ? 11 of 13 staff at three PE sites (85 percent) failed the Department?s review of presumptive eligibility determinations during the fiscal year. However, the Department was unable to provide adequate evidence that it provided training to these staff within 6 months of their failed reviews, as required by Department processes. ? Currently, for all 57 PE sites, the Department conducts reviews every 2 years, but only requires them to retain eligibility documentation for 1 year. As a result, the Department is able to monitor PE site?s eligibility determinations for only half of the period since the last review, leaving the other half unmonitored. Federal regulation (42 CFR 435.1102(b)(3)) requires the Department to ?establish oversight mechanisms to ensure that presumptive eligibility determinations are being made consistent with the statute and regulations?. According to the Department processes, staff are to review a sample of presumptive eligibility cases at PE site every 2 years when reviewing sites for re-certification. If a PE site?s staff fails a review, the Department requires the staff to undergo customized Department training within 6 months over the areas they failed. Green Book, Section 2, Paragraph OV2.02, states that the Green Book applies to all of an entity?s objectives: operations, reporting, and compliance. Additionally, Green Book, Paragraph 16.01, indicates that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports and observing operations. ? MISSING DOCUMENTATION. In five of the 20 CBHP cases (25 percent) and five of the 20 Medicaid cases (25 percent) we tested, the Department was unable to provide evidence that the PE sites notified the counties or MA sites within five business days that the applicants were presumptively eligible. Federal regulation [42 CFR 435.1102(b)(2)(iii)] states that the presumptive eligibility sites are required to notify the local county or MA site within 5 business days that the client is presumptively eligible. ? SYSTEM DISPLAY ISSUE. In two of 20 CBHP cases (10 percent) and two of 20 Medicaid cases (10 percent), CBMS did not display the presumptive eligibility termination dates consistently between various screens. For example, in a Medicaid case, one screen showed a presumptive eligibility termination date of January 22, 2020, and the other screen showed a presumptive eligibility termination date of February 29, 2020. This system display issue did not affect the beneficiaries? presumptive eligibility and therefore there were no questioned costs. CBMS is designed to display case and applicant information consistently between various screens within the system. WHY DID THESE PROBLEMS OCCUR? The Department lacked sufficient internal controls to ensure that it complied with state and federal presumptive eligibility requirements during Fiscal Year 2020. Specifically, we noted the following causes for the errors we identified: ? LACK OF POLICIES AND PROCEDURES. The Department did not have written policies and procedures detailing the requirements for completion of site reviews, maintenance of supporting documentation, and the performance of timely re-certification of PE sites. ? LACK OF MONITORING. The Department lacked an effective tracking mechanism to monitor and identify PE sites that were due for re-certification every 2 years and to ensure presumptive eligibility determinations were in compliance with state and federal regulations. ? CBMS SYSTEM ISSUES. CBMS was not programmed to appropriately terminate presumptive eligibility when the beneficiary is enrolled in the regular Medicaid or CBHP program. In addition, CBMS has a system display issue that results in inconsistent applicant information being shown on various screens. WHY DO THESE PROBLEMS MATTER? As the State?s Medical Assistance agency, it is essential for the Department to ensure that PE sites? eligibility determinations are made appropriately and in accordance with state and federal regulations. This includes ensuring benefits are paid only on behalf of eligible beneficiaries. Since CBMS determines eligibility for Medicaid and CBHP, the CBMS system issues we identified could result in erroneous eligibility determinations. The federal government can disallow federal funds for program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. By not ensuring that appropriate internal controls, including system controls, written policies and procedures, adequate reviews, and monitoring, are in place over the Medicaid and CBHP presumptive eligibility process, the Department cannot ensure that all Medicaid and CBHP beneficiaries are eligible to participate in the programs. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-038 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls over presumptive eligibility by: A Developing and implementing written policies and procedures detailing the requirements for completion of site reviews, maintenance of supporting documentation, timely training for failed presumptive eligibility (PE) site staff, and performance of timely re-certification of PE sites. B Developing an effective tracking mechanism to identify and monitor PE sites that are due for re-certification every 2 years and ensuring the re-certifications are performed. C Resolving Colorado Benefits Management Systems (CBMS) programming and system issues to appropriately terminate applicants? presumptive eligibility when the beneficiaries are enrolled in regular Medicaid or Children?s Basic Health Plan program and ensuring CBMS displays consistent applicant information between various screens. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department agrees with the audit recommendation to develop and implement formal written policies and procedures. Prior to this audit, the Department began creating formal written policies and procedures for site case reviews, maintenance of supporting documentation, timely training for failed workers, and performance of timely re-certification of presumptive eligibility sites (PE site). This finding had no known questionable cost associated with it. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Department agrees with the audit recommendation to develop an effective tracking mechanism to identify and monitor PE sites that are due for re-certification every two years and ensuring that the re-certifications are performed. Prior to this audit, the Department began developing a tracking mechanism for PE site re-certifications. This finding had no known questionable cost associated with it. C AGREE. IMPLEMENTATION DATE: IMPLEMENTED. Implemented as of April 2021. The Department has thoroughly researched the eligibility issues identified in this audit and made the changes to CBMS to ensure that applicants? presumptive eligibility has been appropriately terminated when the beneficiaries are enrolled in regular Medicaid or CBHP program, and that CBMS displays consistent applicant information between various screens. These issues were fixed through two system changes implemented in March 2020 and April 2021. This finding had no known questionable cost associated with it. AUDITOR?S ADDENDUM for Parts A, B, and C As noted in the finding, we found five PE Sites that were not re-certified within the required 2 years and therefore, were not qualified to make presumptive eligibility determinations after their re-certification due date had passed. State regulation [10 CCR 2505-10, 8.100.4.F] requires the Department to re-certify the presumptive eligibility sites every 2 years to remain an approved site. The five PE sites processed a total of 314 presumptive eligibility determinations after their re-certification due date and before the Department re-certified the sites. The Department was unable to provide the total payments made on behalf of these 314 beneficiaries? prior to being enrolled in the regular Medicaid or CBHP program as of June 30, 2020. Therefore, we were unable to determine the amount of questioned costs the Department paid for these individuals during Fiscal Year 2020.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-043 Managed Care Entities? Periodic Audit Reporting On November 9, 2020, CMS adopted a final rule (Final Rule) revising the regulations governing managed care programs. The Final Rule was meant to streamline the existing Medicaid and CBHP managed care regulatory framework. Further, it adopted procedures and standards to ensure accountability and strengthen program integrity safeguards. The Department is responsible for complying with these federal program integrity regulations, some of which include requirements to monitor MCE compliance submission requirements, conduct periodic audits of submitted MCE data, and then post the periodic audits publicly on the Department?s website. These periodic audits are done to determine the accuracy and completeness of the (1) encounter and, (2) financial data submitted by each MCE, which are described as follows: ? Encounter Data. The Department?s contracts with the MCEs require each MCE to submit Medical Encounter Claims (Encounter Data) to the Department. Encounter Data includes services provided by any of the MCE?s providers, including, but not limited to, services delivered by medical groups, practices, clinics, physicians, or any other providers. MCEs must submit Encounter Data on a monthly basis on the last business day of the month. The Department then contracts with an independent external quality review organization to review the information and supporting documentation, and then the external organization issues a report on the data submitted by each MCE. ? Financial Data. The Department?s contracts with the MCEs require each MCE to complete a Department-provided financial reporting template that contains a breakdown of the MCE?s administrative and medical costs for a 12-month period (July through June). These templates are required to be completed and submitted to the Department by January 15 each year. The Department performs an initial review of the information, and then sends the completed templates to an independent CPA firm for final review and issuance of a report on the data submitted by each MCE. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to review the Department?s internal controls over and compliance with federal program integrity requirements for MCEs during Fiscal Year 2021. The audit work included making inquiries of Department staff regarding the Department?s documented policies and procedures over the MCE periodic audits. For each MCE, we reviewed the Department?s MCE contract, the financial reporting template submitted during Fiscal Year 2021, and the report issued by the Department?s contracted independent organization. Lastly, we reviewed the Department?s website to determine whether the Department posted the periodic audit results on their website. How were the results of the audit work measured? Federal regulations [42 CFR 438.602] detail the Department?s responsibilities associated with MCE program integrity. These include the following: ? Federal regulation [42 CFR 602(e)] requires the Department to periodically conduct, or contract for the conduct of, an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by each MCE. ? Federal regulation [42 CFR 438.602(g)(4)] requires that the results of the periodic audits for each MCE be publicly posted on the Department?s website. The Department?s MCE contracts require all MCEs to submit Encounter Data electronically to the Department on a monthly basis. The Department?s MCE contracts also require all MCEs to submit annual financial information, including annual financial statements and the Department provided financial reporting template. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in the Green Book. Under Paragraph 16.01, the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. What problems did the audit work identify? Overall, we found that the Department did not obtain complete financial data from the MCEs during Fiscal Year 2021 and did not post the audited results of the financial data to the Department?s website. Specifically, we found the following: ? Financial Data Reporting Template. For 2 out of the 10 (20 percent) financial reporting templates we reviewed, the MCE did not fill out the reporting template completely. As a result, the reporting templates were missing supporting information and explanations that assist the Department in their initial review of the MCE financial data, such as the MCE?s methodology for calculating administrative and medical costs submitted with the reporting template. ? Posting Incomplete Periodic Audits to the Department?s Website. For 10 of the 10 (100 percent) MCEs, we found that the Department failed to post the results of the financial data audits to its website. Pursuant to federal regulations, the audits must include information on encounter and financial data for each MCE and be posted to the Department?s website. We were able to verify that the Department did, however, post the results of the encounter audits to its website for all 10 MCEs. Why did these problems occur? The Department lacked adequate controls over ensuring compliance with federal program integrity requirements for MCEs. Specifically, the Department did not have written policies and procedures for performing the initial review of the financial data reporting templates before they are sent to the CPA firm for final review. In addition, the Department did not have written policies and procedures for ensuring all periodic audit information is posted to its website, including the results of the financial data audits. Why do these problems matter? As a recipient of federal funds, the Department is ultimately responsible for ensuring that it is in compliance with federal regulations. By not confirming that the MCE financial data templates are complete, there is a risk that the reports issued by the contracted CPA firm could be inaccurate or incomplete, which could lead to the Department not properly monitoring the managed care program. In addition, by posting incomplete periodic audit information to its website, the Department risks failing to comply with federal program integrity requirements for MCEs. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-043 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls by developing and implementing written policies and procedures for periodic audits that detail the process for (1) performing the initial review of the financial data reporting templates submitted by Managed Care Entities, and (2) posting complete periodic audit results on the Department?s website in accordance with federal regulations. Response Department of Health Care Policy and Financing Agree Implementation Date: December 2022 The Department did not have strong enough controls for the initial checks on the financial data reporting templates. This process has been updated and will be rectified in coming cycles. The Department has modified its templates in order to address the concerns provided by the auditors including signatures and supplemental reporting. Written policies and procedures for the validation and audit of the templates are being developed currently and will be in place and effective in December 2022. The Department will be correcting this error by posting the audit results along with other quality and audit reports on the following site: https://hcpf.colorado.gov/quality-and-health-improvement-reports.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-054 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-041 MEDICAID ELIGIBILITY?MISSING SOCIAL SECURITY NUMBERS A beneficiary?s application includes information such as a Social Security Number (SSN), birth certificate, and supporting documentation for income. Local counties and MA sites are responsible for administering the benefits application process, entering the required data for eligibility determination into CBMS, and approving or denying applicants? eligibility. For example, Medicaid caseworkers enter and document each applicant?s SSN into CBMS. Caseworkers determine participants? eligibility to receive Medicaid benefits through CBMS. The CBMS eligibility data, including SSNs, feeds into Colorado interChange, which pays providers for the services they render to Medicaid beneficiaries. If there is a change to an SSN, including removing an SSN in CBMS, this change should feed directly into Colorado interChange. Additionally, children in foster care are automatically eligible for Medicaid; the TRAILS system that supports the foster care program at the Department of Human Services also interfaces with Colorado interChange on a daily basis to update foster care beneficiaries? eligibility information and pay providers for the services rendered. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls that were in place over the Medicaid eligibility process during Fiscal Year 2019, and to determine whether the Department complied with federal and state Medicaid requirements during this timeframe. During our audit, we requested a list of all Medicaid claims for medical services that were submitted and paid through Colorado interChange from July 1, 2018, through March 31, 2019. This list included claims made on behalf of approximately 1.1 million beneficiaries. We analyzed the data to identify any Medicaid claims payments made during July 1, 2018, through March 31, 2019, on behalf of beneficiaries who did not have an SSN in Colorado interChange on the date of the claims payment, and found a total of 524,092 claims paid on behalf of 46,772 beneficiaries. From this listing, we excluded any of the claims payments made on behalf of a beneficiary who was exempted from providing an SSN under federal and state regulations. For example, we removed claims payments for beneficiaries who were under the age of 1; beneficiaries who were in foster care and, therefore, were automatically deemed eligible for Medicaid; beneficiaries who had applied to the Social Security Administration for an SSN at the time of the payment; beneficiaries who received medical care as an emergency service; and beneficiaries who had chosen to opt out of providing an SSN due to allowed religious reasons. After we removed these exempted beneficiaries from the population, the list included 2,870 beneficiaries that appeared to be missing an SSN in Colorado interChange and who had Medicaid claims payments made on their behalf from July 1, 2018, through March 31, 2019. We then reviewed these remaining beneficiaries, and the related separate payments made on their behalf during this time period, to determine whether these beneficiaries had an SSN in Colorado interChange at the time of the claims payments and whether the individuals were eligible for Medicaid benefits in accordance with federal regulations and Department procedures. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? SSN REQUIREMENTS. Federal regulations [42 CFR 435.910 and 42 CFR 435.117(b)] state that the Department must require an SSN for each individual requesting Medicaid benefits, with the exception of newborns under the age of 1, or ?Eligible Needy Newborns,? and individuals who refuse ?to obtain an SSN because of well-established religious objections.? Federal regulation [42 CFR 435.145(b)(2)] states that the Department must provide Medicaid benefits to individuals who are in the foster care program. Section 472 of the Social Security Act does not require a child to provide an SSN in order to be eligible for the foster care program. State regulations [10 CCR 2505-10 8.100.3.I.1, 8.100.4.B.1.a, and 8.100.4.G.7.a] also require that every individual who applies for and receives Medicaid benefits must provide an SSN, or an application for an SSN, with their application for Medicaid. The regulation specifically states: An applicant?s or client?s refusal to furnish or apply for a Social Security Number affects the family?s eligibility for assistance as follows: i) that person cannot be determined eligible for the Medical Assistance Program; and/or ii) if the person with no SSN or proof of application for SSN is the only dependent child on whose behalf assistance is requested or received, assistance shall be denied or terminated. The regulation also states that newborns under the age of 1 and ?members of religious groups whose faith will not permit them to obtain Social Security Numbers shall be exempt from providing a Social Security Number.? Eligibility data, including SSNs, is required to be collected and entered into CBMS at the time of application or upon another event, such as the beneficiary turning 1 year old. Because this information is maintained within CBMS, and CBMS feeds eligibility information into Colorado interChange, eligible beneficiaries should have an SSN in Colorado interChange. MONITORING. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in the Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). Green Book Paragraph 16.01, Perform Monitoring Activities, states the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. TRAINING. Department training procedures indicate that when a local county or MA site caseworker needs to update an SSN in CBMS, he or she must call the Office of Information Technology (OIT) Service Desk within the Office of the Governor, for approval of the change. According to Department staff, once the OIT Service Desk reviews and approves the change, the information will be updated within CBMS; if the OIT Service Desk does not approve the change to the SSN, then the updated information will be rejected within CBMS. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We identified 2,870 beneficiaries who were required to have an SSN but did not have an SSN documented in Colorado interChange and had Medicaid claims paid on their behalf sometime between July 1, 2018, and March 31, 2019. In total, Colorado interChange paid approximately $4,540,920 in Medicaid claims for these beneficiaries during the time period noted. In August 2019, we informed the Department of the issues we identified and Department staff performed additional follow-up based on our findings, which included analyzing information contained in CBMS compared to our results from Colorado interchange; the Department confirmed in January 2020, the Department confirmed that 1,590 of these beneficiaries had never had an SSN recorded in CBMS since they were first found eligible for Medicaid benefits, and therefore, would never have had an SSN in Colorado interChange. Because these individuals were required by federal and state regulations to provide an SSN at the time of application or upon another event, as applicable, the lack of documented SSNs in both CBMS and Colorado interChange indicated that these individuals appeared to be ineligible for the Medicaid claims payments that were made on their behalf during the fiscal year. The Department indicated that the remaining 1,280 beneficiaries without an SSN in Colorado interChange did not have an SSN in CBMS at the time of the claim but had an SSN ?at some point? during Fiscal Year 2019 or prior within CBMS. Since the individuals lacked an SSN within Colorado interChange at the time of the Fiscal Year 2019 claims payments, and based on the documentation provided by the Department, we were unable to determine whether the individuals had submitted an SSN at the time of application or upon another event as required and, therefore, whether they were eligible for the Medicaid services they received. Overall, for the 1,590 beneficiaries noted, we identified known questioned costs of $2,285,757 for the period of July 1, 2018, through March 31, 2019; $1,142,879 of these costs were paid with federal grant funds. For the 1,280 beneficiaries noted, we identified likely questioned costs of $2,255,163 for the period of July 1, 2018, through March 31, 2019. We further analyzed 49 of the 1,590 beneficiaries noted above to identify reasons for missing SSNs and found that: ? Beneficiaries in CBMS were not eligible; however, they were marked as ?eligible? within Colorado interChange. ? Beneficiaries were incorrectly enrolled in the Eligible Needy Newborn Program even though they were all over the age of 1; as a result, although the Department had not required them to provide an SSN, they continued to receive benefits during July 1, 2018, through March 31, 2019. ? Beneficiaries were exempted from obtaining an SSN for unallowable reasons including ?incomplete documents? and ?illness? categories, and CBMS processed their eligibility and Colorado interChange made payments on their behalf; however, neither federal nor state regulations allow such exemptions. The Department has indicated that they are performing additional research on the issues regarding the 1,280 beneficiaries that had an SSN ?at some point? during Fiscal Year 2019 or prior within CBMS. WHY DID THESE PROBLEMS OCCUR? For 1,280 beneficiaries identified who were missing an SSN in Colorado interChange and CBMS at the time of the claim, but had an SSN ?at some point? within CBMS during Fiscal Year 2019 or prior, the Department provided the following possible explanation: The SSN was removed due to caseworkers failing to contact the OIT Service Desk for proper approval for changes to SSN information in CBMS. Other problems with missing SSNs were related to: ? CBMS ISSUES. CBMS was not programmed to appropriately deny an applicant?s eligibility for Medicaid when the individual did not have an SSN in CBMS and did not have an allowed exception noted in CBMS. Rather, CBMS allowed the SSN field to be left blank, regardless of the reason noted for the missing SSN and whether the reason was allowed as an exemption by federal and state regulations. In addition, the SSN in CBMS could be deleted at any time by the caseworker or the OIT Service Desk and CBMS was not programmed to alert the caseworker to follow up if an SSN had been deleted from the file. ? SYSTEM INTERFACE ISSUES AND LACK OF A RECONCILIATION PROCESS. CBMS was not interfacing with Colorado interChange appropriately to update beneficiaries? eligibility information. Some beneficiaries who were deemed ?ineligible? for Medicaid in CBMS were listed as ?eligible? in Colorado interChange and payments were made on their behalf during the fiscal year. Furthermore, the Department lacked an effective internal control process for reconciling Medicaid beneficiaries? eligibility information in CBMS to the eligibility information in Colorado interChange to ensure that the information was consistent in both systems, and that the beneficiary was appropriately deemed either ?eligible? or ?ineligible? in accordance with federal and state regulations. ? LACK OF EFFECTIVE REVIEWS, TRAINING, AND MONITORING. The Department was not effectively monitoring and training Medicaid local county and MA site caseworkers on required approvals for any changes to beneficiaries? SSNs. Further, the Department did not have an effective review process to ensure that beneficiaries were enrolled in the correct Medicaid program. WHY DO THESE PROBLEMS MATTER? As the state Medicaid agency, it is essential for the Department to ensure that Medicaid eligibility determinations are made appropriately and in accordance with state and federal regulations. This includes ensuring accurate processing of information used to determine Medicaid eligibility results in Medicaid benefits being provided to and paid on behalf of only eligible individuals. Since CBMS and Colorado interChange determine eligibility and issue payments on behalf of other federal programs, such as the CBHP, these issues could result in erroneous eligibility determinations or payments for other programs. Ultimately, the federal government may disallow federal funds for Medicaid program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2019-043 The Department of Health Care Policy and Financing should improve its internal controls over Medicaid eligibility by: A Researching and, if feasible, instituting a mechanism for identifying Medicaid cases in the Colorado Benefits Management System (CBMS) that lack a Social Security Number. B Researching and resolving CBMS and Colorado interChange interface issues to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries and establishing an effective reconciliation process between CBMS and Colorado interChange to ensure that Medicaid beneficiaries? eligibility information is consistent in both systems. C Effectively training and monitoring local counties and Medical Assistance sites to ensure that caseworkers are obtaining and documenting the Office of Information Technology Service Desk?s approval for changes to beneficiaries? Social Security Numbers, and that beneficiaries are enrolled in the correct Medicaid program. D Researching the cases identified in our audit to determine whether these beneficiaries were eligible and that the payments made on their behalf were appropriate, in accordance with federal and state regulations. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The CBMS currently has functionality in place for members requesting Medical Assistance that they must supply a Social Security Number (SSN) unless they meet certain acceptable exceptions at initial application. Since CBMS is a shared system between the Department and the Department of Human Services and any change would impact all cases in CBMS, the Department cannot guarantee that a system change can be implemented. The Department can agrees to research on the feasibility of instituting a mechanism for identifying Medicaid cases in CBMS that lack a social security number and, if feasible, implement a CBMS change by July 2022. B AGREE. IMPLEMENTATION DATE: JULY 2021. The Department agrees to research and resolve Colorado Benefits Management System (CBMS), and Colorado interChange system interface issues identified in the audit. The Department implemented a system change in June of 2018 that allows retroactive changes in eligibility to be correctly synced between the systems. The majority of the impacted cases are historical cases that will be manually corrected by June 2020. Additional cases involve detailed research, review, and potential outreach to case workers to correct the case file or verify the eligibility status of the impacted members. The Department will take the appropriate actions to notify impacted members if necessary. The Department's implementation date reflects that the Department will be in compliance with the Recommendation for the entirety of FY 2021-22. C AGREE. IMPLEMENTATION DATE: JULY 2021. The Department provides training to counties and Medical Assistance sites that beneficiaries applying for Medical Assistance must supply a Social Security Number (SSN) or supply verification that they have applied for an SSN, unless they meet certain acceptable exceptions. This information has been communicated to the counties since 2004 and is part of our ongoing training materials. The Department cannot agree to establish any additional review process at this time. The Department can agree to work with counties and Medical Assistance sites to identify any additional training related to missing SSN and implement additional training by July 2021. D DISAGREE. The Department disagrees with the Total Known Questioned Costs of $2,285,757 identified in the audit report since Department cannot verify the results. The Department is still attempting to reconcile various reports to understand the finding identified through this audit. CBMS currently has functionality in place for members requesting Medical Assistance that they must supply a Social Security Number (SSN), unless they meet certain acceptable exceptions at initial application. The Department does not have the resources to research the thousands of cases that the auditor identified through data mining techniques, a new methodology for the first time this year. If the auditor is changing methodologies, the Department requires additional resources and timely notice to request resources through the budget process. AUDITOR?S ADDENDUM: The beneficiaries identified through our testing were required by Medicaid regulations to provide an SSN at the time of application or upon another event, as applicable, and the SSN is documented in CBMS and uploaded to Colorado interChange [State regulations 10 CCR 2505-10, 8.100.3.I.1 and 8.100.4.B.1.a and 8.100.4.G.7.a]. Because the noted beneficiaries lacked an SSN within Colorado interChange at the time claims payments were made on their behalf, we questioned the beneficiaries? eligibility. The Department is responsible for ensuring that only individuals who are appropriately deemed eligible for Medicaid receive benefits. Therefore, it is the Department?s responsibility to identify and remove ineligible individuals from the Medicaid program and to prevent the inappropriate payment of claims on their behalf. In addition, generally accepted government auditing standards (GAGAS) (paragraph 3.18), require that ?In all matters relating to the GAGAS engagement, auditors and audit organizations must be independent from an audited entity.? Additionally, paragraph 3.42 states that ?Examples of circumstances that create undue influence threats for an auditor?include (b) [e]xternal interference with the selection or application of engagement procedures or in the selection of transactions to be examined.? Therefore, it is imperative that our decisions related to audit approaches and testing methods be made without department influence or persuasion.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-056 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-044 PROVIDER ELIGIBILITY Medicaid and CBHP cover a variety of medical and related services, which are provided by provider types such as clinics and hospitals, managed care organizations such as health plans or independent physicians, as well as individual medical providers working within these entities or individually. As of June 30, 2019, the Department had enrolled approximately 71,000 entities and individuals for providing services under Medicaid and CBHP. The Department is ultimately responsible for determining if providers are eligible to participate in Medicaid and CBHP. However, the Department has contracted with a fiscal agent, currently DXC Technology Services, LLC (DXC), to act on its behalf in determining Medicaid and CBHP provider eligibility. A fiscal agent is a contractor that performs certain provider enrollment and claims processing activities, including accepting, processing, evaluating, and approving or rejecting applications. The fiscal agent also assesses the providers into one of three risk categories?limited, moderate, and high?to ensure that appropriate federal and state regulations are applied during the provider enrollment process. Providers that want to enroll must complete an application within Colorado interChange and provide documentation, including a current business and/or medical license, showing that they fulfill all enrollment requirements. Once the enrollment process is complete, the Department enters into agreements with the providers that are found to be eligible. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over Medicaid and CBHP provider eligibility and enrollment processing, and to determine whether the Department complied with federal Medicaid and CBHP provider eligibility requirements during Fiscal Year 2019. Additionally, the purpose of our work was to determine the Department?s progress in implementing our Fiscal Year 2017 and 2018 recommendations related to provider eligibility and enrollment. At that time, we recommended that the Department improve its controls over Medicaid and CBHP provider eligibility determination and enrollment to ensure that it complies with federal and state requirements related to data verification, documentation including current provider licenses, monitoring policies and procedures, appropriate indication of results of database matches, and consistent display of provider information within Colorado interChange. The Department agreed with our recommendations and stated that it would implement them by Fiscal Year 2019. We reviewed a sample of 25 Medicaid provider applications for individual, company, and managed care providers that were deemed eligible and received payments during Fiscal Year 2019 through Colorado interChange for services provided. We obtained and reviewed the provider application information entered into Colorado interChange, as well as the supporting documentation uploaded into Colorado interChange by providers, to determine whether these providers were accurately deemed eligible to receive Medicaid payments and whether the required documents were present in accordance with federal and state regulations. In addition, we conducted interviews with Department staff regarding its procedures over Medicaid provider eligibility and enrollment. We also obtained a detailed Suspension Listing from the Department of Regulatory Agencies, which contained health care provider business and medical licenses that were terminated during Fiscal Year 2019. We compared the Suspension Listing with provider information in Colorado interChange to determine if the Department made inappropriate claims payments to unlicensed providers during the fiscal year. Because CBHP is operated through Medicaid, and the processes followed for provider eligibility and enrollment for CBHP providers are the same as the processes for Medicaid providers, our testing looked at compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal and state Medicaid regulations for provider eligibility during Fiscal Year 2019. Specifically, although we did not identify enrollment issues with the Department?s processing of providers who were newly enrolled during Fiscal Year 2019, we found at least one issue related to ongoing eligibility with all 25 sampled providers we tested: ? DATABASE MATCHES AND DISPLAY OF PROVIDER INFORMATION. We identified the following database match functionality issues with 24 of 25 providers (96 percent) tested: ? For 23 of 25 providers (92 percent) that included individual, company, and managed care providers, Colorado interChange showed that the provider?s owners, agents, and managing employees? SSNs were not verified against federal databases, as required. Specifically, the SSN check box within Colorado interChange indicated ?N,? meaning ?No verification was performed with the database.? Additionally, for one of 25 providers (4 percent) that was a managed care organization, the organization was enrolled in Colorado interChange in April 2019 and showed that the SSNs had been verified, but SSNs for two individuals who worked under this provider that were listed on the application were shown as ?N? within the system. ? For eight of 25 providers (32 percent) that included companies, Colorado interChange showed that the providers? Federal Employee Identification Numbers (FEIN) were not verified against federal and state databases, as required. Specifically, the FEIN check box within Colorado interChange indicated ?N.? ? For 13 of 25 providers (52 percent), Colorado interChange did not present the data of owners, agents, and managing employees information consistently between various screens within Colorado interChange. For example, when a provider noted owners, agents, or managing employees on its application, that information was not reflected in Colorado interChange outside of the application screen even though there is a section in Colorado interChange that should list the owners? information. According to federal regulation [42 CFR 455.436] and requirements established by the ACA [Patient Protection and Affordable Care Act (2010), Section 6401(a)], the Department must check federal databases to confirm providers? identity and determine whether providers are excluded from participating in the Medicaid program; this verification must also occur, if applicable, against providers? owners, agents, and managing employees. For example, the Department must check the federal exclusion databases at least monthly to ensure that the providers, owners, agents, and managing employees are not excluded from participating in the Medicaid program. Colorado interChange is designed to display provider application information consistently between various screens within the system, such as name, SSN, FEIN, and/or National Provider Identification number (NPI), with various federal and/or state databases to identify potential errors and to flag the application for a required caseworker manual review. According to Department staff, when Colorado interChange successfully verifies provider-provided information against another state or federal database, Colorado interChange should separately mark each verified data field on the application to note the successful match. Conversely, if Colorado interChange does not match a given field against a database, it should also be identified in the system. As a result of these issues, we were unable to determine if Colorado interChange performed the required matches and if any discrepancies in provided information were identified and presented to DXC, the fiscal agent, for a manual review to verify eligibility, as required. ? DOCUMENTATION. The Department did not maintain sufficient documentation within Colorado interChange for the receipt date of the fingerprints from the provider, the collection of application fees, and site visits, as follows: ? For four of 25 providers (16 percent) tested, the Department?s fiscal agent failed to fill in the receipt date field within Colorado interChange to indicate when fingerprints were received from enrolling providers. After bringing this issue to the Department?s attention, the Department provided fingerprinting documentation in November 2019 to support that these providers submitted fingerprints within 30 days of Department request in accordance with federal regulation; however, that receipt date information had not been documented in Colorado interChange as of November 2019. ? For one of 25 providers (4 percent) tested, the provider was assessed as high risk but the provider?s file did not contain evidence that an application fee was collected or that the fiscal agent conducted a site visit, as required. Under federal requirements [Sub Regulatory Guidance for State Medicaid Agencies (SMA): Revalidation (2016-001(3))], the Department ?must be able to produce documentation to support each of the provider screening and enrollment requirements,? such as requirements for fiscal agent-conducted site visits of moderate and high risk providers during the enrollment and revalidation process. Federal regulation [42 CFR 455.432] states that the State Medicaid Agency or their fiscal agent must conduct pre- and post-enrollment site visits of providers who are deemed as moderate or high risk to the Medicaid program. The purpose of the site visits is to verify that the information submitted to the state Medicaid agency is accurate and to determine compliance with federal and state enrollment requirements. Additionally, the Department?s contract with DXC requires the fiscal agent to maintain detailed documentation and procedures for Medicaid provider enrollment. Federal regulation [42 CFR 455.434] requires that, for any provider assessed by the Department as high risk, the Department must obtain fingerprints from the provider, including fingerprints for any person(s) who has a 5 percent or more direct or indirect ownership interest in the provider and furnishes medical or pharmaceutical services or supplies. The provider must submit the fingerprints within 30 days, upon request by the Department. Federal regulation [42 CFR 455.460(a)] states that the Department must collect the applicable application fee prior to executing a provider agreement from a prospective or re-enrolling provider, with certain limited exceptions. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal control over its federal awards that provides reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Green Book Paragraph 16.01, Perform Monitoring Activities, which states that the Department ?should establish and operate monitoring activities to monitor [its] internal control system and evaluate the results.? Monitoring activities include reviewing reports, observing operations, and ensuring that activities are carried out in accordance with the federal grant agreement. ? INELIGIBLE PROVIDERS: Based on our review of the suspended license listing from the Department of Regulatory Agencies, we identified three providers that had their licenses suspended during part of Fiscal Year 2019 but continued to be shown as active in Colorado interChange, as follows: ? One provider had its license suspended between February 11, 2019, and March 27, 2019; however, during this timeframe, the provider continued to bill claims and receive payments from Colorado interChange. After we questioned the Department about the issue, the Department issued a demand for payment letter dated October 18, 2019, to the provider for $15,061 in payments that were inappropriately paid. We consider these $15,061 payments to be known questioned costs; $7,531 of these payments were made with federal grant funds. ? Two providers had suspended licenses as of September 21, 2018, and February 25, 2019, respectively, but showed as active in Colorado interChange through June 30, 2019, and therefore appeared eligible to bill claims and receive payments. Based on additional testing, we determined that no payments were made to these providers after their licenses were suspended and did not identify any questioned costs associated with these two providers. Federal regulation [42 CFR 455.412] requires that the Department must have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State and confirm that the provider?s license has not expired and that there are no current limitations on the provider?s license. This federal regulation requires the Department to verify that the providers meet required licensure standards initially, and it is best practice for the Department to verify that the providers meet these standards on an ongoing basis to ensure that there are no current limitations on the provider?s license. In addition, state regulation [10 CCR 2505-10 8.125.9, Verification of Provider Licenses] states, ?If a provider is required to possess a license or certification in order to provide services or supplies in the State of Colorado, then that provider must be so licensed as a condition of enrollment as a Medicaid provider. As a condition of enrollment, any required licenses must be active without any current limitations.? Under the federal regulation, Requirements for Estimating Improper Payments in Medicaid and CHIP [42 CFR 431.958], ?Improper payment means any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements; and payment means any payment to a provider, insurer, or managed care organization for a Medicaid or CHIP beneficiary?? WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls in place over provider eligibility and claims payment processes related to the monitoring of DXC, its fiscal agent, during Fiscal Year 2019 to ensure that it complied with federal and state regulations. Specifically, Colorado interChange required fixes that were in various stages of correction during Fiscal Year 2019. According to the Department, Colorado interChange required a system fix in December 2018 in order to properly mark and/or display results related to federal and state database checks going forward; however, the system fix did not completely resolve the display issues to accurately indicate whether the data matches had occurred, and the Department did not retroactively make corrections to any cases that erroneously indicated that their information had not been verified. Rather, the Department stated that the inconsistent display issue related to providers that enrolled in the program when Colorado interChange was initially implemented and that this will be addressed after these providers are revalidated in Fiscal Year 2020 or when a provider updates their information, whichever occurs first. Additionally, the Department indicated that Colorado interChange did not have an automated system alert to check with the Department of Regulatory Agencies? license database on a regular basis to notify the fiscal agent and/or the Department that a license had expired. Although the Department reported that they had an interim manual process to ensure that expired licenses were identified and that subsequent steps were taken to ensure that providers remained eligible throughout the fiscal year to provide Medicaid services, the manual process did not identify and/or address the instances that we identified through our audit. Finally, we noted that the Department lacked an effective monitoring process over DXC, its fiscal agent, to ensure that the required documentation was maintained in accordance with Uniform Guidance, as the monitoring policies and procedures referred to as Provider Enrollment Audit Process were still in the draft stage during Fiscal Year 2019 and had not been formalized. WHY DO THESE PROBLEMS MATTER? By not ensuring that appropriate internal controls, including system controls and monitoring, are in place over the Medicaid provider eligibility and enrollment processes, the Department cannot ensure that all Medicaid providers are eligible or qualified to participate in the program. Additionally, without instituting a process to regularly update provider licensure information and to ensure that provider information contained in Colorado interChange is consistent and accurate, the Department cannot ensure that the enrolled providers are appropriately screened and are eligible to receive payments. Ensuring that providers contained in Colorado interChange are qualified to provide services is especially important because Colorado interChange is also used for provider eligibility determination for CBHP. Overall, the State could risk losing federal Medicaid and CBHP funding if it allows non-qualified providers to bill and be paid for services provided for these programs. RECOMMENDATION 2019-046 The Department of Health Care Policy and Financing (Department) should improve its controls over Medicaid and Children?s Basic Health Plan (CBHP) program provider eligibility determination and enrollment to ensure that it complies with federal and state requirements by: A Working with its fiscal agent to ensure that Colorado interChange performs all required database matches and properly displays results of Social Security Number and Federal Employer Identification Number verifications for all providers. B Establishing an effective process to ensure that provider licensing information contained in Colorado interChange is current, that any expired licenses are identified, and that any ineligible providers are disallowed from providing Medicaid and CBHP services and receiving payments in accordance with Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). C Formalizing the Department?s monitoring policies and procedures called Provider Enrollment Audit Process over the fiscal agent to ensure required documentation is maintained in accordance with Uniform Guidance. D Ensuring that Colorado interChange displays provider information consistently throughout the system. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department is working with its Fiscal Agent to ensure all required database screenings are performed and clearly identified in the Colorado interChange. An issue was identified in a prior year, FY 2018-19, that not all screening information was consistent. There was also a concern that initial screenings might miss some individuals due to the way data was formatted when transferred from LexisNexis. The issue was resolved by the Fiscal Agent prior to FY 2019-20. The Fiscal Agent is continuing to conduct manual reviews of all screening results to ensure compliance. A separate process to screen providers monthly is executed by the Department's Program Integrity Section. Through this process, no providers were found to have been enrolled incorrectly and, as necessary, the Department took appropriate action if there were changes to a provider's information. The Department is working with its Fiscal Agent to properly display results of Social Security Number and Federal Employer Identification Number verifications for all providers and automate the review process. The Department's implementation date reflects that the Department will complete the improvements and be in compliance with the Recommendation for the entirety of FY 2022-23. B DISAGREE. The Department finds that the Colorado interChange is working as designed, that the Fiscal Agent is appropriately enrolling providers, and that the Department is in compliance with the federal regulations regarding enrolling and revalidating providers. The Department is compliant with 42 CFR ? 455.436, which requires providers to be screened at enrollment and revalidation. All providers are assessed for eligibility requirements at enrollment and revalidation and are then screened monthly to identify any changes. For the licensing issue identified in this audit report, the Department performed the appropriate actions to recover funds within less than a month of the incident, which is compliant with federal regulation 42 CFR ? 455.436(c)(2). AUDITOR?S ADDENDUM: As noted in the finding, we found issues with the Department?s ongoing verification and monitoring of providers? eligibility that failed to prevent improper payments to an ineligible provider during the fiscal year. In addition, the Department did not send notification to recover funds from the provider until October 2019, or 8 months after the provider?s license was suspended. C AGREE. IMPLEMENTATION DATE: JULY 2020. The Department finalized the Fiscal Agent monitoring policies and procedures in December 2019 and therefore was unable to be in full compliance for the entire FY 2019-20. The Department's implementation date reflects that the Department will be in compliance with the Recommendation for the entirety of FY 2020-21. D DISAGREE. There was an initial system configuration on some early enrollments that prevented populating the requested information in the visible provider subsystem tabs for the auditor to review. The verification functionality happens within the provider portal and not in the visible provider subsystem tabs that the auditor reviews. However, no functionality or data was lost, the information only appeared and was stored in the provider portal. The Department implemented a solution so that the information will be displayed in the provider subsystem. This change is pending the next update the providers make and the data will be visible in the provider subsystem. The Department will not be making historical changes to the system. The Department has worked with the Fiscal Agent to resolve the issues which led to the finding and does not believe that expending additional resources to display historical information in both the provider portal and the provider subsystem is the best use of resources. The Department can produce the information manually. AUDITOR?S ADDENDUM: The data inconsistency issues we identified through our audit were based on our reviews of Colorado interChange through the access provided to us by the Department. As noted in the finding, inconsistent information within the provider eligibility screens used for Medicaid and CBHP increases the risk of inaccurate reviews of provider eligibility and ultimately, inappropriate enrollment screening. Therefore, as our recommendation states, the Department should ensure that Colorado interChange displays provider information consistently. The recommendation did not include restatement of historical information.
Finding 2022-043 Medicaid Claims Payments Individuals and families apply for Medicaid at their local county departments of human/social services or at MA sites. Medicaid caseworkers make the determinations of participants? eligibility to receive Medicaid benefits through CBMS. Children in the State?s foster care program, whose information is documented in the TRAILS system, are automatically determined eligible for Medicaid benefits. The Medicaid eligibility data in CBMS and TRAILS feeds into Colorado interChange, which pays providers for the services that beneficiaries receive. CBMS and TRAILS interface with Colorado interChange on a daily basis to update eligibility information, such as a beneficiary?s eligibility status and/or termination of benefits in Colorado interChange. According to the Department, Colorado interChange is programmed to make only allowable Medicaid claims payments on behalf of eligible beneficiaries in accordance with federal and state Medicaid rules and regulations. Thus, Colorado interChange should stop paying Medicaid claims when a beneficiary is no longer eligible for Medicaid. On March 18, 2020, the Act was enacted. The Act provided a temporary increase in the federal share of Medicaid and CBHP assistance from January 1, 2020 until the end of the PHE. The Act also required that the Department maintain Medicaid and CBHP eligibility for beneficiaries enrolled as of March 1, 2020, through the end of the COVID-19 PHE, except for the required terminations noted within the CMS waivers, such as out-of-state residency, termination upon the beneficiary?s request, and death of the beneficiary. On March 26, 2020, CMS approved waivers for a number of Medicaid and CBHP requirements that resulted in, for example, the expansion of benefits to include all uninsured individuals; suspension of beneficiary deductibles, copayments, coinsurance, and other cost sharing charges and fees; coverage of COVID-19 vaccines and testing; and the suspension of the requirement for a provider to have a current license if their license expired during the COVID-19 PHE. In addition, the State implemented, with CMS? approval, Medicaid continuous enrollment as a condition of receiving the temporary increase in federal assistance. During continuous enrollment, beneficiaries could not be disenrolled due to changes in circumstances (i.e., changes in household composition, employment, income and resources) until the end of the COVID-19 PHE. On December 29, 2022 the CCA was enacted. Under the CCA, continuous enrollment and the temporary increase in federal assistance are no longer linked to the end of the COVID-19 PHE. The continuous enrollment condition will end on March 31, 2023 and the increase in federal assistance will start to gradually reduce in April 2023, fully ending in December 2023. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to review the Department?s progress in implementing our Fiscal Year 2019 audit recommendation related to its internal controls over Medicaid claims payments. During that audit, we recommended that the Department improve its Medicaid controls by researching and resolving CBMS, TRAILS, and Colorado interChange interface issues we identified during our audit to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries. We specifically identified a TRAILS and CBMS eligibility mismatch issue related to the daily interfaces between CBMS and Colorado interChange and between TRAILS and Colorado interChange. As a result, some individuals who were deemed ineligible for Medicaid in CBMS and TRAILS were indicated as eligible in Colorado interChange at the time of payments; therefore, Colorado interChange made payments on their behalf. The Department researched the specific errors we identified during the audit and manually corrected the eligibility status of those beneficiaries, but the Department had not fully researched the error or identified and corrected all of the cases affected by the errors at that time. As such, we also recommended that the Department identify and correct any additional cases affected by the system issues noted in our audit. The Department agreed with the recommendation and stated that it would implement them by July 2021. As part of our audit work, we discussed the Department?s progress in implementing our audit recommendation with Department staff. According to the Department, it worked with the Department of Human Services (DHS) during Fiscal Year 2022 to develop a plan to eliminate the issues, including the TRAILS eligibility mismatch issue, we identified in the Fiscal Year 2019 audit. In order to address our recommendation that the Department identify and correct any additional cases affected by the system issues noted during our Fiscal Year 2019 audit, the Department developed an eligibility reconciliation report that compares beneficiary records with an active eligibility span in Colorado interChange, in order to identify any records that were not reported in the monthly eligibility file from CBMS. Department staff reported that they are reviewing the reconciliation report monthly to identify any beneficiary records that need updating in CBMS. Beneficiaries may show up on the reconciliation report either because (1) Colorado interChange rejected the beneficiary?s eligibility due to a data integrity issue, or (2) there was a system defect in CBMS, Colorado interChange, or TRAILS that caused a mismatch issue. Data integrity issues include issues such as a missing mailing address or last name?these issues can be manually fixed in CBMS. System defect issues are generally more complex and require Department staff to research the problem and identify the system that caused the error (CBMS, Colorado interChange, or TRAILS), and then work with the appropriate staff to correct the issue. As part of our audit, we requested copies of the Department?s eligibility reconciliation reports for Fiscal Year 2022 and asked the Department if it identified any additional cases affected by the system issues we identified, and if so, if they had they corrected the issues. How were the results of the audit work measured? We measured the results of our audit against the following: ? Federal regulation [42 CFR 447.56(e)(2), Limitations on Premiums and Cost Sharing] states that federal funding will not be provided for payments made by the Department to providers for services rendered to individuals who are not eligible for Medicaid. ? The Act [Section 2, Division F, Sec. 6008, Temporary Increase of Medicaid FMAP] temporarily increased the federal medical assistance percentage (FMAP) by 6.2 percentage points, effective from January 1, 2020 until the end of the PHE. The Act requires states to maintain Medicaid and Children?s Health Insurance Program (CHIP) eligibility for beneficiaries enrolled as of March 1, 2020 through the end of the PHE (with certain exceptions) in order to receive the increased FMAP assistance (the ?continuous enrollment requirement?). The PHE remained in effect during the entirety of Fiscal Year 2022 through June 30, 2022. ? According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with the Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office, Paragraph 16.01, Perform Monitoring Activities, which states that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. What problems did the audit work identify? We determined that the Department did not fully implement our Fiscal Year 2019 recommendation related to Medicaid claims payments by the July 2021 due date it originally provided. Specifically, while the Department has started working with DHS on a plan to resolve the TRAILS eligibility mismatch issues and started preliminary work on the project, the project was still ongoing as of June 30, 2022. In addition, the Department?s system enhancements to CBMS and Colorado interChange were not fully executed because of the ongoing PHE. Once the PHE ends and the Department executes the system enhancements, the Department has indicated the system will begin to correct the CBMS and Colorado interChange mismatches. Finally, although the Department has identified additional beneficiary records that require updating in CBMS, it did not correct the identified issues in the system. Specifically, the Department identified approximately 32,800 separate beneficiaries that were flagged as having an eligibility issue through the Fiscal Year ending June 30, 2022. However, per Department staff, they are unable to tell which beneficiaries had data integrity issues versus those that were caused by a system defect. Once the continuous enrollment period ends and the Department is able to fully execute the system enhancements noted above, the Department reports that the systems will sync any error the Department has identified and will be manually corrected. Why did these problems occur? The Department indicated that it did not fully execute the CBMS and Colorado interChange system enhancements because of the Act?s ongoing continuous enrollment requirement. Specifically, because the Department was required to maintain Medicaid and CBHP beneficiaries enrolled as of March 1, 2020 through the entirety of Fiscal Year 2022 due to the continuous enrollment requirements in place, they were unable to fully execute the CBMS and Colorado interChange system enhancements that would fix the data integrity issues identified during the Fiscal Year 2019 audit. Why do these problems matter? Making payments to ineligible individuals can result in the Department having to repay the federal government for the federal portion of the overpayments. Further, because Colorado interChange makes payments on behalf of other federal programs, such as CBHP, system issues with Colorado interChange could result in erroneous payments for other programs. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-043 The Department of Health Care Policy and Financing should strengthen its internal controls over Medicaid claim payments by: A. Continuing to work with the Department of Human Services to fully implement the plan to eliminate the Colorado interChange issues between Colorado Benefits Management System (CBMS), TRAILS, and Colorado interChange to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries. B. Continuing to review the monthly eligibility reconciliation reports and identifying beneficiary records that need updating, and making necessary corrections in CBMS once the continuous enrollment condition ends. Response Department of Health Care Policy and Financing A. Partially Agree Implementation Date: April 2023 The Department and CBMS teams have strengthened their internal controls to ensure payments are only made to providers for eligible members. The Department and CBMS teams will update all member records identified on the Monthly Reconciliation report once the Public Health Emergency ends. TRAILS team has provided additional training to the Case Managers to prevent data integrity issues being submitted to CBMS and interChange; however, the TRAILS team does not plan to update the system's internal controls until funding is available. Auditor?s Addendum Our responsibility under federal audit regulations is to report to the federal government when we identify Medicaid payments that may not have been made on behalf of eligible individuals or costs that we question as appropriate. It is ultimately the Department?s responsibility to have internal controls in place over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions B. Agree Implementation Date: April 2023 The Department agrees to review the monthly eligibility reconciliation report and is looking forward to resolving the member records once the Public Health Emergency ends to fully resolve the audit finding.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-042 Medical Loss Ratio Reporting for Managed Care Entities The Department contracts with Managed Care Entities (MCEs) to provide managed care health plans and deliver health care services to eligible Medicaid and CBHP beneficiaries and pays MCEs monthly fixed amounts, known as capitation payments, based on rates determined by actuaries for the provision of services covered under the contract. The Department pays the MCEs monthly capitation payments on behalf of each Medicaid and CBHP beneficiary enrolled in the MCE?s plan. MCEs then coordinate services for the eligible Medicaid and CBHP beneficiaries and providers participating in the managed care system bill the MCEs directly for any medical services provided to Medicaid and CBHP beneficiaries. The MCEs are then responsible for paying the providers for the Medicaid and CBHP claims. The Department contracts with three different types of MCEs?Managed Care Organizations (MCO), Prepaid Inpatient Health Plans (PIHP), and Primary Care Case Management (PCCM) Entities. During Fiscal Year 2021, the Department had a total of 8 contracts with 10 MCEs, with two pairs of MCEs sharing a single contract with the Department. The Department is responsible for monitoring the MCEs to ensure they are complying with federal regulations and their contract provisions, including requirements that the MCEs annually submit Medical Loss Ratio (MLR) reports to the Department. The MLR is the proportion of state and federal Medicaid and CBHP funds that the MCE used for medical services compared to the funds used for its administrative costs. MCEs are required by both federal regulations and their Department contract provisions to have an MLR above 85 percent (i.e., an MCE?s administrative costs cannot exceed 15 percent) except for specific exceptions defined in federal regulations. If the MLR is below 85 percent, the MCE must pay back the state and federal government for the amount that caused the MCE to fall below 85 percent. Every fiscal year, the Department provides an MLR reporting template for the MCEs to complete and return to the Department. The Department reported that when it receives the completed templates, staff review the information provided by the MCEs and compare it to supporting documentation to ensure it is accurate and complete. Once the Department has reviewed the MLR reports submitted by the MCEs, the Department submits the MLR reports to CMS, which are due by June 30 of the year following the end of the MLR reporting year. For example, an MCE with a reporting year ending June 30, 2020, would be required to submit the MLR calculation to CMS by June 30, 2021. During Fiscal Year 2021, the Department reported that it paid approximately $1.4 billion in Medicaid and CBHP capitation payments to MCEs for medical services, not including the capitation payments for other services, such as administrative costs. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to review the Department?s internal controls and compliance over ensuring that MLR reports submitted to CMS by the Department include all the required information in accordance with federal regulations during Fiscal Year 2021. The audit work included making inquiries of Department staff regarding the Department?s documented policies and procedures over obtaining and reviewing MLR reports from each MCE. In addition, we requested and reviewed all MLR reports submitted to the Department by the 10 MCEs that were under contract with the Department in Fiscal Year 2021 to determine whether the MLR reports included all information required by federal regulations and were submitted within the required timeframes. How were the results of the audit work measured? Federal regulations [42 CFR 438.8(k)] require that the Department ensure each MCE under contract with the Department submits a report with the data elements specified in 42 CFR section 438.8(k)(1). The reports are specifically required to contain 13 required data elements, reflect the correct reporting years, and contain an attestation of accuracy regarding the calculation of the MLR. The 13 data elements include items such as total incurred claims, the methodology for allocating expenditures, the calculated MLR, and a comparison of the information reported in the MLR report to the MCE?s audited financial report. Federal regulations [42 CFR 438.8(g)] note that the method used to allocate expenses in the MLR calculation must be: ? Based on a generally accepted accounting method that is expected to yield the most accurate results; ? Any shared expenses must be apportioned pro rata to the contract incurring the expense; and ? Expenses that relate solely to the operation of a reporting entity must be borne solely by the reporting entity and are not to be apportioned to other entities. Federal regulations [42 CFR 438.8(k)(2)] require MCEs to submit the MLR report in a timeframe and manner determined by the Department, which must be within 12 months of the end of the MCE?s reporting year. The Department?s contract provisions for MCEs state that the MLR reporting year should align with the State?s fiscal year, beginning on July 1 and ending on June 30 of the subsequent calendar year. Contract provisions also state that each MCE shall submit to the Department the completed MLR calculation template and supporting documentation for each reporting year by the following January 15. For example, an MCE with a reporting year ending June 30, 2020, would be required to submit the MLR calculation template to the Department by January 15, 2021, and the Department would be required to submit the MLR calculation to CMS by June 30, 2021. What problems did the audit work identify? We reviewed all reports provided to the Department by the 10 MCEs during Fiscal Year 2021 (for the MLR reporting year ended June 30, 2020) and determined that none of the MLR reports submitted by the 10 MCEs to the Department contained all of the required data elements in Fiscal Year 2021. Specifically, the MLR reports were missing 2 of the 13 (15 percent) required data elements: the methodology for the MCEs? allocation of expenditures and a comparison of the information reported in the MLR report to the MCEs? audited financial reports. This omission is significant because the MCEs reported total medical expenditures ranging from $20.5 million to $208.4 million and earned revenue from $23.4 million to $219.1 million. In addition, we determined that 1 of the 10 MLR reports received in Fiscal Year 2021 (10 percent) had not been submitted to CMS as of April 2022. This report was due to CMS on June 30, 2021. Why did these problems occur? We found that the Department lacked adequate controls to ensure that MLR reports submitted by the MCEs fully complied with federal regulations. First, we noted that although the Department?s MCE contracts state the MCE?s MLR report should include all 13 federally required data elements, the MLR template the Department provided to the MCEs did not include specific sections addressing the two missing federally-required data elements. As a result, the MCEs did not submit this information. Furthermore, the Department did not have written policies and procedures for reviewing completed MLR reports to ensure the reports ultimately included those requirements. Second, the Department does not have an enforcement mechanism to ensure the MCEs provide corrected MLR report information in a timely manner. The Department reported that it had not submitted the one MLR report to CMS because it had open questions on the MLR report and was unable to verify that the information was correct, valid, and in compliance with federal regulations. Although the Department sent the MLR report back to the MCE for correction several times, the Department did not have sufficient controls in place to ensure the MCE ultimately provided the corrected report back to the Department within the required reporting timeline for CMS submission. Why do these problems matter? The Department is responsible for ensuring MLR reports are obtained and submitted to CMS in accordance with federal regulations and that MCEs have an MLR above 85 percent. While all 10 MCEs reported that their MLRs were above 85 percent for the reports submitted during Fiscal Year 2021, without providing all required data elements, neither the Department nor the federal government can validate that this percentage is accurate. By not including the methodology for the MCE?s allocation of expenditures, the Department, and ultimately CMS, are unable to confirm that each type of expense is being allocated correctly and that any shared expenses are being prorated appropriately. Additionally, by not including a comparison of the information reported in the MRL to the MCE?s audited financial report, the Department is unable to confirm that the information the MCE used to calculate their MLR is accurate. Overall, without effective internal controls in place, the Department risks providing MLR reports to CMS that contain inaccurate or incomplete information or that the MLR is below 85 percent and the Department does not catch the error. As a result, state and federal funds could be used disproportionately on administrative costs rather than medical services, which would negatively impact the quality of care Medicaid and CBHP beneficiaries receive. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-042 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls over Medical Loss Ratio (MLR) reporting by: A. Updating its MLR report template provided to Managed Care Entities (MCEs) to comply with federal regulations and developing and implementing written policies and procedures. These policies and procedures should include the requirement for MCEs to submit MLR reports that include the data elements required by federal regulations and specify the Department?s review process of those MLR reports to ensure they include accurate and complete information. B. Developing an enforcement mechanism to ensure it receives accurate and corrected information from the MCEs in a timely manner so the Department is able to complete its validation process of MLR reports and meet the June 30 deadline for report submission to the Centers for Medicare & Medicaid Services. Response Department of Health Care Policy and Financing A. Agree Implementation Date: December 2022 The MLR report template has been updated and will now be reviewed at least yearly by the Department. In addition, new written policies and procedures are being developed and will be implemented before the submission of the next MLR for review. B. Agree Implementation Date: January 2023 The Department will add contract language and enforcement mechanisms in order to receive accurate information in a timely manner. This includes specific timelines for correcting incomplete or inaccurate information in order to submit the MLR report timely to the Centers for Medicare & Medicaid Services.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2020-052 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-039 PROVIDER ELIGIBILITY The providers of medical and related services covered under Medicaid and CBHP programs fall into a wide array of provider types that include clinics, hospitals, independent physicians, and medical technicians, as well as managed care organizations and health plans that contract with medical providers. As of June 30, 2020, approximately 76,960 entities and individuals were enrolled with the Department to provide services under Medicaid and CBHP. Although the Department is ultimately responsible for ensuring that only eligible providers participate in the Medicaid and CBHP programs, the Department has contracted with a fiscal agent to perform certain provider-enrollment and claims-processing activities, including accepting, processing, evaluating, and approving or rejecting applications. Providers that want to enroll must complete an online application within Colorado interChange and provide documentation, including a current medical license, showing that they fulfill all enrollment requirements based on their provider type. The fiscal agent is contractually responsible for evaluating the application and the relevant supporting documentation to ensure compliance with all state and federal enrollment requirements. The Department is responsible for maintaining current provider information in Colorado interChange. Once the enrollment process is complete, the Department enters into agreements with the providers that are found to be eligible. In December 2019, the Department added a Department of Regulatory Agencies (DORA) license database interface within Colorado interChange in order to provide a mechanism for updating the provider?s medical license information including the expiration dates within Colorado interChange for any expired provider licenses. Department staff indicated that the provider licenses are manually reviewed at the time of enrollment by the fiscal agent and marked as active, meaning the providers are eligible to participate in the Medicaid and/or CBHP programs. On a monthly basis, the fiscal agent manually runs a report from the DORA database to identify the provider?s medical licenses that are about to expire and updates the renewed license information in Colorado interChange. If a provider?s license is expired, then the fiscal agent marks the provider for a review. Furthermore, the Department?s Program Integrity (PI) Division checks the DORA?s website monthly to determine if any action such as suspensions or revocations of licenses have been taken against a provider?s medical license. If the action taken against the provider affects the provider?s ability to participate in Medicaid or CBHP for a certain period, the PI Division then determines if the provider should be placed on a temporary restriction by suspending any payments, or be terminated within Colorado interChange to stop payments to the provider. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over the enrollment and eligibility determinations of providers for Medicaid and CBHP services and to determine whether the Department complied with federal Medicaid and CBHP provider eligibility requirements during Fiscal Year 2020. Additionally, we assessed the Department?s progress in implementing our Fiscal Year 2019 recommendation related to provider eligibility and enrollment. At that time, we recommended that the Department improve its controls in this area to ensure that it complies with federal and state requirements related to data verification and maintenance of documentation, such as current provider licenses, to ensure payments are only made to eligible providers. We also obtained a detailed Suspension Listing from DORA, which contained provider medical licenses that were suspended during Fiscal Year 2020. We compared this Suspension Listing with provider information within Colorado interChange to determine whether the Department paid any providers with suspended licenses for claims during the fiscal year. We reviewed a sample of 45 provider applications for providers that were deemed eligible and received Medicaid and CBHP payments during Fiscal Year 2020 through Colorado interChange. We obtained and reviewed provider application information and relevant supporting documentation within Colorado interChange to determine whether these providers were accurately deemed eligible to receive Medicaid and CBHP payments and whether the required documents were maintained, in accordance with federal and state regulations. In addition, we conducted interviews with Department staff regarding its procedures over Medicaid and CBHP provider eligibility and enrollment. In March 2020, the Governor issued executive orders waiving Medicaid and CBHP provider licensing requirements for providers whose licenses expired during the COVID-19 PHE; as a result, our testwork was split into two periods of testing: (1) July 1, 2019, through February 29, 2020, and (2) March 1, 2020, through June 30, 2020. The process followed for provider eligibility and enrollment is the same for both Medicaid and CBHP providers, and our testing was used to determine compliance for both programs. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? We applied the following criteria during our testing: ? FEDERAL REGULATION [42 CFR 455.412] requires that the Department have a method for verifying that any provider purporting to be licensed in accordance with the laws of any state is licensed by such state and confirm that the provider?s license has not expired and that there are no current limitations on the provider?s license. This federal regulation requires the Department to verify that the providers meet required licensure standards initially, and it is best practice for the Department to verify that the providers meet these standards on an ongoing basis to ensure that there are no current limitations on the provider?s license. In May 2021, CMS provided clarification to the Department that ?not every condition on a provider?s license would be considered a limitation? and the PI Division within the Department needs to ?document in writing their determination to keep a provider enrolled when a license limitation does not restrict the provider?s ability to render services to Medicaid and CBHP beneficiaries to be in compliance with federal regulation.? ? STATE REGULATIONS [10 CCR 2505-10, 8.125.9 A AND B] require for current medical provider licenses, if a provider is required to possess a license or certification in order to provide services or supplies in the State, then that provider must be so licensed as a condition of enrollment as a Medicaid provider. As a condition of enrollment, any required licenses must be active without any current limitations. ? DEPARTMENT POLICY AND PROCEDURE. Provider Licensure Sanction Monitoring, Section III. A., states that in order for a provider to be eligible to render and bill for services, the provider must have an active license. ? FEDERAL CMS REQUIREMENTS [Sub Regulatory Guidance for State Medicaid Agencies (SMA): Revalidation (2016-001 (3))] state the Department must be able to produce documentation to support each of the provider screening and enrollment requirements under 42 CFR 455 Subpart E, including documentation of the most current license to ensure the provider remains eligible to provide services. ? CONTRACT REQUIREMENTS. According to the contract agreement with the fiscal agent, the fiscal agent is required to maintain detailed documentation to support each of the provider screening and enrollment requirements, including documentation of the provider?s most current license to ensure the provider remains eligible to provide services for Medicaid and CBHP. ? FEDERAL REGULATION [45 CFR 75.303(a)] requires that the Department, as a recipient of federal funds, must establish and maintain effective internal control over its federal awards that provides reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Green Book, Paragraph 16.01, which states that the Department ?should establish and operate monitoring activities to monitor [its] internal control system and evaluate the results.? Monitoring activities include reviewing reports, observing operations, and ensuring that activities are carried out in accordance with the federal grant agreement(s). WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We found that the Department did not fully comply with federal and state regulations for Medicaid and CBHP provider eligibility during Fiscal Year 2020. The specific issues we identified through our analyses of Medicaid and CBHP provider license data and case file reviews are outlined in more detail throughout this section. ELIGIBILITY ISSUES IDENTIFIED THROUGH DATA ANALYSES INELIGIBLE PROVIDERS?SUSPENDED LICENSES OR LICENSE WITH LIMITATIONS. Based on our comparison of the suspended provider license listing from DORA and provider information within Colorado interChange, we identified 13 ineligible providers who had their license suspended or had a license with limitations for part of Fiscal Year 2020, but continued to be shown as active, which means eligible, in Colorado interChange, as follows: ? 13 providers had their licenses suspended by DORA during Fiscal Year 2020; however, instead of terminating these providers in accordance with federal and state regulations, the Department marked these providers as active within Colorado interChange. For four of the 13 providers, the Department did not take any action to prevent them from billing for services during the year. For the remaining nine providers, the Department placed billing restrictions on the providers after DORA?s suspension date. Specifically, for six of these nine providers, the Department placed billing restrictions on the providers within 1 to 2 months and for the remaining three providers, placed the billing restrictions on the providers between 3 to 12 months after DORA?s suspension date. Based on additional testing, we determined that no payments were made to these providers after their licenses were suspended by DORA and therefore, we did not identify any questioned costs associated with these providers. ? One provider had its license listed as active with conditions on DORA?s website from April 10, 2020, through June 30, 2020, but the Department did not terminate the provider due to current limitations on the license; instead, the provider was marked as active in Colorado interChange and continued to bill claims and receive payments during the fiscal year. We determined that the provider?s current license limitations did not restrict the provider?s ability to render services. Therefore, the provider was eligible and no questioned costs were noted. However, the Department did not document their determination to keep this provider enrolled with current license limitations. In addition, we noted that this provider?s license expired in Colorado interChange as of October 2016, however, DORA?s website showed the provider with an active license, or license with limitations, during Fiscal Year 2020. The fiscal agent did not update license information as required by the contract. ELIGIBILITY CASE FILE ISSUES MISSING DOCUMENTATION AND LICENSE INFORMATION. For five of 45 providers (11 percent), the Department did not ensure that the fiscal agent maintained the support of the most current medical license information as of June 30, 2020, within Colorado interChange to demonstrate that the provider was eligible to provide services. After we brought the issue to the Department?s attention, the Department provided the documentation. Additionally, for two of these five providers, we found that the medical license information maintained by the fiscal agent in Colorado interChange differed from the license information contained in the DORA database. For example, in one case, the provider?s license showed an expiration date of September 30, 2019, in Colorado interChange, while the accurate license expiration date in DORA?s database was September 30, 2021. Without the most current license information, the fiscal agent cannot appropriately verify ongoing eligibility for the providers. WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls in place over the provider eligibility process during Fiscal Year 2020 to ensure that it complied with federal and state regulations. ? INEFFECTIVE REVIEW OF PROVIDER LICENSES. The Department lacks an effective review process to ensure the license information in DORA?s database matches the license information in Colorado interChange in order to identify suspended providers, to document their determination to keep a provider enrolled with license limitations, and providers with expired licenses. In addition, the Department?s manual review did not ensure that suspended providers, providers with license limitations and providers with expired licenses were terminated and restricted in a timely manner. ? POLICIES AND PROCEDURES NOT UPDATED. The Department did not obtain CMS guidance until May 2021 to document their determinations to keep providers with license limitations enrolled when a license limitation did not restrict provider?s ability to render services. Therefore, the Department?s current policies and procedures are not updated to match CMS guidance. ? LACK OF EFFECTIVE TRAINING AND MONITORING. The Department was not effectively training and monitoring its fiscal agent to ensure that copies of active medical licenses are maintained within providers? files in Colorado interChange. Additionally, the fiscal agent did not properly update the provider?s license information in Colorado interChange to match the DORA database during Fiscal Year 2020. WHY DO THESE PROBLEMS MATTER? By not ensuring that appropriate internal controls, including policies and procedures, reviews, training, and monitoring, are in place over the Medicaid and CBHP provider eligibility process, the Department cannot ensure that all Medicaid and CBHP providers are eligible to participate in the programs. Additionally, without an effective review process to update provider licensure information within Colorado interChange, the Department cannot ensure that the enrolled providers are eligible to receive payments. Ensuring that providers contained in Colorado interChange are eligible to provide services is especially important to prevent any improper payments. Overall, the State could risk losing federal Medicaid and CBHP funding if it allows ineligible providers to bill and be paid for services provided for these programs. Furthermore, the State may lose federal Medicaid money if the Department does not recover any of the payments made to ineligible providers. State statute [Section 25.5-4-301(2), C.R.S.] indicates that any overpayments of claims to providers are recoverable. These overpayments ?shall be recoverable regardless of whether the overpayment is the result of an error by the state department, a county department of social services, an entity acting on behalf of either department, or by the provider or any agent of the provider.? See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-039 The Department of Health Care Policy and Financing (Department) should improve its internal controls over the Medicaid and Children?s Basic Health Plan provider eligibility determination to ensure that it complies with federal and state requirements by: A Improving the Department?s review process of provider licenses to ensure the license information in the Department of Regulatory Agencies (DORA) license database matches the license information in the Colorado interChange system and ensuring timely termination and imposing restrictions for the provider?s whose licenses are suspended or expired. B Updating the current policies and procedures to match Centers for Medicare and Medicaid Services guidance to ensure there is adequate documentation of the determinations for providers with license limitations. C Effectively training and monitoring its fiscal agent to ensure that copies of active licenses are maintained and provider license information in the Colorado interChange system matches the information in DORA?s license database. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will update its policies and procedures to ensure that the process for reviewing whether a license action requires termination or a restriction in the Colorado interChange, is documented and implemented in a timely manner to prevent payments to ineligible providers. As noted in OSA's finding, it is best practice for the Department to verify providers meet these standards on an ongoing basis between initial enrollment and revalidation to ensure there are no current limitations on the provider?s license, including those that have expired. The Department?s previous process was discontinued due to data matching issues between DORA and the Colorado interChange. However, letters continue to be sent to providers with upcoming expiring licenses prompting them to add current license information to their provider file. The Department plans to implement a system change that will make the data feed from DORA functional and install a front-end claims edit that will prevent claims from providers with an expired license from paying. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will update its policies and procedures to ensure that all determinations made on whether a provider has a limitation on its license are properly documented. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department has an established process to train and monitor its fiscal agent. The Department will continue to monitor the Fiscal Agent through reports, meetings, and quarterly audit review processes. The Department and the Fiscal Agent will continue to collaborate to improve the process in which required documentation is collected and maintained.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-064 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide emergency financial assistance to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the University under the Higher Education Emergency Relief Fund (HEERF I) Program. The federal Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the federal American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Each of the University?s campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (DOE) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements of the HEERF program there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The DOE specified that the Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The University?s campuses are required to submit the annual report directly to the DOE. During Fiscal Year 2022, each University campus was required to complete and post 8 reports (four Student Aid and four Institutional) to their website. During Fiscal Year 2022, the University?s three campuses in total expended approximately $60 million in HEERF grant funds: $27 million was expended by the Boulder campus, $10.5 million was expended by the Colorado Springs campus, and $22.5 million was expended by the Denver campus. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over and complied with the HEERF grant reporting requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls over the HEERF grant reporting requirements. In addition, we tested 11 of the 12 student reports and 3 of the 12 institutional reports posted by the University during Fiscal Year 2022 to determine whether the University campuses posted the required information on each campus? website accurately, and by the federal due dates. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? The DOE issued a notice on May 13, 2021, requiring institutions to publicly post their required HEERF reports on the institution?s website as soon as possible, but no later than 30 days after the publication of the notice, or 30 days after the date the DOE first obligated funds under HEERF I, II, or III to the institution for emergency financial assistance to students; whichever comes later. The institution is required to post the report no later than 10 days after the end of each calendar quarter, after the initial posting. ? Federal regulation [2 CFR 200.303] states that the System?s campuses, as federal grant recipients, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? What problem did the audit work identify? We identified 2 out of the 14 reports tested (14.3 percent) that did not meet the HEERF grant report posting requirements. Specifically, the University of Colorado, Colorado Springs Campus, did not post the required information for the HEERF Student Aid Portion on its website for two of four quarters of Fiscal Year 2022 timely. First, the University posted the quarter-ending September 30, 2021 report to its website on December 23, 2021, or 74 days after the deadline of October 10. Second, the University did not post the quarter-ending March 31, 2022 report, which was due April 10, 2022, until October 2022, after we notified them of the error; this was approximately 6 months late. We did not identify any issues with the accuracy of the reports, and we found that the other two campuses in the University of Colorado System posted the required information on their respective websites as required by federal regulations. Why did this problem occur? The University?s Colorado Springs campus did not have adequate internal controls in place to ensure it complied with the HEERF grant reporting requirements. Specifically, the Colorado Springs Campus did not have appropriate policies and procedures in place for identifying and researching changes in HEERF reporting requirements. The federal government updated and provided a new form for HEERF reporting in September 2021 that included a section for institutional information but inadvertently excluded student information from the form. Because the form no longer required the student information, the Colorado Springs campus staff inaccurately assumed that the student information was no longer required to be reported. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in the DOE Certification and Agreement that is signed and agreed to by the University. By failing to report required information in accordance with federal regulations, the University failed to comply with the requirements of the HEERF program and potentially risks repercussions from the DOE as specified in the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-064 The University of Colorado?s Colorado Springs campus should strengthen its internal controls over and ensure that it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by establishing policies and procedures for identifying and researching changes in HEERF reporting requirements and posting reports to the campus website as required by federal regulations. Response University of Colorado Agree Implementation Date: Implemented Management agrees. After the notification of the missing HEERF report in December 2021, the UCCS Controller proposed a ?cross-check? process to ensure all future reporting is in compliance and reported in a timely manner. This process is used for both the quarterly and annual reporting process. In the quarterly reporting process, the UCCS Controller completes the institutional report and emails the report to the UCCS Financial Aid office Senior Executive Director for verification of the amounts and the data submitted. The Senior Executive Director then enters the student aid portion?s information and provides this to the UCCS Controller for verification of the data. Once verified, the report is uploaded to the UCCS website and a confirmation email is sent to the UCCS Controller as well as the heerfreporting@ed.gov for verification of completion of the website posting. This process has been duplicated with the annual reporting process. Before the annual report is submitted a review will be done to verify the report figures match the CU financials for the calendar year.
Finding 2022-062 Higher Education Emergency Relief Fund Student Aid Finding The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to higher education institutions, including the University, under the HEERF program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA) was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. Since March 11, 2021, the University has been awarded $45.6 million in HEERF grant funds through the American Rescue Plan (ARP), otherwise known as HEERF III. Of this award, the University was provided both 1) Student Aid monies, along with 2) Institutional Aid monies. Student Aid monies must be used to provide financial aid grants to students (including students exclusively enrolled in distance education), which may be used for ?any component of the student?s cost of attendance or for emergency costs that arise due to coronavirus, such as tuition, food, housing, healthcare (including mental health care), or childcare. Institutional Aid monies may be used to defray expenses associated with coronavirus (including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll) and to make additional financial grants to students. During Fiscal Year 2022, the University spent $21.0 million for the Student Aid portion and $20.2 million for the Institutional portion of HEERF III funds. For the Student Aid portion of the HEERF III funding, the University divided the funding into different groups. The University developed a written plan (that applied during Fiscal Year 2022) for each group and a control process for awarding the monies to students. One of the groups of funding was to be awarded to students with unpaid balances in their tuition or auxiliary accounts with past due balances incurred during the 2020-2021 or 2021-2022 academic years. A team of University employees (CARES Team) was tasked with identifying those students, then contacting those students and asking if they would like the University to apply the student?s HEERF award to pay down the student?s account balance or pay it to the student directly. Once the student informed the University of their election, then the University awarded and disbursed the funds. What was the purpose of our audit work and what was performed? The purpose of the audit work was to determine whether the University was in compliance with the HEERF program regulations for awarding and paying the Student Aid portion of the HEERF funding, and whether proper controls were in place over the program during Fiscal Year 2022. Our testing included conducting interviews with management and selecting a sample of 60 disbursements made to students during Fiscal Year 2022 to test controls and compliance. We performed testing on the 60 disbursements to determine whether awards and disbursements were made in accordance with the University?s documented plan. How were the results of the audit work measured? In accordance with HEERF III requirements, the University must prioritize student aid distributions to students with exceptional needs. In addition, the University must have a documented plan to distribute funds to students. Federal regulations [2 CFR 200.303] require any non-federal grant award recipient to establish and maintain effective internal control over the federal award that provides reasonable assurance that the grant award recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. Lastly, student aid application best practices discourage employees from awarding aid to family members. What problem did the audit work identify? Based on interviews with University management, the University identified that a University employee inappropriately provided $700 in HEERF Student Aid funding to the employee?s family member who was a student at the University but was not eligible to receive the funds. Specifically, the CARES Team selected students to receive these funds that met the following criteria: 1) Student was enrolled in the Fall of 2021 or Spring 2022, 2) student had past due balances incurred during the 2020-2021 or 2021-2022 academic years, 3) the student was in good academic standing, and 4) they were participating in a payment plan or in the College Completion Advising program. The student was not selected by the CARES Team as eligible to receive these funds. During our testing of additional 60 student disbursement transactions we found no other exceptions. Why did this problem occur? The University has not established proper segregation of duties to prevent University employees from awarding federal funding to a member of their family. Specifically, the employee had access rights within the University?s financial aid system that granted the employee the ability to both award and disburse federal funds without another employee reviewing or approving. In addition, the University did not have a written policy, as recommended by industry best practices, that prohibits employees from applying aid to family members? accounts. Why does this problem matter? Federal funds that are misapplied or used for unallowable purposes could be subject to repayment from the University to the federal granting agency. Without ensuring adequate segregation of duties within the University?s financial aid system for awarding and disbursing federal funds, the University increases the risk that fraud could occur. In the instance identified, the University recovered the funding from the student. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-062 Metropolitan State University of Denver (University) should improve its internal controls over federal Higher Education Emergency Relief Funds by instituting appropriate segregation of duties over the awarding of federal funds to students. This should include requiring that no one employee can both award then disburse aid to students and developing and implementing a formal written policy that prohibits University employees from awarding financial aid to their family members. Response Metropolitan State University Agree Implementation Date: June 2023 In January 2023, the Executive Director of Financial Aid and Scholarships implemented a code of conduct that addresses and prohibits University personnel from awarding financial aid to their family members or other persons considered conflicts of interest. The Office of Financial Aid and Scholarships will draft policy by June 30, 2023, to address the segregation of duties that prohibits awarding and disbursing federal, state, or institutional funding to students by one employee.
Finding 2022-063 Higher Education Emergency Relief Fund Reporting Compliance Finding The CARES Act was signed into law on March 27, 2020, and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the (HEERF Program. CRRSAA was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Since April 2020, the University has been awarded a total of $86.3 million in HEERF funding. From inception through June 30, 2022, the University spent $35.4 million for the HEERF program Student Aid Portion and $48.9 million for the HEERF program Institutional Portion. The University reports that it will spend the remaining amount of funding during Fiscal Year 2023. The University signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate the University?s acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The ED specified that Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The annual report is to be submitted directly to the federal ED. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University had adequate internal controls in place over and complied with HEERF Institutional and Student Aid Portion grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the University?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 5 of the 8 HEERF reports submitted by the University during Fiscal Year 2022 to determine whether the reports were posted on the University?s primary website or submitted directly to the ED by the federal due dates and complied with federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? For the Student Aid Portion, beginning on May 6, 2020, the ED required institutions to publicly post certain information on their website, including the number of awards distributed to students, the total amount awarded, and the methodologies used by the institution to determine which students receive awards, no later than 30 days after the award date, and to update that information every 45 days thereafter (by posting a new report). ? On August 31, 2020, the ED revised the reporting requirement by decreasing the frequency of reporting after the initial 30-day period from every 45 days thereafter to every calendar quarter. This revision from every 45 days to a calendar quarter was effective for the first calendar quarter report due by October 10, 2020, and covering the period from after the institution?s last report through the end of the calendar quarter on September 30, 2020. ? For the Institutional Portion, a federal form filled out by the institution must be posted on the institution?s website covering aggregate expenditure amounts for each calendar quarter (September 30, December 31, March 31, and June 30) and concluding after an institution has spent the institutional portion of their HEERF Funds. The institution must post their first report by October 30, 2020, the first quarter of 2021 report by July 20, 2021, and post all other reports no later than 10 days after the end of each calendar quarter (October 10, January 10, April 10, and July 10). ? Section 18004(e) of the CARES Act and Section 314(e) of the CRRSAA require an institution receiving funds under HEERF to submit a report to the Secretary of the ED at ?such time in such a manner as the Secretary may require?. ? Federal regulation [2 CFR 200.334] states that ?financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.? The instructions for the Quarterly HEERF Reporting Form notes, ?any changes or updates after the initial posting must be conspicuously noted after initial posting and the date of the change must be noted in the `Date of Report? line.? ? Federal regulation [2 CFR 200.303] states that the University, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The University signed a HEERF Certification and Agreement to accept the funding and acknowledge its responsibilities under the grant; therefore, the University was responsible under the Agreement to ensure that it complied with HEERF reporting and other requirements. What problems did the audit work identify? We determined that 2 out of 5 reports tested (40 percent) did not meet the HEERF grant report posting requirements. Specifically: ? The University did not post the HEERF CRRSAA Student quarterly report for the quarter ending September 30, 2021 on the University?s primary website, as required. ? The University published the HEERF ARP Student quarterly report for the quarter ending March 31, 2022 on May 26, 2022?46 days past the due date of April 10, 2022. No issues were noted on the accuracy of the financial information on this report. Why did these problems occur? The University did not implement adequate internal controls to ensure it complied with the HEERF grant reporting requirements. Specifically, the University did not have appropriate policies and procedures in place to ensure that staff submit the required reports within federally required timeframes. Why do these problems matter? Federal oversight agencies, including ED, depend on accurate reports to measure program results and states? compliance with federal requirements. By failing to report the HEERF spending information in accordance with federal regulations, the University failed to comply with the requirements of the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-063 Metropolitan State University of Denver (University) should strengthen its internal controls over reporting and ensure it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by developing and documenting policies and procedures for identifying and researching the specific reporting requirements and ensuring that staff post to the University?s website the required reports within federally required timeframes. In addition, the University should ensure that all the HEERF reports that are currently required to be posted are on the website. Response Metropolitan State University Agree Implementation Date: December 2022 In December 2022, the Office of Financial Aid strengthened its internal control over the reporting requirements for the Higher Education Emergency Relief Fund (HEERF), by adding the report due dates to the internal operational calendar. Additional level reviews were also added to the submission process before the required reports will be sent to the Department of Education and posted on the financial aid website.
Finding 2022-059 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF I) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund (Assistance Listing No. 84.425). The HEERF program contains two portions: the Student Aid portion (Assistance Listing No. 84.425E) and the Institutional portion, which is made up of the following: HEERF Institutional Aid Portion (Assistance Listing No. 84.425F), HEERF Minority Serving Institutions (Assistance Listing No. 84.425L), HEERF Strengthening Institutions Program (Assistance Listing No. 84.425M), Institutional Resilience and Expanded Postsecondary Opportunity (Assistance Listing No. 84.425P), and HEERF Supplemental Assistance to Institutions of Higher Education program (Assistance Listing No. 84.425S). Amounts provided to students through HEERF are considered to be ?Emergency Financial Aid Grants to Students? under the Program. Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent approximately $97.8 million for the HEERF program Student Aid portion which is used to award Emergency Financial Aid Grants to students and $113.9 million for the HEERF Institutional Portion, which is used to support the colleges. $117.3 of this amount was expended by the System during Fiscal Year 2022. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the ED to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The annual report is to be submitted directly to the ED. The ED has specified certain criteria that must be included in each report. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System had adequate internal controls in place over, and complied with, the HEERF Institutional and Student Aid grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the System?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 25 of the 117 HEERF reports submitted by the System?s campuses during Fiscal Year 2022 to determine whether the reports were posted on each campus? primary website (quarterly reports) or submitted to ED (annual reports) by the federal due dates. Furthermore, for the Student Aid Quarterly Report we requested from each Campus the underlying support for the reports, which consisted of student data detailing how much aid was awarded and the methods the campuses used to determine which students would receive Emergency Financial Aid Grants. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? On May 13, 2021, the ED published in the Federal Register a notice for student aid public reporting under CRRSAA and ARP, which requires that institutions publicly post certain information on their website. The following information must appear in a format and location that is easily accessible to the public: o An acknowledgement that the institution signed and returned to the ED the Certification and Agreement and the assurance that the institution has used the applicable amount of funds designated under the CRRSAA and ARP programs to provide Emergency Financial Aid Grants to Students. o The total amount of funds that the institution will receive or has received from the ED pursuant to the institution's Certification and Agreement for Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total amount of Emergency Financial Aid Grants distributed to students under the CRRSAA and ARP programs as of the date of submission (i.e., as of the initial report and every calendar quarter thereafter). o The estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total number of students who have received an Emergency Financial Aid Grant to students under the CRRSAA and ARP programs. o The method(s) used by the institution to determine which students receive Emergency Financial Aid Grants and how much they would receive under the CRRSAA and ARP programs. o Any instructions, directions, or guidance provided by the institution to students concerning the Emergency Financial Aid Grants. ? Federal Uniform Guidance [2 CFR 200.303] requires that recipients of federal awards have internal controls in place to ensure that federal reports are accurate and report complete information. Appropriate supporting documentation is evidence of such internal controls. What problems did the audit work identify? We identified issues with 5 of the 25 Fiscal Year 2022 reports we tested (20 percent). Specifically, Front Range Community College (FRCC), Pueblo Community College (PCC), and Lamar Community College (LCC) could not provide appropriate supporting documentation for one or more of the following data elements in five of the Student Aid Quarterly Reports: student data detailing (a) the total amount of Emergency Financial Aid Grants distributed to students, (b) the total number of students eligible to receive Emergency Financial Aid Grants and/or (c) the total number of students at the institution who have received an Emergency Financial Aid Grant. The specific issues we found the following: ? FRCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended September 30, 2021 as 20,684; based on our review, we determined the supported number was 20,782. ? FRCC reported the total number of students at the institution who have received an Emergency Financial Aid Grant for the quarter ended June 30, 2022 as 20,385 (student portion) and 3,207 (institutional portion); based on our review, we determined the supported numbers were 20,401 and 3,222, respectively. ? LCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended June 30, 2022 as 1,007; based on our review, we determined the supported number was 1,034. In addition, the amount disbursed directly to student emergency financial aid grants to date was reported as 961 and total for all HEERF funds was 1,124; based on our review, we determined the supported numbers were 988 and 1,151, respectively. ? PCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarters ending September 30, 2021 and December 31, 2021 as 3,191; based on our review, we determined this amount could not be supported and PCC did not provide a revised count. Why did these problems occur? FRCC, PCC, and LCC campuses did not have procedures in place to ensure that supporting documentation was maintained for its Student Aid Quarterly Reporting. Employee turnover in the FRCC Controller position and FRCC, PCC, and LCC Student Financial Aid Director positions further contributed to FRCC, PCC, and LCC?s inability to locate or recreate the supporting documentation. Why do these problems matter? It is important for FRCC, PCC, and LCC to ensure that they obtain and maintain appropriate documentation to support amounts reported to federal awarding agencies, especially when they are the basis for determining FRCC, PCC, and LCC?s compliance with specific federal program requirements. This issue could lead to inaccurate federal reporting and potential noncompliance, which could result in the federal government requiring FRCC, PCC, and LCC to return funds or a negative impact to the System?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-059 Front Range Community College, Lamar Community College, and Pueblo Community College campuses should strengthen their internal controls over federal reporting and ensure they comply with the Higher Education Emergency Relief Fund reporting requirements by reviewing reports for accuracy and developing procedures for ensuring the required maintenance of all related supporting documentation. Response Front Range Community College Agree Implementation Date: September 2022 Moving forward the Director of Financial Aid will engage the Restricted Funds Accountants in a quality assurance review of both dollars spent, type of fund, and student counts before it is submitted for final review and publishing by the Director of Resource Development and Senior Grant Administrator. The most recently submitted information for the quarterly report of September 30, 2022 will be sent to the Restricted Funds Accountants to validate that FRCC has been and will continue to be in compliance for quarterly HEERF reporting. Response Lamar Community College Agree Implementation Date: July 2022 The Financial Aid Director and the Controller will compile their reporting support on the shared drive they utilize for other routine purposes as well, to ensure clear documentation of the numbers reported. The original report containing errors was corrected, validated, and reposted. All past year?s reporting data was made available on the shared drive as of July 2022. Response Pueblo Community College Agree Implementation Date: October 2022 Each quarter Financial aid will obtain and compare Cognos and Banner disbursement reports for accuracy. Once the unduplicated student count is determined it will be sent to the Vice President of Student Success to validate and approve going forward. Financial aid will ensure staff maintain supporting documentation for any institutional expenditures information that was obtained from the fiscal office. Disbursement and expenditure data will be compiled for the Department of Education?s Quarterly Report by the submission deadline and will be submitted as PDF to webmaster for posting on PCC?s website and a copy emailed to a contact at the Department of Education and will archive the submission for future reference.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-064 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide emergency financial assistance to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the University under the Higher Education Emergency Relief Fund (HEERF I) Program. The federal Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the federal American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Each of the University?s campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (DOE) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements of the HEERF program there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The DOE specified that the Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The University?s campuses are required to submit the annual report directly to the DOE. During Fiscal Year 2022, each University campus was required to complete and post 8 reports (four Student Aid and four Institutional) to their website. During Fiscal Year 2022, the University?s three campuses in total expended approximately $60 million in HEERF grant funds: $27 million was expended by the Boulder campus, $10.5 million was expended by the Colorado Springs campus, and $22.5 million was expended by the Denver campus. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over and complied with the HEERF grant reporting requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls over the HEERF grant reporting requirements. In addition, we tested 11 of the 12 student reports and 3 of the 12 institutional reports posted by the University during Fiscal Year 2022 to determine whether the University campuses posted the required information on each campus? website accurately, and by the federal due dates. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? The DOE issued a notice on May 13, 2021, requiring institutions to publicly post their required HEERF reports on the institution?s website as soon as possible, but no later than 30 days after the publication of the notice, or 30 days after the date the DOE first obligated funds under HEERF I, II, or III to the institution for emergency financial assistance to students; whichever comes later. The institution is required to post the report no later than 10 days after the end of each calendar quarter, after the initial posting. ? Federal regulation [2 CFR 200.303] states that the System?s campuses, as federal grant recipients, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? What problem did the audit work identify? We identified 2 out of the 14 reports tested (14.3 percent) that did not meet the HEERF grant report posting requirements. Specifically, the University of Colorado, Colorado Springs Campus, did not post the required information for the HEERF Student Aid Portion on its website for two of four quarters of Fiscal Year 2022 timely. First, the University posted the quarter-ending September 30, 2021 report to its website on December 23, 2021, or 74 days after the deadline of October 10. Second, the University did not post the quarter-ending March 31, 2022 report, which was due April 10, 2022, until October 2022, after we notified them of the error; this was approximately 6 months late. We did not identify any issues with the accuracy of the reports, and we found that the other two campuses in the University of Colorado System posted the required information on their respective websites as required by federal regulations. Why did this problem occur? The University?s Colorado Springs campus did not have adequate internal controls in place to ensure it complied with the HEERF grant reporting requirements. Specifically, the Colorado Springs Campus did not have appropriate policies and procedures in place for identifying and researching changes in HEERF reporting requirements. The federal government updated and provided a new form for HEERF reporting in September 2021 that included a section for institutional information but inadvertently excluded student information from the form. Because the form no longer required the student information, the Colorado Springs campus staff inaccurately assumed that the student information was no longer required to be reported. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in the DOE Certification and Agreement that is signed and agreed to by the University. By failing to report required information in accordance with federal regulations, the University failed to comply with the requirements of the HEERF program and potentially risks repercussions from the DOE as specified in the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-064 The University of Colorado?s Colorado Springs campus should strengthen its internal controls over and ensure that it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by establishing policies and procedures for identifying and researching changes in HEERF reporting requirements and posting reports to the campus website as required by federal regulations. Response University of Colorado Agree Implementation Date: Implemented Management agrees. After the notification of the missing HEERF report in December 2021, the UCCS Controller proposed a ?cross-check? process to ensure all future reporting is in compliance and reported in a timely manner. This process is used for both the quarterly and annual reporting process. In the quarterly reporting process, the UCCS Controller completes the institutional report and emails the report to the UCCS Financial Aid office Senior Executive Director for verification of the amounts and the data submitted. The Senior Executive Director then enters the student aid portion?s information and provides this to the UCCS Controller for verification of the data. Once verified, the report is uploaded to the UCCS website and a confirmation email is sent to the UCCS Controller as well as the heerfreporting@ed.gov for verification of completion of the website posting. This process has been duplicated with the annual reporting process. Before the annual report is submitted a review will be done to verify the report figures match the CU financials for the calendar year.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-059 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF I) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund (Assistance Listing No. 84.425). The HEERF program contains two portions: the Student Aid portion (Assistance Listing No. 84.425E) and the Institutional portion, which is made up of the following: HEERF Institutional Aid Portion (Assistance Listing No. 84.425F), HEERF Minority Serving Institutions (Assistance Listing No. 84.425L), HEERF Strengthening Institutions Program (Assistance Listing No. 84.425M), Institutional Resilience and Expanded Postsecondary Opportunity (Assistance Listing No. 84.425P), and HEERF Supplemental Assistance to Institutions of Higher Education program (Assistance Listing No. 84.425S). Amounts provided to students through HEERF are considered to be ?Emergency Financial Aid Grants to Students? under the Program. Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent approximately $97.8 million for the HEERF program Student Aid portion which is used to award Emergency Financial Aid Grants to students and $113.9 million for the HEERF Institutional Portion, which is used to support the colleges. $117.3 of this amount was expended by the System during Fiscal Year 2022. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the ED to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The annual report is to be submitted directly to the ED. The ED has specified certain criteria that must be included in each report. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System had adequate internal controls in place over, and complied with, the HEERF Institutional and Student Aid grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the System?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 25 of the 117 HEERF reports submitted by the System?s campuses during Fiscal Year 2022 to determine whether the reports were posted on each campus? primary website (quarterly reports) or submitted to ED (annual reports) by the federal due dates. Furthermore, for the Student Aid Quarterly Report we requested from each Campus the underlying support for the reports, which consisted of student data detailing how much aid was awarded and the methods the campuses used to determine which students would receive Emergency Financial Aid Grants. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? On May 13, 2021, the ED published in the Federal Register a notice for student aid public reporting under CRRSAA and ARP, which requires that institutions publicly post certain information on their website. The following information must appear in a format and location that is easily accessible to the public: o An acknowledgement that the institution signed and returned to the ED the Certification and Agreement and the assurance that the institution has used the applicable amount of funds designated under the CRRSAA and ARP programs to provide Emergency Financial Aid Grants to Students. o The total amount of funds that the institution will receive or has received from the ED pursuant to the institution's Certification and Agreement for Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total amount of Emergency Financial Aid Grants distributed to students under the CRRSAA and ARP programs as of the date of submission (i.e., as of the initial report and every calendar quarter thereafter). o The estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total number of students who have received an Emergency Financial Aid Grant to students under the CRRSAA and ARP programs. o The method(s) used by the institution to determine which students receive Emergency Financial Aid Grants and how much they would receive under the CRRSAA and ARP programs. o Any instructions, directions, or guidance provided by the institution to students concerning the Emergency Financial Aid Grants. ? Federal Uniform Guidance [2 CFR 200.303] requires that recipients of federal awards have internal controls in place to ensure that federal reports are accurate and report complete information. Appropriate supporting documentation is evidence of such internal controls. What problems did the audit work identify? We identified issues with 5 of the 25 Fiscal Year 2022 reports we tested (20 percent). Specifically, Front Range Community College (FRCC), Pueblo Community College (PCC), and Lamar Community College (LCC) could not provide appropriate supporting documentation for one or more of the following data elements in five of the Student Aid Quarterly Reports: student data detailing (a) the total amount of Emergency Financial Aid Grants distributed to students, (b) the total number of students eligible to receive Emergency Financial Aid Grants and/or (c) the total number of students at the institution who have received an Emergency Financial Aid Grant. The specific issues we found the following: ? FRCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended September 30, 2021 as 20,684; based on our review, we determined the supported number was 20,782. ? FRCC reported the total number of students at the institution who have received an Emergency Financial Aid Grant for the quarter ended June 30, 2022 as 20,385 (student portion) and 3,207 (institutional portion); based on our review, we determined the supported numbers were 20,401 and 3,222, respectively. ? LCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended June 30, 2022 as 1,007; based on our review, we determined the supported number was 1,034. In addition, the amount disbursed directly to student emergency financial aid grants to date was reported as 961 and total for all HEERF funds was 1,124; based on our review, we determined the supported numbers were 988 and 1,151, respectively. ? PCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarters ending September 30, 2021 and December 31, 2021 as 3,191; based on our review, we determined this amount could not be supported and PCC did not provide a revised count. Why did these problems occur? FRCC, PCC, and LCC campuses did not have procedures in place to ensure that supporting documentation was maintained for its Student Aid Quarterly Reporting. Employee turnover in the FRCC Controller position and FRCC, PCC, and LCC Student Financial Aid Director positions further contributed to FRCC, PCC, and LCC?s inability to locate or recreate the supporting documentation. Why do these problems matter? It is important for FRCC, PCC, and LCC to ensure that they obtain and maintain appropriate documentation to support amounts reported to federal awarding agencies, especially when they are the basis for determining FRCC, PCC, and LCC?s compliance with specific federal program requirements. This issue could lead to inaccurate federal reporting and potential noncompliance, which could result in the federal government requiring FRCC, PCC, and LCC to return funds or a negative impact to the System?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-059 Front Range Community College, Lamar Community College, and Pueblo Community College campuses should strengthen their internal controls over federal reporting and ensure they comply with the Higher Education Emergency Relief Fund reporting requirements by reviewing reports for accuracy and developing procedures for ensuring the required maintenance of all related supporting documentation. Response Front Range Community College Agree Implementation Date: September 2022 Moving forward the Director of Financial Aid will engage the Restricted Funds Accountants in a quality assurance review of both dollars spent, type of fund, and student counts before it is submitted for final review and publishing by the Director of Resource Development and Senior Grant Administrator. The most recently submitted information for the quarterly report of September 30, 2022 will be sent to the Restricted Funds Accountants to validate that FRCC has been and will continue to be in compliance for quarterly HEERF reporting. Response Lamar Community College Agree Implementation Date: July 2022 The Financial Aid Director and the Controller will compile their reporting support on the shared drive they utilize for other routine purposes as well, to ensure clear documentation of the numbers reported. The original report containing errors was corrected, validated, and reposted. All past year?s reporting data was made available on the shared drive as of July 2022. Response Pueblo Community College Agree Implementation Date: October 2022 Each quarter Financial aid will obtain and compare Cognos and Banner disbursement reports for accuracy. Once the unduplicated student count is determined it will be sent to the Vice President of Student Success to validate and approve going forward. Financial aid will ensure staff maintain supporting documentation for any institutional expenditures information that was obtained from the fiscal office. Disbursement and expenditure data will be compiled for the Department of Education?s Quarterly Report by the submission deadline and will be submitted as PDF to webmaster for posting on PCC?s website and a copy emailed to a contact at the Department of Education and will archive the submission for future reference.
Finding 2022-062 Higher Education Emergency Relief Fund Student Aid Finding The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to higher education institutions, including the University, under the HEERF program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA) was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. Since March 11, 2021, the University has been awarded $45.6 million in HEERF grant funds through the American Rescue Plan (ARP), otherwise known as HEERF III. Of this award, the University was provided both 1) Student Aid monies, along with 2) Institutional Aid monies. Student Aid monies must be used to provide financial aid grants to students (including students exclusively enrolled in distance education), which may be used for ?any component of the student?s cost of attendance or for emergency costs that arise due to coronavirus, such as tuition, food, housing, healthcare (including mental health care), or childcare. Institutional Aid monies may be used to defray expenses associated with coronavirus (including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll) and to make additional financial grants to students. During Fiscal Year 2022, the University spent $21.0 million for the Student Aid portion and $20.2 million for the Institutional portion of HEERF III funds. For the Student Aid portion of the HEERF III funding, the University divided the funding into different groups. The University developed a written plan (that applied during Fiscal Year 2022) for each group and a control process for awarding the monies to students. One of the groups of funding was to be awarded to students with unpaid balances in their tuition or auxiliary accounts with past due balances incurred during the 2020-2021 or 2021-2022 academic years. A team of University employees (CARES Team) was tasked with identifying those students, then contacting those students and asking if they would like the University to apply the student?s HEERF award to pay down the student?s account balance or pay it to the student directly. Once the student informed the University of their election, then the University awarded and disbursed the funds. What was the purpose of our audit work and what was performed? The purpose of the audit work was to determine whether the University was in compliance with the HEERF program regulations for awarding and paying the Student Aid portion of the HEERF funding, and whether proper controls were in place over the program during Fiscal Year 2022. Our testing included conducting interviews with management and selecting a sample of 60 disbursements made to students during Fiscal Year 2022 to test controls and compliance. We performed testing on the 60 disbursements to determine whether awards and disbursements were made in accordance with the University?s documented plan. How were the results of the audit work measured? In accordance with HEERF III requirements, the University must prioritize student aid distributions to students with exceptional needs. In addition, the University must have a documented plan to distribute funds to students. Federal regulations [2 CFR 200.303] require any non-federal grant award recipient to establish and maintain effective internal control over the federal award that provides reasonable assurance that the grant award recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. Lastly, student aid application best practices discourage employees from awarding aid to family members. What problem did the audit work identify? Based on interviews with University management, the University identified that a University employee inappropriately provided $700 in HEERF Student Aid funding to the employee?s family member who was a student at the University but was not eligible to receive the funds. Specifically, the CARES Team selected students to receive these funds that met the following criteria: 1) Student was enrolled in the Fall of 2021 or Spring 2022, 2) student had past due balances incurred during the 2020-2021 or 2021-2022 academic years, 3) the student was in good academic standing, and 4) they were participating in a payment plan or in the College Completion Advising program. The student was not selected by the CARES Team as eligible to receive these funds. During our testing of additional 60 student disbursement transactions we found no other exceptions. Why did this problem occur? The University has not established proper segregation of duties to prevent University employees from awarding federal funding to a member of their family. Specifically, the employee had access rights within the University?s financial aid system that granted the employee the ability to both award and disburse federal funds without another employee reviewing or approving. In addition, the University did not have a written policy, as recommended by industry best practices, that prohibits employees from applying aid to family members? accounts. Why does this problem matter? Federal funds that are misapplied or used for unallowable purposes could be subject to repayment from the University to the federal granting agency. Without ensuring adequate segregation of duties within the University?s financial aid system for awarding and disbursing federal funds, the University increases the risk that fraud could occur. In the instance identified, the University recovered the funding from the student. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-062 Metropolitan State University of Denver (University) should improve its internal controls over federal Higher Education Emergency Relief Funds by instituting appropriate segregation of duties over the awarding of federal funds to students. This should include requiring that no one employee can both award then disburse aid to students and developing and implementing a formal written policy that prohibits University employees from awarding financial aid to their family members. Response Metropolitan State University Agree Implementation Date: June 2023 In January 2023, the Executive Director of Financial Aid and Scholarships implemented a code of conduct that addresses and prohibits University personnel from awarding financial aid to their family members or other persons considered conflicts of interest. The Office of Financial Aid and Scholarships will draft policy by June 30, 2023, to address the segregation of duties that prohibits awarding and disbursing federal, state, or institutional funding to students by one employee.
Finding 2022-063 Higher Education Emergency Relief Fund Reporting Compliance Finding The CARES Act was signed into law on March 27, 2020, and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the (HEERF Program. CRRSAA was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Since April 2020, the University has been awarded a total of $86.3 million in HEERF funding. From inception through June 30, 2022, the University spent $35.4 million for the HEERF program Student Aid Portion and $48.9 million for the HEERF program Institutional Portion. The University reports that it will spend the remaining amount of funding during Fiscal Year 2023. The University signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate the University?s acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The ED specified that Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The annual report is to be submitted directly to the federal ED. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University had adequate internal controls in place over and complied with HEERF Institutional and Student Aid Portion grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the University?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 5 of the 8 HEERF reports submitted by the University during Fiscal Year 2022 to determine whether the reports were posted on the University?s primary website or submitted directly to the ED by the federal due dates and complied with federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? For the Student Aid Portion, beginning on May 6, 2020, the ED required institutions to publicly post certain information on their website, including the number of awards distributed to students, the total amount awarded, and the methodologies used by the institution to determine which students receive awards, no later than 30 days after the award date, and to update that information every 45 days thereafter (by posting a new report). ? On August 31, 2020, the ED revised the reporting requirement by decreasing the frequency of reporting after the initial 30-day period from every 45 days thereafter to every calendar quarter. This revision from every 45 days to a calendar quarter was effective for the first calendar quarter report due by October 10, 2020, and covering the period from after the institution?s last report through the end of the calendar quarter on September 30, 2020. ? For the Institutional Portion, a federal form filled out by the institution must be posted on the institution?s website covering aggregate expenditure amounts for each calendar quarter (September 30, December 31, March 31, and June 30) and concluding after an institution has spent the institutional portion of their HEERF Funds. The institution must post their first report by October 30, 2020, the first quarter of 2021 report by July 20, 2021, and post all other reports no later than 10 days after the end of each calendar quarter (October 10, January 10, April 10, and July 10). ? Section 18004(e) of the CARES Act and Section 314(e) of the CRRSAA require an institution receiving funds under HEERF to submit a report to the Secretary of the ED at ?such time in such a manner as the Secretary may require?. ? Federal regulation [2 CFR 200.334] states that ?financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.? The instructions for the Quarterly HEERF Reporting Form notes, ?any changes or updates after the initial posting must be conspicuously noted after initial posting and the date of the change must be noted in the `Date of Report? line.? ? Federal regulation [2 CFR 200.303] states that the University, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The University signed a HEERF Certification and Agreement to accept the funding and acknowledge its responsibilities under the grant; therefore, the University was responsible under the Agreement to ensure that it complied with HEERF reporting and other requirements. What problems did the audit work identify? We determined that 2 out of 5 reports tested (40 percent) did not meet the HEERF grant report posting requirements. Specifically: ? The University did not post the HEERF CRRSAA Student quarterly report for the quarter ending September 30, 2021 on the University?s primary website, as required. ? The University published the HEERF ARP Student quarterly report for the quarter ending March 31, 2022 on May 26, 2022?46 days past the due date of April 10, 2022. No issues were noted on the accuracy of the financial information on this report. Why did these problems occur? The University did not implement adequate internal controls to ensure it complied with the HEERF grant reporting requirements. Specifically, the University did not have appropriate policies and procedures in place to ensure that staff submit the required reports within federally required timeframes. Why do these problems matter? Federal oversight agencies, including ED, depend on accurate reports to measure program results and states? compliance with federal requirements. By failing to report the HEERF spending information in accordance with federal regulations, the University failed to comply with the requirements of the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-063 Metropolitan State University of Denver (University) should strengthen its internal controls over reporting and ensure it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by developing and documenting policies and procedures for identifying and researching the specific reporting requirements and ensuring that staff post to the University?s website the required reports within federally required timeframes. In addition, the University should ensure that all the HEERF reports that are currently required to be posted are on the website. Response Metropolitan State University Agree Implementation Date: December 2022 In December 2022, the Office of Financial Aid strengthened its internal control over the reporting requirements for the Higher Education Emergency Relief Fund (HEERF), by adding the report due dates to the internal operational calendar. Additional level reviews were also added to the submission process before the required reports will be sent to the Department of Education and posted on the financial aid website.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-063 Higher Education Emergency Relief Fund Reporting Compliance Finding The CARES Act was signed into law on March 27, 2020, and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the (HEERF Program. CRRSAA was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Since April 2020, the University has been awarded a total of $86.3 million in HEERF funding. From inception through June 30, 2022, the University spent $35.4 million for the HEERF program Student Aid Portion and $48.9 million for the HEERF program Institutional Portion. The University reports that it will spend the remaining amount of funding during Fiscal Year 2023. The University signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate the University?s acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The ED specified that Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The annual report is to be submitted directly to the federal ED. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University had adequate internal controls in place over and complied with HEERF Institutional and Student Aid Portion grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the University?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 5 of the 8 HEERF reports submitted by the University during Fiscal Year 2022 to determine whether the reports were posted on the University?s primary website or submitted directly to the ED by the federal due dates and complied with federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? For the Student Aid Portion, beginning on May 6, 2020, the ED required institutions to publicly post certain information on their website, including the number of awards distributed to students, the total amount awarded, and the methodologies used by the institution to determine which students receive awards, no later than 30 days after the award date, and to update that information every 45 days thereafter (by posting a new report). ? On August 31, 2020, the ED revised the reporting requirement by decreasing the frequency of reporting after the initial 30-day period from every 45 days thereafter to every calendar quarter. This revision from every 45 days to a calendar quarter was effective for the first calendar quarter report due by October 10, 2020, and covering the period from after the institution?s last report through the end of the calendar quarter on September 30, 2020. ? For the Institutional Portion, a federal form filled out by the institution must be posted on the institution?s website covering aggregate expenditure amounts for each calendar quarter (September 30, December 31, March 31, and June 30) and concluding after an institution has spent the institutional portion of their HEERF Funds. The institution must post their first report by October 30, 2020, the first quarter of 2021 report by July 20, 2021, and post all other reports no later than 10 days after the end of each calendar quarter (October 10, January 10, April 10, and July 10). ? Section 18004(e) of the CARES Act and Section 314(e) of the CRRSAA require an institution receiving funds under HEERF to submit a report to the Secretary of the ED at ?such time in such a manner as the Secretary may require?. ? Federal regulation [2 CFR 200.334] states that ?financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.? The instructions for the Quarterly HEERF Reporting Form notes, ?any changes or updates after the initial posting must be conspicuously noted after initial posting and the date of the change must be noted in the `Date of Report? line.? ? Federal regulation [2 CFR 200.303] states that the University, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The University signed a HEERF Certification and Agreement to accept the funding and acknowledge its responsibilities under the grant; therefore, the University was responsible under the Agreement to ensure that it complied with HEERF reporting and other requirements. What problems did the audit work identify? We determined that 2 out of 5 reports tested (40 percent) did not meet the HEERF grant report posting requirements. Specifically: ? The University did not post the HEERF CRRSAA Student quarterly report for the quarter ending September 30, 2021 on the University?s primary website, as required. ? The University published the HEERF ARP Student quarterly report for the quarter ending March 31, 2022 on May 26, 2022?46 days past the due date of April 10, 2022. No issues were noted on the accuracy of the financial information on this report. Why did these problems occur? The University did not implement adequate internal controls to ensure it complied with the HEERF grant reporting requirements. Specifically, the University did not have appropriate policies and procedures in place to ensure that staff submit the required reports within federally required timeframes. Why do these problems matter? Federal oversight agencies, including ED, depend on accurate reports to measure program results and states? compliance with federal requirements. By failing to report the HEERF spending information in accordance with federal regulations, the University failed to comply with the requirements of the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-063 Metropolitan State University of Denver (University) should strengthen its internal controls over reporting and ensure it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by developing and documenting policies and procedures for identifying and researching the specific reporting requirements and ensuring that staff post to the University?s website the required reports within federally required timeframes. In addition, the University should ensure that all the HEERF reports that are currently required to be posted are on the website. Response Metropolitan State University Agree Implementation Date: December 2022 In December 2022, the Office of Financial Aid strengthened its internal control over the reporting requirements for the Higher Education Emergency Relief Fund (HEERF), by adding the report due dates to the internal operational calendar. Additional level reviews were also added to the submission process before the required reports will be sent to the Department of Education and posted on the financial aid website.
Finding 2022-064 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide emergency financial assistance to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the University under the Higher Education Emergency Relief Fund (HEERF I) Program. The federal Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the federal American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Each of the University?s campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (DOE) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements of the HEERF program there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The DOE specified that the Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The University?s campuses are required to submit the annual report directly to the DOE. During Fiscal Year 2022, each University campus was required to complete and post 8 reports (four Student Aid and four Institutional) to their website. During Fiscal Year 2022, the University?s three campuses in total expended approximately $60 million in HEERF grant funds: $27 million was expended by the Boulder campus, $10.5 million was expended by the Colorado Springs campus, and $22.5 million was expended by the Denver campus. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over and complied with the HEERF grant reporting requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls over the HEERF grant reporting requirements. In addition, we tested 11 of the 12 student reports and 3 of the 12 institutional reports posted by the University during Fiscal Year 2022 to determine whether the University campuses posted the required information on each campus? website accurately, and by the federal due dates. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? The DOE issued a notice on May 13, 2021, requiring institutions to publicly post their required HEERF reports on the institution?s website as soon as possible, but no later than 30 days after the publication of the notice, or 30 days after the date the DOE first obligated funds under HEERF I, II, or III to the institution for emergency financial assistance to students; whichever comes later. The institution is required to post the report no later than 10 days after the end of each calendar quarter, after the initial posting. ? Federal regulation [2 CFR 200.303] states that the System?s campuses, as federal grant recipients, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? What problem did the audit work identify? We identified 2 out of the 14 reports tested (14.3 percent) that did not meet the HEERF grant report posting requirements. Specifically, the University of Colorado, Colorado Springs Campus, did not post the required information for the HEERF Student Aid Portion on its website for two of four quarters of Fiscal Year 2022 timely. First, the University posted the quarter-ending September 30, 2021 report to its website on December 23, 2021, or 74 days after the deadline of October 10. Second, the University did not post the quarter-ending March 31, 2022 report, which was due April 10, 2022, until October 2022, after we notified them of the error; this was approximately 6 months late. We did not identify any issues with the accuracy of the reports, and we found that the other two campuses in the University of Colorado System posted the required information on their respective websites as required by federal regulations. Why did this problem occur? The University?s Colorado Springs campus did not have adequate internal controls in place to ensure it complied with the HEERF grant reporting requirements. Specifically, the Colorado Springs Campus did not have appropriate policies and procedures in place for identifying and researching changes in HEERF reporting requirements. The federal government updated and provided a new form for HEERF reporting in September 2021 that included a section for institutional information but inadvertently excluded student information from the form. Because the form no longer required the student information, the Colorado Springs campus staff inaccurately assumed that the student information was no longer required to be reported. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in the DOE Certification and Agreement that is signed and agreed to by the University. By failing to report required information in accordance with federal regulations, the University failed to comply with the requirements of the HEERF program and potentially risks repercussions from the DOE as specified in the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-064 The University of Colorado?s Colorado Springs campus should strengthen its internal controls over and ensure that it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by establishing policies and procedures for identifying and researching changes in HEERF reporting requirements and posting reports to the campus website as required by federal regulations. Response University of Colorado Agree Implementation Date: Implemented Management agrees. After the notification of the missing HEERF report in December 2021, the UCCS Controller proposed a ?cross-check? process to ensure all future reporting is in compliance and reported in a timely manner. This process is used for both the quarterly and annual reporting process. In the quarterly reporting process, the UCCS Controller completes the institutional report and emails the report to the UCCS Financial Aid office Senior Executive Director for verification of the amounts and the data submitted. The Senior Executive Director then enters the student aid portion?s information and provides this to the UCCS Controller for verification of the data. Once verified, the report is uploaded to the UCCS website and a confirmation email is sent to the UCCS Controller as well as the heerfreporting@ed.gov for verification of completion of the website posting. This process has been duplicated with the annual reporting process. Before the annual report is submitted a review will be done to verify the report figures match the CU financials for the calendar year.
Finding 2022-062 Higher Education Emergency Relief Fund Student Aid Finding The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to higher education institutions, including the University, under the HEERF program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA) was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. Since March 11, 2021, the University has been awarded $45.6 million in HEERF grant funds through the American Rescue Plan (ARP), otherwise known as HEERF III. Of this award, the University was provided both 1) Student Aid monies, along with 2) Institutional Aid monies. Student Aid monies must be used to provide financial aid grants to students (including students exclusively enrolled in distance education), which may be used for ?any component of the student?s cost of attendance or for emergency costs that arise due to coronavirus, such as tuition, food, housing, healthcare (including mental health care), or childcare. Institutional Aid monies may be used to defray expenses associated with coronavirus (including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll) and to make additional financial grants to students. During Fiscal Year 2022, the University spent $21.0 million for the Student Aid portion and $20.2 million for the Institutional portion of HEERF III funds. For the Student Aid portion of the HEERF III funding, the University divided the funding into different groups. The University developed a written plan (that applied during Fiscal Year 2022) for each group and a control process for awarding the monies to students. One of the groups of funding was to be awarded to students with unpaid balances in their tuition or auxiliary accounts with past due balances incurred during the 2020-2021 or 2021-2022 academic years. A team of University employees (CARES Team) was tasked with identifying those students, then contacting those students and asking if they would like the University to apply the student?s HEERF award to pay down the student?s account balance or pay it to the student directly. Once the student informed the University of their election, then the University awarded and disbursed the funds. What was the purpose of our audit work and what was performed? The purpose of the audit work was to determine whether the University was in compliance with the HEERF program regulations for awarding and paying the Student Aid portion of the HEERF funding, and whether proper controls were in place over the program during Fiscal Year 2022. Our testing included conducting interviews with management and selecting a sample of 60 disbursements made to students during Fiscal Year 2022 to test controls and compliance. We performed testing on the 60 disbursements to determine whether awards and disbursements were made in accordance with the University?s documented plan. How were the results of the audit work measured? In accordance with HEERF III requirements, the University must prioritize student aid distributions to students with exceptional needs. In addition, the University must have a documented plan to distribute funds to students. Federal regulations [2 CFR 200.303] require any non-federal grant award recipient to establish and maintain effective internal control over the federal award that provides reasonable assurance that the grant award recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. Lastly, student aid application best practices discourage employees from awarding aid to family members. What problem did the audit work identify? Based on interviews with University management, the University identified that a University employee inappropriately provided $700 in HEERF Student Aid funding to the employee?s family member who was a student at the University but was not eligible to receive the funds. Specifically, the CARES Team selected students to receive these funds that met the following criteria: 1) Student was enrolled in the Fall of 2021 or Spring 2022, 2) student had past due balances incurred during the 2020-2021 or 2021-2022 academic years, 3) the student was in good academic standing, and 4) they were participating in a payment plan or in the College Completion Advising program. The student was not selected by the CARES Team as eligible to receive these funds. During our testing of additional 60 student disbursement transactions we found no other exceptions. Why did this problem occur? The University has not established proper segregation of duties to prevent University employees from awarding federal funding to a member of their family. Specifically, the employee had access rights within the University?s financial aid system that granted the employee the ability to both award and disburse federal funds without another employee reviewing or approving. In addition, the University did not have a written policy, as recommended by industry best practices, that prohibits employees from applying aid to family members? accounts. Why does this problem matter? Federal funds that are misapplied or used for unallowable purposes could be subject to repayment from the University to the federal granting agency. Without ensuring adequate segregation of duties within the University?s financial aid system for awarding and disbursing federal funds, the University increases the risk that fraud could occur. In the instance identified, the University recovered the funding from the student. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-062 Metropolitan State University of Denver (University) should improve its internal controls over federal Higher Education Emergency Relief Funds by instituting appropriate segregation of duties over the awarding of federal funds to students. This should include requiring that no one employee can both award then disburse aid to students and developing and implementing a formal written policy that prohibits University employees from awarding financial aid to their family members. Response Metropolitan State University Agree Implementation Date: June 2023 In January 2023, the Executive Director of Financial Aid and Scholarships implemented a code of conduct that addresses and prohibits University personnel from awarding financial aid to their family members or other persons considered conflicts of interest. The Office of Financial Aid and Scholarships will draft policy by June 30, 2023, to address the segregation of duties that prohibits awarding and disbursing federal, state, or institutional funding to students by one employee.
Finding 2022-059 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF I) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund (Assistance Listing No. 84.425). The HEERF program contains two portions: the Student Aid portion (Assistance Listing No. 84.425E) and the Institutional portion, which is made up of the following: HEERF Institutional Aid Portion (Assistance Listing No. 84.425F), HEERF Minority Serving Institutions (Assistance Listing No. 84.425L), HEERF Strengthening Institutions Program (Assistance Listing No. 84.425M), Institutional Resilience and Expanded Postsecondary Opportunity (Assistance Listing No. 84.425P), and HEERF Supplemental Assistance to Institutions of Higher Education program (Assistance Listing No. 84.425S). Amounts provided to students through HEERF are considered to be ?Emergency Financial Aid Grants to Students? under the Program. Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent approximately $97.8 million for the HEERF program Student Aid portion which is used to award Emergency Financial Aid Grants to students and $113.9 million for the HEERF Institutional Portion, which is used to support the colleges. $117.3 of this amount was expended by the System during Fiscal Year 2022. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the ED to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The annual report is to be submitted directly to the ED. The ED has specified certain criteria that must be included in each report. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System had adequate internal controls in place over, and complied with, the HEERF Institutional and Student Aid grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the System?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 25 of the 117 HEERF reports submitted by the System?s campuses during Fiscal Year 2022 to determine whether the reports were posted on each campus? primary website (quarterly reports) or submitted to ED (annual reports) by the federal due dates. Furthermore, for the Student Aid Quarterly Report we requested from each Campus the underlying support for the reports, which consisted of student data detailing how much aid was awarded and the methods the campuses used to determine which students would receive Emergency Financial Aid Grants. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? On May 13, 2021, the ED published in the Federal Register a notice for student aid public reporting under CRRSAA and ARP, which requires that institutions publicly post certain information on their website. The following information must appear in a format and location that is easily accessible to the public: o An acknowledgement that the institution signed and returned to the ED the Certification and Agreement and the assurance that the institution has used the applicable amount of funds designated under the CRRSAA and ARP programs to provide Emergency Financial Aid Grants to Students. o The total amount of funds that the institution will receive or has received from the ED pursuant to the institution's Certification and Agreement for Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total amount of Emergency Financial Aid Grants distributed to students under the CRRSAA and ARP programs as of the date of submission (i.e., as of the initial report and every calendar quarter thereafter). o The estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total number of students who have received an Emergency Financial Aid Grant to students under the CRRSAA and ARP programs. o The method(s) used by the institution to determine which students receive Emergency Financial Aid Grants and how much they would receive under the CRRSAA and ARP programs. o Any instructions, directions, or guidance provided by the institution to students concerning the Emergency Financial Aid Grants. ? Federal Uniform Guidance [2 CFR 200.303] requires that recipients of federal awards have internal controls in place to ensure that federal reports are accurate and report complete information. Appropriate supporting documentation is evidence of such internal controls. What problems did the audit work identify? We identified issues with 5 of the 25 Fiscal Year 2022 reports we tested (20 percent). Specifically, Front Range Community College (FRCC), Pueblo Community College (PCC), and Lamar Community College (LCC) could not provide appropriate supporting documentation for one or more of the following data elements in five of the Student Aid Quarterly Reports: student data detailing (a) the total amount of Emergency Financial Aid Grants distributed to students, (b) the total number of students eligible to receive Emergency Financial Aid Grants and/or (c) the total number of students at the institution who have received an Emergency Financial Aid Grant. The specific issues we found the following: ? FRCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended September 30, 2021 as 20,684; based on our review, we determined the supported number was 20,782. ? FRCC reported the total number of students at the institution who have received an Emergency Financial Aid Grant for the quarter ended June 30, 2022 as 20,385 (student portion) and 3,207 (institutional portion); based on our review, we determined the supported numbers were 20,401 and 3,222, respectively. ? LCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended June 30, 2022 as 1,007; based on our review, we determined the supported number was 1,034. In addition, the amount disbursed directly to student emergency financial aid grants to date was reported as 961 and total for all HEERF funds was 1,124; based on our review, we determined the supported numbers were 988 and 1,151, respectively. ? PCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarters ending September 30, 2021 and December 31, 2021 as 3,191; based on our review, we determined this amount could not be supported and PCC did not provide a revised count. Why did these problems occur? FRCC, PCC, and LCC campuses did not have procedures in place to ensure that supporting documentation was maintained for its Student Aid Quarterly Reporting. Employee turnover in the FRCC Controller position and FRCC, PCC, and LCC Student Financial Aid Director positions further contributed to FRCC, PCC, and LCC?s inability to locate or recreate the supporting documentation. Why do these problems matter? It is important for FRCC, PCC, and LCC to ensure that they obtain and maintain appropriate documentation to support amounts reported to federal awarding agencies, especially when they are the basis for determining FRCC, PCC, and LCC?s compliance with specific federal program requirements. This issue could lead to inaccurate federal reporting and potential noncompliance, which could result in the federal government requiring FRCC, PCC, and LCC to return funds or a negative impact to the System?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-059 Front Range Community College, Lamar Community College, and Pueblo Community College campuses should strengthen their internal controls over federal reporting and ensure they comply with the Higher Education Emergency Relief Fund reporting requirements by reviewing reports for accuracy and developing procedures for ensuring the required maintenance of all related supporting documentation. Response Front Range Community College Agree Implementation Date: September 2022 Moving forward the Director of Financial Aid will engage the Restricted Funds Accountants in a quality assurance review of both dollars spent, type of fund, and student counts before it is submitted for final review and publishing by the Director of Resource Development and Senior Grant Administrator. The most recently submitted information for the quarterly report of September 30, 2022 will be sent to the Restricted Funds Accountants to validate that FRCC has been and will continue to be in compliance for quarterly HEERF reporting. Response Lamar Community College Agree Implementation Date: July 2022 The Financial Aid Director and the Controller will compile their reporting support on the shared drive they utilize for other routine purposes as well, to ensure clear documentation of the numbers reported. The original report containing errors was corrected, validated, and reposted. All past year?s reporting data was made available on the shared drive as of July 2022. Response Pueblo Community College Agree Implementation Date: October 2022 Each quarter Financial aid will obtain and compare Cognos and Banner disbursement reports for accuracy. Once the unduplicated student count is determined it will be sent to the Vice President of Student Success to validate and approve going forward. Financial aid will ensure staff maintain supporting documentation for any institutional expenditures information that was obtained from the fiscal office. Disbursement and expenditure data will be compiled for the Department of Education?s Quarterly Report by the submission deadline and will be submitted as PDF to webmaster for posting on PCC?s website and a copy emailed to a contact at the Department of Education and will archive the submission for future reference.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-064 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide emergency financial assistance to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the University under the Higher Education Emergency Relief Fund (HEERF I) Program. The federal Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the federal American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Each of the University?s campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (DOE) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements of the HEERF program there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The DOE specified that the Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The University?s campuses are required to submit the annual report directly to the DOE. During Fiscal Year 2022, each University campus was required to complete and post 8 reports (four Student Aid and four Institutional) to their website. During Fiscal Year 2022, the University?s three campuses in total expended approximately $60 million in HEERF grant funds: $27 million was expended by the Boulder campus, $10.5 million was expended by the Colorado Springs campus, and $22.5 million was expended by the Denver campus. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over and complied with the HEERF grant reporting requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls over the HEERF grant reporting requirements. In addition, we tested 11 of the 12 student reports and 3 of the 12 institutional reports posted by the University during Fiscal Year 2022 to determine whether the University campuses posted the required information on each campus? website accurately, and by the federal due dates. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? The DOE issued a notice on May 13, 2021, requiring institutions to publicly post their required HEERF reports on the institution?s website as soon as possible, but no later than 30 days after the publication of the notice, or 30 days after the date the DOE first obligated funds under HEERF I, II, or III to the institution for emergency financial assistance to students; whichever comes later. The institution is required to post the report no later than 10 days after the end of each calendar quarter, after the initial posting. ? Federal regulation [2 CFR 200.303] states that the System?s campuses, as federal grant recipients, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? What problem did the audit work identify? We identified 2 out of the 14 reports tested (14.3 percent) that did not meet the HEERF grant report posting requirements. Specifically, the University of Colorado, Colorado Springs Campus, did not post the required information for the HEERF Student Aid Portion on its website for two of four quarters of Fiscal Year 2022 timely. First, the University posted the quarter-ending September 30, 2021 report to its website on December 23, 2021, or 74 days after the deadline of October 10. Second, the University did not post the quarter-ending March 31, 2022 report, which was due April 10, 2022, until October 2022, after we notified them of the error; this was approximately 6 months late. We did not identify any issues with the accuracy of the reports, and we found that the other two campuses in the University of Colorado System posted the required information on their respective websites as required by federal regulations. Why did this problem occur? The University?s Colorado Springs campus did not have adequate internal controls in place to ensure it complied with the HEERF grant reporting requirements. Specifically, the Colorado Springs Campus did not have appropriate policies and procedures in place for identifying and researching changes in HEERF reporting requirements. The federal government updated and provided a new form for HEERF reporting in September 2021 that included a section for institutional information but inadvertently excluded student information from the form. Because the form no longer required the student information, the Colorado Springs campus staff inaccurately assumed that the student information was no longer required to be reported. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in the DOE Certification and Agreement that is signed and agreed to by the University. By failing to report required information in accordance with federal regulations, the University failed to comply with the requirements of the HEERF program and potentially risks repercussions from the DOE as specified in the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-064 The University of Colorado?s Colorado Springs campus should strengthen its internal controls over and ensure that it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by establishing policies and procedures for identifying and researching changes in HEERF reporting requirements and posting reports to the campus website as required by federal regulations. Response University of Colorado Agree Implementation Date: Implemented Management agrees. After the notification of the missing HEERF report in December 2021, the UCCS Controller proposed a ?cross-check? process to ensure all future reporting is in compliance and reported in a timely manner. This process is used for both the quarterly and annual reporting process. In the quarterly reporting process, the UCCS Controller completes the institutional report and emails the report to the UCCS Financial Aid office Senior Executive Director for verification of the amounts and the data submitted. The Senior Executive Director then enters the student aid portion?s information and provides this to the UCCS Controller for verification of the data. Once verified, the report is uploaded to the UCCS website and a confirmation email is sent to the UCCS Controller as well as the heerfreporting@ed.gov for verification of completion of the website posting. This process has been duplicated with the annual reporting process. Before the annual report is submitted a review will be done to verify the report figures match the CU financials for the calendar year.
Finding 2022-063 Higher Education Emergency Relief Fund Reporting Compliance Finding The CARES Act was signed into law on March 27, 2020, and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the (HEERF Program. CRRSAA was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Since April 2020, the University has been awarded a total of $86.3 million in HEERF funding. From inception through June 30, 2022, the University spent $35.4 million for the HEERF program Student Aid Portion and $48.9 million for the HEERF program Institutional Portion. The University reports that it will spend the remaining amount of funding during Fiscal Year 2023. The University signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate the University?s acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The ED specified that Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The annual report is to be submitted directly to the federal ED. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University had adequate internal controls in place over and complied with HEERF Institutional and Student Aid Portion grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the University?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 5 of the 8 HEERF reports submitted by the University during Fiscal Year 2022 to determine whether the reports were posted on the University?s primary website or submitted directly to the ED by the federal due dates and complied with federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? For the Student Aid Portion, beginning on May 6, 2020, the ED required institutions to publicly post certain information on their website, including the number of awards distributed to students, the total amount awarded, and the methodologies used by the institution to determine which students receive awards, no later than 30 days after the award date, and to update that information every 45 days thereafter (by posting a new report). ? On August 31, 2020, the ED revised the reporting requirement by decreasing the frequency of reporting after the initial 30-day period from every 45 days thereafter to every calendar quarter. This revision from every 45 days to a calendar quarter was effective for the first calendar quarter report due by October 10, 2020, and covering the period from after the institution?s last report through the end of the calendar quarter on September 30, 2020. ? For the Institutional Portion, a federal form filled out by the institution must be posted on the institution?s website covering aggregate expenditure amounts for each calendar quarter (September 30, December 31, March 31, and June 30) and concluding after an institution has spent the institutional portion of their HEERF Funds. The institution must post their first report by October 30, 2020, the first quarter of 2021 report by July 20, 2021, and post all other reports no later than 10 days after the end of each calendar quarter (October 10, January 10, April 10, and July 10). ? Section 18004(e) of the CARES Act and Section 314(e) of the CRRSAA require an institution receiving funds under HEERF to submit a report to the Secretary of the ED at ?such time in such a manner as the Secretary may require?. ? Federal regulation [2 CFR 200.334] states that ?financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.? The instructions for the Quarterly HEERF Reporting Form notes, ?any changes or updates after the initial posting must be conspicuously noted after initial posting and the date of the change must be noted in the `Date of Report? line.? ? Federal regulation [2 CFR 200.303] states that the University, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The University signed a HEERF Certification and Agreement to accept the funding and acknowledge its responsibilities under the grant; therefore, the University was responsible under the Agreement to ensure that it complied with HEERF reporting and other requirements. What problems did the audit work identify? We determined that 2 out of 5 reports tested (40 percent) did not meet the HEERF grant report posting requirements. Specifically: ? The University did not post the HEERF CRRSAA Student quarterly report for the quarter ending September 30, 2021 on the University?s primary website, as required. ? The University published the HEERF ARP Student quarterly report for the quarter ending March 31, 2022 on May 26, 2022?46 days past the due date of April 10, 2022. No issues were noted on the accuracy of the financial information on this report. Why did these problems occur? The University did not implement adequate internal controls to ensure it complied with the HEERF grant reporting requirements. Specifically, the University did not have appropriate policies and procedures in place to ensure that staff submit the required reports within federally required timeframes. Why do these problems matter? Federal oversight agencies, including ED, depend on accurate reports to measure program results and states? compliance with federal requirements. By failing to report the HEERF spending information in accordance with federal regulations, the University failed to comply with the requirements of the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-063 Metropolitan State University of Denver (University) should strengthen its internal controls over reporting and ensure it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by developing and documenting policies and procedures for identifying and researching the specific reporting requirements and ensuring that staff post to the University?s website the required reports within federally required timeframes. In addition, the University should ensure that all the HEERF reports that are currently required to be posted are on the website. Response Metropolitan State University Agree Implementation Date: December 2022 In December 2022, the Office of Financial Aid strengthened its internal control over the reporting requirements for the Higher Education Emergency Relief Fund (HEERF), by adding the report due dates to the internal operational calendar. Additional level reviews were also added to the submission process before the required reports will be sent to the Department of Education and posted on the financial aid website.
Finding 2022-062 Higher Education Emergency Relief Fund Student Aid Finding The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to higher education institutions, including the University, under the HEERF program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA) was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. Since March 11, 2021, the University has been awarded $45.6 million in HEERF grant funds through the American Rescue Plan (ARP), otherwise known as HEERF III. Of this award, the University was provided both 1) Student Aid monies, along with 2) Institutional Aid monies. Student Aid monies must be used to provide financial aid grants to students (including students exclusively enrolled in distance education), which may be used for ?any component of the student?s cost of attendance or for emergency costs that arise due to coronavirus, such as tuition, food, housing, healthcare (including mental health care), or childcare. Institutional Aid monies may be used to defray expenses associated with coronavirus (including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll) and to make additional financial grants to students. During Fiscal Year 2022, the University spent $21.0 million for the Student Aid portion and $20.2 million for the Institutional portion of HEERF III funds. For the Student Aid portion of the HEERF III funding, the University divided the funding into different groups. The University developed a written plan (that applied during Fiscal Year 2022) for each group and a control process for awarding the monies to students. One of the groups of funding was to be awarded to students with unpaid balances in their tuition or auxiliary accounts with past due balances incurred during the 2020-2021 or 2021-2022 academic years. A team of University employees (CARES Team) was tasked with identifying those students, then contacting those students and asking if they would like the University to apply the student?s HEERF award to pay down the student?s account balance or pay it to the student directly. Once the student informed the University of their election, then the University awarded and disbursed the funds. What was the purpose of our audit work and what was performed? The purpose of the audit work was to determine whether the University was in compliance with the HEERF program regulations for awarding and paying the Student Aid portion of the HEERF funding, and whether proper controls were in place over the program during Fiscal Year 2022. Our testing included conducting interviews with management and selecting a sample of 60 disbursements made to students during Fiscal Year 2022 to test controls and compliance. We performed testing on the 60 disbursements to determine whether awards and disbursements were made in accordance with the University?s documented plan. How were the results of the audit work measured? In accordance with HEERF III requirements, the University must prioritize student aid distributions to students with exceptional needs. In addition, the University must have a documented plan to distribute funds to students. Federal regulations [2 CFR 200.303] require any non-federal grant award recipient to establish and maintain effective internal control over the federal award that provides reasonable assurance that the grant award recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. Lastly, student aid application best practices discourage employees from awarding aid to family members. What problem did the audit work identify? Based on interviews with University management, the University identified that a University employee inappropriately provided $700 in HEERF Student Aid funding to the employee?s family member who was a student at the University but was not eligible to receive the funds. Specifically, the CARES Team selected students to receive these funds that met the following criteria: 1) Student was enrolled in the Fall of 2021 or Spring 2022, 2) student had past due balances incurred during the 2020-2021 or 2021-2022 academic years, 3) the student was in good academic standing, and 4) they were participating in a payment plan or in the College Completion Advising program. The student was not selected by the CARES Team as eligible to receive these funds. During our testing of additional 60 student disbursement transactions we found no other exceptions. Why did this problem occur? The University has not established proper segregation of duties to prevent University employees from awarding federal funding to a member of their family. Specifically, the employee had access rights within the University?s financial aid system that granted the employee the ability to both award and disburse federal funds without another employee reviewing or approving. In addition, the University did not have a written policy, as recommended by industry best practices, that prohibits employees from applying aid to family members? accounts. Why does this problem matter? Federal funds that are misapplied or used for unallowable purposes could be subject to repayment from the University to the federal granting agency. Without ensuring adequate segregation of duties within the University?s financial aid system for awarding and disbursing federal funds, the University increases the risk that fraud could occur. In the instance identified, the University recovered the funding from the student. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-062 Metropolitan State University of Denver (University) should improve its internal controls over federal Higher Education Emergency Relief Funds by instituting appropriate segregation of duties over the awarding of federal funds to students. This should include requiring that no one employee can both award then disburse aid to students and developing and implementing a formal written policy that prohibits University employees from awarding financial aid to their family members. Response Metropolitan State University Agree Implementation Date: June 2023 In January 2023, the Executive Director of Financial Aid and Scholarships implemented a code of conduct that addresses and prohibits University personnel from awarding financial aid to their family members or other persons considered conflicts of interest. The Office of Financial Aid and Scholarships will draft policy by June 30, 2023, to address the segregation of duties that prohibits awarding and disbursing federal, state, or institutional funding to students by one employee.
Finding 2022-059 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF I) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund (Assistance Listing No. 84.425). The HEERF program contains two portions: the Student Aid portion (Assistance Listing No. 84.425E) and the Institutional portion, which is made up of the following: HEERF Institutional Aid Portion (Assistance Listing No. 84.425F), HEERF Minority Serving Institutions (Assistance Listing No. 84.425L), HEERF Strengthening Institutions Program (Assistance Listing No. 84.425M), Institutional Resilience and Expanded Postsecondary Opportunity (Assistance Listing No. 84.425P), and HEERF Supplemental Assistance to Institutions of Higher Education program (Assistance Listing No. 84.425S). Amounts provided to students through HEERF are considered to be ?Emergency Financial Aid Grants to Students? under the Program. Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent approximately $97.8 million for the HEERF program Student Aid portion which is used to award Emergency Financial Aid Grants to students and $113.9 million for the HEERF Institutional Portion, which is used to support the colleges. $117.3 of this amount was expended by the System during Fiscal Year 2022. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the ED to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The annual report is to be submitted directly to the ED. The ED has specified certain criteria that must be included in each report. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System had adequate internal controls in place over, and complied with, the HEERF Institutional and Student Aid grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the System?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 25 of the 117 HEERF reports submitted by the System?s campuses during Fiscal Year 2022 to determine whether the reports were posted on each campus? primary website (quarterly reports) or submitted to ED (annual reports) by the federal due dates. Furthermore, for the Student Aid Quarterly Report we requested from each Campus the underlying support for the reports, which consisted of student data detailing how much aid was awarded and the methods the campuses used to determine which students would receive Emergency Financial Aid Grants. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? On May 13, 2021, the ED published in the Federal Register a notice for student aid public reporting under CRRSAA and ARP, which requires that institutions publicly post certain information on their website. The following information must appear in a format and location that is easily accessible to the public: o An acknowledgement that the institution signed and returned to the ED the Certification and Agreement and the assurance that the institution has used the applicable amount of funds designated under the CRRSAA and ARP programs to provide Emergency Financial Aid Grants to Students. o The total amount of funds that the institution will receive or has received from the ED pursuant to the institution's Certification and Agreement for Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total amount of Emergency Financial Aid Grants distributed to students under the CRRSAA and ARP programs as of the date of submission (i.e., as of the initial report and every calendar quarter thereafter). o The estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total number of students who have received an Emergency Financial Aid Grant to students under the CRRSAA and ARP programs. o The method(s) used by the institution to determine which students receive Emergency Financial Aid Grants and how much they would receive under the CRRSAA and ARP programs. o Any instructions, directions, or guidance provided by the institution to students concerning the Emergency Financial Aid Grants. ? Federal Uniform Guidance [2 CFR 200.303] requires that recipients of federal awards have internal controls in place to ensure that federal reports are accurate and report complete information. Appropriate supporting documentation is evidence of such internal controls. What problems did the audit work identify? We identified issues with 5 of the 25 Fiscal Year 2022 reports we tested (20 percent). Specifically, Front Range Community College (FRCC), Pueblo Community College (PCC), and Lamar Community College (LCC) could not provide appropriate supporting documentation for one or more of the following data elements in five of the Student Aid Quarterly Reports: student data detailing (a) the total amount of Emergency Financial Aid Grants distributed to students, (b) the total number of students eligible to receive Emergency Financial Aid Grants and/or (c) the total number of students at the institution who have received an Emergency Financial Aid Grant. The specific issues we found the following: ? FRCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended September 30, 2021 as 20,684; based on our review, we determined the supported number was 20,782. ? FRCC reported the total number of students at the institution who have received an Emergency Financial Aid Grant for the quarter ended June 30, 2022 as 20,385 (student portion) and 3,207 (institutional portion); based on our review, we determined the supported numbers were 20,401 and 3,222, respectively. ? LCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended June 30, 2022 as 1,007; based on our review, we determined the supported number was 1,034. In addition, the amount disbursed directly to student emergency financial aid grants to date was reported as 961 and total for all HEERF funds was 1,124; based on our review, we determined the supported numbers were 988 and 1,151, respectively. ? PCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarters ending September 30, 2021 and December 31, 2021 as 3,191; based on our review, we determined this amount could not be supported and PCC did not provide a revised count. Why did these problems occur? FRCC, PCC, and LCC campuses did not have procedures in place to ensure that supporting documentation was maintained for its Student Aid Quarterly Reporting. Employee turnover in the FRCC Controller position and FRCC, PCC, and LCC Student Financial Aid Director positions further contributed to FRCC, PCC, and LCC?s inability to locate or recreate the supporting documentation. Why do these problems matter? It is important for FRCC, PCC, and LCC to ensure that they obtain and maintain appropriate documentation to support amounts reported to federal awarding agencies, especially when they are the basis for determining FRCC, PCC, and LCC?s compliance with specific federal program requirements. This issue could lead to inaccurate federal reporting and potential noncompliance, which could result in the federal government requiring FRCC, PCC, and LCC to return funds or a negative impact to the System?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-059 Front Range Community College, Lamar Community College, and Pueblo Community College campuses should strengthen their internal controls over federal reporting and ensure they comply with the Higher Education Emergency Relief Fund reporting requirements by reviewing reports for accuracy and developing procedures for ensuring the required maintenance of all related supporting documentation. Response Front Range Community College Agree Implementation Date: September 2022 Moving forward the Director of Financial Aid will engage the Restricted Funds Accountants in a quality assurance review of both dollars spent, type of fund, and student counts before it is submitted for final review and publishing by the Director of Resource Development and Senior Grant Administrator. The most recently submitted information for the quarterly report of September 30, 2022 will be sent to the Restricted Funds Accountants to validate that FRCC has been and will continue to be in compliance for quarterly HEERF reporting. Response Lamar Community College Agree Implementation Date: July 2022 The Financial Aid Director and the Controller will compile their reporting support on the shared drive they utilize for other routine purposes as well, to ensure clear documentation of the numbers reported. The original report containing errors was corrected, validated, and reposted. All past year?s reporting data was made available on the shared drive as of July 2022. Response Pueblo Community College Agree Implementation Date: October 2022 Each quarter Financial aid will obtain and compare Cognos and Banner disbursement reports for accuracy. Once the unduplicated student count is determined it will be sent to the Vice President of Student Success to validate and approve going forward. Financial aid will ensure staff maintain supporting documentation for any institutional expenditures information that was obtained from the fiscal office. Disbursement and expenditure data will be compiled for the Department of Education?s Quarterly Report by the submission deadline and will be submitted as PDF to webmaster for posting on PCC?s website and a copy emailed to a contact at the Department of Education and will archive the submission for future reference.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-076 Compliance with Federal Subrecipient Monitoring Requirements The Department receives federal grant funds directly from the federal government for the Highway Planning and Construction Program (Program) and then subgrants, or passes through, a portion of the funds to cities and counties and other organizations that are considered to be either a subrecipient or a contractor. A subrecipient is a non-federal entity that expends federal awards received from a pass-through entity to carry out a federal program, but does not include an individual that is a beneficiary receiving direct payments from such a program. A contractor is a dealer, distributor, merchant, or other seller providing goods or services that are required to conduct a federal program; these goods or services may be for an organization?s own use or for the use of beneficiaries of the federal program. The Department executes an Intergovemental Agreement (IGA) between the Department and the subrecipient. Under Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), the Department is responsible for evaluating each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward and for ultimately ensuring the subrecipient is determined eligible. In some instances, in coordination with the Federal Highway Association (FHWA), a Metropolitan Planning Organization (MPO)? rather than the primary recipient, such as the Department?is responsible for performing eligibility determinations. As such, in those instances, the Department does not perform risk-assessments on these contracts and only is responsible for on-going monitoring. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department had effective internal controls in place and complied with subrecipient monitoring activities for the Program during Fiscal Year 2022. As part of our audit work, we reviewed the Department?s internal controls over compliance for subrecipient monitoring requirements for the Program, including the Department?s policies and procedures. We tested a random sample of 25 of the Department?s 92 subrecipients (27 percent) for the Program?for which the Department had an IGA in place during Fiscal Year 2022?to determine whether subrecipient monitoring procedures performed by Department staff during the year were compliant with federal regulations. Our testing included evaluating whether the Department performed risk assessments and determined the appropriate level of subrecipient monitoring for the entities, as required by federal Uniform Guidance. How were the results of the audit work measured? Our audit work was designed to measure the Department?s compliance with the following criteria: ? Federal regulations [2 CFR 200.303] state that the Department, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? ? Federal regulations [2 CFR 200.332(b)] also state that the Department must evaluate each subrecipient?s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward and may include various factors. ? Federal regulations [2 CFR 200.332(d) through (f)] and [2 CFR 200.521] further require the Department to monitor the activities of its subrecipients, as necessary, to ensure that each subaward is used for authorized purposes, the subrecipient complies with the terms and conditions of the subaward, and that the subrecipient achieves performance goals. The Department?s monitoring must include: o Reviewing financial and programmatic reports submitted by the subrecipient o Following-up on and ensuring the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award o Issuing a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity What problems did the audit work identify? We determined that the Department did not comply with subrecipient monitoring requirements for the Highway Planning and Construction Program during Fiscal Year 2022, as noted below: ? The Department did not perform a risk assessment for 6 of the 25 subrecipients (24 percent) we tested, including subrecipients where eligibility was determined by a MPO. ? The Department improperly included one vendor in our population of subrecipients. The nature of services provided by the vendor was personal services, therefore, did not require the execution of an IGA. ? The Department did not provide supporting documentation for reviews of any Fiscal Year 2022 financial and programmatic reports. As a result, we were unable to determine if any reviews were conducted during the fiscal year, as required. Why did these problems occur? While the Department has created a subrecipient monitoring and risk assessment manual, the manual lacks clarity in a variety of areas, including the following: ? For contracts which extend over multiple fiscal years, the policies do not specify the frequency in which subrecipient risk-assessment should be reviewed or updated. ? There are multiple types of subrecipient contracts for which the full risk-assessment process may not be applicable, however, the current policies do not address acceptable exceptions to the policy. ? The Department?s current policies do not include guidance related to the review of financial and programmatic reports, including the extent to which required programmatic and financial reports should be obtained and reviewed. ? The Department?s policies and procedures do not clearly indicate that the Department is not required to complete a risk assessment when an MPO determines eligibility and therefore the nature of monitoring procedures to be performed is not defined. ? Requested audit documentation was not provided timely. Further, the Department did not provide sufficiently-detailed training to staff to ensure they were aware of and conducted required subrecipient monitoring responsibilities. Why do these problems matter? Performing timely and appropriate monitoring of subrecipients provides the Department with a method to ensure its subrecipients are complying with applicable federal grant requirements. By taking appropriate actions based on the results of its subrecipient monitoring activities, the Department can mitigate the risk of providing continuing funding to entities that may not be using funds in accordance with program requirements. Overall, the Department?s failure to comply with federal requirements could result in a loss of funding from the federal government. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-076 The Department of Transportation should strengthen internal controls over and ensure that it complies with federal subrecipient monitoring requirements for the Highway Planning and Construction program by: A. Updating its current subrecipient monitoring and risk assessment policy to clarify the frequency in which a risk assessment is required to be completed or updated, as applicable for contracts that span multiple fiscal years, as well as direction regarding when it is acceptable to forgo performing a risk assessment and updating the policy to address the nature in which subrecipient programmatic and financial reports are reviewed B. Providing training to staff responsible for subrecipient monitoring activities related to the policies updated in Part A of the finding. Response Department of Transportation A. Agree Implementation Date: November 2023 The Department will update the policy to clarify the frequency in which the risk assessment is required to be completed or updated as applicable for contracts that span multiple fiscal years, as well as identifying exceptions, outlining when it is acceptable to forgo risk assessments. The Department will also update the policy to address the nature in which the subrecipient programmatic and financial reports are reviewed. The updates will be completed by November 2023. B. Agree Implementation Date: November 2023 The Department will provide training on the subrecipient monitoring policy manual to outline roles, responsibilities and the frequency of risk assessments that span over multiple fiscal years. The training will also provide guidance on the programmatic and financial information review process.
Finding 2022-077 Cash Management The Department operates on a reimbursement basis with the federal government for a portion of its federal grant programs, expending state dollars for the federal programs prior to requesting reimbursement for the appropriate federal share. The reimbursement process is governed by the Cash Management Improvement Act of 1990 (CMIA) and 31 CFR Part 205 Part B, Rules and Procedures for Efficient Federal-State Funds Transfers (Transfer Rules), which prescribe specific methods and timeframes for drawing down federal funds. The purpose of CMIA and the Transfer Rules is to minimize the time period from when the State makes an expenditure for a federal program and when the federal reimbursement is received, so that neither the State nor the federal government incurs a loss of interest on the funds. This timeframe for requesting reimbursement is referred to as the ?draw pattern.? Under CMIA, the State must enter into a formal agreement, referred to as the ?Treasury-State Agreement,? (Agreement) with the U.S. Department of the Treasury to establish reimbursement schedules for selected federal programs that have been awarded to the State. In Colorado, the Department of Treasury (Treasury), on behalf of all departments in the State, enters into the Agreement with the U.S. Department of the Treasury. For Fiscal Year 2022, Colorado?s CMIA Agreement included 10 programs administered by various state agencies. The Department has one federal program that is included in the Agreement. Specifically, the Department?s Highway Planning and Construction [ALN 20.205] is included in this Agreement. During Fiscal Year 2022, the Department expended $510.0 million in Highway Planning and Construction funds. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to review the Department?s internal controls over its cash draw process and to determine whether the Department was in compliance with CMIA for the Highway Planning and Construction program during Fiscal Year 2022. As part of our audit, we tested the Department?s internal controls and compliance over its cash management process for the Highway Planning and Construction program. We tested a sample of 25 expenditures and the related draws the Department made for the program during Fiscal Year 2022 and calculated the number of days between each sampled expenditure and related federal draw and compared our results to the CMIA requirements in place at the time the draw occurred. Within our sample, draws for nine of the expenditures were performed prior to October 13, when the 4-day draw pattern was in place; draws for 16 expenditures were performed after October 13 on the 5-day pattern. How were the results of the audit work measured? Under CMIA rules, draw patterns should be interest-neutral between the State?s expenditure and receipt of federal funds. We compared the results of our testwork against the regulations within the CMIA for payments clearing the State?s bank that should result in the receipt of the federal reimbursements within specific timeframe as noted below: The Agreement in place at the beginning of Fiscal Year 2022 specified a 4-day draw pattern for Highway Planning and Construction. Therefore, the time between when the Department?s expenditure was made and when federal funds were received should have been 4 days. In October 2021, however, the Department requested the draw pattern be changed from 4 days to 5 days. This request was approved by the U.S. Department of the Treasury on October 13, 2021. What problem did the audit work identify? We determined that the Department did not comply with the approved cash management draw patterns contained in the Agreements for the Highway Planning and Construction program for Fiscal Year 2022. Overall, 8 of the 25 draws (32 percent) were not made in accordance with the applicable Agreement, as follows: ? We noted that 6 of the 16 draws (38 percent) were not performed on the 5-day approved draw pattern in place after October 13, 2021 and instead, were performed on a 4-day draw pattern. ? We also noted that 2 of the 9 draws (22 percent) sampled from the first Agreement were not completed in accordance with the 4-day approved draw pattern in place prior to October 13, 2021 and, instead, were performed on a 5-day draw pattern. Why did this problem occur? The Department did not have appropriate internal controls over its federal grant cash management process during Fiscal Year 2022. Specifically, the Department conducted an analysis on the draw pattern for Highway Planning and Construction in early Fiscal Year 2022 and determined that its draws were occurring within 5 rather than 4 days, so the Department requested and received approval from the U.S. Department of the Treasury to change from a 4 day draw pattern to a 5-day draw pattern; however, the Department did not properly communicate the change in the Agreement for the Highway Planning and Construction?s draw pattern to the primary individuals responsible for preparing and approving the draws. As a result, the billing procedure was not updated to reflect the change in draw pattern, which led to the draws being out of compliance with the approved CMIA draw pattern. Why does this problem matter? The timing of draws for requesting federal funds impacts the interest neutral requirements under the CMIA. By drawing funds early, the Department creates a risk that the State my ultimately owe interest charges to the federal government. Further, the Department?s lack of strong cash management internal controls may result in delays in the identification of expenditures for which reimbursement has not been requested and therefore, funds upon which the State has lost interest. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-077 The Department Transportation (Department) should strengthen its internal controls and processes over and ensure that it complies with federal Cash Management Improvement Act requirements for the federal Highway Planning and Construction Program (Program) by: A. Ensuring that Department personnel responsible for preparing and reviewing the cash draw requests are adequately informed of the draw pattern applicable for the current fiscal year, including any federally-approved changes that occur during the year. B. Establishing procedures that specify draw request dates in relation to Program expenditures that ensure required draw patterns are met. Response Colorado Department of Transportation A. Agree Implementation Date: March 2023 The Department will enhance its internal controls and processes to ensure it complies with the federal Cash Management Improvement Act requirements for the federal Highway Planning and Construction Program (Program) by ensuring personnel responsible for preparing and reviewing the cash draw requests are adequately informed of the draw pattern for the applicable fiscal year in which the draws occur including federally-approved changes during the year. Personnel responsible for the draw will review the approved draw letter from the State Treasury with a secondary verification on the Federal Site, www.fiscal.treasury.gov/cmia/resources-treasury-state-agreements.hmtl for the specified timeframe before conducting the draw. B. Agree Implementation Date: March 2023 The Department will enhance its internal controls and processes to ensure it complies with federal Cash Management Improvement Act requirements for the federal Highway Planning and Construction Program (Program) by establishing and maintaining formal procedures that specify the draw request dates in relation to the program expenditures to ensure required draw patterns are met. The process to implement changes to the cash draw pattern will be added to the draw procedure by March 2023.
Finding 2022-076 Compliance with Federal Subrecipient Monitoring Requirements The Department receives federal grant funds directly from the federal government for the Highway Planning and Construction Program (Program) and then subgrants, or passes through, a portion of the funds to cities and counties and other organizations that are considered to be either a subrecipient or a contractor. A subrecipient is a non-federal entity that expends federal awards received from a pass-through entity to carry out a federal program, but does not include an individual that is a beneficiary receiving direct payments from such a program. A contractor is a dealer, distributor, merchant, or other seller providing goods or services that are required to conduct a federal program; these goods or services may be for an organization?s own use or for the use of beneficiaries of the federal program. The Department executes an Intergovemental Agreement (IGA) between the Department and the subrecipient. Under Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), the Department is responsible for evaluating each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward and for ultimately ensuring the subrecipient is determined eligible. In some instances, in coordination with the Federal Highway Association (FHWA), a Metropolitan Planning Organization (MPO)? rather than the primary recipient, such as the Department?is responsible for performing eligibility determinations. As such, in those instances, the Department does not perform risk-assessments on these contracts and only is responsible for on-going monitoring. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department had effective internal controls in place and complied with subrecipient monitoring activities for the Program during Fiscal Year 2022. As part of our audit work, we reviewed the Department?s internal controls over compliance for subrecipient monitoring requirements for the Program, including the Department?s policies and procedures. We tested a random sample of 25 of the Department?s 92 subrecipients (27 percent) for the Program?for which the Department had an IGA in place during Fiscal Year 2022?to determine whether subrecipient monitoring procedures performed by Department staff during the year were compliant with federal regulations. Our testing included evaluating whether the Department performed risk assessments and determined the appropriate level of subrecipient monitoring for the entities, as required by federal Uniform Guidance. How were the results of the audit work measured? Our audit work was designed to measure the Department?s compliance with the following criteria: ? Federal regulations [2 CFR 200.303] state that the Department, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? ? Federal regulations [2 CFR 200.332(b)] also state that the Department must evaluate each subrecipient?s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward and may include various factors. ? Federal regulations [2 CFR 200.332(d) through (f)] and [2 CFR 200.521] further require the Department to monitor the activities of its subrecipients, as necessary, to ensure that each subaward is used for authorized purposes, the subrecipient complies with the terms and conditions of the subaward, and that the subrecipient achieves performance goals. The Department?s monitoring must include: o Reviewing financial and programmatic reports submitted by the subrecipient o Following-up on and ensuring the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award o Issuing a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity What problems did the audit work identify? We determined that the Department did not comply with subrecipient monitoring requirements for the Highway Planning and Construction Program during Fiscal Year 2022, as noted below: ? The Department did not perform a risk assessment for 6 of the 25 subrecipients (24 percent) we tested, including subrecipients where eligibility was determined by a MPO. ? The Department improperly included one vendor in our population of subrecipients. The nature of services provided by the vendor was personal services, therefore, did not require the execution of an IGA. ? The Department did not provide supporting documentation for reviews of any Fiscal Year 2022 financial and programmatic reports. As a result, we were unable to determine if any reviews were conducted during the fiscal year, as required. Why did these problems occur? While the Department has created a subrecipient monitoring and risk assessment manual, the manual lacks clarity in a variety of areas, including the following: ? For contracts which extend over multiple fiscal years, the policies do not specify the frequency in which subrecipient risk-assessment should be reviewed or updated. ? There are multiple types of subrecipient contracts for which the full risk-assessment process may not be applicable, however, the current policies do not address acceptable exceptions to the policy. ? The Department?s current policies do not include guidance related to the review of financial and programmatic reports, including the extent to which required programmatic and financial reports should be obtained and reviewed. ? The Department?s policies and procedures do not clearly indicate that the Department is not required to complete a risk assessment when an MPO determines eligibility and therefore the nature of monitoring procedures to be performed is not defined. ? Requested audit documentation was not provided timely. Further, the Department did not provide sufficiently-detailed training to staff to ensure they were aware of and conducted required subrecipient monitoring responsibilities. Why do these problems matter? Performing timely and appropriate monitoring of subrecipients provides the Department with a method to ensure its subrecipients are complying with applicable federal grant requirements. By taking appropriate actions based on the results of its subrecipient monitoring activities, the Department can mitigate the risk of providing continuing funding to entities that may not be using funds in accordance with program requirements. Overall, the Department?s failure to comply with federal requirements could result in a loss of funding from the federal government. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-076 The Department of Transportation should strengthen internal controls over and ensure that it complies with federal subrecipient monitoring requirements for the Highway Planning and Construction program by: A. Updating its current subrecipient monitoring and risk assessment policy to clarify the frequency in which a risk assessment is required to be completed or updated, as applicable for contracts that span multiple fiscal years, as well as direction regarding when it is acceptable to forgo performing a risk assessment and updating the policy to address the nature in which subrecipient programmatic and financial reports are reviewed B. Providing training to staff responsible for subrecipient monitoring activities related to the policies updated in Part A of the finding. Response Department of Transportation A. Agree Implementation Date: November 2023 The Department will update the policy to clarify the frequency in which the risk assessment is required to be completed or updated as applicable for contracts that span multiple fiscal years, as well as identifying exceptions, outlining when it is acceptable to forgo risk assessments. The Department will also update the policy to address the nature in which the subrecipient programmatic and financial reports are reviewed. The updates will be completed by November 2023. B. Agree Implementation Date: November 2023 The Department will provide training on the subrecipient monitoring policy manual to outline roles, responsibilities and the frequency of risk assessments that span over multiple fiscal years. The training will also provide guidance on the programmatic and financial information review process.
Finding 2022-077 Cash Management The Department operates on a reimbursement basis with the federal government for a portion of its federal grant programs, expending state dollars for the federal programs prior to requesting reimbursement for the appropriate federal share. The reimbursement process is governed by the Cash Management Improvement Act of 1990 (CMIA) and 31 CFR Part 205 Part B, Rules and Procedures for Efficient Federal-State Funds Transfers (Transfer Rules), which prescribe specific methods and timeframes for drawing down federal funds. The purpose of CMIA and the Transfer Rules is to minimize the time period from when the State makes an expenditure for a federal program and when the federal reimbursement is received, so that neither the State nor the federal government incurs a loss of interest on the funds. This timeframe for requesting reimbursement is referred to as the ?draw pattern.? Under CMIA, the State must enter into a formal agreement, referred to as the ?Treasury-State Agreement,? (Agreement) with the U.S. Department of the Treasury to establish reimbursement schedules for selected federal programs that have been awarded to the State. In Colorado, the Department of Treasury (Treasury), on behalf of all departments in the State, enters into the Agreement with the U.S. Department of the Treasury. For Fiscal Year 2022, Colorado?s CMIA Agreement included 10 programs administered by various state agencies. The Department has one federal program that is included in the Agreement. Specifically, the Department?s Highway Planning and Construction [ALN 20.205] is included in this Agreement. During Fiscal Year 2022, the Department expended $510.0 million in Highway Planning and Construction funds. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to review the Department?s internal controls over its cash draw process and to determine whether the Department was in compliance with CMIA for the Highway Planning and Construction program during Fiscal Year 2022. As part of our audit, we tested the Department?s internal controls and compliance over its cash management process for the Highway Planning and Construction program. We tested a sample of 25 expenditures and the related draws the Department made for the program during Fiscal Year 2022 and calculated the number of days between each sampled expenditure and related federal draw and compared our results to the CMIA requirements in place at the time the draw occurred. Within our sample, draws for nine of the expenditures were performed prior to October 13, when the 4-day draw pattern was in place; draws for 16 expenditures were performed after October 13 on the 5-day pattern. How were the results of the audit work measured? Under CMIA rules, draw patterns should be interest-neutral between the State?s expenditure and receipt of federal funds. We compared the results of our testwork against the regulations within the CMIA for payments clearing the State?s bank that should result in the receipt of the federal reimbursements within specific timeframe as noted below: The Agreement in place at the beginning of Fiscal Year 2022 specified a 4-day draw pattern for Highway Planning and Construction. Therefore, the time between when the Department?s expenditure was made and when federal funds were received should have been 4 days. In October 2021, however, the Department requested the draw pattern be changed from 4 days to 5 days. This request was approved by the U.S. Department of the Treasury on October 13, 2021. What problem did the audit work identify? We determined that the Department did not comply with the approved cash management draw patterns contained in the Agreements for the Highway Planning and Construction program for Fiscal Year 2022. Overall, 8 of the 25 draws (32 percent) were not made in accordance with the applicable Agreement, as follows: ? We noted that 6 of the 16 draws (38 percent) were not performed on the 5-day approved draw pattern in place after October 13, 2021 and instead, were performed on a 4-day draw pattern. ? We also noted that 2 of the 9 draws (22 percent) sampled from the first Agreement were not completed in accordance with the 4-day approved draw pattern in place prior to October 13, 2021 and, instead, were performed on a 5-day draw pattern. Why did this problem occur? The Department did not have appropriate internal controls over its federal grant cash management process during Fiscal Year 2022. Specifically, the Department conducted an analysis on the draw pattern for Highway Planning and Construction in early Fiscal Year 2022 and determined that its draws were occurring within 5 rather than 4 days, so the Department requested and received approval from the U.S. Department of the Treasury to change from a 4 day draw pattern to a 5-day draw pattern; however, the Department did not properly communicate the change in the Agreement for the Highway Planning and Construction?s draw pattern to the primary individuals responsible for preparing and approving the draws. As a result, the billing procedure was not updated to reflect the change in draw pattern, which led to the draws being out of compliance with the approved CMIA draw pattern. Why does this problem matter? The timing of draws for requesting federal funds impacts the interest neutral requirements under the CMIA. By drawing funds early, the Department creates a risk that the State my ultimately owe interest charges to the federal government. Further, the Department?s lack of strong cash management internal controls may result in delays in the identification of expenditures for which reimbursement has not been requested and therefore, funds upon which the State has lost interest. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-077 The Department Transportation (Department) should strengthen its internal controls and processes over and ensure that it complies with federal Cash Management Improvement Act requirements for the federal Highway Planning and Construction Program (Program) by: A. Ensuring that Department personnel responsible for preparing and reviewing the cash draw requests are adequately informed of the draw pattern applicable for the current fiscal year, including any federally-approved changes that occur during the year. B. Establishing procedures that specify draw request dates in relation to Program expenditures that ensure required draw patterns are met. Response Colorado Department of Transportation A. Agree Implementation Date: March 2023 The Department will enhance its internal controls and processes to ensure it complies with the federal Cash Management Improvement Act requirements for the federal Highway Planning and Construction Program (Program) by ensuring personnel responsible for preparing and reviewing the cash draw requests are adequately informed of the draw pattern for the applicable fiscal year in which the draws occur including federally-approved changes during the year. Personnel responsible for the draw will review the approved draw letter from the State Treasury with a secondary verification on the Federal Site, www.fiscal.treasury.gov/cmia/resources-treasury-state-agreements.hmtl for the specified timeframe before conducting the draw. B. Agree Implementation Date: March 2023 The Department will enhance its internal controls and processes to ensure it complies with federal Cash Management Improvement Act requirements for the federal Highway Planning and Construction Program (Program) by establishing and maintaining formal procedures that specify the draw request dates in relation to the program expenditures to ensure required draw patterns are met. The process to implement changes to the cash draw pattern will be added to the draw procedure by March 2023.
The following finding and recommendation relating to an internal control deficiency classified as a Significant Deficiency was communicated to the Department of Transportation (Department) in the previous year and has not been remediated as of June 30, 2022 because the original implementation date provided by the Department was in a subsequent fiscal year. This complete finding and recommendation can be found within the original report and the complete recommendation can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table Finding 2021-068 The following finding and recommendation relating to an internal control deficiency classified as a Significant Deficiency was communicated to the Department in the previous year and has not been remediated as of June 30, 2021, because the original implementation date provided by the Department is in a subsequent fiscal year. This complete finding and recommendation can be found in the original report and Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-075 FORMULA GRANTS FOR RURAL AREAS?INTERNAL CONTROLS AND COMPLIANCE WITH SUBRECIPIENT MONITORING The Department received funding from the Federal Transit Authority (FTA) for the Program during Fiscal Year 2020 and expended approximately $26.8 million under the Program; the expenditures included approximately $16.9 million from the Coronavirus Aid, Relief, and Economic Security Act (CARES Act). The objective of this Program is to initiate, improve, or continue public transportation services in rural areas. FTA provides financial and technical assistance to local public transit systems, including buses, subways, light rail, commuter rail, trolleys, and ferries. FTA also oversees safety measures and helps develop next-generation technology research. Approximately $26.0 million (97 percent) of the Program funds expended by the Department were passed through to subrecipients in order to carry out a portion of the Program. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to determine whether the Department had effective internal controls in place during Fiscal Year 2020 over the Program, and complied with the Program?s subrecipient monitoring activities. As part of our audit work, we reviewed the Department?s internal controls over compliance for the Program?s subrecipient monitoring. In addition, we tested a random sample of five of 45 Program subrecipients for Fiscal Year 2020 to determine whether the subrecipient monitoring procedures the Department performed during the year were compliant with federal requirements. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? Our audit work was designed to measure the results of compliance with the following criteria: ? Federal regulations [2 CFR 200.332(b)] require that the Department evaluate each subrecipient?s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward and may include various factors. Federal regulations [2 CFR 200.332(d)-(f)] also require the Department to monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, complies with the terms and conditions of the subaward, and achieves performance goals. Monitoring must include: ? Reviewing financial and programmatic reports. ? Following up and ensuring the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award. ? Issuing a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity, as required by 2 CFR 200.521. ? Federal regulation [2 CFR 200.303] states that the Department, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The Department?s internal control policies and procedures require the Internal Audit Division to obtain and review single audit certification forms, whereby subrecipients are required to certify whether they are subject to a Single Audit. Internal Audit Division staff are required to review each certification and related Single Audit report, as applicable, and perform follow-up activities related to deficiencies and audit findings. ? Additionally, the Department is required to report the total amount of federal awards expended to the Office of the State Controller (OSC) via the Exhibit K1, Schedule of Federal Assistance. The Exhibit K1 is the document through which state departments report federal expenditure information to the OSC, including separate columns to indicate types of expenditures, for statewide compilation and reporting. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We identified issues related to two of the five (40 percent) Program subrecipients identified by the Department for Fiscal Year 2020 as follows: ? The Department did not take sufficient steps to address one subrecipient?s failure to obtain a 2019 Single Audit. Specifically, the subrecipient received approximately $78,500 in pass-through Program funding from the Department and communicated to the Department in its single audit certification for the year ending December 31, 2019, that it was subject to a Single Audit; however, that audit had not been conducted as of the completion of our Fiscal Year 2020 audit testwork in April 2021. While it appeared that the Department communicated various times with the subrecipient about the missing audit, the Department did not assess possible impacts from the missing audit or take any action to institute alternate monitoring procedures of the subrecipient. ? For the second subrecipient tested, the Department inappropriately considered the entity to be a subrecipient rather than a vendor and incorrectly reported $20,936 in funds paid to the entity as subrecipient expenditures on its Exhibit K1 submitted to the OSC. WHY DID THESE PROBLEMS OCCUR? The Department?s subrecipient policies and procedures are voluminous and performed throughout multiple divisions within the Department. Therefore, the results of monitoring procedures performed are documented in various areas and not contained in one central location. The Department also does not have policies and procedures in place to identify appropriate actions to be taken when issues are identified. In addition, the Department lacks a process for analyzing the types of entities it is contracting with for the Program in order to separately identify the entities as vendors or subrecipients; rather, staff indicated that, during the contracting process, all contract expenditures related to this Program are recorded as subrecipient expenditures, including service-related or vendor contracts. WHY DO THESE PROBLEMS MATTER? Performing timely and appropriate identification and monitoring of subrecipients, including ensuring that they undergo required Single Audits, provides the Department with a method to identify federal grant-related issues and to ensure its compliance with federal subrecipient monitoring requirements. By taking appropriate actions to address the results of its monitoring, the Department can mitigate the risk of providing continuing funding to entities that may not be using funds in accordance with Program requirements. This is particularly important because the Department passes 97 percent of these Program funds to subrecipients. The Department?s failure to comply with federal requirements could result in a loss of funding from the federal government. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-075 The Department of Transportation (Department) should ensure that it improves its internal controls over, and complies with, federal Formula Grants for Rural Areas and Tribal Transit Program requirements for subrecipient monitoring by: A Ensuring that subrecipient monitoring policies and procedures are centralized, condensed, and available to all personnel who are responsible for performing subrecipient monitoring activities. The policies and procedures should clearly list responsibilities for each division within the Department and be inclusive of all monitoring activities performed and contain clear directives for acting on subrecipients? failure to comply with requirements, including providing its single audit report, by assessing possible impacts from the noncompliance and instituting appropriate alternative procedures. B Implementing a process for analyzing its contracted entities during the contracting and awarding process by reviewing the nature and terms of contracts, separately identifying the contracted entities as vendors or subrecipients, and recording the contract expenditures appropriately based on this assessment. RESPONSE DEPARTMENT OF TRANSPORTATION A AGREE. IMPLEMENTATION DATE: JULY 2022. CDOT will work with various divisions to devise a plan that will comply with this finding and the recommendations noted within. This plan shall include identifying a centralized location for all policies and procedures related to subrecipient monitoring. We will look at all policies and procedures to ensure they clearly identify responsibilities and requirements for non-compliance. B AGREE. IMPLEMENTATION DATE: JULY 2022. CDOT will work with various divisions to devise a plan that will comply with this finding and the recommendations noted within. This plan shall include establishing a process by which an analysis of contracted entities will be performed to identify and properly record entities as a vendor or subrecipient.
The following finding and recommendation relating to an internal control deficiency classified as a Significant Deficiency was communicated to the Department of Transportation (Department) in the previous year and has not been remediated as of June 30, 2022 because the original implementation date provided by the Department was in a subsequent fiscal year. This complete finding and recommendation can be found within the original report and the complete recommendation can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table Finding 2021-068 The following finding and recommendation relating to an internal control deficiency classified as a Significant Deficiency was communicated to the Department in the previous year and has not been remediated as of June 30, 2021, because the original implementation date provided by the Department is in a subsequent fiscal year. This complete finding and recommendation can be found in the original report and Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-075 FORMULA GRANTS FOR RURAL AREAS?INTERNAL CONTROLS AND COMPLIANCE WITH SUBRECIPIENT MONITORING The Department received funding from the Federal Transit Authority (FTA) for the Program during Fiscal Year 2020 and expended approximately $26.8 million under the Program; the expenditures included approximately $16.9 million from the Coronavirus Aid, Relief, and Economic Security Act (CARES Act). The objective of this Program is to initiate, improve, or continue public transportation services in rural areas. FTA provides financial and technical assistance to local public transit systems, including buses, subways, light rail, commuter rail, trolleys, and ferries. FTA also oversees safety measures and helps develop next-generation technology research. Approximately $26.0 million (97 percent) of the Program funds expended by the Department were passed through to subrecipients in order to carry out a portion of the Program. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to determine whether the Department had effective internal controls in place during Fiscal Year 2020 over the Program, and complied with the Program?s subrecipient monitoring activities. As part of our audit work, we reviewed the Department?s internal controls over compliance for the Program?s subrecipient monitoring. In addition, we tested a random sample of five of 45 Program subrecipients for Fiscal Year 2020 to determine whether the subrecipient monitoring procedures the Department performed during the year were compliant with federal requirements. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? Our audit work was designed to measure the results of compliance with the following criteria: ? Federal regulations [2 CFR 200.332(b)] require that the Department evaluate each subrecipient?s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward and may include various factors. Federal regulations [2 CFR 200.332(d)-(f)] also require the Department to monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, complies with the terms and conditions of the subaward, and achieves performance goals. Monitoring must include: ? Reviewing financial and programmatic reports. ? Following up and ensuring the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award. ? Issuing a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity, as required by 2 CFR 200.521. ? Federal regulation [2 CFR 200.303] states that the Department, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The Department?s internal control policies and procedures require the Internal Audit Division to obtain and review single audit certification forms, whereby subrecipients are required to certify whether they are subject to a Single Audit. Internal Audit Division staff are required to review each certification and related Single Audit report, as applicable, and perform follow-up activities related to deficiencies and audit findings. ? Additionally, the Department is required to report the total amount of federal awards expended to the Office of the State Controller (OSC) via the Exhibit K1, Schedule of Federal Assistance. The Exhibit K1 is the document through which state departments report federal expenditure information to the OSC, including separate columns to indicate types of expenditures, for statewide compilation and reporting. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We identified issues related to two of the five (40 percent) Program subrecipients identified by the Department for Fiscal Year 2020 as follows: ? The Department did not take sufficient steps to address one subrecipient?s failure to obtain a 2019 Single Audit. Specifically, the subrecipient received approximately $78,500 in pass-through Program funding from the Department and communicated to the Department in its single audit certification for the year ending December 31, 2019, that it was subject to a Single Audit; however, that audit had not been conducted as of the completion of our Fiscal Year 2020 audit testwork in April 2021. While it appeared that the Department communicated various times with the subrecipient about the missing audit, the Department did not assess possible impacts from the missing audit or take any action to institute alternate monitoring procedures of the subrecipient. ? For the second subrecipient tested, the Department inappropriately considered the entity to be a subrecipient rather than a vendor and incorrectly reported $20,936 in funds paid to the entity as subrecipient expenditures on its Exhibit K1 submitted to the OSC. WHY DID THESE PROBLEMS OCCUR? The Department?s subrecipient policies and procedures are voluminous and performed throughout multiple divisions within the Department. Therefore, the results of monitoring procedures performed are documented in various areas and not contained in one central location. The Department also does not have policies and procedures in place to identify appropriate actions to be taken when issues are identified. In addition, the Department lacks a process for analyzing the types of entities it is contracting with for the Program in order to separately identify the entities as vendors or subrecipients; rather, staff indicated that, during the contracting process, all contract expenditures related to this Program are recorded as subrecipient expenditures, including service-related or vendor contracts. WHY DO THESE PROBLEMS MATTER? Performing timely and appropriate identification and monitoring of subrecipients, including ensuring that they undergo required Single Audits, provides the Department with a method to identify federal grant-related issues and to ensure its compliance with federal subrecipient monitoring requirements. By taking appropriate actions to address the results of its monitoring, the Department can mitigate the risk of providing continuing funding to entities that may not be using funds in accordance with Program requirements. This is particularly important because the Department passes 97 percent of these Program funds to subrecipients. The Department?s failure to comply with federal requirements could result in a loss of funding from the federal government. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-075 The Department of Transportation (Department) should ensure that it improves its internal controls over, and complies with, federal Formula Grants for Rural Areas and Tribal Transit Program requirements for subrecipient monitoring by: A Ensuring that subrecipient monitoring policies and procedures are centralized, condensed, and available to all personnel who are responsible for performing subrecipient monitoring activities. The policies and procedures should clearly list responsibilities for each division within the Department and be inclusive of all monitoring activities performed and contain clear directives for acting on subrecipients? failure to comply with requirements, including providing its single audit report, by assessing possible impacts from the noncompliance and instituting appropriate alternative procedures. B Implementing a process for analyzing its contracted entities during the contracting and awarding process by reviewing the nature and terms of contracts, separately identifying the contracted entities as vendors or subrecipients, and recording the contract expenditures appropriately based on this assessment. RESPONSE DEPARTMENT OF TRANSPORTATION A AGREE. IMPLEMENTATION DATE: JULY 2022. CDOT will work with various divisions to devise a plan that will comply with this finding and the recommendations noted within. This plan shall include identifying a centralized location for all policies and procedures related to subrecipient monitoring. We will look at all policies and procedures to ensure they clearly identify responsibilities and requirements for non-compliance. B AGREE. IMPLEMENTATION DATE: JULY 2022. CDOT will work with various divisions to devise a plan that will comply with this finding and the recommendations noted within. This plan shall include establishing a process by which an analysis of contracted entities will be performed to identify and properly record entities as a vendor or subrecipient.
The following finding and recommendation relating to an internal control deficiency classified as a Significant Deficiency was communicated to the Department of Transportation (Department) in the previous year and has not been remediated as of June 30, 2022 because the original implementation date provided by the Department was in a subsequent fiscal year. This complete finding and recommendation can be found within the original report and the complete recommendation can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table Finding 2021-068 The following finding and recommendation relating to an internal control deficiency classified as a Significant Deficiency was communicated to the Department in the previous year and has not been remediated as of June 30, 2021, because the original implementation date provided by the Department is in a subsequent fiscal year. This complete finding and recommendation can be found in the original report and Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-075 FORMULA GRANTS FOR RURAL AREAS?INTERNAL CONTROLS AND COMPLIANCE WITH SUBRECIPIENT MONITORING The Department received funding from the Federal Transit Authority (FTA) for the Program during Fiscal Year 2020 and expended approximately $26.8 million under the Program; the expenditures included approximately $16.9 million from the Coronavirus Aid, Relief, and Economic Security Act (CARES Act). The objective of this Program is to initiate, improve, or continue public transportation services in rural areas. FTA provides financial and technical assistance to local public transit systems, including buses, subways, light rail, commuter rail, trolleys, and ferries. FTA also oversees safety measures and helps develop next-generation technology research. Approximately $26.0 million (97 percent) of the Program funds expended by the Department were passed through to subrecipients in order to carry out a portion of the Program. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to determine whether the Department had effective internal controls in place during Fiscal Year 2020 over the Program, and complied with the Program?s subrecipient monitoring activities. As part of our audit work, we reviewed the Department?s internal controls over compliance for the Program?s subrecipient monitoring. In addition, we tested a random sample of five of 45 Program subrecipients for Fiscal Year 2020 to determine whether the subrecipient monitoring procedures the Department performed during the year were compliant with federal requirements. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? Our audit work was designed to measure the results of compliance with the following criteria: ? Federal regulations [2 CFR 200.332(b)] require that the Department evaluate each subrecipient?s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward and may include various factors. Federal regulations [2 CFR 200.332(d)-(f)] also require the Department to monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, complies with the terms and conditions of the subaward, and achieves performance goals. Monitoring must include: ? Reviewing financial and programmatic reports. ? Following up and ensuring the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award. ? Issuing a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity, as required by 2 CFR 200.521. ? Federal regulation [2 CFR 200.303] states that the Department, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The Department?s internal control policies and procedures require the Internal Audit Division to obtain and review single audit certification forms, whereby subrecipients are required to certify whether they are subject to a Single Audit. Internal Audit Division staff are required to review each certification and related Single Audit report, as applicable, and perform follow-up activities related to deficiencies and audit findings. ? Additionally, the Department is required to report the total amount of federal awards expended to the Office of the State Controller (OSC) via the Exhibit K1, Schedule of Federal Assistance. The Exhibit K1 is the document through which state departments report federal expenditure information to the OSC, including separate columns to indicate types of expenditures, for statewide compilation and reporting. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We identified issues related to two of the five (40 percent) Program subrecipients identified by the Department for Fiscal Year 2020 as follows: ? The Department did not take sufficient steps to address one subrecipient?s failure to obtain a 2019 Single Audit. Specifically, the subrecipient received approximately $78,500 in pass-through Program funding from the Department and communicated to the Department in its single audit certification for the year ending December 31, 2019, that it was subject to a Single Audit; however, that audit had not been conducted as of the completion of our Fiscal Year 2020 audit testwork in April 2021. While it appeared that the Department communicated various times with the subrecipient about the missing audit, the Department did not assess possible impacts from the missing audit or take any action to institute alternate monitoring procedures of the subrecipient. ? For the second subrecipient tested, the Department inappropriately considered the entity to be a subrecipient rather than a vendor and incorrectly reported $20,936 in funds paid to the entity as subrecipient expenditures on its Exhibit K1 submitted to the OSC. WHY DID THESE PROBLEMS OCCUR? The Department?s subrecipient policies and procedures are voluminous and performed throughout multiple divisions within the Department. Therefore, the results of monitoring procedures performed are documented in various areas and not contained in one central location. The Department also does not have policies and procedures in place to identify appropriate actions to be taken when issues are identified. In addition, the Department lacks a process for analyzing the types of entities it is contracting with for the Program in order to separately identify the entities as vendors or subrecipients; rather, staff indicated that, during the contracting process, all contract expenditures related to this Program are recorded as subrecipient expenditures, including service-related or vendor contracts. WHY DO THESE PROBLEMS MATTER? Performing timely and appropriate identification and monitoring of subrecipients, including ensuring that they undergo required Single Audits, provides the Department with a method to identify federal grant-related issues and to ensure its compliance with federal subrecipient monitoring requirements. By taking appropriate actions to address the results of its monitoring, the Department can mitigate the risk of providing continuing funding to entities that may not be using funds in accordance with Program requirements. This is particularly important because the Department passes 97 percent of these Program funds to subrecipients. The Department?s failure to comply with federal requirements could result in a loss of funding from the federal government. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-075 The Department of Transportation (Department) should ensure that it improves its internal controls over, and complies with, federal Formula Grants for Rural Areas and Tribal Transit Program requirements for subrecipient monitoring by: A Ensuring that subrecipient monitoring policies and procedures are centralized, condensed, and available to all personnel who are responsible for performing subrecipient monitoring activities. The policies and procedures should clearly list responsibilities for each division within the Department and be inclusive of all monitoring activities performed and contain clear directives for acting on subrecipients? failure to comply with requirements, including providing its single audit report, by assessing possible impacts from the noncompliance and instituting appropriate alternative procedures. B Implementing a process for analyzing its contracted entities during the contracting and awarding process by reviewing the nature and terms of contracts, separately identifying the contracted entities as vendors or subrecipients, and recording the contract expenditures appropriately based on this assessment. RESPONSE DEPARTMENT OF TRANSPORTATION A AGREE. IMPLEMENTATION DATE: JULY 2022. CDOT will work with various divisions to devise a plan that will comply with this finding and the recommendations noted within. This plan shall include identifying a centralized location for all policies and procedures related to subrecipient monitoring. We will look at all policies and procedures to ensure they clearly identify responsibilities and requirements for non-compliance. B AGREE. IMPLEMENTATION DATE: JULY 2022. CDOT will work with various divisions to devise a plan that will comply with this finding and the recommendations noted within. This plan shall include establishing a process by which an analysis of contracted entities will be performed to identify and properly record entities as a vendor or subrecipient.
The following finding and recommendation relating to an internal control deficiency classified as a Significant Deficiency was communicated to the Department of Transportation (Department) in the previous year and has not been remediated as of June 30, 2022 because the original implementation date provided by the Department was in a subsequent fiscal year. This complete finding and recommendation can be found within the original report and the complete recommendation can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table Finding 2021-068 The following finding and recommendation relating to an internal control deficiency classified as a Significant Deficiency was communicated to the Department in the previous year and has not been remediated as of June 30, 2021, because the original implementation date provided by the Department is in a subsequent fiscal year. This complete finding and recommendation can be found in the original report and Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-075 FORMULA GRANTS FOR RURAL AREAS?INTERNAL CONTROLS AND COMPLIANCE WITH SUBRECIPIENT MONITORING The Department received funding from the Federal Transit Authority (FTA) for the Program during Fiscal Year 2020 and expended approximately $26.8 million under the Program; the expenditures included approximately $16.9 million from the Coronavirus Aid, Relief, and Economic Security Act (CARES Act). The objective of this Program is to initiate, improve, or continue public transportation services in rural areas. FTA provides financial and technical assistance to local public transit systems, including buses, subways, light rail, commuter rail, trolleys, and ferries. FTA also oversees safety measures and helps develop next-generation technology research. Approximately $26.0 million (97 percent) of the Program funds expended by the Department were passed through to subrecipients in order to carry out a portion of the Program. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to determine whether the Department had effective internal controls in place during Fiscal Year 2020 over the Program, and complied with the Program?s subrecipient monitoring activities. As part of our audit work, we reviewed the Department?s internal controls over compliance for the Program?s subrecipient monitoring. In addition, we tested a random sample of five of 45 Program subrecipients for Fiscal Year 2020 to determine whether the subrecipient monitoring procedures the Department performed during the year were compliant with federal requirements. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? Our audit work was designed to measure the results of compliance with the following criteria: ? Federal regulations [2 CFR 200.332(b)] require that the Department evaluate each subrecipient?s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward and may include various factors. Federal regulations [2 CFR 200.332(d)-(f)] also require the Department to monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, complies with the terms and conditions of the subaward, and achieves performance goals. Monitoring must include: ? Reviewing financial and programmatic reports. ? Following up and ensuring the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award. ? Issuing a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity, as required by 2 CFR 200.521. ? Federal regulation [2 CFR 200.303] states that the Department, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The Department?s internal control policies and procedures require the Internal Audit Division to obtain and review single audit certification forms, whereby subrecipients are required to certify whether they are subject to a Single Audit. Internal Audit Division staff are required to review each certification and related Single Audit report, as applicable, and perform follow-up activities related to deficiencies and audit findings. ? Additionally, the Department is required to report the total amount of federal awards expended to the Office of the State Controller (OSC) via the Exhibit K1, Schedule of Federal Assistance. The Exhibit K1 is the document through which state departments report federal expenditure information to the OSC, including separate columns to indicate types of expenditures, for statewide compilation and reporting. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We identified issues related to two of the five (40 percent) Program subrecipients identified by the Department for Fiscal Year 2020 as follows: ? The Department did not take sufficient steps to address one subrecipient?s failure to obtain a 2019 Single Audit. Specifically, the subrecipient received approximately $78,500 in pass-through Program funding from the Department and communicated to the Department in its single audit certification for the year ending December 31, 2019, that it was subject to a Single Audit; however, that audit had not been conducted as of the completion of our Fiscal Year 2020 audit testwork in April 2021. While it appeared that the Department communicated various times with the subrecipient about the missing audit, the Department did not assess possible impacts from the missing audit or take any action to institute alternate monitoring procedures of the subrecipient. ? For the second subrecipient tested, the Department inappropriately considered the entity to be a subrecipient rather than a vendor and incorrectly reported $20,936 in funds paid to the entity as subrecipient expenditures on its Exhibit K1 submitted to the OSC. WHY DID THESE PROBLEMS OCCUR? The Department?s subrecipient policies and procedures are voluminous and performed throughout multiple divisions within the Department. Therefore, the results of monitoring procedures performed are documented in various areas and not contained in one central location. The Department also does not have policies and procedures in place to identify appropriate actions to be taken when issues are identified. In addition, the Department lacks a process for analyzing the types of entities it is contracting with for the Program in order to separately identify the entities as vendors or subrecipients; rather, staff indicated that, during the contracting process, all contract expenditures related to this Program are recorded as subrecipient expenditures, including service-related or vendor contracts. WHY DO THESE PROBLEMS MATTER? Performing timely and appropriate identification and monitoring of subrecipients, including ensuring that they undergo required Single Audits, provides the Department with a method to identify federal grant-related issues and to ensure its compliance with federal subrecipient monitoring requirements. By taking appropriate actions to address the results of its monitoring, the Department can mitigate the risk of providing continuing funding to entities that may not be using funds in accordance with Program requirements. This is particularly important because the Department passes 97 percent of these Program funds to subrecipients. The Department?s failure to comply with federal requirements could result in a loss of funding from the federal government. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-075 The Department of Transportation (Department) should ensure that it improves its internal controls over, and complies with, federal Formula Grants for Rural Areas and Tribal Transit Program requirements for subrecipient monitoring by: A Ensuring that subrecipient monitoring policies and procedures are centralized, condensed, and available to all personnel who are responsible for performing subrecipient monitoring activities. The policies and procedures should clearly list responsibilities for each division within the Department and be inclusive of all monitoring activities performed and contain clear directives for acting on subrecipients? failure to comply with requirements, including providing its single audit report, by assessing possible impacts from the noncompliance and instituting appropriate alternative procedures. B Implementing a process for analyzing its contracted entities during the contracting and awarding process by reviewing the nature and terms of contracts, separately identifying the contracted entities as vendors or subrecipients, and recording the contract expenditures appropriately based on this assessment. RESPONSE DEPARTMENT OF TRANSPORTATION A AGREE. IMPLEMENTATION DATE: JULY 2022. CDOT will work with various divisions to devise a plan that will comply with this finding and the recommendations noted within. This plan shall include identifying a centralized location for all policies and procedures related to subrecipient monitoring. We will look at all policies and procedures to ensure they clearly identify responsibilities and requirements for non-compliance. B AGREE. IMPLEMENTATION DATE: JULY 2022. CDOT will work with various divisions to devise a plan that will comply with this finding and the recommendations noted within. This plan shall include establishing a process by which an analysis of contracted entities will be performed to identify and properly record entities as a vendor or subrecipient.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-064 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide emergency financial assistance to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the University under the Higher Education Emergency Relief Fund (HEERF I) Program. The federal Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the federal American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Each of the University?s campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (DOE) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements of the HEERF program there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The DOE specified that the Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The University?s campuses are required to submit the annual report directly to the DOE. During Fiscal Year 2022, each University campus was required to complete and post 8 reports (four Student Aid and four Institutional) to their website. During Fiscal Year 2022, the University?s three campuses in total expended approximately $60 million in HEERF grant funds: $27 million was expended by the Boulder campus, $10.5 million was expended by the Colorado Springs campus, and $22.5 million was expended by the Denver campus. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over and complied with the HEERF grant reporting requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls over the HEERF grant reporting requirements. In addition, we tested 11 of the 12 student reports and 3 of the 12 institutional reports posted by the University during Fiscal Year 2022 to determine whether the University campuses posted the required information on each campus? website accurately, and by the federal due dates. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? The DOE issued a notice on May 13, 2021, requiring institutions to publicly post their required HEERF reports on the institution?s website as soon as possible, but no later than 30 days after the publication of the notice, or 30 days after the date the DOE first obligated funds under HEERF I, II, or III to the institution for emergency financial assistance to students; whichever comes later. The institution is required to post the report no later than 10 days after the end of each calendar quarter, after the initial posting. ? Federal regulation [2 CFR 200.303] states that the System?s campuses, as federal grant recipients, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? What problem did the audit work identify? We identified 2 out of the 14 reports tested (14.3 percent) that did not meet the HEERF grant report posting requirements. Specifically, the University of Colorado, Colorado Springs Campus, did not post the required information for the HEERF Student Aid Portion on its website for two of four quarters of Fiscal Year 2022 timely. First, the University posted the quarter-ending September 30, 2021 report to its website on December 23, 2021, or 74 days after the deadline of October 10. Second, the University did not post the quarter-ending March 31, 2022 report, which was due April 10, 2022, until October 2022, after we notified them of the error; this was approximately 6 months late. We did not identify any issues with the accuracy of the reports, and we found that the other two campuses in the University of Colorado System posted the required information on their respective websites as required by federal regulations. Why did this problem occur? The University?s Colorado Springs campus did not have adequate internal controls in place to ensure it complied with the HEERF grant reporting requirements. Specifically, the Colorado Springs Campus did not have appropriate policies and procedures in place for identifying and researching changes in HEERF reporting requirements. The federal government updated and provided a new form for HEERF reporting in September 2021 that included a section for institutional information but inadvertently excluded student information from the form. Because the form no longer required the student information, the Colorado Springs campus staff inaccurately assumed that the student information was no longer required to be reported. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in the DOE Certification and Agreement that is signed and agreed to by the University. By failing to report required information in accordance with federal regulations, the University failed to comply with the requirements of the HEERF program and potentially risks repercussions from the DOE as specified in the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-064 The University of Colorado?s Colorado Springs campus should strengthen its internal controls over and ensure that it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by establishing policies and procedures for identifying and researching changes in HEERF reporting requirements and posting reports to the campus website as required by federal regulations. Response University of Colorado Agree Implementation Date: Implemented Management agrees. After the notification of the missing HEERF report in December 2021, the UCCS Controller proposed a ?cross-check? process to ensure all future reporting is in compliance and reported in a timely manner. This process is used for both the quarterly and annual reporting process. In the quarterly reporting process, the UCCS Controller completes the institutional report and emails the report to the UCCS Financial Aid office Senior Executive Director for verification of the amounts and the data submitted. The Senior Executive Director then enters the student aid portion?s information and provides this to the UCCS Controller for verification of the data. Once verified, the report is uploaded to the UCCS website and a confirmation email is sent to the UCCS Controller as well as the heerfreporting@ed.gov for verification of completion of the website posting. This process has been duplicated with the annual reporting process. Before the annual report is submitted a review will be done to verify the report figures match the CU financials for the calendar year.
Finding 2022-062 Higher Education Emergency Relief Fund Student Aid Finding The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to higher education institutions, including the University, under the HEERF program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA) was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. Since March 11, 2021, the University has been awarded $45.6 million in HEERF grant funds through the American Rescue Plan (ARP), otherwise known as HEERF III. Of this award, the University was provided both 1) Student Aid monies, along with 2) Institutional Aid monies. Student Aid monies must be used to provide financial aid grants to students (including students exclusively enrolled in distance education), which may be used for ?any component of the student?s cost of attendance or for emergency costs that arise due to coronavirus, such as tuition, food, housing, healthcare (including mental health care), or childcare. Institutional Aid monies may be used to defray expenses associated with coronavirus (including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll) and to make additional financial grants to students. During Fiscal Year 2022, the University spent $21.0 million for the Student Aid portion and $20.2 million for the Institutional portion of HEERF III funds. For the Student Aid portion of the HEERF III funding, the University divided the funding into different groups. The University developed a written plan (that applied during Fiscal Year 2022) for each group and a control process for awarding the monies to students. One of the groups of funding was to be awarded to students with unpaid balances in their tuition or auxiliary accounts with past due balances incurred during the 2020-2021 or 2021-2022 academic years. A team of University employees (CARES Team) was tasked with identifying those students, then contacting those students and asking if they would like the University to apply the student?s HEERF award to pay down the student?s account balance or pay it to the student directly. Once the student informed the University of their election, then the University awarded and disbursed the funds. What was the purpose of our audit work and what was performed? The purpose of the audit work was to determine whether the University was in compliance with the HEERF program regulations for awarding and paying the Student Aid portion of the HEERF funding, and whether proper controls were in place over the program during Fiscal Year 2022. Our testing included conducting interviews with management and selecting a sample of 60 disbursements made to students during Fiscal Year 2022 to test controls and compliance. We performed testing on the 60 disbursements to determine whether awards and disbursements were made in accordance with the University?s documented plan. How were the results of the audit work measured? In accordance with HEERF III requirements, the University must prioritize student aid distributions to students with exceptional needs. In addition, the University must have a documented plan to distribute funds to students. Federal regulations [2 CFR 200.303] require any non-federal grant award recipient to establish and maintain effective internal control over the federal award that provides reasonable assurance that the grant award recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. Lastly, student aid application best practices discourage employees from awarding aid to family members. What problem did the audit work identify? Based on interviews with University management, the University identified that a University employee inappropriately provided $700 in HEERF Student Aid funding to the employee?s family member who was a student at the University but was not eligible to receive the funds. Specifically, the CARES Team selected students to receive these funds that met the following criteria: 1) Student was enrolled in the Fall of 2021 or Spring 2022, 2) student had past due balances incurred during the 2020-2021 or 2021-2022 academic years, 3) the student was in good academic standing, and 4) they were participating in a payment plan or in the College Completion Advising program. The student was not selected by the CARES Team as eligible to receive these funds. During our testing of additional 60 student disbursement transactions we found no other exceptions. Why did this problem occur? The University has not established proper segregation of duties to prevent University employees from awarding federal funding to a member of their family. Specifically, the employee had access rights within the University?s financial aid system that granted the employee the ability to both award and disburse federal funds without another employee reviewing or approving. In addition, the University did not have a written policy, as recommended by industry best practices, that prohibits employees from applying aid to family members? accounts. Why does this problem matter? Federal funds that are misapplied or used for unallowable purposes could be subject to repayment from the University to the federal granting agency. Without ensuring adequate segregation of duties within the University?s financial aid system for awarding and disbursing federal funds, the University increases the risk that fraud could occur. In the instance identified, the University recovered the funding from the student. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-062 Metropolitan State University of Denver (University) should improve its internal controls over federal Higher Education Emergency Relief Funds by instituting appropriate segregation of duties over the awarding of federal funds to students. This should include requiring that no one employee can both award then disburse aid to students and developing and implementing a formal written policy that prohibits University employees from awarding financial aid to their family members. Response Metropolitan State University Agree Implementation Date: June 2023 In January 2023, the Executive Director of Financial Aid and Scholarships implemented a code of conduct that addresses and prohibits University personnel from awarding financial aid to their family members or other persons considered conflicts of interest. The Office of Financial Aid and Scholarships will draft policy by June 30, 2023, to address the segregation of duties that prohibits awarding and disbursing federal, state, or institutional funding to students by one employee.
Finding 2022-063 Higher Education Emergency Relief Fund Reporting Compliance Finding The CARES Act was signed into law on March 27, 2020, and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the (HEERF Program. CRRSAA was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Since April 2020, the University has been awarded a total of $86.3 million in HEERF funding. From inception through June 30, 2022, the University spent $35.4 million for the HEERF program Student Aid Portion and $48.9 million for the HEERF program Institutional Portion. The University reports that it will spend the remaining amount of funding during Fiscal Year 2023. The University signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate the University?s acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The ED specified that Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The annual report is to be submitted directly to the federal ED. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University had adequate internal controls in place over and complied with HEERF Institutional and Student Aid Portion grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the University?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 5 of the 8 HEERF reports submitted by the University during Fiscal Year 2022 to determine whether the reports were posted on the University?s primary website or submitted directly to the ED by the federal due dates and complied with federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? For the Student Aid Portion, beginning on May 6, 2020, the ED required institutions to publicly post certain information on their website, including the number of awards distributed to students, the total amount awarded, and the methodologies used by the institution to determine which students receive awards, no later than 30 days after the award date, and to update that information every 45 days thereafter (by posting a new report). ? On August 31, 2020, the ED revised the reporting requirement by decreasing the frequency of reporting after the initial 30-day period from every 45 days thereafter to every calendar quarter. This revision from every 45 days to a calendar quarter was effective for the first calendar quarter report due by October 10, 2020, and covering the period from after the institution?s last report through the end of the calendar quarter on September 30, 2020. ? For the Institutional Portion, a federal form filled out by the institution must be posted on the institution?s website covering aggregate expenditure amounts for each calendar quarter (September 30, December 31, March 31, and June 30) and concluding after an institution has spent the institutional portion of their HEERF Funds. The institution must post their first report by October 30, 2020, the first quarter of 2021 report by July 20, 2021, and post all other reports no later than 10 days after the end of each calendar quarter (October 10, January 10, April 10, and July 10). ? Section 18004(e) of the CARES Act and Section 314(e) of the CRRSAA require an institution receiving funds under HEERF to submit a report to the Secretary of the ED at ?such time in such a manner as the Secretary may require?. ? Federal regulation [2 CFR 200.334] states that ?financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.? The instructions for the Quarterly HEERF Reporting Form notes, ?any changes or updates after the initial posting must be conspicuously noted after initial posting and the date of the change must be noted in the `Date of Report? line.? ? Federal regulation [2 CFR 200.303] states that the University, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The University signed a HEERF Certification and Agreement to accept the funding and acknowledge its responsibilities under the grant; therefore, the University was responsible under the Agreement to ensure that it complied with HEERF reporting and other requirements. What problems did the audit work identify? We determined that 2 out of 5 reports tested (40 percent) did not meet the HEERF grant report posting requirements. Specifically: ? The University did not post the HEERF CRRSAA Student quarterly report for the quarter ending September 30, 2021 on the University?s primary website, as required. ? The University published the HEERF ARP Student quarterly report for the quarter ending March 31, 2022 on May 26, 2022?46 days past the due date of April 10, 2022. No issues were noted on the accuracy of the financial information on this report. Why did these problems occur? The University did not implement adequate internal controls to ensure it complied with the HEERF grant reporting requirements. Specifically, the University did not have appropriate policies and procedures in place to ensure that staff submit the required reports within federally required timeframes. Why do these problems matter? Federal oversight agencies, including ED, depend on accurate reports to measure program results and states? compliance with federal requirements. By failing to report the HEERF spending information in accordance with federal regulations, the University failed to comply with the requirements of the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-063 Metropolitan State University of Denver (University) should strengthen its internal controls over reporting and ensure it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by developing and documenting policies and procedures for identifying and researching the specific reporting requirements and ensuring that staff post to the University?s website the required reports within federally required timeframes. In addition, the University should ensure that all the HEERF reports that are currently required to be posted are on the website. Response Metropolitan State University Agree Implementation Date: December 2022 In December 2022, the Office of Financial Aid strengthened its internal control over the reporting requirements for the Higher Education Emergency Relief Fund (HEERF), by adding the report due dates to the internal operational calendar. Additional level reviews were also added to the submission process before the required reports will be sent to the Department of Education and posted on the financial aid website.
Finding 2022-059 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF I) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund (Assistance Listing No. 84.425). The HEERF program contains two portions: the Student Aid portion (Assistance Listing No. 84.425E) and the Institutional portion, which is made up of the following: HEERF Institutional Aid Portion (Assistance Listing No. 84.425F), HEERF Minority Serving Institutions (Assistance Listing No. 84.425L), HEERF Strengthening Institutions Program (Assistance Listing No. 84.425M), Institutional Resilience and Expanded Postsecondary Opportunity (Assistance Listing No. 84.425P), and HEERF Supplemental Assistance to Institutions of Higher Education program (Assistance Listing No. 84.425S). Amounts provided to students through HEERF are considered to be ?Emergency Financial Aid Grants to Students? under the Program. Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent approximately $97.8 million for the HEERF program Student Aid portion which is used to award Emergency Financial Aid Grants to students and $113.9 million for the HEERF Institutional Portion, which is used to support the colleges. $117.3 of this amount was expended by the System during Fiscal Year 2022. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the ED to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The annual report is to be submitted directly to the ED. The ED has specified certain criteria that must be included in each report. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System had adequate internal controls in place over, and complied with, the HEERF Institutional and Student Aid grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the System?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 25 of the 117 HEERF reports submitted by the System?s campuses during Fiscal Year 2022 to determine whether the reports were posted on each campus? primary website (quarterly reports) or submitted to ED (annual reports) by the federal due dates. Furthermore, for the Student Aid Quarterly Report we requested from each Campus the underlying support for the reports, which consisted of student data detailing how much aid was awarded and the methods the campuses used to determine which students would receive Emergency Financial Aid Grants. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? On May 13, 2021, the ED published in the Federal Register a notice for student aid public reporting under CRRSAA and ARP, which requires that institutions publicly post certain information on their website. The following information must appear in a format and location that is easily accessible to the public: o An acknowledgement that the institution signed and returned to the ED the Certification and Agreement and the assurance that the institution has used the applicable amount of funds designated under the CRRSAA and ARP programs to provide Emergency Financial Aid Grants to Students. o The total amount of funds that the institution will receive or has received from the ED pursuant to the institution's Certification and Agreement for Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total amount of Emergency Financial Aid Grants distributed to students under the CRRSAA and ARP programs as of the date of submission (i.e., as of the initial report and every calendar quarter thereafter). o The estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total number of students who have received an Emergency Financial Aid Grant to students under the CRRSAA and ARP programs. o The method(s) used by the institution to determine which students receive Emergency Financial Aid Grants and how much they would receive under the CRRSAA and ARP programs. o Any instructions, directions, or guidance provided by the institution to students concerning the Emergency Financial Aid Grants. ? Federal Uniform Guidance [2 CFR 200.303] requires that recipients of federal awards have internal controls in place to ensure that federal reports are accurate and report complete information. Appropriate supporting documentation is evidence of such internal controls. What problems did the audit work identify? We identified issues with 5 of the 25 Fiscal Year 2022 reports we tested (20 percent). Specifically, Front Range Community College (FRCC), Pueblo Community College (PCC), and Lamar Community College (LCC) could not provide appropriate supporting documentation for one or more of the following data elements in five of the Student Aid Quarterly Reports: student data detailing (a) the total amount of Emergency Financial Aid Grants distributed to students, (b) the total number of students eligible to receive Emergency Financial Aid Grants and/or (c) the total number of students at the institution who have received an Emergency Financial Aid Grant. The specific issues we found the following: ? FRCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended September 30, 2021 as 20,684; based on our review, we determined the supported number was 20,782. ? FRCC reported the total number of students at the institution who have received an Emergency Financial Aid Grant for the quarter ended June 30, 2022 as 20,385 (student portion) and 3,207 (institutional portion); based on our review, we determined the supported numbers were 20,401 and 3,222, respectively. ? LCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended June 30, 2022 as 1,007; based on our review, we determined the supported number was 1,034. In addition, the amount disbursed directly to student emergency financial aid grants to date was reported as 961 and total for all HEERF funds was 1,124; based on our review, we determined the supported numbers were 988 and 1,151, respectively. ? PCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarters ending September 30, 2021 and December 31, 2021 as 3,191; based on our review, we determined this amount could not be supported and PCC did not provide a revised count. Why did these problems occur? FRCC, PCC, and LCC campuses did not have procedures in place to ensure that supporting documentation was maintained for its Student Aid Quarterly Reporting. Employee turnover in the FRCC Controller position and FRCC, PCC, and LCC Student Financial Aid Director positions further contributed to FRCC, PCC, and LCC?s inability to locate or recreate the supporting documentation. Why do these problems matter? It is important for FRCC, PCC, and LCC to ensure that they obtain and maintain appropriate documentation to support amounts reported to federal awarding agencies, especially when they are the basis for determining FRCC, PCC, and LCC?s compliance with specific federal program requirements. This issue could lead to inaccurate federal reporting and potential noncompliance, which could result in the federal government requiring FRCC, PCC, and LCC to return funds or a negative impact to the System?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-059 Front Range Community College, Lamar Community College, and Pueblo Community College campuses should strengthen their internal controls over federal reporting and ensure they comply with the Higher Education Emergency Relief Fund reporting requirements by reviewing reports for accuracy and developing procedures for ensuring the required maintenance of all related supporting documentation. Response Front Range Community College Agree Implementation Date: September 2022 Moving forward the Director of Financial Aid will engage the Restricted Funds Accountants in a quality assurance review of both dollars spent, type of fund, and student counts before it is submitted for final review and publishing by the Director of Resource Development and Senior Grant Administrator. The most recently submitted information for the quarterly report of September 30, 2022 will be sent to the Restricted Funds Accountants to validate that FRCC has been and will continue to be in compliance for quarterly HEERF reporting. Response Lamar Community College Agree Implementation Date: July 2022 The Financial Aid Director and the Controller will compile their reporting support on the shared drive they utilize for other routine purposes as well, to ensure clear documentation of the numbers reported. The original report containing errors was corrected, validated, and reposted. All past year?s reporting data was made available on the shared drive as of July 2022. Response Pueblo Community College Agree Implementation Date: October 2022 Each quarter Financial aid will obtain and compare Cognos and Banner disbursement reports for accuracy. Once the unduplicated student count is determined it will be sent to the Vice President of Student Success to validate and approve going forward. Financial aid will ensure staff maintain supporting documentation for any institutional expenditures information that was obtained from the fiscal office. Disbursement and expenditure data will be compiled for the Department of Education?s Quarterly Report by the submission deadline and will be submitted as PDF to webmaster for posting on PCC?s website and a copy emailed to a contact at the Department of Education and will archive the submission for future reference.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-064 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide emergency financial assistance to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the University under the Higher Education Emergency Relief Fund (HEERF I) Program. The federal Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the federal American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Each of the University?s campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (DOE) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements of the HEERF program there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The DOE specified that the Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The University?s campuses are required to submit the annual report directly to the DOE. During Fiscal Year 2022, each University campus was required to complete and post 8 reports (four Student Aid and four Institutional) to their website. During Fiscal Year 2022, the University?s three campuses in total expended approximately $60 million in HEERF grant funds: $27 million was expended by the Boulder campus, $10.5 million was expended by the Colorado Springs campus, and $22.5 million was expended by the Denver campus. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over and complied with the HEERF grant reporting requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls over the HEERF grant reporting requirements. In addition, we tested 11 of the 12 student reports and 3 of the 12 institutional reports posted by the University during Fiscal Year 2022 to determine whether the University campuses posted the required information on each campus? website accurately, and by the federal due dates. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? The DOE issued a notice on May 13, 2021, requiring institutions to publicly post their required HEERF reports on the institution?s website as soon as possible, but no later than 30 days after the publication of the notice, or 30 days after the date the DOE first obligated funds under HEERF I, II, or III to the institution for emergency financial assistance to students; whichever comes later. The institution is required to post the report no later than 10 days after the end of each calendar quarter, after the initial posting. ? Federal regulation [2 CFR 200.303] states that the System?s campuses, as federal grant recipients, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? What problem did the audit work identify? We identified 2 out of the 14 reports tested (14.3 percent) that did not meet the HEERF grant report posting requirements. Specifically, the University of Colorado, Colorado Springs Campus, did not post the required information for the HEERF Student Aid Portion on its website for two of four quarters of Fiscal Year 2022 timely. First, the University posted the quarter-ending September 30, 2021 report to its website on December 23, 2021, or 74 days after the deadline of October 10. Second, the University did not post the quarter-ending March 31, 2022 report, which was due April 10, 2022, until October 2022, after we notified them of the error; this was approximately 6 months late. We did not identify any issues with the accuracy of the reports, and we found that the other two campuses in the University of Colorado System posted the required information on their respective websites as required by federal regulations. Why did this problem occur? The University?s Colorado Springs campus did not have adequate internal controls in place to ensure it complied with the HEERF grant reporting requirements. Specifically, the Colorado Springs Campus did not have appropriate policies and procedures in place for identifying and researching changes in HEERF reporting requirements. The federal government updated and provided a new form for HEERF reporting in September 2021 that included a section for institutional information but inadvertently excluded student information from the form. Because the form no longer required the student information, the Colorado Springs campus staff inaccurately assumed that the student information was no longer required to be reported. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in the DOE Certification and Agreement that is signed and agreed to by the University. By failing to report required information in accordance with federal regulations, the University failed to comply with the requirements of the HEERF program and potentially risks repercussions from the DOE as specified in the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-064 The University of Colorado?s Colorado Springs campus should strengthen its internal controls over and ensure that it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by establishing policies and procedures for identifying and researching changes in HEERF reporting requirements and posting reports to the campus website as required by federal regulations. Response University of Colorado Agree Implementation Date: Implemented Management agrees. After the notification of the missing HEERF report in December 2021, the UCCS Controller proposed a ?cross-check? process to ensure all future reporting is in compliance and reported in a timely manner. This process is used for both the quarterly and annual reporting process. In the quarterly reporting process, the UCCS Controller completes the institutional report and emails the report to the UCCS Financial Aid office Senior Executive Director for verification of the amounts and the data submitted. The Senior Executive Director then enters the student aid portion?s information and provides this to the UCCS Controller for verification of the data. Once verified, the report is uploaded to the UCCS website and a confirmation email is sent to the UCCS Controller as well as the heerfreporting@ed.gov for verification of completion of the website posting. This process has been duplicated with the annual reporting process. Before the annual report is submitted a review will be done to verify the report figures match the CU financials for the calendar year.
Finding 2022-062 Higher Education Emergency Relief Fund Student Aid Finding The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to higher education institutions, including the University, under the HEERF program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA) was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. Since March 11, 2021, the University has been awarded $45.6 million in HEERF grant funds through the American Rescue Plan (ARP), otherwise known as HEERF III. Of this award, the University was provided both 1) Student Aid monies, along with 2) Institutional Aid monies. Student Aid monies must be used to provide financial aid grants to students (including students exclusively enrolled in distance education), which may be used for ?any component of the student?s cost of attendance or for emergency costs that arise due to coronavirus, such as tuition, food, housing, healthcare (including mental health care), or childcare. Institutional Aid monies may be used to defray expenses associated with coronavirus (including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll) and to make additional financial grants to students. During Fiscal Year 2022, the University spent $21.0 million for the Student Aid portion and $20.2 million for the Institutional portion of HEERF III funds. For the Student Aid portion of the HEERF III funding, the University divided the funding into different groups. The University developed a written plan (that applied during Fiscal Year 2022) for each group and a control process for awarding the monies to students. One of the groups of funding was to be awarded to students with unpaid balances in their tuition or auxiliary accounts with past due balances incurred during the 2020-2021 or 2021-2022 academic years. A team of University employees (CARES Team) was tasked with identifying those students, then contacting those students and asking if they would like the University to apply the student?s HEERF award to pay down the student?s account balance or pay it to the student directly. Once the student informed the University of their election, then the University awarded and disbursed the funds. What was the purpose of our audit work and what was performed? The purpose of the audit work was to determine whether the University was in compliance with the HEERF program regulations for awarding and paying the Student Aid portion of the HEERF funding, and whether proper controls were in place over the program during Fiscal Year 2022. Our testing included conducting interviews with management and selecting a sample of 60 disbursements made to students during Fiscal Year 2022 to test controls and compliance. We performed testing on the 60 disbursements to determine whether awards and disbursements were made in accordance with the University?s documented plan. How were the results of the audit work measured? In accordance with HEERF III requirements, the University must prioritize student aid distributions to students with exceptional needs. In addition, the University must have a documented plan to distribute funds to students. Federal regulations [2 CFR 200.303] require any non-federal grant award recipient to establish and maintain effective internal control over the federal award that provides reasonable assurance that the grant award recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. Lastly, student aid application best practices discourage employees from awarding aid to family members. What problem did the audit work identify? Based on interviews with University management, the University identified that a University employee inappropriately provided $700 in HEERF Student Aid funding to the employee?s family member who was a student at the University but was not eligible to receive the funds. Specifically, the CARES Team selected students to receive these funds that met the following criteria: 1) Student was enrolled in the Fall of 2021 or Spring 2022, 2) student had past due balances incurred during the 2020-2021 or 2021-2022 academic years, 3) the student was in good academic standing, and 4) they were participating in a payment plan or in the College Completion Advising program. The student was not selected by the CARES Team as eligible to receive these funds. During our testing of additional 60 student disbursement transactions we found no other exceptions. Why did this problem occur? The University has not established proper segregation of duties to prevent University employees from awarding federal funding to a member of their family. Specifically, the employee had access rights within the University?s financial aid system that granted the employee the ability to both award and disburse federal funds without another employee reviewing or approving. In addition, the University did not have a written policy, as recommended by industry best practices, that prohibits employees from applying aid to family members? accounts. Why does this problem matter? Federal funds that are misapplied or used for unallowable purposes could be subject to repayment from the University to the federal granting agency. Without ensuring adequate segregation of duties within the University?s financial aid system for awarding and disbursing federal funds, the University increases the risk that fraud could occur. In the instance identified, the University recovered the funding from the student. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-062 Metropolitan State University of Denver (University) should improve its internal controls over federal Higher Education Emergency Relief Funds by instituting appropriate segregation of duties over the awarding of federal funds to students. This should include requiring that no one employee can both award then disburse aid to students and developing and implementing a formal written policy that prohibits University employees from awarding financial aid to their family members. Response Metropolitan State University Agree Implementation Date: June 2023 In January 2023, the Executive Director of Financial Aid and Scholarships implemented a code of conduct that addresses and prohibits University personnel from awarding financial aid to their family members or other persons considered conflicts of interest. The Office of Financial Aid and Scholarships will draft policy by June 30, 2023, to address the segregation of duties that prohibits awarding and disbursing federal, state, or institutional funding to students by one employee.
Finding 2022-063 Higher Education Emergency Relief Fund Reporting Compliance Finding The CARES Act was signed into law on March 27, 2020, and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the (HEERF Program. CRRSAA was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Since April 2020, the University has been awarded a total of $86.3 million in HEERF funding. From inception through June 30, 2022, the University spent $35.4 million for the HEERF program Student Aid Portion and $48.9 million for the HEERF program Institutional Portion. The University reports that it will spend the remaining amount of funding during Fiscal Year 2023. The University signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate the University?s acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The ED specified that Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The annual report is to be submitted directly to the federal ED. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University had adequate internal controls in place over and complied with HEERF Institutional and Student Aid Portion grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the University?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 5 of the 8 HEERF reports submitted by the University during Fiscal Year 2022 to determine whether the reports were posted on the University?s primary website or submitted directly to the ED by the federal due dates and complied with federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? For the Student Aid Portion, beginning on May 6, 2020, the ED required institutions to publicly post certain information on their website, including the number of awards distributed to students, the total amount awarded, and the methodologies used by the institution to determine which students receive awards, no later than 30 days after the award date, and to update that information every 45 days thereafter (by posting a new report). ? On August 31, 2020, the ED revised the reporting requirement by decreasing the frequency of reporting after the initial 30-day period from every 45 days thereafter to every calendar quarter. This revision from every 45 days to a calendar quarter was effective for the first calendar quarter report due by October 10, 2020, and covering the period from after the institution?s last report through the end of the calendar quarter on September 30, 2020. ? For the Institutional Portion, a federal form filled out by the institution must be posted on the institution?s website covering aggregate expenditure amounts for each calendar quarter (September 30, December 31, March 31, and June 30) and concluding after an institution has spent the institutional portion of their HEERF Funds. The institution must post their first report by October 30, 2020, the first quarter of 2021 report by July 20, 2021, and post all other reports no later than 10 days after the end of each calendar quarter (October 10, January 10, April 10, and July 10). ? Section 18004(e) of the CARES Act and Section 314(e) of the CRRSAA require an institution receiving funds under HEERF to submit a report to the Secretary of the ED at ?such time in such a manner as the Secretary may require?. ? Federal regulation [2 CFR 200.334] states that ?financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.? The instructions for the Quarterly HEERF Reporting Form notes, ?any changes or updates after the initial posting must be conspicuously noted after initial posting and the date of the change must be noted in the `Date of Report? line.? ? Federal regulation [2 CFR 200.303] states that the University, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The University signed a HEERF Certification and Agreement to accept the funding and acknowledge its responsibilities under the grant; therefore, the University was responsible under the Agreement to ensure that it complied with HEERF reporting and other requirements. What problems did the audit work identify? We determined that 2 out of 5 reports tested (40 percent) did not meet the HEERF grant report posting requirements. Specifically: ? The University did not post the HEERF CRRSAA Student quarterly report for the quarter ending September 30, 2021 on the University?s primary website, as required. ? The University published the HEERF ARP Student quarterly report for the quarter ending March 31, 2022 on May 26, 2022?46 days past the due date of April 10, 2022. No issues were noted on the accuracy of the financial information on this report. Why did these problems occur? The University did not implement adequate internal controls to ensure it complied with the HEERF grant reporting requirements. Specifically, the University did not have appropriate policies and procedures in place to ensure that staff submit the required reports within federally required timeframes. Why do these problems matter? Federal oversight agencies, including ED, depend on accurate reports to measure program results and states? compliance with federal requirements. By failing to report the HEERF spending information in accordance with federal regulations, the University failed to comply with the requirements of the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-063 Metropolitan State University of Denver (University) should strengthen its internal controls over reporting and ensure it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by developing and documenting policies and procedures for identifying and researching the specific reporting requirements and ensuring that staff post to the University?s website the required reports within federally required timeframes. In addition, the University should ensure that all the HEERF reports that are currently required to be posted are on the website. Response Metropolitan State University Agree Implementation Date: December 2022 In December 2022, the Office of Financial Aid strengthened its internal control over the reporting requirements for the Higher Education Emergency Relief Fund (HEERF), by adding the report due dates to the internal operational calendar. Additional level reviews were also added to the submission process before the required reports will be sent to the Department of Education and posted on the financial aid website.
Finding 2022-059 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF I) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund (Assistance Listing No. 84.425). The HEERF program contains two portions: the Student Aid portion (Assistance Listing No. 84.425E) and the Institutional portion, which is made up of the following: HEERF Institutional Aid Portion (Assistance Listing No. 84.425F), HEERF Minority Serving Institutions (Assistance Listing No. 84.425L), HEERF Strengthening Institutions Program (Assistance Listing No. 84.425M), Institutional Resilience and Expanded Postsecondary Opportunity (Assistance Listing No. 84.425P), and HEERF Supplemental Assistance to Institutions of Higher Education program (Assistance Listing No. 84.425S). Amounts provided to students through HEERF are considered to be ?Emergency Financial Aid Grants to Students? under the Program. Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent approximately $97.8 million for the HEERF program Student Aid portion which is used to award Emergency Financial Aid Grants to students and $113.9 million for the HEERF Institutional Portion, which is used to support the colleges. $117.3 of this amount was expended by the System during Fiscal Year 2022. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the ED to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The annual report is to be submitted directly to the ED. The ED has specified certain criteria that must be included in each report. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System had adequate internal controls in place over, and complied with, the HEERF Institutional and Student Aid grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the System?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 25 of the 117 HEERF reports submitted by the System?s campuses during Fiscal Year 2022 to determine whether the reports were posted on each campus? primary website (quarterly reports) or submitted to ED (annual reports) by the federal due dates. Furthermore, for the Student Aid Quarterly Report we requested from each Campus the underlying support for the reports, which consisted of student data detailing how much aid was awarded and the methods the campuses used to determine which students would receive Emergency Financial Aid Grants. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? On May 13, 2021, the ED published in the Federal Register a notice for student aid public reporting under CRRSAA and ARP, which requires that institutions publicly post certain information on their website. The following information must appear in a format and location that is easily accessible to the public: o An acknowledgement that the institution signed and returned to the ED the Certification and Agreement and the assurance that the institution has used the applicable amount of funds designated under the CRRSAA and ARP programs to provide Emergency Financial Aid Grants to Students. o The total amount of funds that the institution will receive or has received from the ED pursuant to the institution's Certification and Agreement for Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total amount of Emergency Financial Aid Grants distributed to students under the CRRSAA and ARP programs as of the date of submission (i.e., as of the initial report and every calendar quarter thereafter). o The estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total number of students who have received an Emergency Financial Aid Grant to students under the CRRSAA and ARP programs. o The method(s) used by the institution to determine which students receive Emergency Financial Aid Grants and how much they would receive under the CRRSAA and ARP programs. o Any instructions, directions, or guidance provided by the institution to students concerning the Emergency Financial Aid Grants. ? Federal Uniform Guidance [2 CFR 200.303] requires that recipients of federal awards have internal controls in place to ensure that federal reports are accurate and report complete information. Appropriate supporting documentation is evidence of such internal controls. What problems did the audit work identify? We identified issues with 5 of the 25 Fiscal Year 2022 reports we tested (20 percent). Specifically, Front Range Community College (FRCC), Pueblo Community College (PCC), and Lamar Community College (LCC) could not provide appropriate supporting documentation for one or more of the following data elements in five of the Student Aid Quarterly Reports: student data detailing (a) the total amount of Emergency Financial Aid Grants distributed to students, (b) the total number of students eligible to receive Emergency Financial Aid Grants and/or (c) the total number of students at the institution who have received an Emergency Financial Aid Grant. The specific issues we found the following: ? FRCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended September 30, 2021 as 20,684; based on our review, we determined the supported number was 20,782. ? FRCC reported the total number of students at the institution who have received an Emergency Financial Aid Grant for the quarter ended June 30, 2022 as 20,385 (student portion) and 3,207 (institutional portion); based on our review, we determined the supported numbers were 20,401 and 3,222, respectively. ? LCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended June 30, 2022 as 1,007; based on our review, we determined the supported number was 1,034. In addition, the amount disbursed directly to student emergency financial aid grants to date was reported as 961 and total for all HEERF funds was 1,124; based on our review, we determined the supported numbers were 988 and 1,151, respectively. ? PCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarters ending September 30, 2021 and December 31, 2021 as 3,191; based on our review, we determined this amount could not be supported and PCC did not provide a revised count. Why did these problems occur? FRCC, PCC, and LCC campuses did not have procedures in place to ensure that supporting documentation was maintained for its Student Aid Quarterly Reporting. Employee turnover in the FRCC Controller position and FRCC, PCC, and LCC Student Financial Aid Director positions further contributed to FRCC, PCC, and LCC?s inability to locate or recreate the supporting documentation. Why do these problems matter? It is important for FRCC, PCC, and LCC to ensure that they obtain and maintain appropriate documentation to support amounts reported to federal awarding agencies, especially when they are the basis for determining FRCC, PCC, and LCC?s compliance with specific federal program requirements. This issue could lead to inaccurate federal reporting and potential noncompliance, which could result in the federal government requiring FRCC, PCC, and LCC to return funds or a negative impact to the System?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-059 Front Range Community College, Lamar Community College, and Pueblo Community College campuses should strengthen their internal controls over federal reporting and ensure they comply with the Higher Education Emergency Relief Fund reporting requirements by reviewing reports for accuracy and developing procedures for ensuring the required maintenance of all related supporting documentation. Response Front Range Community College Agree Implementation Date: September 2022 Moving forward the Director of Financial Aid will engage the Restricted Funds Accountants in a quality assurance review of both dollars spent, type of fund, and student counts before it is submitted for final review and publishing by the Director of Resource Development and Senior Grant Administrator. The most recently submitted information for the quarterly report of September 30, 2022 will be sent to the Restricted Funds Accountants to validate that FRCC has been and will continue to be in compliance for quarterly HEERF reporting. Response Lamar Community College Agree Implementation Date: July 2022 The Financial Aid Director and the Controller will compile their reporting support on the shared drive they utilize for other routine purposes as well, to ensure clear documentation of the numbers reported. The original report containing errors was corrected, validated, and reposted. All past year?s reporting data was made available on the shared drive as of July 2022. Response Pueblo Community College Agree Implementation Date: October 2022 Each quarter Financial aid will obtain and compare Cognos and Banner disbursement reports for accuracy. Once the unduplicated student count is determined it will be sent to the Vice President of Student Success to validate and approve going forward. Financial aid will ensure staff maintain supporting documentation for any institutional expenditures information that was obtained from the fiscal office. Disbursement and expenditure data will be compiled for the Department of Education?s Quarterly Report by the submission deadline and will be submitted as PDF to webmaster for posting on PCC?s website and a copy emailed to a contact at the Department of Education and will archive the submission for future reference.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-079 Minerals Leasing Act?Subrecipient Monitoring In 1920, the U.S. Congress passed the Minerals Leasing Act. This Act directs the federal Office of Natural Resources Revenue (ONRR) within the U.S. Department of the Interior to share 50 percent of mineral leasing revenue received by the ONRR with states that generate mineral lease revenue. Mineral lease revenue results from payments made to the federal government by companies that lease federal land for the right to extract minerals from that land. According to the Act, revenue is to be used by states as each individual state?s legislature directs, giving priority to those sections of the state that are socially or economically impacted by the extraction of minerals. For Colorado, ONRR distributes Program funds to Treasury, which subgrants?or passes through?Program funds to the Department of Local Affairs (DOLA), the Department of Natural Resources (DNR), the Department of Higher Education (DHE), and the Department of Education (DOE), as prescribed by Section 34-63-102, C.R.S. In turn, DOLA passes the majority of the Program funds it receives to local governments impacted by mineral leasing, such as cities and counties. These local governments are considered subrecipients of the Program, and may use Program monies for ??planning; construction and maintenance of public facilities; and provision of public services.? During Fiscal Year 2022, ONRR distributed approximately $124.9 million in Program revenue to Treasury. Treasury passed all of the Program funds to DOLA, DNR, DHE, and DOE. DOLA then passed approximately $49.2 million of the $52.2 million in Program funds it received to local government subrecipients. DOLA retained the remaining $3.0 million in Program funds to cover administrative costs. DNR, DOE, and DHE spent the Program funds at the state level and did not pass any of the funds through to subrecipients. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether Treasury had adequate internal controls in place over, and complied with, federal subrecipient monitoring and reporting requirements for the Program during Fiscal Year 2022. As part of our testing, we reviewed Treasury?s progress in implementing our Fiscal Year 2020 audit recommendation related to subrecipient monitoring and reporting requirements for the Program. During that audit, we recommended that Treasury strengthen its internal controls to ensure that it complies with federal requirements for subrecipient monitoring and reporting for the Program by developing an effective monitoring process to ensure that required federal award information is communicated to Program subrecipients, including the Assistance Listing Number, program name, federal awarding agency, name of the department awarding the Program monies, Treasury department contact information, and dollar amount. In addition, we recommended that Treasury implement procedures to accurately prepare and submit the Exhibit K1, Schedule of Federal Assistance, to the Office of the State Controller (OSC) for reporting federal assistance information each year and to ensure the Exhibit K1 accurately reflects Program expenditures. During our Fiscal Year 2022 audit, we inquired about Treasury?s monitoring procedures over its Program subrecipients, including its required communications. We also reviewed Treasury?s Exhibit K1 to verify the accuracy of the information reported to the OSC and to assess Treasury?s compliance with federal reporting requirements and the OSC?s instructions. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: Federal regulations [2 CFR 200.303] require that Treasury, as a federal grant recipient, establish and maintain effective internal controls over federal awards that provide reasonable assurance that awards are being managed in compliance with federal statutes, regulation, and the terms and conditions of the federal award. Federal regulations [2 CFR 200.332] further require that Treasury, as the primary recipient of the Program monies, ensure that every subaward it makes is clearly identified to the subrecipient as a subaward, and that Treasury provides specific information about the Program to the subrecipients, including, but not limited to, the following: ? Assistance Listing Number ? Name of the program, name of the federal awarding agency, and name of the department awarding the Program monies ? Contact information for Treasury ? Dollar amount made available to the subrecipient ? Reporting requirements The State and any local governments receiving federal funds are required to present a Schedule of Expenditures of Federal Awards (SEFA) in accordance with the requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Federal regulations [2 CFR 200.501(b)] specifically require that the SEFA include information on each federal award expended during the year, including the total amount provided to subrecipients from each federal award. Any non-federal entity that expends $750,000 or more in total federal awards during the entity?s fiscal year must undergo a Single Audit or program-specific audit for that year. Federal regulations [2 CFR 200.332(f)] further require that Treasury, as the primary recipient of the Program funds, ensure that any non-state subrecipients receiving federal funds from the State during a given fiscal year report the funds on their respective SEFAs and, if applicable, undergo a Single Audit. The Exhibit K1 is used to report federal expenditure information to the OSC to aid the OSC in preparing the State?s SEFA, which reports the total federal awards expended by the State during the fiscal year. The instructions state that the OSC relies on the accuracy of amounts and other information reported on the Exhibit in preparing the SEFA. What problem did the audit work identify? We found that Treasury did not fully implement our prior audit recommendation related to federal subrecipient monitoring for the Program during Fiscal Year 2022. Specifically, we found that Treasury did not communicate, or ensure that DOLA communicated, the required award information and applicable federal compliance requirements to all Program subrecipients in accordance with federal regulations. In response to our prior audit recommendation, Treasury reported that they met with DOLA staff in June 2022 to discuss an interagency agreement that would establish expectations for DOLA to communicate required federal award information and applicable federal compliance requirements for this Program to subrecipients. However, as of the end of the fiscal year, this interagency agreement was not signed or in place. Further, Treasury, as the primary recipient of the Program funds, did not ensure that it or DOLA communicated and followed up with any non-state subrecipients receiving federal funds from the State during Fiscal Year 2022 to ensure the subrecipients reported the funds on their respective SEFAs and, if applicable, underwent a Single Audit. We determined that Treasury implemented part of our prior audit recommendation related to the preparation of its Exhibit K1 in accordance with federal requirements. Specifically, Treasury received information from pass-through departments in order to properly determine whether Program funds ultimately flowed through to subrecipients and reported these funds as ?Expenditures -Passed Through to Subrecipient? on Treasury?s Exhibit K1. Why did this problem occur? Treasury did not have adequate internal controls in place during Fiscal Year 2022 to ensure that it complied with federal subrecipient monitoring requirements for the Program. Specifically, Treasury staff did not effectively communicate with DOLA staff about their responsibility for subrecipient reporting or have a monitoring process in place to ensure that either Treasury or DOLA staff communicated required federal award information and related federal reporting requirements to all subrecipients of Program funds, including a communication that any subrecipients receiving Program funds from the State during Fiscal Year 2022 are required to report the funds on their respective SEFAs and, if applicable, undergo a Single Audit. Why does this problem matter? By not communicating required information to subrecipients, Treasury failed to comply with federal subrecipient monitoring requirements for the Program. This communication is necessary to ensure that subrecipients are aware of the federal requirements for the funds, including the requirement that local governments properly report federal expenditures on their SEFAs. Treasury?s insufficient monitoring of Program subrecipients could result in future federal funding being reduced. In addition, if Treasury does not appropriately communicate SEFA reporting requirements to other state agencies and non-state subrecipients in the future, it could ultimately result in local governments not undergoing Single Audits, as required. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-079 The Department of the Treasury (Treasury) should strengthen its internal controls to ensure that it complies with federal requirements for subrecipient monitoring and reporting for the Minerals Leasing Act program (Program). This should include developing effective processes to ensure that required federal award information, including the Assistance Listing Number, federal program name, and dollar amount made available to the subrecipient, and the related federal requirements are communicated to Program subrecipients, and that the subrecipients report the funds on their respective annual Schedules of Expenditures of Federal Awards and, if applicable, undergo a Single Audit. Response Department of The Treasury Agree Implementation Date: June 30, 2023 The Department of the Treasury (Treasury) strengthened its internal controls with DOLA?s agreement to disseminate the necessary information to the subrecipients in compliance with federal requirements for subrecipient monitoring and reporting for the Minerals Leasing Act program (Program) at the earliest possible opportunity following receipt of the recommendation in the previous FYE?s report as the monitoring and reporting for the Program could only be performed following the annual distribution of such funds which took place subsequent to FYE 2022. The Department will formalize an Interagency Agreement with DOLA and any other relevant parties, incorporating additional corrective action before the stated date above (June 30, 2023).
The following finding and recommendation relating to an internal control deficiency classified as a Significant Deficiency was communicated to the Department of Local Affairs (Department) in the previous year and has not been remediated as of June 30, 2022 because the original implementation date provided by the Department was in a subsequent fiscal year. This complete finding and recommendation can be found within the original report and the complete recommendation can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table Finding 2021-066 Section 8 Housing Choice Vouchers and Mainstream Vouchers Programs?Internal Controls over the Waiting List The Department annually receives advance payments from the federal government for the Housing Voucher Programs (Program) to provide tenant-based subsidies for rent paid by low-income households. A housing subsidy is paid to the landlord directly by the Department on behalf of the Program?s participants. During Fiscal Year 2021, the Department incurred approximately $62.9 million in federal costs for the Housing Voucher Programs. Federal regulation [24 CFR 982.54] requires the Department to have an administrative plan to establish policies for carrying out the Program in a manner consistent with the U.S. Department of Housing and Urban Development (HUD) requirements and local goals and objectives. HUD requires the Division of Housing (DOH), a section within the Department, to place all families that apply for assistance on a waiting list. DOH must select families from the waiting list and maintain clear records of all information required to verify that the family is selected from the waiting list according to HUD requirements and Department policies as stated in the Department?s administrative plan [24 CFR 982.204(b) and 982.207(e)]. The DOH maintains the waiting list in an electronic database within its Public Housing Agencies (PHA) Software, called Emphasys Elite. DOH has established preferences for order of selection off of the waiting list, and gives priority or first preference (point system) to serving families that meet various criteria, including someone experiencing homelessness, a person with a disability, households that include victims of domestic violence, etc. The second preference for selecting from the waiting list is based on when DOH placed the individual on the waiting list, by date and time. HUD may also award the Department funding for a specified category of families on the waiting list (targeted funding [24 CFR 982.204(e)]). DOH must use this funding only to assist families within the specified category allowed by the targeted funding. DOH administers the following types of targeted funding: Veterans Affairs Supporting Housing (VASH), Non-Elderly Disabled, Family Unification Program, and Family Self-Sufficiency. DOH delegates some of its voucher administration responsibilities, such as application reviews and interviews with applicants, to agencies that provide housing services to applicants and participants of the Program. These agencies, or contractors, include public housing authorities, community mental health centers, community centered boards or their contract service agencies, independent living centers, the Veterans Affairs Medical Center (VAMC), homeless service providers, and others. DOH will enter into a contract with these agencies that outline each party?s responsibilities. Contractors employ housing coordinators who assist applicants and participants to complete the necessary Program documentation and understand regulations to help them acquire and maintain units that conform to Program regulations. DOH provides each contractor with vouchers to give eligible applicants. When a contractor has available vouchers, it will ask the DOH to select and issue the next name(s) from its waiting list. DOH then uses its electronic database to select individuals from the waiting list. In order for an applicant to receive the voucher, the applicant must first attend an interview with the contractor. At the interview, the contractor will determine whether the applicant is eligible based on requiring the applicant to complete a full application and provide proof of income sources, social security number, citizenship status, release of information forms, federal or state-issued picture ID, and birth certificate, as well as the contractor?s verification of those items. If it is determined at the interview that the applicant is not eligible, the voucher will be terminated in the Emphasys Elite system and the voucher can be used for the next applicant in line on the waiting list. HUD regulations require that all families have an equal opportunity to apply for and receive housing assistance [24 CFR 982.53]. DOH must also have policies regarding various aspects of organizing and managing the waiting list of applicant families. This includes opening the list to new applicants, closing the list to new applicants, notifying the public of waiting list openings and closings, updating waiting list information, and removing families that are no longer interested in or eligible for assistance from the list. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department had effective internal controls in place over, and complied with, federal requirements related to the Program?s waiting list during Fiscal Year 2021. We requested and obtained a report from the Department that showed all individuals that were added to the Program during Fiscal Year 2021. We selected and tested 40 of these individuals admitted to the Program during Fiscal Year 2021 to determine if they were selected from the waiting list in accordance with the Department?s applicant selection policies. We also requested and obtained another report from the Department that showed any individuals selected from the waiting list due to reaching the top position on the waiting list during Fiscal Year 2021, regardless of whether the individuals were added or not added to the Program. From this report, we selected and tested 40 different individuals to ascertain if they were admitted to the Program or provided the opportunity to be admitted to the Program in accordance with the Department?s applicant selection policies. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [24 CFR 5.410, 982.54(d), and 982.201 through 982.207] require the Department to have written policies in its administrative plan for selecting applicants from the waiting list and documentation must show that the Department follows these policies when selecting applicants for admission from the waiting list. Selection from the waiting list generally occurs when the Department notifies a family whose name reaches the top of the waiting list to come in to verify eligibility for admission to the Program. ? The Department?s administrative plan states that when a family wishes to receive assistance under the Program, the family must submit an application that provides DOH with the information needed to determine the family?s eligibility [HCV GB, pp. 4-11 ? 4-16, Notice PIH 2009-36]. ? Federal regulation [24 CFR 982.207] requires that DOH select applicant families from the waiting list first by preference and secondly by date and time of application. ? Federal regulations [24 CFR 982.554(a)] specify that when a family has been selected from the waiting list for an application interview, DOH and/or its contractor will notify the family and the family will be required to participate in the interview. The notice must inform the family of the date, time, and location of the scheduled application interview, who is required to attend the interview, and all documents that must be provided by the family at the interview. ? Federal regulations [24 CFR 982.201(f) and 982.204(c)] establish the rules for removing Program participants from the waiting list. If at any time an applicant family is on the waiting list and DOH determines that the family is not eligible for assistance, the family will be removed from the waiting list. Federal regulations further state the family may also remove itself from the waiting list at any time by requesting removal in writing. If a family is removed from the waiting list because DOH has determined the family is not eligible for assistance, a notice must be sent to the family?s address of record as well as to any alternate address provided on the initial application. The notice must state the reasons the family was removed from the waiting list and inform the family how to request an informal review regarding DOH?s decision. ? Uniform Guidance [2 CFR 200.303] requires that the Department, as a federal grant recipient, establish and maintain effective internal control over federal awards that provide reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office. Section 4, Paragraph OV4.08, states that documentation is required for the effective design, implementation, and operating effectiveness of an entity?s internal control system. What problems did the audit work identify? During our testing of 40 individuals admitted to the Program during Fiscal Year 2021, we found that the Department could not provide appropriate support for 5 of the 40 (12.5 percent) tenant files reviewed. Specifically: ? For five individuals, the Department could not provide documentation of the eligibility interview. ? For one of those five individuals, the Department also could not locate the individual?s application. During our testing of 40 individuals that the Department selected from the waiting list due to the individuals reaching the top of the waiting list during Fiscal Year 2021, we found certain issues with 8 of the 40 (20 percent) tenant files reviewed. Specifically: ? In five instances, individuals were selected from the waiting list out of turn; therefore, they were not at the top of the waiting list when selected, as required. ? In three instances, the Department could not provide the applications for the individuals. Why did these problems occur? The Department lacked internal controls over the Program?s waiting list. Specifically, the Department is not ensuring its contractors are maintaining supporting documentation within tenant files, including interview documentation and applications. Both the Department and its contractors experienced employee turnover in Fiscal Year 2021. Although the Department conducted monthly webinars for various training manuals, including the administrative plan, and made training materials available for future reference, new employees did not receive sufficient training to ensure the Department complied with Program requirements over the waiting list. In addition, the Department did not properly train the DOH employees on the policies and procedures for maintaining and selecting applicants from the waiting list, which ultimately led to applicants being incorrectly selected from the waiting list. Specifically, DOH did not properly update the waiting list for new applicants and addressing unused vouchers from prior selections, which caused individuals to be incorrectly selected from the waiting list. Why do these problems matter? By not maintaining the waiting list supporting documentation, including interview documentation and applications, the Department cannot ensure that all tenants are eligible or qualified to participate in the Program. The Department must ensure it maintains accurate and complete tenant files to demonstrate compliance with federal requirements. Additionally, by not training employees properly on the Department?s policies and procedures surrounding the waiting list, applicants are at risk of being improperly removed from the waiting list and not given the opportunity to receive funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-066 The Department of Local Affairs (Department) should strengthen its internal controls to ensure it complies with waiting list requirements for the federal Section 8 Housing Choice Vouchers and Mainstream Vouchers programs. Specifically, this should include the Department developing and providing a training plan for its contractors that covers all of the programs? requirements on an ongoing basis. In addition, the Department should ensure its new employees are trained and able to properly run the waiting list in accordance with the Department?s policies and procedures, which includes ensuring the waiting list is properly updated for new applicants and addressing unused vouchers prior to making waiting list selections. Response Department of Local Affairs Agree Implementation Date: February 2023 The Department of Local Affairs (Department) agrees with the recommendation. The Department will strengthen its internal controls through the development of an onboarding program that will include different modules that new employees and/or contractors must work through to receive certification. These modules will include all relevant steps associated with the waiting list process.
The following finding and recommendation relating to an internal control deficiency classified as a Significant Deficiency was communicated to the Department of Local Affairs (Department) in the previous year and has not been remediated as of June 30, 2022 because the original implementation date provided by the Department was in a subsequent fiscal year. This complete finding and recommendation can be found within the original report and the complete recommendation can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table Finding 2021-066 Section 8 Housing Choice Vouchers and Mainstream Vouchers Programs?Internal Controls over the Waiting List The Department annually receives advance payments from the federal government for the Housing Voucher Programs (Program) to provide tenant-based subsidies for rent paid by low-income households. A housing subsidy is paid to the landlord directly by the Department on behalf of the Program?s participants. During Fiscal Year 2021, the Department incurred approximately $62.9 million in federal costs for the Housing Voucher Programs. Federal regulation [24 CFR 982.54] requires the Department to have an administrative plan to establish policies for carrying out the Program in a manner consistent with the U.S. Department of Housing and Urban Development (HUD) requirements and local goals and objectives. HUD requires the Division of Housing (DOH), a section within the Department, to place all families that apply for assistance on a waiting list. DOH must select families from the waiting list and maintain clear records of all information required to verify that the family is selected from the waiting list according to HUD requirements and Department policies as stated in the Department?s administrative plan [24 CFR 982.204(b) and 982.207(e)]. The DOH maintains the waiting list in an electronic database within its Public Housing Agencies (PHA) Software, called Emphasys Elite. DOH has established preferences for order of selection off of the waiting list, and gives priority or first preference (point system) to serving families that meet various criteria, including someone experiencing homelessness, a person with a disability, households that include victims of domestic violence, etc. The second preference for selecting from the waiting list is based on when DOH placed the individual on the waiting list, by date and time. HUD may also award the Department funding for a specified category of families on the waiting list (targeted funding [24 CFR 982.204(e)]). DOH must use this funding only to assist families within the specified category allowed by the targeted funding. DOH administers the following types of targeted funding: Veterans Affairs Supporting Housing (VASH), Non-Elderly Disabled, Family Unification Program, and Family Self-Sufficiency. DOH delegates some of its voucher administration responsibilities, such as application reviews and interviews with applicants, to agencies that provide housing services to applicants and participants of the Program. These agencies, or contractors, include public housing authorities, community mental health centers, community centered boards or their contract service agencies, independent living centers, the Veterans Affairs Medical Center (VAMC), homeless service providers, and others. DOH will enter into a contract with these agencies that outline each party?s responsibilities. Contractors employ housing coordinators who assist applicants and participants to complete the necessary Program documentation and understand regulations to help them acquire and maintain units that conform to Program regulations. DOH provides each contractor with vouchers to give eligible applicants. When a contractor has available vouchers, it will ask the DOH to select and issue the next name(s) from its waiting list. DOH then uses its electronic database to select individuals from the waiting list. In order for an applicant to receive the voucher, the applicant must first attend an interview with the contractor. At the interview, the contractor will determine whether the applicant is eligible based on requiring the applicant to complete a full application and provide proof of income sources, social security number, citizenship status, release of information forms, federal or state-issued picture ID, and birth certificate, as well as the contractor?s verification of those items. If it is determined at the interview that the applicant is not eligible, the voucher will be terminated in the Emphasys Elite system and the voucher can be used for the next applicant in line on the waiting list. HUD regulations require that all families have an equal opportunity to apply for and receive housing assistance [24 CFR 982.53]. DOH must also have policies regarding various aspects of organizing and managing the waiting list of applicant families. This includes opening the list to new applicants, closing the list to new applicants, notifying the public of waiting list openings and closings, updating waiting list information, and removing families that are no longer interested in or eligible for assistance from the list. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department had effective internal controls in place over, and complied with, federal requirements related to the Program?s waiting list during Fiscal Year 2021. We requested and obtained a report from the Department that showed all individuals that were added to the Program during Fiscal Year 2021. We selected and tested 40 of these individuals admitted to the Program during Fiscal Year 2021 to determine if they were selected from the waiting list in accordance with the Department?s applicant selection policies. We also requested and obtained another report from the Department that showed any individuals selected from the waiting list due to reaching the top position on the waiting list during Fiscal Year 2021, regardless of whether the individuals were added or not added to the Program. From this report, we selected and tested 40 different individuals to ascertain if they were admitted to the Program or provided the opportunity to be admitted to the Program in accordance with the Department?s applicant selection policies. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [24 CFR 5.410, 982.54(d), and 982.201 through 982.207] require the Department to have written policies in its administrative plan for selecting applicants from the waiting list and documentation must show that the Department follows these policies when selecting applicants for admission from the waiting list. Selection from the waiting list generally occurs when the Department notifies a family whose name reaches the top of the waiting list to come in to verify eligibility for admission to the Program. ? The Department?s administrative plan states that when a family wishes to receive assistance under the Program, the family must submit an application that provides DOH with the information needed to determine the family?s eligibility [HCV GB, pp. 4-11 ? 4-16, Notice PIH 2009-36]. ? Federal regulation [24 CFR 982.207] requires that DOH select applicant families from the waiting list first by preference and secondly by date and time of application. ? Federal regulations [24 CFR 982.554(a)] specify that when a family has been selected from the waiting list for an application interview, DOH and/or its contractor will notify the family and the family will be required to participate in the interview. The notice must inform the family of the date, time, and location of the scheduled application interview, who is required to attend the interview, and all documents that must be provided by the family at the interview. ? Federal regulations [24 CFR 982.201(f) and 982.204(c)] establish the rules for removing Program participants from the waiting list. If at any time an applicant family is on the waiting list and DOH determines that the family is not eligible for assistance, the family will be removed from the waiting list. Federal regulations further state the family may also remove itself from the waiting list at any time by requesting removal in writing. If a family is removed from the waiting list because DOH has determined the family is not eligible for assistance, a notice must be sent to the family?s address of record as well as to any alternate address provided on the initial application. The notice must state the reasons the family was removed from the waiting list and inform the family how to request an informal review regarding DOH?s decision. ? Uniform Guidance [2 CFR 200.303] requires that the Department, as a federal grant recipient, establish and maintain effective internal control over federal awards that provide reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office. Section 4, Paragraph OV4.08, states that documentation is required for the effective design, implementation, and operating effectiveness of an entity?s internal control system. What problems did the audit work identify? During our testing of 40 individuals admitted to the Program during Fiscal Year 2021, we found that the Department could not provide appropriate support for 5 of the 40 (12.5 percent) tenant files reviewed. Specifically: ? For five individuals, the Department could not provide documentation of the eligibility interview. ? For one of those five individuals, the Department also could not locate the individual?s application. During our testing of 40 individuals that the Department selected from the waiting list due to the individuals reaching the top of the waiting list during Fiscal Year 2021, we found certain issues with 8 of the 40 (20 percent) tenant files reviewed. Specifically: ? In five instances, individuals were selected from the waiting list out of turn; therefore, they were not at the top of the waiting list when selected, as required. ? In three instances, the Department could not provide the applications for the individuals. Why did these problems occur? The Department lacked internal controls over the Program?s waiting list. Specifically, the Department is not ensuring its contractors are maintaining supporting documentation within tenant files, including interview documentation and applications. Both the Department and its contractors experienced employee turnover in Fiscal Year 2021. Although the Department conducted monthly webinars for various training manuals, including the administrative plan, and made training materials available for future reference, new employees did not receive sufficient training to ensure the Department complied with Program requirements over the waiting list. In addition, the Department did not properly train the DOH employees on the policies and procedures for maintaining and selecting applicants from the waiting list, which ultimately led to applicants being incorrectly selected from the waiting list. Specifically, DOH did not properly update the waiting list for new applicants and addressing unused vouchers from prior selections, which caused individuals to be incorrectly selected from the waiting list. Why do these problems matter? By not maintaining the waiting list supporting documentation, including interview documentation and applications, the Department cannot ensure that all tenants are eligible or qualified to participate in the Program. The Department must ensure it maintains accurate and complete tenant files to demonstrate compliance with federal requirements. Additionally, by not training employees properly on the Department?s policies and procedures surrounding the waiting list, applicants are at risk of being improperly removed from the waiting list and not given the opportunity to receive funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-066 The Department of Local Affairs (Department) should strengthen its internal controls to ensure it complies with waiting list requirements for the federal Section 8 Housing Choice Vouchers and Mainstream Vouchers programs. Specifically, this should include the Department developing and providing a training plan for its contractors that covers all of the programs? requirements on an ongoing basis. In addition, the Department should ensure its new employees are trained and able to properly run the waiting list in accordance with the Department?s policies and procedures, which includes ensuring the waiting list is properly updated for new applicants and addressing unused vouchers prior to making waiting list selections. Response Department of Local Affairs Agree Implementation Date: February 2023 The Department of Local Affairs (Department) agrees with the recommendation. The Department will strengthen its internal controls through the development of an onboarding program that will include different modules that new employees and/or contractors must work through to receive certification. These modules will include all relevant steps associated with the waiting list process.
The following finding and recommendation relating to an internal control deficiency classified as a Significant Deficiency was communicated to the Department of Local Affairs (Department) in the previous year and has not been remediated as of June 30, 2022 because the original implementation date provided by the Department was in a subsequent fiscal year. This complete finding and recommendation can be found within the original report and the complete recommendation can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table Finding 2021-066 Section 8 Housing Choice Vouchers and Mainstream Vouchers Programs?Internal Controls over the Waiting List The Department annually receives advance payments from the federal government for the Housing Voucher Programs (Program) to provide tenant-based subsidies for rent paid by low-income households. A housing subsidy is paid to the landlord directly by the Department on behalf of the Program?s participants. During Fiscal Year 2021, the Department incurred approximately $62.9 million in federal costs for the Housing Voucher Programs. Federal regulation [24 CFR 982.54] requires the Department to have an administrative plan to establish policies for carrying out the Program in a manner consistent with the U.S. Department of Housing and Urban Development (HUD) requirements and local goals and objectives. HUD requires the Division of Housing (DOH), a section within the Department, to place all families that apply for assistance on a waiting list. DOH must select families from the waiting list and maintain clear records of all information required to verify that the family is selected from the waiting list according to HUD requirements and Department policies as stated in the Department?s administrative plan [24 CFR 982.204(b) and 982.207(e)]. The DOH maintains the waiting list in an electronic database within its Public Housing Agencies (PHA) Software, called Emphasys Elite. DOH has established preferences for order of selection off of the waiting list, and gives priority or first preference (point system) to serving families that meet various criteria, including someone experiencing homelessness, a person with a disability, households that include victims of domestic violence, etc. The second preference for selecting from the waiting list is based on when DOH placed the individual on the waiting list, by date and time. HUD may also award the Department funding for a specified category of families on the waiting list (targeted funding [24 CFR 982.204(e)]). DOH must use this funding only to assist families within the specified category allowed by the targeted funding. DOH administers the following types of targeted funding: Veterans Affairs Supporting Housing (VASH), Non-Elderly Disabled, Family Unification Program, and Family Self-Sufficiency. DOH delegates some of its voucher administration responsibilities, such as application reviews and interviews with applicants, to agencies that provide housing services to applicants and participants of the Program. These agencies, or contractors, include public housing authorities, community mental health centers, community centered boards or their contract service agencies, independent living centers, the Veterans Affairs Medical Center (VAMC), homeless service providers, and others. DOH will enter into a contract with these agencies that outline each party?s responsibilities. Contractors employ housing coordinators who assist applicants and participants to complete the necessary Program documentation and understand regulations to help them acquire and maintain units that conform to Program regulations. DOH provides each contractor with vouchers to give eligible applicants. When a contractor has available vouchers, it will ask the DOH to select and issue the next name(s) from its waiting list. DOH then uses its electronic database to select individuals from the waiting list. In order for an applicant to receive the voucher, the applicant must first attend an interview with the contractor. At the interview, the contractor will determine whether the applicant is eligible based on requiring the applicant to complete a full application and provide proof of income sources, social security number, citizenship status, release of information forms, federal or state-issued picture ID, and birth certificate, as well as the contractor?s verification of those items. If it is determined at the interview that the applicant is not eligible, the voucher will be terminated in the Emphasys Elite system and the voucher can be used for the next applicant in line on the waiting list. HUD regulations require that all families have an equal opportunity to apply for and receive housing assistance [24 CFR 982.53]. DOH must also have policies regarding various aspects of organizing and managing the waiting list of applicant families. This includes opening the list to new applicants, closing the list to new applicants, notifying the public of waiting list openings and closings, updating waiting list information, and removing families that are no longer interested in or eligible for assistance from the list. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department had effective internal controls in place over, and complied with, federal requirements related to the Program?s waiting list during Fiscal Year 2021. We requested and obtained a report from the Department that showed all individuals that were added to the Program during Fiscal Year 2021. We selected and tested 40 of these individuals admitted to the Program during Fiscal Year 2021 to determine if they were selected from the waiting list in accordance with the Department?s applicant selection policies. We also requested and obtained another report from the Department that showed any individuals selected from the waiting list due to reaching the top position on the waiting list during Fiscal Year 2021, regardless of whether the individuals were added or not added to the Program. From this report, we selected and tested 40 different individuals to ascertain if they were admitted to the Program or provided the opportunity to be admitted to the Program in accordance with the Department?s applicant selection policies. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [24 CFR 5.410, 982.54(d), and 982.201 through 982.207] require the Department to have written policies in its administrative plan for selecting applicants from the waiting list and documentation must show that the Department follows these policies when selecting applicants for admission from the waiting list. Selection from the waiting list generally occurs when the Department notifies a family whose name reaches the top of the waiting list to come in to verify eligibility for admission to the Program. ? The Department?s administrative plan states that when a family wishes to receive assistance under the Program, the family must submit an application that provides DOH with the information needed to determine the family?s eligibility [HCV GB, pp. 4-11 ? 4-16, Notice PIH 2009-36]. ? Federal regulation [24 CFR 982.207] requires that DOH select applicant families from the waiting list first by preference and secondly by date and time of application. ? Federal regulations [24 CFR 982.554(a)] specify that when a family has been selected from the waiting list for an application interview, DOH and/or its contractor will notify the family and the family will be required to participate in the interview. The notice must inform the family of the date, time, and location of the scheduled application interview, who is required to attend the interview, and all documents that must be provided by the family at the interview. ? Federal regulations [24 CFR 982.201(f) and 982.204(c)] establish the rules for removing Program participants from the waiting list. If at any time an applicant family is on the waiting list and DOH determines that the family is not eligible for assistance, the family will be removed from the waiting list. Federal regulations further state the family may also remove itself from the waiting list at any time by requesting removal in writing. If a family is removed from the waiting list because DOH has determined the family is not eligible for assistance, a notice must be sent to the family?s address of record as well as to any alternate address provided on the initial application. The notice must state the reasons the family was removed from the waiting list and inform the family how to request an informal review regarding DOH?s decision. ? Uniform Guidance [2 CFR 200.303] requires that the Department, as a federal grant recipient, establish and maintain effective internal control over federal awards that provide reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office. Section 4, Paragraph OV4.08, states that documentation is required for the effective design, implementation, and operating effectiveness of an entity?s internal control system. What problems did the audit work identify? During our testing of 40 individuals admitted to the Program during Fiscal Year 2021, we found that the Department could not provide appropriate support for 5 of the 40 (12.5 percent) tenant files reviewed. Specifically: ? For five individuals, the Department could not provide documentation of the eligibility interview. ? For one of those five individuals, the Department also could not locate the individual?s application. During our testing of 40 individuals that the Department selected from the waiting list due to the individuals reaching the top of the waiting list during Fiscal Year 2021, we found certain issues with 8 of the 40 (20 percent) tenant files reviewed. Specifically: ? In five instances, individuals were selected from the waiting list out of turn; therefore, they were not at the top of the waiting list when selected, as required. ? In three instances, the Department could not provide the applications for the individuals. Why did these problems occur? The Department lacked internal controls over the Program?s waiting list. Specifically, the Department is not ensuring its contractors are maintaining supporting documentation within tenant files, including interview documentation and applications. Both the Department and its contractors experienced employee turnover in Fiscal Year 2021. Although the Department conducted monthly webinars for various training manuals, including the administrative plan, and made training materials available for future reference, new employees did not receive sufficient training to ensure the Department complied with Program requirements over the waiting list. In addition, the Department did not properly train the DOH employees on the policies and procedures for maintaining and selecting applicants from the waiting list, which ultimately led to applicants being incorrectly selected from the waiting list. Specifically, DOH did not properly update the waiting list for new applicants and addressing unused vouchers from prior selections, which caused individuals to be incorrectly selected from the waiting list. Why do these problems matter? By not maintaining the waiting list supporting documentation, including interview documentation and applications, the Department cannot ensure that all tenants are eligible or qualified to participate in the Program. The Department must ensure it maintains accurate and complete tenant files to demonstrate compliance with federal requirements. Additionally, by not training employees properly on the Department?s policies and procedures surrounding the waiting list, applicants are at risk of being improperly removed from the waiting list and not given the opportunity to receive funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-066 The Department of Local Affairs (Department) should strengthen its internal controls to ensure it complies with waiting list requirements for the federal Section 8 Housing Choice Vouchers and Mainstream Vouchers programs. Specifically, this should include the Department developing and providing a training plan for its contractors that covers all of the programs? requirements on an ongoing basis. In addition, the Department should ensure its new employees are trained and able to properly run the waiting list in accordance with the Department?s policies and procedures, which includes ensuring the waiting list is properly updated for new applicants and addressing unused vouchers prior to making waiting list selections. Response Department of Local Affairs Agree Implementation Date: February 2023 The Department of Local Affairs (Department) agrees with the recommendation. The Department will strengthen its internal controls through the development of an onboarding program that will include different modules that new employees and/or contractors must work through to receive certification. These modules will include all relevant steps associated with the waiting list process.
The following finding and recommendation relating to an internal control deficiency classified as a Significant Deficiency was communicated to the Department of Local Affairs (Department) in the previous year and has not been remediated as of June 30, 2022 because the original implementation date provided by the Department was in a subsequent fiscal year. This complete finding and recommendation can be found within the original report and the complete recommendation can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table Finding 2021-066 Section 8 Housing Choice Vouchers and Mainstream Vouchers Programs?Internal Controls over the Waiting List The Department annually receives advance payments from the federal government for the Housing Voucher Programs (Program) to provide tenant-based subsidies for rent paid by low-income households. A housing subsidy is paid to the landlord directly by the Department on behalf of the Program?s participants. During Fiscal Year 2021, the Department incurred approximately $62.9 million in federal costs for the Housing Voucher Programs. Federal regulation [24 CFR 982.54] requires the Department to have an administrative plan to establish policies for carrying out the Program in a manner consistent with the U.S. Department of Housing and Urban Development (HUD) requirements and local goals and objectives. HUD requires the Division of Housing (DOH), a section within the Department, to place all families that apply for assistance on a waiting list. DOH must select families from the waiting list and maintain clear records of all information required to verify that the family is selected from the waiting list according to HUD requirements and Department policies as stated in the Department?s administrative plan [24 CFR 982.204(b) and 982.207(e)]. The DOH maintains the waiting list in an electronic database within its Public Housing Agencies (PHA) Software, called Emphasys Elite. DOH has established preferences for order of selection off of the waiting list, and gives priority or first preference (point system) to serving families that meet various criteria, including someone experiencing homelessness, a person with a disability, households that include victims of domestic violence, etc. The second preference for selecting from the waiting list is based on when DOH placed the individual on the waiting list, by date and time. HUD may also award the Department funding for a specified category of families on the waiting list (targeted funding [24 CFR 982.204(e)]). DOH must use this funding only to assist families within the specified category allowed by the targeted funding. DOH administers the following types of targeted funding: Veterans Affairs Supporting Housing (VASH), Non-Elderly Disabled, Family Unification Program, and Family Self-Sufficiency. DOH delegates some of its voucher administration responsibilities, such as application reviews and interviews with applicants, to agencies that provide housing services to applicants and participants of the Program. These agencies, or contractors, include public housing authorities, community mental health centers, community centered boards or their contract service agencies, independent living centers, the Veterans Affairs Medical Center (VAMC), homeless service providers, and others. DOH will enter into a contract with these agencies that outline each party?s responsibilities. Contractors employ housing coordinators who assist applicants and participants to complete the necessary Program documentation and understand regulations to help them acquire and maintain units that conform to Program regulations. DOH provides each contractor with vouchers to give eligible applicants. When a contractor has available vouchers, it will ask the DOH to select and issue the next name(s) from its waiting list. DOH then uses its electronic database to select individuals from the waiting list. In order for an applicant to receive the voucher, the applicant must first attend an interview with the contractor. At the interview, the contractor will determine whether the applicant is eligible based on requiring the applicant to complete a full application and provide proof of income sources, social security number, citizenship status, release of information forms, federal or state-issued picture ID, and birth certificate, as well as the contractor?s verification of those items. If it is determined at the interview that the applicant is not eligible, the voucher will be terminated in the Emphasys Elite system and the voucher can be used for the next applicant in line on the waiting list. HUD regulations require that all families have an equal opportunity to apply for and receive housing assistance [24 CFR 982.53]. DOH must also have policies regarding various aspects of organizing and managing the waiting list of applicant families. This includes opening the list to new applicants, closing the list to new applicants, notifying the public of waiting list openings and closings, updating waiting list information, and removing families that are no longer interested in or eligible for assistance from the list. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department had effective internal controls in place over, and complied with, federal requirements related to the Program?s waiting list during Fiscal Year 2021. We requested and obtained a report from the Department that showed all individuals that were added to the Program during Fiscal Year 2021. We selected and tested 40 of these individuals admitted to the Program during Fiscal Year 2021 to determine if they were selected from the waiting list in accordance with the Department?s applicant selection policies. We also requested and obtained another report from the Department that showed any individuals selected from the waiting list due to reaching the top position on the waiting list during Fiscal Year 2021, regardless of whether the individuals were added or not added to the Program. From this report, we selected and tested 40 different individuals to ascertain if they were admitted to the Program or provided the opportunity to be admitted to the Program in accordance with the Department?s applicant selection policies. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [24 CFR 5.410, 982.54(d), and 982.201 through 982.207] require the Department to have written policies in its administrative plan for selecting applicants from the waiting list and documentation must show that the Department follows these policies when selecting applicants for admission from the waiting list. Selection from the waiting list generally occurs when the Department notifies a family whose name reaches the top of the waiting list to come in to verify eligibility for admission to the Program. ? The Department?s administrative plan states that when a family wishes to receive assistance under the Program, the family must submit an application that provides DOH with the information needed to determine the family?s eligibility [HCV GB, pp. 4-11 ? 4-16, Notice PIH 2009-36]. ? Federal regulation [24 CFR 982.207] requires that DOH select applicant families from the waiting list first by preference and secondly by date and time of application. ? Federal regulations [24 CFR 982.554(a)] specify that when a family has been selected from the waiting list for an application interview, DOH and/or its contractor will notify the family and the family will be required to participate in the interview. The notice must inform the family of the date, time, and location of the scheduled application interview, who is required to attend the interview, and all documents that must be provided by the family at the interview. ? Federal regulations [24 CFR 982.201(f) and 982.204(c)] establish the rules for removing Program participants from the waiting list. If at any time an applicant family is on the waiting list and DOH determines that the family is not eligible for assistance, the family will be removed from the waiting list. Federal regulations further state the family may also remove itself from the waiting list at any time by requesting removal in writing. If a family is removed from the waiting list because DOH has determined the family is not eligible for assistance, a notice must be sent to the family?s address of record as well as to any alternate address provided on the initial application. The notice must state the reasons the family was removed from the waiting list and inform the family how to request an informal review regarding DOH?s decision. ? Uniform Guidance [2 CFR 200.303] requires that the Department, as a federal grant recipient, establish and maintain effective internal control over federal awards that provide reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office. Section 4, Paragraph OV4.08, states that documentation is required for the effective design, implementation, and operating effectiveness of an entity?s internal control system. What problems did the audit work identify? During our testing of 40 individuals admitted to the Program during Fiscal Year 2021, we found that the Department could not provide appropriate support for 5 of the 40 (12.5 percent) tenant files reviewed. Specifically: ? For five individuals, the Department could not provide documentation of the eligibility interview. ? For one of those five individuals, the Department also could not locate the individual?s application. During our testing of 40 individuals that the Department selected from the waiting list due to the individuals reaching the top of the waiting list during Fiscal Year 2021, we found certain issues with 8 of the 40 (20 percent) tenant files reviewed. Specifically: ? In five instances, individuals were selected from the waiting list out of turn; therefore, they were not at the top of the waiting list when selected, as required. ? In three instances, the Department could not provide the applications for the individuals. Why did these problems occur? The Department lacked internal controls over the Program?s waiting list. Specifically, the Department is not ensuring its contractors are maintaining supporting documentation within tenant files, including interview documentation and applications. Both the Department and its contractors experienced employee turnover in Fiscal Year 2021. Although the Department conducted monthly webinars for various training manuals, including the administrative plan, and made training materials available for future reference, new employees did not receive sufficient training to ensure the Department complied with Program requirements over the waiting list. In addition, the Department did not properly train the DOH employees on the policies and procedures for maintaining and selecting applicants from the waiting list, which ultimately led to applicants being incorrectly selected from the waiting list. Specifically, DOH did not properly update the waiting list for new applicants and addressing unused vouchers from prior selections, which caused individuals to be incorrectly selected from the waiting list. Why do these problems matter? By not maintaining the waiting list supporting documentation, including interview documentation and applications, the Department cannot ensure that all tenants are eligible or qualified to participate in the Program. The Department must ensure it maintains accurate and complete tenant files to demonstrate compliance with federal requirements. Additionally, by not training employees properly on the Department?s policies and procedures surrounding the waiting list, applicants are at risk of being improperly removed from the waiting list and not given the opportunity to receive funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-066 The Department of Local Affairs (Department) should strengthen its internal controls to ensure it complies with waiting list requirements for the federal Section 8 Housing Choice Vouchers and Mainstream Vouchers programs. Specifically, this should include the Department developing and providing a training plan for its contractors that covers all of the programs? requirements on an ongoing basis. In addition, the Department should ensure its new employees are trained and able to properly run the waiting list in accordance with the Department?s policies and procedures, which includes ensuring the waiting list is properly updated for new applicants and addressing unused vouchers prior to making waiting list selections. Response Department of Local Affairs Agree Implementation Date: February 2023 The Department of Local Affairs (Department) agrees with the recommendation. The Department will strengthen its internal controls through the development of an onboarding program that will include different modules that new employees and/or contractors must work through to receive certification. These modules will include all relevant steps associated with the waiting list process.
The following finding and recommendation relating to an internal control deficiency classified as a Significant Deficiency was communicated to the Department of Local Affairs (Department) in the previous year and has not been remediated as of June 30, 2022 because the original implementation date provided by the Department was in a subsequent fiscal year. This complete finding and recommendation can be found within the original report and the complete recommendation can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table Finding 2021-066 Section 8 Housing Choice Vouchers and Mainstream Vouchers Programs?Internal Controls over the Waiting List The Department annually receives advance payments from the federal government for the Housing Voucher Programs (Program) to provide tenant-based subsidies for rent paid by low-income households. A housing subsidy is paid to the landlord directly by the Department on behalf of the Program?s participants. During Fiscal Year 2021, the Department incurred approximately $62.9 million in federal costs for the Housing Voucher Programs. Federal regulation [24 CFR 982.54] requires the Department to have an administrative plan to establish policies for carrying out the Program in a manner consistent with the U.S. Department of Housing and Urban Development (HUD) requirements and local goals and objectives. HUD requires the Division of Housing (DOH), a section within the Department, to place all families that apply for assistance on a waiting list. DOH must select families from the waiting list and maintain clear records of all information required to verify that the family is selected from the waiting list according to HUD requirements and Department policies as stated in the Department?s administrative plan [24 CFR 982.204(b) and 982.207(e)]. The DOH maintains the waiting list in an electronic database within its Public Housing Agencies (PHA) Software, called Emphasys Elite. DOH has established preferences for order of selection off of the waiting list, and gives priority or first preference (point system) to serving families that meet various criteria, including someone experiencing homelessness, a person with a disability, households that include victims of domestic violence, etc. The second preference for selecting from the waiting list is based on when DOH placed the individual on the waiting list, by date and time. HUD may also award the Department funding for a specified category of families on the waiting list (targeted funding [24 CFR 982.204(e)]). DOH must use this funding only to assist families within the specified category allowed by the targeted funding. DOH administers the following types of targeted funding: Veterans Affairs Supporting Housing (VASH), Non-Elderly Disabled, Family Unification Program, and Family Self-Sufficiency. DOH delegates some of its voucher administration responsibilities, such as application reviews and interviews with applicants, to agencies that provide housing services to applicants and participants of the Program. These agencies, or contractors, include public housing authorities, community mental health centers, community centered boards or their contract service agencies, independent living centers, the Veterans Affairs Medical Center (VAMC), homeless service providers, and others. DOH will enter into a contract with these agencies that outline each party?s responsibilities. Contractors employ housing coordinators who assist applicants and participants to complete the necessary Program documentation and understand regulations to help them acquire and maintain units that conform to Program regulations. DOH provides each contractor with vouchers to give eligible applicants. When a contractor has available vouchers, it will ask the DOH to select and issue the next name(s) from its waiting list. DOH then uses its electronic database to select individuals from the waiting list. In order for an applicant to receive the voucher, the applicant must first attend an interview with the contractor. At the interview, the contractor will determine whether the applicant is eligible based on requiring the applicant to complete a full application and provide proof of income sources, social security number, citizenship status, release of information forms, federal or state-issued picture ID, and birth certificate, as well as the contractor?s verification of those items. If it is determined at the interview that the applicant is not eligible, the voucher will be terminated in the Emphasys Elite system and the voucher can be used for the next applicant in line on the waiting list. HUD regulations require that all families have an equal opportunity to apply for and receive housing assistance [24 CFR 982.53]. DOH must also have policies regarding various aspects of organizing and managing the waiting list of applicant families. This includes opening the list to new applicants, closing the list to new applicants, notifying the public of waiting list openings and closings, updating waiting list information, and removing families that are no longer interested in or eligible for assistance from the list. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department had effective internal controls in place over, and complied with, federal requirements related to the Program?s waiting list during Fiscal Year 2021. We requested and obtained a report from the Department that showed all individuals that were added to the Program during Fiscal Year 2021. We selected and tested 40 of these individuals admitted to the Program during Fiscal Year 2021 to determine if they were selected from the waiting list in accordance with the Department?s applicant selection policies. We also requested and obtained another report from the Department that showed any individuals selected from the waiting list due to reaching the top position on the waiting list during Fiscal Year 2021, regardless of whether the individuals were added or not added to the Program. From this report, we selected and tested 40 different individuals to ascertain if they were admitted to the Program or provided the opportunity to be admitted to the Program in accordance with the Department?s applicant selection policies. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [24 CFR 5.410, 982.54(d), and 982.201 through 982.207] require the Department to have written policies in its administrative plan for selecting applicants from the waiting list and documentation must show that the Department follows these policies when selecting applicants for admission from the waiting list. Selection from the waiting list generally occurs when the Department notifies a family whose name reaches the top of the waiting list to come in to verify eligibility for admission to the Program. ? The Department?s administrative plan states that when a family wishes to receive assistance under the Program, the family must submit an application that provides DOH with the information needed to determine the family?s eligibility [HCV GB, pp. 4-11 ? 4-16, Notice PIH 2009-36]. ? Federal regulation [24 CFR 982.207] requires that DOH select applicant families from the waiting list first by preference and secondly by date and time of application. ? Federal regulations [24 CFR 982.554(a)] specify that when a family has been selected from the waiting list for an application interview, DOH and/or its contractor will notify the family and the family will be required to participate in the interview. The notice must inform the family of the date, time, and location of the scheduled application interview, who is required to attend the interview, and all documents that must be provided by the family at the interview. ? Federal regulations [24 CFR 982.201(f) and 982.204(c)] establish the rules for removing Program participants from the waiting list. If at any time an applicant family is on the waiting list and DOH determines that the family is not eligible for assistance, the family will be removed from the waiting list. Federal regulations further state the family may also remove itself from the waiting list at any time by requesting removal in writing. If a family is removed from the waiting list because DOH has determined the family is not eligible for assistance, a notice must be sent to the family?s address of record as well as to any alternate address provided on the initial application. The notice must state the reasons the family was removed from the waiting list and inform the family how to request an informal review regarding DOH?s decision. ? Uniform Guidance [2 CFR 200.303] requires that the Department, as a federal grant recipient, establish and maintain effective internal control over federal awards that provide reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office. Section 4, Paragraph OV4.08, states that documentation is required for the effective design, implementation, and operating effectiveness of an entity?s internal control system. What problems did the audit work identify? During our testing of 40 individuals admitted to the Program during Fiscal Year 2021, we found that the Department could not provide appropriate support for 5 of the 40 (12.5 percent) tenant files reviewed. Specifically: ? For five individuals, the Department could not provide documentation of the eligibility interview. ? For one of those five individuals, the Department also could not locate the individual?s application. During our testing of 40 individuals that the Department selected from the waiting list due to the individuals reaching the top of the waiting list during Fiscal Year 2021, we found certain issues with 8 of the 40 (20 percent) tenant files reviewed. Specifically: ? In five instances, individuals were selected from the waiting list out of turn; therefore, they were not at the top of the waiting list when selected, as required. ? In three instances, the Department could not provide the applications for the individuals. Why did these problems occur? The Department lacked internal controls over the Program?s waiting list. Specifically, the Department is not ensuring its contractors are maintaining supporting documentation within tenant files, including interview documentation and applications. Both the Department and its contractors experienced employee turnover in Fiscal Year 2021. Although the Department conducted monthly webinars for various training manuals, including the administrative plan, and made training materials available for future reference, new employees did not receive sufficient training to ensure the Department complied with Program requirements over the waiting list. In addition, the Department did not properly train the DOH employees on the policies and procedures for maintaining and selecting applicants from the waiting list, which ultimately led to applicants being incorrectly selected from the waiting list. Specifically, DOH did not properly update the waiting list for new applicants and addressing unused vouchers from prior selections, which caused individuals to be incorrectly selected from the waiting list. Why do these problems matter? By not maintaining the waiting list supporting documentation, including interview documentation and applications, the Department cannot ensure that all tenants are eligible or qualified to participate in the Program. The Department must ensure it maintains accurate and complete tenant files to demonstrate compliance with federal requirements. Additionally, by not training employees properly on the Department?s policies and procedures surrounding the waiting list, applicants are at risk of being improperly removed from the waiting list and not given the opportunity to receive funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-066 The Department of Local Affairs (Department) should strengthen its internal controls to ensure it complies with waiting list requirements for the federal Section 8 Housing Choice Vouchers and Mainstream Vouchers programs. Specifically, this should include the Department developing and providing a training plan for its contractors that covers all of the programs? requirements on an ongoing basis. In addition, the Department should ensure its new employees are trained and able to properly run the waiting list in accordance with the Department?s policies and procedures, which includes ensuring the waiting list is properly updated for new applicants and addressing unused vouchers prior to making waiting list selections. Response Department of Local Affairs Agree Implementation Date: February 2023 The Department of Local Affairs (Department) agrees with the recommendation. The Department will strengthen its internal controls through the development of an onboarding program that will include different modules that new employees and/or contractors must work through to receive certification. These modules will include all relevant steps associated with the waiting list process.
Finding 2022-074 Coronavirus Relief Funds?Property Owner Preservation Program The President of the United States issued the Proclamation on Declaring a National Emergency Concerning the Novel Coronavirus Disease (COVID-19) Outbreak on March 13, 2020 and Congress subsequently passed the Coronavirus Aid, Relief, and Economic Security (CARES) Act. The CARES Act provided emergency assistance in response to the COVID-19 pandemic and established the Coronavirus Relief Fund (CRF) program, which provided payments to state, local, and tribal governments navigating the impact of COVID-19. The State of Colorado received approximately $1.67 billion of CRF funds in April 2020, and the Governor issued Executive Order 2020-070 (Executive Order) in May 2020 to disburse the CRF funds to numerous state departments and agencies. In June 2020, the State passed House Bill 20-1410, concerning assistance for individuals facing a housing-related hardship due to the COVID-19 pandemic, and transferred approximately $19.7 million of CRF funds to the Housing Development Grant Fund to provide such assistance. This bill includes a provision for the Property Owners Preservation Program (Program), which was managed by the Department, to allow landlords and property owners to seek rental assistance on behalf of their tenants who experienced a financial need on or after March 1, 2020, due to the effects of the COVID-19 pandemic. In Fiscal Year 2021, the Department expended the $19.7 million of the CRF funds it received in April 2020, for the Property Owners Preservation Program (POPP). What was the purpose of our audit work and what work was performed? The purpose of the audit work was to follow up on our prior year audit recommendation, which recommended that the Department implement internal controls to ensure it complies with federal regulations for any new federal funds it receives, such as the CRF. The Department planned to implement this recommendation by June 2022. During the Fiscal Year 2022 audit, we inquired with the Department on the implementation status of this recommendation. We also obtained and reviewed the Department?s Exhibit K3, Schedule of Prior Year Audit Recommendation Status, which it was required to submit to the State Controller. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Under House Bill 20-1410, the Housing Development Grant Fund was appropriated $19,650,000 of funds from the CRF for the purpose of providing individuals and households who, on or after March 1, 2020, experienced financial need due to the COVID-19 pandemic or effects of the COVID-19 pandemic, with rental assistance. The House Bill also provided guidance on how to access additional housing services. The Department developed and issued a new application for the POPP to address the criteria for experiencing direct or indirect impacts of the COVID-19 pandemic. ? Federal regulations [2 CFR 200.303] require that the Department, as a federal grant recipient, ?establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.? Furthermore, in accordance with 2 CFR part 200, subpart E, the Department must determine that amounts paid with federal grant funds were necessary and reasonable for the performance of the federal award and are adequately documented. Therefore, the Department must maintain appropriate supporting documentation to verify costs were properly charged to the federal grants. ? The Office of the State Controller (OSC) requires each department that had a prior audit recommendation that was reported in the prior fiscal year?s Office of the State Auditor Statewide audit to complete an Exhibit K3 to report the Department?s determination of the status of their recommendation as of June 30. Possible status descriptions include ?Implemented,? ?Partially Implemented,? ?Not Implemented,? and ?No Longer Valid.? The Department must provide an explanation for each recommendation status. What problem did the audit work identify? We determined that the Department did not implement the prior year?s recommendation by its planned implementation date of June 2022. Specifically, during prior year audit work, we found that the Department could not provide appropriate underlying support for 4 of the 60 transactions (7 percent) we tested that were charged as CRF expenditures for the Program; as a result, we recommended that the Department strengthen its internal controls over federal grant spending, including that it develop and implement policies and procedures with a requirement that Department staff review and maintain records supporting its expenditures charged to federal programs. When we inquired of the Department about what steps it had taken to implement the recommendation, Department staff indicated that they did not implement the recommendation during Fiscal Year 2022. Why did this problem occur? The Department reported on its Exhibit K3 that it determined that the original implementation date of June 2022 that the Department provided as its planned implementation date for our Fiscal Year 2021 recommendation was unrealistic, given the Department?s staffing challenges. Specifically, the Department indicated that it was not able to allocate sufficient time to develop and implement the recommended policy and procedure guidance by the end of Fiscal Year 2022. Why does this problem matter? The Department?s lack of sufficient internal controls over the maintenance of complete and accurate records for the federal CRF monies could result in inadequate documentation to support its payments and ultimately, disallowed federal costs and potential sanctions. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-074 The Department of Local Affairs (Department) should implement internal controls to ensure it complies with federal regulations, specifically for activities allowed or unallowed and allowable costs/cost principles, for any new federal funds it receives, such as the Coronavirus Relief Fund. This should include developing and implementing policies and procedures that include a requirement that Department staff review and maintain records supporting the expenditures charged to the federal program. Response Department of Local Affairs Agree Implementation Date: September 2022 The Division of Housing within the Department of Local Affairs has implemented internal controls to ensure compliance with federal regulations for new federal funds, including the development of a standard procedure and the requirement that Department staff review and maintain records supporting the expenditures charged to new federal programs.
Finding 2022-074 Coronavirus Relief Funds?Property Owner Preservation Program The President of the United States issued the Proclamation on Declaring a National Emergency Concerning the Novel Coronavirus Disease (COVID-19) Outbreak on March 13, 2020 and Congress subsequently passed the Coronavirus Aid, Relief, and Economic Security (CARES) Act. The CARES Act provided emergency assistance in response to the COVID-19 pandemic and established the Coronavirus Relief Fund (CRF) program, which provided payments to state, local, and tribal governments navigating the impact of COVID-19. The State of Colorado received approximately $1.67 billion of CRF funds in April 2020, and the Governor issued Executive Order 2020-070 (Executive Order) in May 2020 to disburse the CRF funds to numerous state departments and agencies. In June 2020, the State passed House Bill 20-1410, concerning assistance for individuals facing a housing-related hardship due to the COVID-19 pandemic, and transferred approximately $19.7 million of CRF funds to the Housing Development Grant Fund to provide such assistance. This bill includes a provision for the Property Owners Preservation Program (Program), which was managed by the Department, to allow landlords and property owners to seek rental assistance on behalf of their tenants who experienced a financial need on or after March 1, 2020, due to the effects of the COVID-19 pandemic. In Fiscal Year 2021, the Department expended the $19.7 million of the CRF funds it received in April 2020, for the Property Owners Preservation Program (POPP). What was the purpose of our audit work and what work was performed? The purpose of the audit work was to follow up on our prior year audit recommendation, which recommended that the Department implement internal controls to ensure it complies with federal regulations for any new federal funds it receives, such as the CRF. The Department planned to implement this recommendation by June 2022. During the Fiscal Year 2022 audit, we inquired with the Department on the implementation status of this recommendation. We also obtained and reviewed the Department?s Exhibit K3, Schedule of Prior Year Audit Recommendation Status, which it was required to submit to the State Controller. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Under House Bill 20-1410, the Housing Development Grant Fund was appropriated $19,650,000 of funds from the CRF for the purpose of providing individuals and households who, on or after March 1, 2020, experienced financial need due to the COVID-19 pandemic or effects of the COVID-19 pandemic, with rental assistance. The House Bill also provided guidance on how to access additional housing services. The Department developed and issued a new application for the POPP to address the criteria for experiencing direct or indirect impacts of the COVID-19 pandemic. ? Federal regulations [2 CFR 200.303] require that the Department, as a federal grant recipient, ?establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.? Furthermore, in accordance with 2 CFR part 200, subpart E, the Department must determine that amounts paid with federal grant funds were necessary and reasonable for the performance of the federal award and are adequately documented. Therefore, the Department must maintain appropriate supporting documentation to verify costs were properly charged to the federal grants. ? The Office of the State Controller (OSC) requires each department that had a prior audit recommendation that was reported in the prior fiscal year?s Office of the State Auditor Statewide audit to complete an Exhibit K3 to report the Department?s determination of the status of their recommendation as of June 30. Possible status descriptions include ?Implemented,? ?Partially Implemented,? ?Not Implemented,? and ?No Longer Valid.? The Department must provide an explanation for each recommendation status. What problem did the audit work identify? We determined that the Department did not implement the prior year?s recommendation by its planned implementation date of June 2022. Specifically, during prior year audit work, we found that the Department could not provide appropriate underlying support for 4 of the 60 transactions (7 percent) we tested that were charged as CRF expenditures for the Program; as a result, we recommended that the Department strengthen its internal controls over federal grant spending, including that it develop and implement policies and procedures with a requirement that Department staff review and maintain records supporting its expenditures charged to federal programs. When we inquired of the Department about what steps it had taken to implement the recommendation, Department staff indicated that they did not implement the recommendation during Fiscal Year 2022. Why did this problem occur? The Department reported on its Exhibit K3 that it determined that the original implementation date of June 2022 that the Department provided as its planned implementation date for our Fiscal Year 2021 recommendation was unrealistic, given the Department?s staffing challenges. Specifically, the Department indicated that it was not able to allocate sufficient time to develop and implement the recommended policy and procedure guidance by the end of Fiscal Year 2022. Why does this problem matter? The Department?s lack of sufficient internal controls over the maintenance of complete and accurate records for the federal CRF monies could result in inadequate documentation to support its payments and ultimately, disallowed federal costs and potential sanctions. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-074 The Department of Local Affairs (Department) should implement internal controls to ensure it complies with federal regulations, specifically for activities allowed or unallowed and allowable costs/cost principles, for any new federal funds it receives, such as the Coronavirus Relief Fund. This should include developing and implementing policies and procedures that include a requirement that Department staff review and maintain records supporting the expenditures charged to the federal program. Response Department of Local Affairs Agree Implementation Date: September 2022 The Division of Housing within the Department of Local Affairs has implemented internal controls to ensure compliance with federal regulations for new federal funds, including the development of a standard procedure and the requirement that Department staff review and maintain records supporting the expenditures charged to new federal programs.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-059 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF I) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund (Assistance Listing No. 84.425). The HEERF program contains two portions: the Student Aid portion (Assistance Listing No. 84.425E) and the Institutional portion, which is made up of the following: HEERF Institutional Aid Portion (Assistance Listing No. 84.425F), HEERF Minority Serving Institutions (Assistance Listing No. 84.425L), HEERF Strengthening Institutions Program (Assistance Listing No. 84.425M), Institutional Resilience and Expanded Postsecondary Opportunity (Assistance Listing No. 84.425P), and HEERF Supplemental Assistance to Institutions of Higher Education program (Assistance Listing No. 84.425S). Amounts provided to students through HEERF are considered to be ?Emergency Financial Aid Grants to Students? under the Program. Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent approximately $97.8 million for the HEERF program Student Aid portion which is used to award Emergency Financial Aid Grants to students and $113.9 million for the HEERF Institutional Portion, which is used to support the colleges. $117.3 of this amount was expended by the System during Fiscal Year 2022. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the ED to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The annual report is to be submitted directly to the ED. The ED has specified certain criteria that must be included in each report. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System had adequate internal controls in place over, and complied with, the HEERF Institutional and Student Aid grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the System?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 25 of the 117 HEERF reports submitted by the System?s campuses during Fiscal Year 2022 to determine whether the reports were posted on each campus? primary website (quarterly reports) or submitted to ED (annual reports) by the federal due dates. Furthermore, for the Student Aid Quarterly Report we requested from each Campus the underlying support for the reports, which consisted of student data detailing how much aid was awarded and the methods the campuses used to determine which students would receive Emergency Financial Aid Grants. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? On May 13, 2021, the ED published in the Federal Register a notice for student aid public reporting under CRRSAA and ARP, which requires that institutions publicly post certain information on their website. The following information must appear in a format and location that is easily accessible to the public: o An acknowledgement that the institution signed and returned to the ED the Certification and Agreement and the assurance that the institution has used the applicable amount of funds designated under the CRRSAA and ARP programs to provide Emergency Financial Aid Grants to Students. o The total amount of funds that the institution will receive or has received from the ED pursuant to the institution's Certification and Agreement for Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total amount of Emergency Financial Aid Grants distributed to students under the CRRSAA and ARP programs as of the date of submission (i.e., as of the initial report and every calendar quarter thereafter). o The estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total number of students who have received an Emergency Financial Aid Grant to students under the CRRSAA and ARP programs. o The method(s) used by the institution to determine which students receive Emergency Financial Aid Grants and how much they would receive under the CRRSAA and ARP programs. o Any instructions, directions, or guidance provided by the institution to students concerning the Emergency Financial Aid Grants. ? Federal Uniform Guidance [2 CFR 200.303] requires that recipients of federal awards have internal controls in place to ensure that federal reports are accurate and report complete information. Appropriate supporting documentation is evidence of such internal controls. What problems did the audit work identify? We identified issues with 5 of the 25 Fiscal Year 2022 reports we tested (20 percent). Specifically, Front Range Community College (FRCC), Pueblo Community College (PCC), and Lamar Community College (LCC) could not provide appropriate supporting documentation for one or more of the following data elements in five of the Student Aid Quarterly Reports: student data detailing (a) the total amount of Emergency Financial Aid Grants distributed to students, (b) the total number of students eligible to receive Emergency Financial Aid Grants and/or (c) the total number of students at the institution who have received an Emergency Financial Aid Grant. The specific issues we found the following: ? FRCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended September 30, 2021 as 20,684; based on our review, we determined the supported number was 20,782. ? FRCC reported the total number of students at the institution who have received an Emergency Financial Aid Grant for the quarter ended June 30, 2022 as 20,385 (student portion) and 3,207 (institutional portion); based on our review, we determined the supported numbers were 20,401 and 3,222, respectively. ? LCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended June 30, 2022 as 1,007; based on our review, we determined the supported number was 1,034. In addition, the amount disbursed directly to student emergency financial aid grants to date was reported as 961 and total for all HEERF funds was 1,124; based on our review, we determined the supported numbers were 988 and 1,151, respectively. ? PCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarters ending September 30, 2021 and December 31, 2021 as 3,191; based on our review, we determined this amount could not be supported and PCC did not provide a revised count. Why did these problems occur? FRCC, PCC, and LCC campuses did not have procedures in place to ensure that supporting documentation was maintained for its Student Aid Quarterly Reporting. Employee turnover in the FRCC Controller position and FRCC, PCC, and LCC Student Financial Aid Director positions further contributed to FRCC, PCC, and LCC?s inability to locate or recreate the supporting documentation. Why do these problems matter? It is important for FRCC, PCC, and LCC to ensure that they obtain and maintain appropriate documentation to support amounts reported to federal awarding agencies, especially when they are the basis for determining FRCC, PCC, and LCC?s compliance with specific federal program requirements. This issue could lead to inaccurate federal reporting and potential noncompliance, which could result in the federal government requiring FRCC, PCC, and LCC to return funds or a negative impact to the System?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-059 Front Range Community College, Lamar Community College, and Pueblo Community College campuses should strengthen their internal controls over federal reporting and ensure they comply with the Higher Education Emergency Relief Fund reporting requirements by reviewing reports for accuracy and developing procedures for ensuring the required maintenance of all related supporting documentation. Response Front Range Community College Agree Implementation Date: September 2022 Moving forward the Director of Financial Aid will engage the Restricted Funds Accountants in a quality assurance review of both dollars spent, type of fund, and student counts before it is submitted for final review and publishing by the Director of Resource Development and Senior Grant Administrator. The most recently submitted information for the quarterly report of September 30, 2022 will be sent to the Restricted Funds Accountants to validate that FRCC has been and will continue to be in compliance for quarterly HEERF reporting. Response Lamar Community College Agree Implementation Date: July 2022 The Financial Aid Director and the Controller will compile their reporting support on the shared drive they utilize for other routine purposes as well, to ensure clear documentation of the numbers reported. The original report containing errors was corrected, validated, and reposted. All past year?s reporting data was made available on the shared drive as of July 2022. Response Pueblo Community College Agree Implementation Date: October 2022 Each quarter Financial aid will obtain and compare Cognos and Banner disbursement reports for accuracy. Once the unduplicated student count is determined it will be sent to the Vice President of Student Success to validate and approve going forward. Financial aid will ensure staff maintain supporting documentation for any institutional expenditures information that was obtained from the fiscal office. Disbursement and expenditure data will be compiled for the Department of Education?s Quarterly Report by the submission deadline and will be submitted as PDF to webmaster for posting on PCC?s website and a copy emailed to a contact at the Department of Education and will archive the submission for future reference.
Finding 2022-062 Higher Education Emergency Relief Fund Student Aid Finding The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to higher education institutions, including the University, under the HEERF program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA) was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. Since March 11, 2021, the University has been awarded $45.6 million in HEERF grant funds through the American Rescue Plan (ARP), otherwise known as HEERF III. Of this award, the University was provided both 1) Student Aid monies, along with 2) Institutional Aid monies. Student Aid monies must be used to provide financial aid grants to students (including students exclusively enrolled in distance education), which may be used for ?any component of the student?s cost of attendance or for emergency costs that arise due to coronavirus, such as tuition, food, housing, healthcare (including mental health care), or childcare. Institutional Aid monies may be used to defray expenses associated with coronavirus (including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll) and to make additional financial grants to students. During Fiscal Year 2022, the University spent $21.0 million for the Student Aid portion and $20.2 million for the Institutional portion of HEERF III funds. For the Student Aid portion of the HEERF III funding, the University divided the funding into different groups. The University developed a written plan (that applied during Fiscal Year 2022) for each group and a control process for awarding the monies to students. One of the groups of funding was to be awarded to students with unpaid balances in their tuition or auxiliary accounts with past due balances incurred during the 2020-2021 or 2021-2022 academic years. A team of University employees (CARES Team) was tasked with identifying those students, then contacting those students and asking if they would like the University to apply the student?s HEERF award to pay down the student?s account balance or pay it to the student directly. Once the student informed the University of their election, then the University awarded and disbursed the funds. What was the purpose of our audit work and what was performed? The purpose of the audit work was to determine whether the University was in compliance with the HEERF program regulations for awarding and paying the Student Aid portion of the HEERF funding, and whether proper controls were in place over the program during Fiscal Year 2022. Our testing included conducting interviews with management and selecting a sample of 60 disbursements made to students during Fiscal Year 2022 to test controls and compliance. We performed testing on the 60 disbursements to determine whether awards and disbursements were made in accordance with the University?s documented plan. How were the results of the audit work measured? In accordance with HEERF III requirements, the University must prioritize student aid distributions to students with exceptional needs. In addition, the University must have a documented plan to distribute funds to students. Federal regulations [2 CFR 200.303] require any non-federal grant award recipient to establish and maintain effective internal control over the federal award that provides reasonable assurance that the grant award recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. Lastly, student aid application best practices discourage employees from awarding aid to family members. What problem did the audit work identify? Based on interviews with University management, the University identified that a University employee inappropriately provided $700 in HEERF Student Aid funding to the employee?s family member who was a student at the University but was not eligible to receive the funds. Specifically, the CARES Team selected students to receive these funds that met the following criteria: 1) Student was enrolled in the Fall of 2021 or Spring 2022, 2) student had past due balances incurred during the 2020-2021 or 2021-2022 academic years, 3) the student was in good academic standing, and 4) they were participating in a payment plan or in the College Completion Advising program. The student was not selected by the CARES Team as eligible to receive these funds. During our testing of additional 60 student disbursement transactions we found no other exceptions. Why did this problem occur? The University has not established proper segregation of duties to prevent University employees from awarding federal funding to a member of their family. Specifically, the employee had access rights within the University?s financial aid system that granted the employee the ability to both award and disburse federal funds without another employee reviewing or approving. In addition, the University did not have a written policy, as recommended by industry best practices, that prohibits employees from applying aid to family members? accounts. Why does this problem matter? Federal funds that are misapplied or used for unallowable purposes could be subject to repayment from the University to the federal granting agency. Without ensuring adequate segregation of duties within the University?s financial aid system for awarding and disbursing federal funds, the University increases the risk that fraud could occur. In the instance identified, the University recovered the funding from the student. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-062 Metropolitan State University of Denver (University) should improve its internal controls over federal Higher Education Emergency Relief Funds by instituting appropriate segregation of duties over the awarding of federal funds to students. This should include requiring that no one employee can both award then disburse aid to students and developing and implementing a formal written policy that prohibits University employees from awarding financial aid to their family members. Response Metropolitan State University Agree Implementation Date: June 2023 In January 2023, the Executive Director of Financial Aid and Scholarships implemented a code of conduct that addresses and prohibits University personnel from awarding financial aid to their family members or other persons considered conflicts of interest. The Office of Financial Aid and Scholarships will draft policy by June 30, 2023, to address the segregation of duties that prohibits awarding and disbursing federal, state, or institutional funding to students by one employee.
Finding 2022-063 Higher Education Emergency Relief Fund Reporting Compliance Finding The CARES Act was signed into law on March 27, 2020, and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the (HEERF Program. CRRSAA was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Since April 2020, the University has been awarded a total of $86.3 million in HEERF funding. From inception through June 30, 2022, the University spent $35.4 million for the HEERF program Student Aid Portion and $48.9 million for the HEERF program Institutional Portion. The University reports that it will spend the remaining amount of funding during Fiscal Year 2023. The University signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate the University?s acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The ED specified that Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The annual report is to be submitted directly to the federal ED. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University had adequate internal controls in place over and complied with HEERF Institutional and Student Aid Portion grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the University?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 5 of the 8 HEERF reports submitted by the University during Fiscal Year 2022 to determine whether the reports were posted on the University?s primary website or submitted directly to the ED by the federal due dates and complied with federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? For the Student Aid Portion, beginning on May 6, 2020, the ED required institutions to publicly post certain information on their website, including the number of awards distributed to students, the total amount awarded, and the methodologies used by the institution to determine which students receive awards, no later than 30 days after the award date, and to update that information every 45 days thereafter (by posting a new report). ? On August 31, 2020, the ED revised the reporting requirement by decreasing the frequency of reporting after the initial 30-day period from every 45 days thereafter to every calendar quarter. This revision from every 45 days to a calendar quarter was effective for the first calendar quarter report due by October 10, 2020, and covering the period from after the institution?s last report through the end of the calendar quarter on September 30, 2020. ? For the Institutional Portion, a federal form filled out by the institution must be posted on the institution?s website covering aggregate expenditure amounts for each calendar quarter (September 30, December 31, March 31, and June 30) and concluding after an institution has spent the institutional portion of their HEERF Funds. The institution must post their first report by October 30, 2020, the first quarter of 2021 report by July 20, 2021, and post all other reports no later than 10 days after the end of each calendar quarter (October 10, January 10, April 10, and July 10). ? Section 18004(e) of the CARES Act and Section 314(e) of the CRRSAA require an institution receiving funds under HEERF to submit a report to the Secretary of the ED at ?such time in such a manner as the Secretary may require?. ? Federal regulation [2 CFR 200.334] states that ?financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.? The instructions for the Quarterly HEERF Reporting Form notes, ?any changes or updates after the initial posting must be conspicuously noted after initial posting and the date of the change must be noted in the `Date of Report? line.? ? Federal regulation [2 CFR 200.303] states that the University, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The University signed a HEERF Certification and Agreement to accept the funding and acknowledge its responsibilities under the grant; therefore, the University was responsible under the Agreement to ensure that it complied with HEERF reporting and other requirements. What problems did the audit work identify? We determined that 2 out of 5 reports tested (40 percent) did not meet the HEERF grant report posting requirements. Specifically: ? The University did not post the HEERF CRRSAA Student quarterly report for the quarter ending September 30, 2021 on the University?s primary website, as required. ? The University published the HEERF ARP Student quarterly report for the quarter ending March 31, 2022 on May 26, 2022?46 days past the due date of April 10, 2022. No issues were noted on the accuracy of the financial information on this report. Why did these problems occur? The University did not implement adequate internal controls to ensure it complied with the HEERF grant reporting requirements. Specifically, the University did not have appropriate policies and procedures in place to ensure that staff submit the required reports within federally required timeframes. Why do these problems matter? Federal oversight agencies, including ED, depend on accurate reports to measure program results and states? compliance with federal requirements. By failing to report the HEERF spending information in accordance with federal regulations, the University failed to comply with the requirements of the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-063 Metropolitan State University of Denver (University) should strengthen its internal controls over reporting and ensure it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by developing and documenting policies and procedures for identifying and researching the specific reporting requirements and ensuring that staff post to the University?s website the required reports within federally required timeframes. In addition, the University should ensure that all the HEERF reports that are currently required to be posted are on the website. Response Metropolitan State University Agree Implementation Date: December 2022 In December 2022, the Office of Financial Aid strengthened its internal control over the reporting requirements for the Higher Education Emergency Relief Fund (HEERF), by adding the report due dates to the internal operational calendar. Additional level reviews were also added to the submission process before the required reports will be sent to the Department of Education and posted on the financial aid website.
Finding 2022-064 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide emergency financial assistance to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the University under the Higher Education Emergency Relief Fund (HEERF I) Program. The federal Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the federal American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Each of the University?s campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (DOE) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements of the HEERF program there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The DOE specified that the Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The University?s campuses are required to submit the annual report directly to the DOE. During Fiscal Year 2022, each University campus was required to complete and post 8 reports (four Student Aid and four Institutional) to their website. During Fiscal Year 2022, the University?s three campuses in total expended approximately $60 million in HEERF grant funds: $27 million was expended by the Boulder campus, $10.5 million was expended by the Colorado Springs campus, and $22.5 million was expended by the Denver campus. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over and complied with the HEERF grant reporting requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls over the HEERF grant reporting requirements. In addition, we tested 11 of the 12 student reports and 3 of the 12 institutional reports posted by the University during Fiscal Year 2022 to determine whether the University campuses posted the required information on each campus? website accurately, and by the federal due dates. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? The DOE issued a notice on May 13, 2021, requiring institutions to publicly post their required HEERF reports on the institution?s website as soon as possible, but no later than 30 days after the publication of the notice, or 30 days after the date the DOE first obligated funds under HEERF I, II, or III to the institution for emergency financial assistance to students; whichever comes later. The institution is required to post the report no later than 10 days after the end of each calendar quarter, after the initial posting. ? Federal regulation [2 CFR 200.303] states that the System?s campuses, as federal grant recipients, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? What problem did the audit work identify? We identified 2 out of the 14 reports tested (14.3 percent) that did not meet the HEERF grant report posting requirements. Specifically, the University of Colorado, Colorado Springs Campus, did not post the required information for the HEERF Student Aid Portion on its website for two of four quarters of Fiscal Year 2022 timely. First, the University posted the quarter-ending September 30, 2021 report to its website on December 23, 2021, or 74 days after the deadline of October 10. Second, the University did not post the quarter-ending March 31, 2022 report, which was due April 10, 2022, until October 2022, after we notified them of the error; this was approximately 6 months late. We did not identify any issues with the accuracy of the reports, and we found that the other two campuses in the University of Colorado System posted the required information on their respective websites as required by federal regulations. Why did this problem occur? The University?s Colorado Springs campus did not have adequate internal controls in place to ensure it complied with the HEERF grant reporting requirements. Specifically, the Colorado Springs Campus did not have appropriate policies and procedures in place for identifying and researching changes in HEERF reporting requirements. The federal government updated and provided a new form for HEERF reporting in September 2021 that included a section for institutional information but inadvertently excluded student information from the form. Because the form no longer required the student information, the Colorado Springs campus staff inaccurately assumed that the student information was no longer required to be reported. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in the DOE Certification and Agreement that is signed and agreed to by the University. By failing to report required information in accordance with federal regulations, the University failed to comply with the requirements of the HEERF program and potentially risks repercussions from the DOE as specified in the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-064 The University of Colorado?s Colorado Springs campus should strengthen its internal controls over and ensure that it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by establishing policies and procedures for identifying and researching changes in HEERF reporting requirements and posting reports to the campus website as required by federal regulations. Response University of Colorado Agree Implementation Date: Implemented Management agrees. After the notification of the missing HEERF report in December 2021, the UCCS Controller proposed a ?cross-check? process to ensure all future reporting is in compliance and reported in a timely manner. This process is used for both the quarterly and annual reporting process. In the quarterly reporting process, the UCCS Controller completes the institutional report and emails the report to the UCCS Financial Aid office Senior Executive Director for verification of the amounts and the data submitted. The Senior Executive Director then enters the student aid portion?s information and provides this to the UCCS Controller for verification of the data. Once verified, the report is uploaded to the UCCS website and a confirmation email is sent to the UCCS Controller as well as the heerfreporting@ed.gov for verification of completion of the website posting. This process has been duplicated with the annual reporting process. Before the annual report is submitted a review will be done to verify the report figures match the CU financials for the calendar year.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Finding 2022-074 Coronavirus Relief Funds?Property Owner Preservation Program The President of the United States issued the Proclamation on Declaring a National Emergency Concerning the Novel Coronavirus Disease (COVID-19) Outbreak on March 13, 2020 and Congress subsequently passed the Coronavirus Aid, Relief, and Economic Security (CARES) Act. The CARES Act provided emergency assistance in response to the COVID-19 pandemic and established the Coronavirus Relief Fund (CRF) program, which provided payments to state, local, and tribal governments navigating the impact of COVID-19. The State of Colorado received approximately $1.67 billion of CRF funds in April 2020, and the Governor issued Executive Order 2020-070 (Executive Order) in May 2020 to disburse the CRF funds to numerous state departments and agencies. In June 2020, the State passed House Bill 20-1410, concerning assistance for individuals facing a housing-related hardship due to the COVID-19 pandemic, and transferred approximately $19.7 million of CRF funds to the Housing Development Grant Fund to provide such assistance. This bill includes a provision for the Property Owners Preservation Program (Program), which was managed by the Department, to allow landlords and property owners to seek rental assistance on behalf of their tenants who experienced a financial need on or after March 1, 2020, due to the effects of the COVID-19 pandemic. In Fiscal Year 2021, the Department expended the $19.7 million of the CRF funds it received in April 2020, for the Property Owners Preservation Program (POPP). What was the purpose of our audit work and what work was performed? The purpose of the audit work was to follow up on our prior year audit recommendation, which recommended that the Department implement internal controls to ensure it complies with federal regulations for any new federal funds it receives, such as the CRF. The Department planned to implement this recommendation by June 2022. During the Fiscal Year 2022 audit, we inquired with the Department on the implementation status of this recommendation. We also obtained and reviewed the Department?s Exhibit K3, Schedule of Prior Year Audit Recommendation Status, which it was required to submit to the State Controller. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Under House Bill 20-1410, the Housing Development Grant Fund was appropriated $19,650,000 of funds from the CRF for the purpose of providing individuals and households who, on or after March 1, 2020, experienced financial need due to the COVID-19 pandemic or effects of the COVID-19 pandemic, with rental assistance. The House Bill also provided guidance on how to access additional housing services. The Department developed and issued a new application for the POPP to address the criteria for experiencing direct or indirect impacts of the COVID-19 pandemic. ? Federal regulations [2 CFR 200.303] require that the Department, as a federal grant recipient, ?establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.? Furthermore, in accordance with 2 CFR part 200, subpart E, the Department must determine that amounts paid with federal grant funds were necessary and reasonable for the performance of the federal award and are adequately documented. Therefore, the Department must maintain appropriate supporting documentation to verify costs were properly charged to the federal grants. ? The Office of the State Controller (OSC) requires each department that had a prior audit recommendation that was reported in the prior fiscal year?s Office of the State Auditor Statewide audit to complete an Exhibit K3 to report the Department?s determination of the status of their recommendation as of June 30. Possible status descriptions include ?Implemented,? ?Partially Implemented,? ?Not Implemented,? and ?No Longer Valid.? The Department must provide an explanation for each recommendation status. What problem did the audit work identify? We determined that the Department did not implement the prior year?s recommendation by its planned implementation date of June 2022. Specifically, during prior year audit work, we found that the Department could not provide appropriate underlying support for 4 of the 60 transactions (7 percent) we tested that were charged as CRF expenditures for the Program; as a result, we recommended that the Department strengthen its internal controls over federal grant spending, including that it develop and implement policies and procedures with a requirement that Department staff review and maintain records supporting its expenditures charged to federal programs. When we inquired of the Department about what steps it had taken to implement the recommendation, Department staff indicated that they did not implement the recommendation during Fiscal Year 2022. Why did this problem occur? The Department reported on its Exhibit K3 that it determined that the original implementation date of June 2022 that the Department provided as its planned implementation date for our Fiscal Year 2021 recommendation was unrealistic, given the Department?s staffing challenges. Specifically, the Department indicated that it was not able to allocate sufficient time to develop and implement the recommended policy and procedure guidance by the end of Fiscal Year 2022. Why does this problem matter? The Department?s lack of sufficient internal controls over the maintenance of complete and accurate records for the federal CRF monies could result in inadequate documentation to support its payments and ultimately, disallowed federal costs and potential sanctions. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-074 The Department of Local Affairs (Department) should implement internal controls to ensure it complies with federal regulations, specifically for activities allowed or unallowed and allowable costs/cost principles, for any new federal funds it receives, such as the Coronavirus Relief Fund. This should include developing and implementing policies and procedures that include a requirement that Department staff review and maintain records supporting the expenditures charged to the federal program. Response Department of Local Affairs Agree Implementation Date: September 2022 The Division of Housing within the Department of Local Affairs has implemented internal controls to ensure compliance with federal regulations for new federal funds, including the development of a standard procedure and the requirement that Department staff review and maintain records supporting the expenditures charged to new federal programs.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Finding 2022-059 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF I) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund (Assistance Listing No. 84.425). The HEERF program contains two portions: the Student Aid portion (Assistance Listing No. 84.425E) and the Institutional portion, which is made up of the following: HEERF Institutional Aid Portion (Assistance Listing No. 84.425F), HEERF Minority Serving Institutions (Assistance Listing No. 84.425L), HEERF Strengthening Institutions Program (Assistance Listing No. 84.425M), Institutional Resilience and Expanded Postsecondary Opportunity (Assistance Listing No. 84.425P), and HEERF Supplemental Assistance to Institutions of Higher Education program (Assistance Listing No. 84.425S). Amounts provided to students through HEERF are considered to be ?Emergency Financial Aid Grants to Students? under the Program. Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent approximately $97.8 million for the HEERF program Student Aid portion which is used to award Emergency Financial Aid Grants to students and $113.9 million for the HEERF Institutional Portion, which is used to support the colleges. $117.3 of this amount was expended by the System during Fiscal Year 2022. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the ED to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The annual report is to be submitted directly to the ED. The ED has specified certain criteria that must be included in each report. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System had adequate internal controls in place over, and complied with, the HEERF Institutional and Student Aid grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the System?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 25 of the 117 HEERF reports submitted by the System?s campuses during Fiscal Year 2022 to determine whether the reports were posted on each campus? primary website (quarterly reports) or submitted to ED (annual reports) by the federal due dates. Furthermore, for the Student Aid Quarterly Report we requested from each Campus the underlying support for the reports, which consisted of student data detailing how much aid was awarded and the methods the campuses used to determine which students would receive Emergency Financial Aid Grants. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? On May 13, 2021, the ED published in the Federal Register a notice for student aid public reporting under CRRSAA and ARP, which requires that institutions publicly post certain information on their website. The following information must appear in a format and location that is easily accessible to the public: o An acknowledgement that the institution signed and returned to the ED the Certification and Agreement and the assurance that the institution has used the applicable amount of funds designated under the CRRSAA and ARP programs to provide Emergency Financial Aid Grants to Students. o The total amount of funds that the institution will receive or has received from the ED pursuant to the institution's Certification and Agreement for Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total amount of Emergency Financial Aid Grants distributed to students under the CRRSAA and ARP programs as of the date of submission (i.e., as of the initial report and every calendar quarter thereafter). o The estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total number of students who have received an Emergency Financial Aid Grant to students under the CRRSAA and ARP programs. o The method(s) used by the institution to determine which students receive Emergency Financial Aid Grants and how much they would receive under the CRRSAA and ARP programs. o Any instructions, directions, or guidance provided by the institution to students concerning the Emergency Financial Aid Grants. ? Federal Uniform Guidance [2 CFR 200.303] requires that recipients of federal awards have internal controls in place to ensure that federal reports are accurate and report complete information. Appropriate supporting documentation is evidence of such internal controls. What problems did the audit work identify? We identified issues with 5 of the 25 Fiscal Year 2022 reports we tested (20 percent). Specifically, Front Range Community College (FRCC), Pueblo Community College (PCC), and Lamar Community College (LCC) could not provide appropriate supporting documentation for one or more of the following data elements in five of the Student Aid Quarterly Reports: student data detailing (a) the total amount of Emergency Financial Aid Grants distributed to students, (b) the total number of students eligible to receive Emergency Financial Aid Grants and/or (c) the total number of students at the institution who have received an Emergency Financial Aid Grant. The specific issues we found the following: ? FRCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended September 30, 2021 as 20,684; based on our review, we determined the supported number was 20,782. ? FRCC reported the total number of students at the institution who have received an Emergency Financial Aid Grant for the quarter ended June 30, 2022 as 20,385 (student portion) and 3,207 (institutional portion); based on our review, we determined the supported numbers were 20,401 and 3,222, respectively. ? LCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended June 30, 2022 as 1,007; based on our review, we determined the supported number was 1,034. In addition, the amount disbursed directly to student emergency financial aid grants to date was reported as 961 and total for all HEERF funds was 1,124; based on our review, we determined the supported numbers were 988 and 1,151, respectively. ? PCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarters ending September 30, 2021 and December 31, 2021 as 3,191; based on our review, we determined this amount could not be supported and PCC did not provide a revised count. Why did these problems occur? FRCC, PCC, and LCC campuses did not have procedures in place to ensure that supporting documentation was maintained for its Student Aid Quarterly Reporting. Employee turnover in the FRCC Controller position and FRCC, PCC, and LCC Student Financial Aid Director positions further contributed to FRCC, PCC, and LCC?s inability to locate or recreate the supporting documentation. Why do these problems matter? It is important for FRCC, PCC, and LCC to ensure that they obtain and maintain appropriate documentation to support amounts reported to federal awarding agencies, especially when they are the basis for determining FRCC, PCC, and LCC?s compliance with specific federal program requirements. This issue could lead to inaccurate federal reporting and potential noncompliance, which could result in the federal government requiring FRCC, PCC, and LCC to return funds or a negative impact to the System?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-059 Front Range Community College, Lamar Community College, and Pueblo Community College campuses should strengthen their internal controls over federal reporting and ensure they comply with the Higher Education Emergency Relief Fund reporting requirements by reviewing reports for accuracy and developing procedures for ensuring the required maintenance of all related supporting documentation. Response Front Range Community College Agree Implementation Date: September 2022 Moving forward the Director of Financial Aid will engage the Restricted Funds Accountants in a quality assurance review of both dollars spent, type of fund, and student counts before it is submitted for final review and publishing by the Director of Resource Development and Senior Grant Administrator. The most recently submitted information for the quarterly report of September 30, 2022 will be sent to the Restricted Funds Accountants to validate that FRCC has been and will continue to be in compliance for quarterly HEERF reporting. Response Lamar Community College Agree Implementation Date: July 2022 The Financial Aid Director and the Controller will compile their reporting support on the shared drive they utilize for other routine purposes as well, to ensure clear documentation of the numbers reported. The original report containing errors was corrected, validated, and reposted. All past year?s reporting data was made available on the shared drive as of July 2022. Response Pueblo Community College Agree Implementation Date: October 2022 Each quarter Financial aid will obtain and compare Cognos and Banner disbursement reports for accuracy. Once the unduplicated student count is determined it will be sent to the Vice President of Student Success to validate and approve going forward. Financial aid will ensure staff maintain supporting documentation for any institutional expenditures information that was obtained from the fiscal office. Disbursement and expenditure data will be compiled for the Department of Education?s Quarterly Report by the submission deadline and will be submitted as PDF to webmaster for posting on PCC?s website and a copy emailed to a contact at the Department of Education and will archive the submission for future reference.
Finding 2022-064 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide emergency financial assistance to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the University under the Higher Education Emergency Relief Fund (HEERF I) Program. The federal Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the federal American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Each of the University?s campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (DOE) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements of the HEERF program there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The DOE specified that the Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The University?s campuses are required to submit the annual report directly to the DOE. During Fiscal Year 2022, each University campus was required to complete and post 8 reports (four Student Aid and four Institutional) to their website. During Fiscal Year 2022, the University?s three campuses in total expended approximately $60 million in HEERF grant funds: $27 million was expended by the Boulder campus, $10.5 million was expended by the Colorado Springs campus, and $22.5 million was expended by the Denver campus. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over and complied with the HEERF grant reporting requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls over the HEERF grant reporting requirements. In addition, we tested 11 of the 12 student reports and 3 of the 12 institutional reports posted by the University during Fiscal Year 2022 to determine whether the University campuses posted the required information on each campus? website accurately, and by the federal due dates. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? The DOE issued a notice on May 13, 2021, requiring institutions to publicly post their required HEERF reports on the institution?s website as soon as possible, but no later than 30 days after the publication of the notice, or 30 days after the date the DOE first obligated funds under HEERF I, II, or III to the institution for emergency financial assistance to students; whichever comes later. The institution is required to post the report no later than 10 days after the end of each calendar quarter, after the initial posting. ? Federal regulation [2 CFR 200.303] states that the System?s campuses, as federal grant recipients, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? What problem did the audit work identify? We identified 2 out of the 14 reports tested (14.3 percent) that did not meet the HEERF grant report posting requirements. Specifically, the University of Colorado, Colorado Springs Campus, did not post the required information for the HEERF Student Aid Portion on its website for two of four quarters of Fiscal Year 2022 timely. First, the University posted the quarter-ending September 30, 2021 report to its website on December 23, 2021, or 74 days after the deadline of October 10. Second, the University did not post the quarter-ending March 31, 2022 report, which was due April 10, 2022, until October 2022, after we notified them of the error; this was approximately 6 months late. We did not identify any issues with the accuracy of the reports, and we found that the other two campuses in the University of Colorado System posted the required information on their respective websites as required by federal regulations. Why did this problem occur? The University?s Colorado Springs campus did not have adequate internal controls in place to ensure it complied with the HEERF grant reporting requirements. Specifically, the Colorado Springs Campus did not have appropriate policies and procedures in place for identifying and researching changes in HEERF reporting requirements. The federal government updated and provided a new form for HEERF reporting in September 2021 that included a section for institutional information but inadvertently excluded student information from the form. Because the form no longer required the student information, the Colorado Springs campus staff inaccurately assumed that the student information was no longer required to be reported. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in the DOE Certification and Agreement that is signed and agreed to by the University. By failing to report required information in accordance with federal regulations, the University failed to comply with the requirements of the HEERF program and potentially risks repercussions from the DOE as specified in the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-064 The University of Colorado?s Colorado Springs campus should strengthen its internal controls over and ensure that it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by establishing policies and procedures for identifying and researching changes in HEERF reporting requirements and posting reports to the campus website as required by federal regulations. Response University of Colorado Agree Implementation Date: Implemented Management agrees. After the notification of the missing HEERF report in December 2021, the UCCS Controller proposed a ?cross-check? process to ensure all future reporting is in compliance and reported in a timely manner. This process is used for both the quarterly and annual reporting process. In the quarterly reporting process, the UCCS Controller completes the institutional report and emails the report to the UCCS Financial Aid office Senior Executive Director for verification of the amounts and the data submitted. The Senior Executive Director then enters the student aid portion?s information and provides this to the UCCS Controller for verification of the data. Once verified, the report is uploaded to the UCCS website and a confirmation email is sent to the UCCS Controller as well as the heerfreporting@ed.gov for verification of completion of the website posting. This process has been duplicated with the annual reporting process. Before the annual report is submitted a review will be done to verify the report figures match the CU financials for the calendar year.
Finding 2022-063 Higher Education Emergency Relief Fund Reporting Compliance Finding The CARES Act was signed into law on March 27, 2020, and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the (HEERF Program. CRRSAA was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Since April 2020, the University has been awarded a total of $86.3 million in HEERF funding. From inception through June 30, 2022, the University spent $35.4 million for the HEERF program Student Aid Portion and $48.9 million for the HEERF program Institutional Portion. The University reports that it will spend the remaining amount of funding during Fiscal Year 2023. The University signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate the University?s acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The ED specified that Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The annual report is to be submitted directly to the federal ED. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University had adequate internal controls in place over and complied with HEERF Institutional and Student Aid Portion grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the University?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 5 of the 8 HEERF reports submitted by the University during Fiscal Year 2022 to determine whether the reports were posted on the University?s primary website or submitted directly to the ED by the federal due dates and complied with federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? For the Student Aid Portion, beginning on May 6, 2020, the ED required institutions to publicly post certain information on their website, including the number of awards distributed to students, the total amount awarded, and the methodologies used by the institution to determine which students receive awards, no later than 30 days after the award date, and to update that information every 45 days thereafter (by posting a new report). ? On August 31, 2020, the ED revised the reporting requirement by decreasing the frequency of reporting after the initial 30-day period from every 45 days thereafter to every calendar quarter. This revision from every 45 days to a calendar quarter was effective for the first calendar quarter report due by October 10, 2020, and covering the period from after the institution?s last report through the end of the calendar quarter on September 30, 2020. ? For the Institutional Portion, a federal form filled out by the institution must be posted on the institution?s website covering aggregate expenditure amounts for each calendar quarter (September 30, December 31, March 31, and June 30) and concluding after an institution has spent the institutional portion of their HEERF Funds. The institution must post their first report by October 30, 2020, the first quarter of 2021 report by July 20, 2021, and post all other reports no later than 10 days after the end of each calendar quarter (October 10, January 10, April 10, and July 10). ? Section 18004(e) of the CARES Act and Section 314(e) of the CRRSAA require an institution receiving funds under HEERF to submit a report to the Secretary of the ED at ?such time in such a manner as the Secretary may require?. ? Federal regulation [2 CFR 200.334] states that ?financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.? The instructions for the Quarterly HEERF Reporting Form notes, ?any changes or updates after the initial posting must be conspicuously noted after initial posting and the date of the change must be noted in the `Date of Report? line.? ? Federal regulation [2 CFR 200.303] states that the University, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The University signed a HEERF Certification and Agreement to accept the funding and acknowledge its responsibilities under the grant; therefore, the University was responsible under the Agreement to ensure that it complied with HEERF reporting and other requirements. What problems did the audit work identify? We determined that 2 out of 5 reports tested (40 percent) did not meet the HEERF grant report posting requirements. Specifically: ? The University did not post the HEERF CRRSAA Student quarterly report for the quarter ending September 30, 2021 on the University?s primary website, as required. ? The University published the HEERF ARP Student quarterly report for the quarter ending March 31, 2022 on May 26, 2022?46 days past the due date of April 10, 2022. No issues were noted on the accuracy of the financial information on this report. Why did these problems occur? The University did not implement adequate internal controls to ensure it complied with the HEERF grant reporting requirements. Specifically, the University did not have appropriate policies and procedures in place to ensure that staff submit the required reports within federally required timeframes. Why do these problems matter? Federal oversight agencies, including ED, depend on accurate reports to measure program results and states? compliance with federal requirements. By failing to report the HEERF spending information in accordance with federal regulations, the University failed to comply with the requirements of the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-063 Metropolitan State University of Denver (University) should strengthen its internal controls over reporting and ensure it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by developing and documenting policies and procedures for identifying and researching the specific reporting requirements and ensuring that staff post to the University?s website the required reports within federally required timeframes. In addition, the University should ensure that all the HEERF reports that are currently required to be posted are on the website. Response Metropolitan State University Agree Implementation Date: December 2022 In December 2022, the Office of Financial Aid strengthened its internal control over the reporting requirements for the Higher Education Emergency Relief Fund (HEERF), by adding the report due dates to the internal operational calendar. Additional level reviews were also added to the submission process before the required reports will be sent to the Department of Education and posted on the financial aid website.
Finding 2022-062 Higher Education Emergency Relief Fund Student Aid Finding The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to higher education institutions, including the University, under the HEERF program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA) was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. Since March 11, 2021, the University has been awarded $45.6 million in HEERF grant funds through the American Rescue Plan (ARP), otherwise known as HEERF III. Of this award, the University was provided both 1) Student Aid monies, along with 2) Institutional Aid monies. Student Aid monies must be used to provide financial aid grants to students (including students exclusively enrolled in distance education), which may be used for ?any component of the student?s cost of attendance or for emergency costs that arise due to coronavirus, such as tuition, food, housing, healthcare (including mental health care), or childcare. Institutional Aid monies may be used to defray expenses associated with coronavirus (including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll) and to make additional financial grants to students. During Fiscal Year 2022, the University spent $21.0 million for the Student Aid portion and $20.2 million for the Institutional portion of HEERF III funds. For the Student Aid portion of the HEERF III funding, the University divided the funding into different groups. The University developed a written plan (that applied during Fiscal Year 2022) for each group and a control process for awarding the monies to students. One of the groups of funding was to be awarded to students with unpaid balances in their tuition or auxiliary accounts with past due balances incurred during the 2020-2021 or 2021-2022 academic years. A team of University employees (CARES Team) was tasked with identifying those students, then contacting those students and asking if they would like the University to apply the student?s HEERF award to pay down the student?s account balance or pay it to the student directly. Once the student informed the University of their election, then the University awarded and disbursed the funds. What was the purpose of our audit work and what was performed? The purpose of the audit work was to determine whether the University was in compliance with the HEERF program regulations for awarding and paying the Student Aid portion of the HEERF funding, and whether proper controls were in place over the program during Fiscal Year 2022. Our testing included conducting interviews with management and selecting a sample of 60 disbursements made to students during Fiscal Year 2022 to test controls and compliance. We performed testing on the 60 disbursements to determine whether awards and disbursements were made in accordance with the University?s documented plan. How were the results of the audit work measured? In accordance with HEERF III requirements, the University must prioritize student aid distributions to students with exceptional needs. In addition, the University must have a documented plan to distribute funds to students. Federal regulations [2 CFR 200.303] require any non-federal grant award recipient to establish and maintain effective internal control over the federal award that provides reasonable assurance that the grant award recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. Lastly, student aid application best practices discourage employees from awarding aid to family members. What problem did the audit work identify? Based on interviews with University management, the University identified that a University employee inappropriately provided $700 in HEERF Student Aid funding to the employee?s family member who was a student at the University but was not eligible to receive the funds. Specifically, the CARES Team selected students to receive these funds that met the following criteria: 1) Student was enrolled in the Fall of 2021 or Spring 2022, 2) student had past due balances incurred during the 2020-2021 or 2021-2022 academic years, 3) the student was in good academic standing, and 4) they were participating in a payment plan or in the College Completion Advising program. The student was not selected by the CARES Team as eligible to receive these funds. During our testing of additional 60 student disbursement transactions we found no other exceptions. Why did this problem occur? The University has not established proper segregation of duties to prevent University employees from awarding federal funding to a member of their family. Specifically, the employee had access rights within the University?s financial aid system that granted the employee the ability to both award and disburse federal funds without another employee reviewing or approving. In addition, the University did not have a written policy, as recommended by industry best practices, that prohibits employees from applying aid to family members? accounts. Why does this problem matter? Federal funds that are misapplied or used for unallowable purposes could be subject to repayment from the University to the federal granting agency. Without ensuring adequate segregation of duties within the University?s financial aid system for awarding and disbursing federal funds, the University increases the risk that fraud could occur. In the instance identified, the University recovered the funding from the student. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-062 Metropolitan State University of Denver (University) should improve its internal controls over federal Higher Education Emergency Relief Funds by instituting appropriate segregation of duties over the awarding of federal funds to students. This should include requiring that no one employee can both award then disburse aid to students and developing and implementing a formal written policy that prohibits University employees from awarding financial aid to their family members. Response Metropolitan State University Agree Implementation Date: June 2023 In January 2023, the Executive Director of Financial Aid and Scholarships implemented a code of conduct that addresses and prohibits University personnel from awarding financial aid to their family members or other persons considered conflicts of interest. The Office of Financial Aid and Scholarships will draft policy by June 30, 2023, to address the segregation of duties that prohibits awarding and disbursing federal, state, or institutional funding to students by one employee.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-064 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide emergency financial assistance to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the University under the Higher Education Emergency Relief Fund (HEERF I) Program. The federal Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the federal American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Each of the University?s campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (DOE) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements of the HEERF program there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The DOE specified that the Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The University?s campuses are required to submit the annual report directly to the DOE. During Fiscal Year 2022, each University campus was required to complete and post 8 reports (four Student Aid and four Institutional) to their website. During Fiscal Year 2022, the University?s three campuses in total expended approximately $60 million in HEERF grant funds: $27 million was expended by the Boulder campus, $10.5 million was expended by the Colorado Springs campus, and $22.5 million was expended by the Denver campus. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over and complied with the HEERF grant reporting requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls over the HEERF grant reporting requirements. In addition, we tested 11 of the 12 student reports and 3 of the 12 institutional reports posted by the University during Fiscal Year 2022 to determine whether the University campuses posted the required information on each campus? website accurately, and by the federal due dates. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? The DOE issued a notice on May 13, 2021, requiring institutions to publicly post their required HEERF reports on the institution?s website as soon as possible, but no later than 30 days after the publication of the notice, or 30 days after the date the DOE first obligated funds under HEERF I, II, or III to the institution for emergency financial assistance to students; whichever comes later. The institution is required to post the report no later than 10 days after the end of each calendar quarter, after the initial posting. ? Federal regulation [2 CFR 200.303] states that the System?s campuses, as federal grant recipients, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? What problem did the audit work identify? We identified 2 out of the 14 reports tested (14.3 percent) that did not meet the HEERF grant report posting requirements. Specifically, the University of Colorado, Colorado Springs Campus, did not post the required information for the HEERF Student Aid Portion on its website for two of four quarters of Fiscal Year 2022 timely. First, the University posted the quarter-ending September 30, 2021 report to its website on December 23, 2021, or 74 days after the deadline of October 10. Second, the University did not post the quarter-ending March 31, 2022 report, which was due April 10, 2022, until October 2022, after we notified them of the error; this was approximately 6 months late. We did not identify any issues with the accuracy of the reports, and we found that the other two campuses in the University of Colorado System posted the required information on their respective websites as required by federal regulations. Why did this problem occur? The University?s Colorado Springs campus did not have adequate internal controls in place to ensure it complied with the HEERF grant reporting requirements. Specifically, the Colorado Springs Campus did not have appropriate policies and procedures in place for identifying and researching changes in HEERF reporting requirements. The federal government updated and provided a new form for HEERF reporting in September 2021 that included a section for institutional information but inadvertently excluded student information from the form. Because the form no longer required the student information, the Colorado Springs campus staff inaccurately assumed that the student information was no longer required to be reported. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in the DOE Certification and Agreement that is signed and agreed to by the University. By failing to report required information in accordance with federal regulations, the University failed to comply with the requirements of the HEERF program and potentially risks repercussions from the DOE as specified in the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-064 The University of Colorado?s Colorado Springs campus should strengthen its internal controls over and ensure that it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by establishing policies and procedures for identifying and researching changes in HEERF reporting requirements and posting reports to the campus website as required by federal regulations. Response University of Colorado Agree Implementation Date: Implemented Management agrees. After the notification of the missing HEERF report in December 2021, the UCCS Controller proposed a ?cross-check? process to ensure all future reporting is in compliance and reported in a timely manner. This process is used for both the quarterly and annual reporting process. In the quarterly reporting process, the UCCS Controller completes the institutional report and emails the report to the UCCS Financial Aid office Senior Executive Director for verification of the amounts and the data submitted. The Senior Executive Director then enters the student aid portion?s information and provides this to the UCCS Controller for verification of the data. Once verified, the report is uploaded to the UCCS website and a confirmation email is sent to the UCCS Controller as well as the heerfreporting@ed.gov for verification of completion of the website posting. This process has been duplicated with the annual reporting process. Before the annual report is submitted a review will be done to verify the report figures match the CU financials for the calendar year.
Finding 2022-062 Higher Education Emergency Relief Fund Student Aid Finding The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to higher education institutions, including the University, under the HEERF program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA) was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. Since March 11, 2021, the University has been awarded $45.6 million in HEERF grant funds through the American Rescue Plan (ARP), otherwise known as HEERF III. Of this award, the University was provided both 1) Student Aid monies, along with 2) Institutional Aid monies. Student Aid monies must be used to provide financial aid grants to students (including students exclusively enrolled in distance education), which may be used for ?any component of the student?s cost of attendance or for emergency costs that arise due to coronavirus, such as tuition, food, housing, healthcare (including mental health care), or childcare. Institutional Aid monies may be used to defray expenses associated with coronavirus (including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll) and to make additional financial grants to students. During Fiscal Year 2022, the University spent $21.0 million for the Student Aid portion and $20.2 million for the Institutional portion of HEERF III funds. For the Student Aid portion of the HEERF III funding, the University divided the funding into different groups. The University developed a written plan (that applied during Fiscal Year 2022) for each group and a control process for awarding the monies to students. One of the groups of funding was to be awarded to students with unpaid balances in their tuition or auxiliary accounts with past due balances incurred during the 2020-2021 or 2021-2022 academic years. A team of University employees (CARES Team) was tasked with identifying those students, then contacting those students and asking if they would like the University to apply the student?s HEERF award to pay down the student?s account balance or pay it to the student directly. Once the student informed the University of their election, then the University awarded and disbursed the funds. What was the purpose of our audit work and what was performed? The purpose of the audit work was to determine whether the University was in compliance with the HEERF program regulations for awarding and paying the Student Aid portion of the HEERF funding, and whether proper controls were in place over the program during Fiscal Year 2022. Our testing included conducting interviews with management and selecting a sample of 60 disbursements made to students during Fiscal Year 2022 to test controls and compliance. We performed testing on the 60 disbursements to determine whether awards and disbursements were made in accordance with the University?s documented plan. How were the results of the audit work measured? In accordance with HEERF III requirements, the University must prioritize student aid distributions to students with exceptional needs. In addition, the University must have a documented plan to distribute funds to students. Federal regulations [2 CFR 200.303] require any non-federal grant award recipient to establish and maintain effective internal control over the federal award that provides reasonable assurance that the grant award recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. Lastly, student aid application best practices discourage employees from awarding aid to family members. What problem did the audit work identify? Based on interviews with University management, the University identified that a University employee inappropriately provided $700 in HEERF Student Aid funding to the employee?s family member who was a student at the University but was not eligible to receive the funds. Specifically, the CARES Team selected students to receive these funds that met the following criteria: 1) Student was enrolled in the Fall of 2021 or Spring 2022, 2) student had past due balances incurred during the 2020-2021 or 2021-2022 academic years, 3) the student was in good academic standing, and 4) they were participating in a payment plan or in the College Completion Advising program. The student was not selected by the CARES Team as eligible to receive these funds. During our testing of additional 60 student disbursement transactions we found no other exceptions. Why did this problem occur? The University has not established proper segregation of duties to prevent University employees from awarding federal funding to a member of their family. Specifically, the employee had access rights within the University?s financial aid system that granted the employee the ability to both award and disburse federal funds without another employee reviewing or approving. In addition, the University did not have a written policy, as recommended by industry best practices, that prohibits employees from applying aid to family members? accounts. Why does this problem matter? Federal funds that are misapplied or used for unallowable purposes could be subject to repayment from the University to the federal granting agency. Without ensuring adequate segregation of duties within the University?s financial aid system for awarding and disbursing federal funds, the University increases the risk that fraud could occur. In the instance identified, the University recovered the funding from the student. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-062 Metropolitan State University of Denver (University) should improve its internal controls over federal Higher Education Emergency Relief Funds by instituting appropriate segregation of duties over the awarding of federal funds to students. This should include requiring that no one employee can both award then disburse aid to students and developing and implementing a formal written policy that prohibits University employees from awarding financial aid to their family members. Response Metropolitan State University Agree Implementation Date: June 2023 In January 2023, the Executive Director of Financial Aid and Scholarships implemented a code of conduct that addresses and prohibits University personnel from awarding financial aid to their family members or other persons considered conflicts of interest. The Office of Financial Aid and Scholarships will draft policy by June 30, 2023, to address the segregation of duties that prohibits awarding and disbursing federal, state, or institutional funding to students by one employee.
Finding 2022-063 Higher Education Emergency Relief Fund Reporting Compliance Finding The CARES Act was signed into law on March 27, 2020, and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the (HEERF Program. CRRSAA was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Since April 2020, the University has been awarded a total of $86.3 million in HEERF funding. From inception through June 30, 2022, the University spent $35.4 million for the HEERF program Student Aid Portion and $48.9 million for the HEERF program Institutional Portion. The University reports that it will spend the remaining amount of funding during Fiscal Year 2023. The University signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate the University?s acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The ED specified that Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The annual report is to be submitted directly to the federal ED. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University had adequate internal controls in place over and complied with HEERF Institutional and Student Aid Portion grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the University?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 5 of the 8 HEERF reports submitted by the University during Fiscal Year 2022 to determine whether the reports were posted on the University?s primary website or submitted directly to the ED by the federal due dates and complied with federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? For the Student Aid Portion, beginning on May 6, 2020, the ED required institutions to publicly post certain information on their website, including the number of awards distributed to students, the total amount awarded, and the methodologies used by the institution to determine which students receive awards, no later than 30 days after the award date, and to update that information every 45 days thereafter (by posting a new report). ? On August 31, 2020, the ED revised the reporting requirement by decreasing the frequency of reporting after the initial 30-day period from every 45 days thereafter to every calendar quarter. This revision from every 45 days to a calendar quarter was effective for the first calendar quarter report due by October 10, 2020, and covering the period from after the institution?s last report through the end of the calendar quarter on September 30, 2020. ? For the Institutional Portion, a federal form filled out by the institution must be posted on the institution?s website covering aggregate expenditure amounts for each calendar quarter (September 30, December 31, March 31, and June 30) and concluding after an institution has spent the institutional portion of their HEERF Funds. The institution must post their first report by October 30, 2020, the first quarter of 2021 report by July 20, 2021, and post all other reports no later than 10 days after the end of each calendar quarter (October 10, January 10, April 10, and July 10). ? Section 18004(e) of the CARES Act and Section 314(e) of the CRRSAA require an institution receiving funds under HEERF to submit a report to the Secretary of the ED at ?such time in such a manner as the Secretary may require?. ? Federal regulation [2 CFR 200.334] states that ?financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.? The instructions for the Quarterly HEERF Reporting Form notes, ?any changes or updates after the initial posting must be conspicuously noted after initial posting and the date of the change must be noted in the `Date of Report? line.? ? Federal regulation [2 CFR 200.303] states that the University, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The University signed a HEERF Certification and Agreement to accept the funding and acknowledge its responsibilities under the grant; therefore, the University was responsible under the Agreement to ensure that it complied with HEERF reporting and other requirements. What problems did the audit work identify? We determined that 2 out of 5 reports tested (40 percent) did not meet the HEERF grant report posting requirements. Specifically: ? The University did not post the HEERF CRRSAA Student quarterly report for the quarter ending September 30, 2021 on the University?s primary website, as required. ? The University published the HEERF ARP Student quarterly report for the quarter ending March 31, 2022 on May 26, 2022?46 days past the due date of April 10, 2022. No issues were noted on the accuracy of the financial information on this report. Why did these problems occur? The University did not implement adequate internal controls to ensure it complied with the HEERF grant reporting requirements. Specifically, the University did not have appropriate policies and procedures in place to ensure that staff submit the required reports within federally required timeframes. Why do these problems matter? Federal oversight agencies, including ED, depend on accurate reports to measure program results and states? compliance with federal requirements. By failing to report the HEERF spending information in accordance with federal regulations, the University failed to comply with the requirements of the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-063 Metropolitan State University of Denver (University) should strengthen its internal controls over reporting and ensure it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by developing and documenting policies and procedures for identifying and researching the specific reporting requirements and ensuring that staff post to the University?s website the required reports within federally required timeframes. In addition, the University should ensure that all the HEERF reports that are currently required to be posted are on the website. Response Metropolitan State University Agree Implementation Date: December 2022 In December 2022, the Office of Financial Aid strengthened its internal control over the reporting requirements for the Higher Education Emergency Relief Fund (HEERF), by adding the report due dates to the internal operational calendar. Additional level reviews were also added to the submission process before the required reports will be sent to the Department of Education and posted on the financial aid website.
Finding 2022-059 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF I) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund (Assistance Listing No. 84.425). The HEERF program contains two portions: the Student Aid portion (Assistance Listing No. 84.425E) and the Institutional portion, which is made up of the following: HEERF Institutional Aid Portion (Assistance Listing No. 84.425F), HEERF Minority Serving Institutions (Assistance Listing No. 84.425L), HEERF Strengthening Institutions Program (Assistance Listing No. 84.425M), Institutional Resilience and Expanded Postsecondary Opportunity (Assistance Listing No. 84.425P), and HEERF Supplemental Assistance to Institutions of Higher Education program (Assistance Listing No. 84.425S). Amounts provided to students through HEERF are considered to be ?Emergency Financial Aid Grants to Students? under the Program. Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent approximately $97.8 million for the HEERF program Student Aid portion which is used to award Emergency Financial Aid Grants to students and $113.9 million for the HEERF Institutional Portion, which is used to support the colleges. $117.3 of this amount was expended by the System during Fiscal Year 2022. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the ED to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The annual report is to be submitted directly to the ED. The ED has specified certain criteria that must be included in each report. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System had adequate internal controls in place over, and complied with, the HEERF Institutional and Student Aid grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the System?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 25 of the 117 HEERF reports submitted by the System?s campuses during Fiscal Year 2022 to determine whether the reports were posted on each campus? primary website (quarterly reports) or submitted to ED (annual reports) by the federal due dates. Furthermore, for the Student Aid Quarterly Report we requested from each Campus the underlying support for the reports, which consisted of student data detailing how much aid was awarded and the methods the campuses used to determine which students would receive Emergency Financial Aid Grants. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? On May 13, 2021, the ED published in the Federal Register a notice for student aid public reporting under CRRSAA and ARP, which requires that institutions publicly post certain information on their website. The following information must appear in a format and location that is easily accessible to the public: o An acknowledgement that the institution signed and returned to the ED the Certification and Agreement and the assurance that the institution has used the applicable amount of funds designated under the CRRSAA and ARP programs to provide Emergency Financial Aid Grants to Students. o The total amount of funds that the institution will receive or has received from the ED pursuant to the institution's Certification and Agreement for Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total amount of Emergency Financial Aid Grants distributed to students under the CRRSAA and ARP programs as of the date of submission (i.e., as of the initial report and every calendar quarter thereafter). o The estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total number of students who have received an Emergency Financial Aid Grant to students under the CRRSAA and ARP programs. o The method(s) used by the institution to determine which students receive Emergency Financial Aid Grants and how much they would receive under the CRRSAA and ARP programs. o Any instructions, directions, or guidance provided by the institution to students concerning the Emergency Financial Aid Grants. ? Federal Uniform Guidance [2 CFR 200.303] requires that recipients of federal awards have internal controls in place to ensure that federal reports are accurate and report complete information. Appropriate supporting documentation is evidence of such internal controls. What problems did the audit work identify? We identified issues with 5 of the 25 Fiscal Year 2022 reports we tested (20 percent). Specifically, Front Range Community College (FRCC), Pueblo Community College (PCC), and Lamar Community College (LCC) could not provide appropriate supporting documentation for one or more of the following data elements in five of the Student Aid Quarterly Reports: student data detailing (a) the total amount of Emergency Financial Aid Grants distributed to students, (b) the total number of students eligible to receive Emergency Financial Aid Grants and/or (c) the total number of students at the institution who have received an Emergency Financial Aid Grant. The specific issues we found the following: ? FRCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended September 30, 2021 as 20,684; based on our review, we determined the supported number was 20,782. ? FRCC reported the total number of students at the institution who have received an Emergency Financial Aid Grant for the quarter ended June 30, 2022 as 20,385 (student portion) and 3,207 (institutional portion); based on our review, we determined the supported numbers were 20,401 and 3,222, respectively. ? LCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended June 30, 2022 as 1,007; based on our review, we determined the supported number was 1,034. In addition, the amount disbursed directly to student emergency financial aid grants to date was reported as 961 and total for all HEERF funds was 1,124; based on our review, we determined the supported numbers were 988 and 1,151, respectively. ? PCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarters ending September 30, 2021 and December 31, 2021 as 3,191; based on our review, we determined this amount could not be supported and PCC did not provide a revised count. Why did these problems occur? FRCC, PCC, and LCC campuses did not have procedures in place to ensure that supporting documentation was maintained for its Student Aid Quarterly Reporting. Employee turnover in the FRCC Controller position and FRCC, PCC, and LCC Student Financial Aid Director positions further contributed to FRCC, PCC, and LCC?s inability to locate or recreate the supporting documentation. Why do these problems matter? It is important for FRCC, PCC, and LCC to ensure that they obtain and maintain appropriate documentation to support amounts reported to federal awarding agencies, especially when they are the basis for determining FRCC, PCC, and LCC?s compliance with specific federal program requirements. This issue could lead to inaccurate federal reporting and potential noncompliance, which could result in the federal government requiring FRCC, PCC, and LCC to return funds or a negative impact to the System?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-059 Front Range Community College, Lamar Community College, and Pueblo Community College campuses should strengthen their internal controls over federal reporting and ensure they comply with the Higher Education Emergency Relief Fund reporting requirements by reviewing reports for accuracy and developing procedures for ensuring the required maintenance of all related supporting documentation. Response Front Range Community College Agree Implementation Date: September 2022 Moving forward the Director of Financial Aid will engage the Restricted Funds Accountants in a quality assurance review of both dollars spent, type of fund, and student counts before it is submitted for final review and publishing by the Director of Resource Development and Senior Grant Administrator. The most recently submitted information for the quarterly report of September 30, 2022 will be sent to the Restricted Funds Accountants to validate that FRCC has been and will continue to be in compliance for quarterly HEERF reporting. Response Lamar Community College Agree Implementation Date: July 2022 The Financial Aid Director and the Controller will compile their reporting support on the shared drive they utilize for other routine purposes as well, to ensure clear documentation of the numbers reported. The original report containing errors was corrected, validated, and reposted. All past year?s reporting data was made available on the shared drive as of July 2022. Response Pueblo Community College Agree Implementation Date: October 2022 Each quarter Financial aid will obtain and compare Cognos and Banner disbursement reports for accuracy. Once the unduplicated student count is determined it will be sent to the Vice President of Student Success to validate and approve going forward. Financial aid will ensure staff maintain supporting documentation for any institutional expenditures information that was obtained from the fiscal office. Disbursement and expenditure data will be compiled for the Department of Education?s Quarterly Report by the submission deadline and will be submitted as PDF to webmaster for posting on PCC?s website and a copy emailed to a contact at the Department of Education and will archive the submission for future reference.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-074 Coronavirus Relief Funds?Property Owner Preservation Program The President of the United States issued the Proclamation on Declaring a National Emergency Concerning the Novel Coronavirus Disease (COVID-19) Outbreak on March 13, 2020 and Congress subsequently passed the Coronavirus Aid, Relief, and Economic Security (CARES) Act. The CARES Act provided emergency assistance in response to the COVID-19 pandemic and established the Coronavirus Relief Fund (CRF) program, which provided payments to state, local, and tribal governments navigating the impact of COVID-19. The State of Colorado received approximately $1.67 billion of CRF funds in April 2020, and the Governor issued Executive Order 2020-070 (Executive Order) in May 2020 to disburse the CRF funds to numerous state departments and agencies. In June 2020, the State passed House Bill 20-1410, concerning assistance for individuals facing a housing-related hardship due to the COVID-19 pandemic, and transferred approximately $19.7 million of CRF funds to the Housing Development Grant Fund to provide such assistance. This bill includes a provision for the Property Owners Preservation Program (Program), which was managed by the Department, to allow landlords and property owners to seek rental assistance on behalf of their tenants who experienced a financial need on or after March 1, 2020, due to the effects of the COVID-19 pandemic. In Fiscal Year 2021, the Department expended the $19.7 million of the CRF funds it received in April 2020, for the Property Owners Preservation Program (POPP). What was the purpose of our audit work and what work was performed? The purpose of the audit work was to follow up on our prior year audit recommendation, which recommended that the Department implement internal controls to ensure it complies with federal regulations for any new federal funds it receives, such as the CRF. The Department planned to implement this recommendation by June 2022. During the Fiscal Year 2022 audit, we inquired with the Department on the implementation status of this recommendation. We also obtained and reviewed the Department?s Exhibit K3, Schedule of Prior Year Audit Recommendation Status, which it was required to submit to the State Controller. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Under House Bill 20-1410, the Housing Development Grant Fund was appropriated $19,650,000 of funds from the CRF for the purpose of providing individuals and households who, on or after March 1, 2020, experienced financial need due to the COVID-19 pandemic or effects of the COVID-19 pandemic, with rental assistance. The House Bill also provided guidance on how to access additional housing services. The Department developed and issued a new application for the POPP to address the criteria for experiencing direct or indirect impacts of the COVID-19 pandemic. ? Federal regulations [2 CFR 200.303] require that the Department, as a federal grant recipient, ?establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.? Furthermore, in accordance with 2 CFR part 200, subpart E, the Department must determine that amounts paid with federal grant funds were necessary and reasonable for the performance of the federal award and are adequately documented. Therefore, the Department must maintain appropriate supporting documentation to verify costs were properly charged to the federal grants. ? The Office of the State Controller (OSC) requires each department that had a prior audit recommendation that was reported in the prior fiscal year?s Office of the State Auditor Statewide audit to complete an Exhibit K3 to report the Department?s determination of the status of their recommendation as of June 30. Possible status descriptions include ?Implemented,? ?Partially Implemented,? ?Not Implemented,? and ?No Longer Valid.? The Department must provide an explanation for each recommendation status. What problem did the audit work identify? We determined that the Department did not implement the prior year?s recommendation by its planned implementation date of June 2022. Specifically, during prior year audit work, we found that the Department could not provide appropriate underlying support for 4 of the 60 transactions (7 percent) we tested that were charged as CRF expenditures for the Program; as a result, we recommended that the Department strengthen its internal controls over federal grant spending, including that it develop and implement policies and procedures with a requirement that Department staff review and maintain records supporting its expenditures charged to federal programs. When we inquired of the Department about what steps it had taken to implement the recommendation, Department staff indicated that they did not implement the recommendation during Fiscal Year 2022. Why did this problem occur? The Department reported on its Exhibit K3 that it determined that the original implementation date of June 2022 that the Department provided as its planned implementation date for our Fiscal Year 2021 recommendation was unrealistic, given the Department?s staffing challenges. Specifically, the Department indicated that it was not able to allocate sufficient time to develop and implement the recommended policy and procedure guidance by the end of Fiscal Year 2022. Why does this problem matter? The Department?s lack of sufficient internal controls over the maintenance of complete and accurate records for the federal CRF monies could result in inadequate documentation to support its payments and ultimately, disallowed federal costs and potential sanctions. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-074 The Department of Local Affairs (Department) should implement internal controls to ensure it complies with federal regulations, specifically for activities allowed or unallowed and allowable costs/cost principles, for any new federal funds it receives, such as the Coronavirus Relief Fund. This should include developing and implementing policies and procedures that include a requirement that Department staff review and maintain records supporting the expenditures charged to the federal program. Response Department of Local Affairs Agree Implementation Date: September 2022 The Division of Housing within the Department of Local Affairs has implemented internal controls to ensure compliance with federal regulations for new federal funds, including the development of a standard procedure and the requirement that Department staff review and maintain records supporting the expenditures charged to new federal programs.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-059 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF I) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund (Assistance Listing No. 84.425). The HEERF program contains two portions: the Student Aid portion (Assistance Listing No. 84.425E) and the Institutional portion, which is made up of the following: HEERF Institutional Aid Portion (Assistance Listing No. 84.425F), HEERF Minority Serving Institutions (Assistance Listing No. 84.425L), HEERF Strengthening Institutions Program (Assistance Listing No. 84.425M), Institutional Resilience and Expanded Postsecondary Opportunity (Assistance Listing No. 84.425P), and HEERF Supplemental Assistance to Institutions of Higher Education program (Assistance Listing No. 84.425S). Amounts provided to students through HEERF are considered to be ?Emergency Financial Aid Grants to Students? under the Program. Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent approximately $97.8 million for the HEERF program Student Aid portion which is used to award Emergency Financial Aid Grants to students and $113.9 million for the HEERF Institutional Portion, which is used to support the colleges. $117.3 of this amount was expended by the System during Fiscal Year 2022. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the ED to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The annual report is to be submitted directly to the ED. The ED has specified certain criteria that must be included in each report. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System had adequate internal controls in place over, and complied with, the HEERF Institutional and Student Aid grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the System?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 25 of the 117 HEERF reports submitted by the System?s campuses during Fiscal Year 2022 to determine whether the reports were posted on each campus? primary website (quarterly reports) or submitted to ED (annual reports) by the federal due dates. Furthermore, for the Student Aid Quarterly Report we requested from each Campus the underlying support for the reports, which consisted of student data detailing how much aid was awarded and the methods the campuses used to determine which students would receive Emergency Financial Aid Grants. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? On May 13, 2021, the ED published in the Federal Register a notice for student aid public reporting under CRRSAA and ARP, which requires that institutions publicly post certain information on their website. The following information must appear in a format and location that is easily accessible to the public: o An acknowledgement that the institution signed and returned to the ED the Certification and Agreement and the assurance that the institution has used the applicable amount of funds designated under the CRRSAA and ARP programs to provide Emergency Financial Aid Grants to Students. o The total amount of funds that the institution will receive or has received from the ED pursuant to the institution's Certification and Agreement for Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total amount of Emergency Financial Aid Grants distributed to students under the CRRSAA and ARP programs as of the date of submission (i.e., as of the initial report and every calendar quarter thereafter). o The estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total number of students who have received an Emergency Financial Aid Grant to students under the CRRSAA and ARP programs. o The method(s) used by the institution to determine which students receive Emergency Financial Aid Grants and how much they would receive under the CRRSAA and ARP programs. o Any instructions, directions, or guidance provided by the institution to students concerning the Emergency Financial Aid Grants. ? Federal Uniform Guidance [2 CFR 200.303] requires that recipients of federal awards have internal controls in place to ensure that federal reports are accurate and report complete information. Appropriate supporting documentation is evidence of such internal controls. What problems did the audit work identify? We identified issues with 5 of the 25 Fiscal Year 2022 reports we tested (20 percent). Specifically, Front Range Community College (FRCC), Pueblo Community College (PCC), and Lamar Community College (LCC) could not provide appropriate supporting documentation for one or more of the following data elements in five of the Student Aid Quarterly Reports: student data detailing (a) the total amount of Emergency Financial Aid Grants distributed to students, (b) the total number of students eligible to receive Emergency Financial Aid Grants and/or (c) the total number of students at the institution who have received an Emergency Financial Aid Grant. The specific issues we found the following: ? FRCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended September 30, 2021 as 20,684; based on our review, we determined the supported number was 20,782. ? FRCC reported the total number of students at the institution who have received an Emergency Financial Aid Grant for the quarter ended June 30, 2022 as 20,385 (student portion) and 3,207 (institutional portion); based on our review, we determined the supported numbers were 20,401 and 3,222, respectively. ? LCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended June 30, 2022 as 1,007; based on our review, we determined the supported number was 1,034. In addition, the amount disbursed directly to student emergency financial aid grants to date was reported as 961 and total for all HEERF funds was 1,124; based on our review, we determined the supported numbers were 988 and 1,151, respectively. ? PCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarters ending September 30, 2021 and December 31, 2021 as 3,191; based on our review, we determined this amount could not be supported and PCC did not provide a revised count. Why did these problems occur? FRCC, PCC, and LCC campuses did not have procedures in place to ensure that supporting documentation was maintained for its Student Aid Quarterly Reporting. Employee turnover in the FRCC Controller position and FRCC, PCC, and LCC Student Financial Aid Director positions further contributed to FRCC, PCC, and LCC?s inability to locate or recreate the supporting documentation. Why do these problems matter? It is important for FRCC, PCC, and LCC to ensure that they obtain and maintain appropriate documentation to support amounts reported to federal awarding agencies, especially when they are the basis for determining FRCC, PCC, and LCC?s compliance with specific federal program requirements. This issue could lead to inaccurate federal reporting and potential noncompliance, which could result in the federal government requiring FRCC, PCC, and LCC to return funds or a negative impact to the System?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-059 Front Range Community College, Lamar Community College, and Pueblo Community College campuses should strengthen their internal controls over federal reporting and ensure they comply with the Higher Education Emergency Relief Fund reporting requirements by reviewing reports for accuracy and developing procedures for ensuring the required maintenance of all related supporting documentation. Response Front Range Community College Agree Implementation Date: September 2022 Moving forward the Director of Financial Aid will engage the Restricted Funds Accountants in a quality assurance review of both dollars spent, type of fund, and student counts before it is submitted for final review and publishing by the Director of Resource Development and Senior Grant Administrator. The most recently submitted information for the quarterly report of September 30, 2022 will be sent to the Restricted Funds Accountants to validate that FRCC has been and will continue to be in compliance for quarterly HEERF reporting. Response Lamar Community College Agree Implementation Date: July 2022 The Financial Aid Director and the Controller will compile their reporting support on the shared drive they utilize for other routine purposes as well, to ensure clear documentation of the numbers reported. The original report containing errors was corrected, validated, and reposted. All past year?s reporting data was made available on the shared drive as of July 2022. Response Pueblo Community College Agree Implementation Date: October 2022 Each quarter Financial aid will obtain and compare Cognos and Banner disbursement reports for accuracy. Once the unduplicated student count is determined it will be sent to the Vice President of Student Success to validate and approve going forward. Financial aid will ensure staff maintain supporting documentation for any institutional expenditures information that was obtained from the fiscal office. Disbursement and expenditure data will be compiled for the Department of Education?s Quarterly Report by the submission deadline and will be submitted as PDF to webmaster for posting on PCC?s website and a copy emailed to a contact at the Department of Education and will archive the submission for future reference.
Finding 2022-062 Higher Education Emergency Relief Fund Student Aid Finding The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to higher education institutions, including the University, under the HEERF program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA) was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. Since March 11, 2021, the University has been awarded $45.6 million in HEERF grant funds through the American Rescue Plan (ARP), otherwise known as HEERF III. Of this award, the University was provided both 1) Student Aid monies, along with 2) Institutional Aid monies. Student Aid monies must be used to provide financial aid grants to students (including students exclusively enrolled in distance education), which may be used for ?any component of the student?s cost of attendance or for emergency costs that arise due to coronavirus, such as tuition, food, housing, healthcare (including mental health care), or childcare. Institutional Aid monies may be used to defray expenses associated with coronavirus (including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll) and to make additional financial grants to students. During Fiscal Year 2022, the University spent $21.0 million for the Student Aid portion and $20.2 million for the Institutional portion of HEERF III funds. For the Student Aid portion of the HEERF III funding, the University divided the funding into different groups. The University developed a written plan (that applied during Fiscal Year 2022) for each group and a control process for awarding the monies to students. One of the groups of funding was to be awarded to students with unpaid balances in their tuition or auxiliary accounts with past due balances incurred during the 2020-2021 or 2021-2022 academic years. A team of University employees (CARES Team) was tasked with identifying those students, then contacting those students and asking if they would like the University to apply the student?s HEERF award to pay down the student?s account balance or pay it to the student directly. Once the student informed the University of their election, then the University awarded and disbursed the funds. What was the purpose of our audit work and what was performed? The purpose of the audit work was to determine whether the University was in compliance with the HEERF program regulations for awarding and paying the Student Aid portion of the HEERF funding, and whether proper controls were in place over the program during Fiscal Year 2022. Our testing included conducting interviews with management and selecting a sample of 60 disbursements made to students during Fiscal Year 2022 to test controls and compliance. We performed testing on the 60 disbursements to determine whether awards and disbursements were made in accordance with the University?s documented plan. How were the results of the audit work measured? In accordance with HEERF III requirements, the University must prioritize student aid distributions to students with exceptional needs. In addition, the University must have a documented plan to distribute funds to students. Federal regulations [2 CFR 200.303] require any non-federal grant award recipient to establish and maintain effective internal control over the federal award that provides reasonable assurance that the grant award recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. Lastly, student aid application best practices discourage employees from awarding aid to family members. What problem did the audit work identify? Based on interviews with University management, the University identified that a University employee inappropriately provided $700 in HEERF Student Aid funding to the employee?s family member who was a student at the University but was not eligible to receive the funds. Specifically, the CARES Team selected students to receive these funds that met the following criteria: 1) Student was enrolled in the Fall of 2021 or Spring 2022, 2) student had past due balances incurred during the 2020-2021 or 2021-2022 academic years, 3) the student was in good academic standing, and 4) they were participating in a payment plan or in the College Completion Advising program. The student was not selected by the CARES Team as eligible to receive these funds. During our testing of additional 60 student disbursement transactions we found no other exceptions. Why did this problem occur? The University has not established proper segregation of duties to prevent University employees from awarding federal funding to a member of their family. Specifically, the employee had access rights within the University?s financial aid system that granted the employee the ability to both award and disburse federal funds without another employee reviewing or approving. In addition, the University did not have a written policy, as recommended by industry best practices, that prohibits employees from applying aid to family members? accounts. Why does this problem matter? Federal funds that are misapplied or used for unallowable purposes could be subject to repayment from the University to the federal granting agency. Without ensuring adequate segregation of duties within the University?s financial aid system for awarding and disbursing federal funds, the University increases the risk that fraud could occur. In the instance identified, the University recovered the funding from the student. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-062 Metropolitan State University of Denver (University) should improve its internal controls over federal Higher Education Emergency Relief Funds by instituting appropriate segregation of duties over the awarding of federal funds to students. This should include requiring that no one employee can both award then disburse aid to students and developing and implementing a formal written policy that prohibits University employees from awarding financial aid to their family members. Response Metropolitan State University Agree Implementation Date: June 2023 In January 2023, the Executive Director of Financial Aid and Scholarships implemented a code of conduct that addresses and prohibits University personnel from awarding financial aid to their family members or other persons considered conflicts of interest. The Office of Financial Aid and Scholarships will draft policy by June 30, 2023, to address the segregation of duties that prohibits awarding and disbursing federal, state, or institutional funding to students by one employee.
Finding 2022-063 Higher Education Emergency Relief Fund Reporting Compliance Finding The CARES Act was signed into law on March 27, 2020, and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the (HEERF Program. CRRSAA was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Since April 2020, the University has been awarded a total of $86.3 million in HEERF funding. From inception through June 30, 2022, the University spent $35.4 million for the HEERF program Student Aid Portion and $48.9 million for the HEERF program Institutional Portion. The University reports that it will spend the remaining amount of funding during Fiscal Year 2023. The University signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate the University?s acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The ED specified that Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The annual report is to be submitted directly to the federal ED. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University had adequate internal controls in place over and complied with HEERF Institutional and Student Aid Portion grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the University?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 5 of the 8 HEERF reports submitted by the University during Fiscal Year 2022 to determine whether the reports were posted on the University?s primary website or submitted directly to the ED by the federal due dates and complied with federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? For the Student Aid Portion, beginning on May 6, 2020, the ED required institutions to publicly post certain information on their website, including the number of awards distributed to students, the total amount awarded, and the methodologies used by the institution to determine which students receive awards, no later than 30 days after the award date, and to update that information every 45 days thereafter (by posting a new report). ? On August 31, 2020, the ED revised the reporting requirement by decreasing the frequency of reporting after the initial 30-day period from every 45 days thereafter to every calendar quarter. This revision from every 45 days to a calendar quarter was effective for the first calendar quarter report due by October 10, 2020, and covering the period from after the institution?s last report through the end of the calendar quarter on September 30, 2020. ? For the Institutional Portion, a federal form filled out by the institution must be posted on the institution?s website covering aggregate expenditure amounts for each calendar quarter (September 30, December 31, March 31, and June 30) and concluding after an institution has spent the institutional portion of their HEERF Funds. The institution must post their first report by October 30, 2020, the first quarter of 2021 report by July 20, 2021, and post all other reports no later than 10 days after the end of each calendar quarter (October 10, January 10, April 10, and July 10). ? Section 18004(e) of the CARES Act and Section 314(e) of the CRRSAA require an institution receiving funds under HEERF to submit a report to the Secretary of the ED at ?such time in such a manner as the Secretary may require?. ? Federal regulation [2 CFR 200.334] states that ?financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.? The instructions for the Quarterly HEERF Reporting Form notes, ?any changes or updates after the initial posting must be conspicuously noted after initial posting and the date of the change must be noted in the `Date of Report? line.? ? Federal regulation [2 CFR 200.303] states that the University, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The University signed a HEERF Certification and Agreement to accept the funding and acknowledge its responsibilities under the grant; therefore, the University was responsible under the Agreement to ensure that it complied with HEERF reporting and other requirements. What problems did the audit work identify? We determined that 2 out of 5 reports tested (40 percent) did not meet the HEERF grant report posting requirements. Specifically: ? The University did not post the HEERF CRRSAA Student quarterly report for the quarter ending September 30, 2021 on the University?s primary website, as required. ? The University published the HEERF ARP Student quarterly report for the quarter ending March 31, 2022 on May 26, 2022?46 days past the due date of April 10, 2022. No issues were noted on the accuracy of the financial information on this report. Why did these problems occur? The University did not implement adequate internal controls to ensure it complied with the HEERF grant reporting requirements. Specifically, the University did not have appropriate policies and procedures in place to ensure that staff submit the required reports within federally required timeframes. Why do these problems matter? Federal oversight agencies, including ED, depend on accurate reports to measure program results and states? compliance with federal requirements. By failing to report the HEERF spending information in accordance with federal regulations, the University failed to comply with the requirements of the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-063 Metropolitan State University of Denver (University) should strengthen its internal controls over reporting and ensure it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by developing and documenting policies and procedures for identifying and researching the specific reporting requirements and ensuring that staff post to the University?s website the required reports within federally required timeframes. In addition, the University should ensure that all the HEERF reports that are currently required to be posted are on the website. Response Metropolitan State University Agree Implementation Date: December 2022 In December 2022, the Office of Financial Aid strengthened its internal control over the reporting requirements for the Higher Education Emergency Relief Fund (HEERF), by adding the report due dates to the internal operational calendar. Additional level reviews were also added to the submission process before the required reports will be sent to the Department of Education and posted on the financial aid website.
Finding 2022-064 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide emergency financial assistance to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the University under the Higher Education Emergency Relief Fund (HEERF I) Program. The federal Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the federal American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Each of the University?s campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (DOE) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements of the HEERF program there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The DOE specified that the Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The University?s campuses are required to submit the annual report directly to the DOE. During Fiscal Year 2022, each University campus was required to complete and post 8 reports (four Student Aid and four Institutional) to their website. During Fiscal Year 2022, the University?s three campuses in total expended approximately $60 million in HEERF grant funds: $27 million was expended by the Boulder campus, $10.5 million was expended by the Colorado Springs campus, and $22.5 million was expended by the Denver campus. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over and complied with the HEERF grant reporting requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls over the HEERF grant reporting requirements. In addition, we tested 11 of the 12 student reports and 3 of the 12 institutional reports posted by the University during Fiscal Year 2022 to determine whether the University campuses posted the required information on each campus? website accurately, and by the federal due dates. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? The DOE issued a notice on May 13, 2021, requiring institutions to publicly post their required HEERF reports on the institution?s website as soon as possible, but no later than 30 days after the publication of the notice, or 30 days after the date the DOE first obligated funds under HEERF I, II, or III to the institution for emergency financial assistance to students; whichever comes later. The institution is required to post the report no later than 10 days after the end of each calendar quarter, after the initial posting. ? Federal regulation [2 CFR 200.303] states that the System?s campuses, as federal grant recipients, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? What problem did the audit work identify? We identified 2 out of the 14 reports tested (14.3 percent) that did not meet the HEERF grant report posting requirements. Specifically, the University of Colorado, Colorado Springs Campus, did not post the required information for the HEERF Student Aid Portion on its website for two of four quarters of Fiscal Year 2022 timely. First, the University posted the quarter-ending September 30, 2021 report to its website on December 23, 2021, or 74 days after the deadline of October 10. Second, the University did not post the quarter-ending March 31, 2022 report, which was due April 10, 2022, until October 2022, after we notified them of the error; this was approximately 6 months late. We did not identify any issues with the accuracy of the reports, and we found that the other two campuses in the University of Colorado System posted the required information on their respective websites as required by federal regulations. Why did this problem occur? The University?s Colorado Springs campus did not have adequate internal controls in place to ensure it complied with the HEERF grant reporting requirements. Specifically, the Colorado Springs Campus did not have appropriate policies and procedures in place for identifying and researching changes in HEERF reporting requirements. The federal government updated and provided a new form for HEERF reporting in September 2021 that included a section for institutional information but inadvertently excluded student information from the form. Because the form no longer required the student information, the Colorado Springs campus staff inaccurately assumed that the student information was no longer required to be reported. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in the DOE Certification and Agreement that is signed and agreed to by the University. By failing to report required information in accordance with federal regulations, the University failed to comply with the requirements of the HEERF program and potentially risks repercussions from the DOE as specified in the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-064 The University of Colorado?s Colorado Springs campus should strengthen its internal controls over and ensure that it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by establishing policies and procedures for identifying and researching changes in HEERF reporting requirements and posting reports to the campus website as required by federal regulations. Response University of Colorado Agree Implementation Date: Implemented Management agrees. After the notification of the missing HEERF report in December 2021, the UCCS Controller proposed a ?cross-check? process to ensure all future reporting is in compliance and reported in a timely manner. This process is used for both the quarterly and annual reporting process. In the quarterly reporting process, the UCCS Controller completes the institutional report and emails the report to the UCCS Financial Aid office Senior Executive Director for verification of the amounts and the data submitted. The Senior Executive Director then enters the student aid portion?s information and provides this to the UCCS Controller for verification of the data. Once verified, the report is uploaded to the UCCS website and a confirmation email is sent to the UCCS Controller as well as the heerfreporting@ed.gov for verification of completion of the website posting. This process has been duplicated with the annual reporting process. Before the annual report is submitted a review will be done to verify the report figures match the CU financials for the calendar year.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-064 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide emergency financial assistance to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the University under the Higher Education Emergency Relief Fund (HEERF I) Program. The federal Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the federal American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Each of the University?s campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (DOE) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements of the HEERF program there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The DOE specified that the Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The University?s campuses are required to submit the annual report directly to the DOE. During Fiscal Year 2022, each University campus was required to complete and post 8 reports (four Student Aid and four Institutional) to their website. During Fiscal Year 2022, the University?s three campuses in total expended approximately $60 million in HEERF grant funds: $27 million was expended by the Boulder campus, $10.5 million was expended by the Colorado Springs campus, and $22.5 million was expended by the Denver campus. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over and complied with the HEERF grant reporting requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls over the HEERF grant reporting requirements. In addition, we tested 11 of the 12 student reports and 3 of the 12 institutional reports posted by the University during Fiscal Year 2022 to determine whether the University campuses posted the required information on each campus? website accurately, and by the federal due dates. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? The DOE issued a notice on May 13, 2021, requiring institutions to publicly post their required HEERF reports on the institution?s website as soon as possible, but no later than 30 days after the publication of the notice, or 30 days after the date the DOE first obligated funds under HEERF I, II, or III to the institution for emergency financial assistance to students; whichever comes later. The institution is required to post the report no later than 10 days after the end of each calendar quarter, after the initial posting. ? Federal regulation [2 CFR 200.303] states that the System?s campuses, as federal grant recipients, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? What problem did the audit work identify? We identified 2 out of the 14 reports tested (14.3 percent) that did not meet the HEERF grant report posting requirements. Specifically, the University of Colorado, Colorado Springs Campus, did not post the required information for the HEERF Student Aid Portion on its website for two of four quarters of Fiscal Year 2022 timely. First, the University posted the quarter-ending September 30, 2021 report to its website on December 23, 2021, or 74 days after the deadline of October 10. Second, the University did not post the quarter-ending March 31, 2022 report, which was due April 10, 2022, until October 2022, after we notified them of the error; this was approximately 6 months late. We did not identify any issues with the accuracy of the reports, and we found that the other two campuses in the University of Colorado System posted the required information on their respective websites as required by federal regulations. Why did this problem occur? The University?s Colorado Springs campus did not have adequate internal controls in place to ensure it complied with the HEERF grant reporting requirements. Specifically, the Colorado Springs Campus did not have appropriate policies and procedures in place for identifying and researching changes in HEERF reporting requirements. The federal government updated and provided a new form for HEERF reporting in September 2021 that included a section for institutional information but inadvertently excluded student information from the form. Because the form no longer required the student information, the Colorado Springs campus staff inaccurately assumed that the student information was no longer required to be reported. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in the DOE Certification and Agreement that is signed and agreed to by the University. By failing to report required information in accordance with federal regulations, the University failed to comply with the requirements of the HEERF program and potentially risks repercussions from the DOE as specified in the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-064 The University of Colorado?s Colorado Springs campus should strengthen its internal controls over and ensure that it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by establishing policies and procedures for identifying and researching changes in HEERF reporting requirements and posting reports to the campus website as required by federal regulations. Response University of Colorado Agree Implementation Date: Implemented Management agrees. After the notification of the missing HEERF report in December 2021, the UCCS Controller proposed a ?cross-check? process to ensure all future reporting is in compliance and reported in a timely manner. This process is used for both the quarterly and annual reporting process. In the quarterly reporting process, the UCCS Controller completes the institutional report and emails the report to the UCCS Financial Aid office Senior Executive Director for verification of the amounts and the data submitted. The Senior Executive Director then enters the student aid portion?s information and provides this to the UCCS Controller for verification of the data. Once verified, the report is uploaded to the UCCS website and a confirmation email is sent to the UCCS Controller as well as the heerfreporting@ed.gov for verification of completion of the website posting. This process has been duplicated with the annual reporting process. Before the annual report is submitted a review will be done to verify the report figures match the CU financials for the calendar year.
Finding 2022-062 Higher Education Emergency Relief Fund Student Aid Finding The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to higher education institutions, including the University, under the HEERF program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA) was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. Since March 11, 2021, the University has been awarded $45.6 million in HEERF grant funds through the American Rescue Plan (ARP), otherwise known as HEERF III. Of this award, the University was provided both 1) Student Aid monies, along with 2) Institutional Aid monies. Student Aid monies must be used to provide financial aid grants to students (including students exclusively enrolled in distance education), which may be used for ?any component of the student?s cost of attendance or for emergency costs that arise due to coronavirus, such as tuition, food, housing, healthcare (including mental health care), or childcare. Institutional Aid monies may be used to defray expenses associated with coronavirus (including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll) and to make additional financial grants to students. During Fiscal Year 2022, the University spent $21.0 million for the Student Aid portion and $20.2 million for the Institutional portion of HEERF III funds. For the Student Aid portion of the HEERF III funding, the University divided the funding into different groups. The University developed a written plan (that applied during Fiscal Year 2022) for each group and a control process for awarding the monies to students. One of the groups of funding was to be awarded to students with unpaid balances in their tuition or auxiliary accounts with past due balances incurred during the 2020-2021 or 2021-2022 academic years. A team of University employees (CARES Team) was tasked with identifying those students, then contacting those students and asking if they would like the University to apply the student?s HEERF award to pay down the student?s account balance or pay it to the student directly. Once the student informed the University of their election, then the University awarded and disbursed the funds. What was the purpose of our audit work and what was performed? The purpose of the audit work was to determine whether the University was in compliance with the HEERF program regulations for awarding and paying the Student Aid portion of the HEERF funding, and whether proper controls were in place over the program during Fiscal Year 2022. Our testing included conducting interviews with management and selecting a sample of 60 disbursements made to students during Fiscal Year 2022 to test controls and compliance. We performed testing on the 60 disbursements to determine whether awards and disbursements were made in accordance with the University?s documented plan. How were the results of the audit work measured? In accordance with HEERF III requirements, the University must prioritize student aid distributions to students with exceptional needs. In addition, the University must have a documented plan to distribute funds to students. Federal regulations [2 CFR 200.303] require any non-federal grant award recipient to establish and maintain effective internal control over the federal award that provides reasonable assurance that the grant award recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. Lastly, student aid application best practices discourage employees from awarding aid to family members. What problem did the audit work identify? Based on interviews with University management, the University identified that a University employee inappropriately provided $700 in HEERF Student Aid funding to the employee?s family member who was a student at the University but was not eligible to receive the funds. Specifically, the CARES Team selected students to receive these funds that met the following criteria: 1) Student was enrolled in the Fall of 2021 or Spring 2022, 2) student had past due balances incurred during the 2020-2021 or 2021-2022 academic years, 3) the student was in good academic standing, and 4) they were participating in a payment plan or in the College Completion Advising program. The student was not selected by the CARES Team as eligible to receive these funds. During our testing of additional 60 student disbursement transactions we found no other exceptions. Why did this problem occur? The University has not established proper segregation of duties to prevent University employees from awarding federal funding to a member of their family. Specifically, the employee had access rights within the University?s financial aid system that granted the employee the ability to both award and disburse federal funds without another employee reviewing or approving. In addition, the University did not have a written policy, as recommended by industry best practices, that prohibits employees from applying aid to family members? accounts. Why does this problem matter? Federal funds that are misapplied or used for unallowable purposes could be subject to repayment from the University to the federal granting agency. Without ensuring adequate segregation of duties within the University?s financial aid system for awarding and disbursing federal funds, the University increases the risk that fraud could occur. In the instance identified, the University recovered the funding from the student. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-062 Metropolitan State University of Denver (University) should improve its internal controls over federal Higher Education Emergency Relief Funds by instituting appropriate segregation of duties over the awarding of federal funds to students. This should include requiring that no one employee can both award then disburse aid to students and developing and implementing a formal written policy that prohibits University employees from awarding financial aid to their family members. Response Metropolitan State University Agree Implementation Date: June 2023 In January 2023, the Executive Director of Financial Aid and Scholarships implemented a code of conduct that addresses and prohibits University personnel from awarding financial aid to their family members or other persons considered conflicts of interest. The Office of Financial Aid and Scholarships will draft policy by June 30, 2023, to address the segregation of duties that prohibits awarding and disbursing federal, state, or institutional funding to students by one employee.
Finding 2022-063 Higher Education Emergency Relief Fund Reporting Compliance Finding The CARES Act was signed into law on March 27, 2020, and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the (HEERF Program. CRRSAA was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Since April 2020, the University has been awarded a total of $86.3 million in HEERF funding. From inception through June 30, 2022, the University spent $35.4 million for the HEERF program Student Aid Portion and $48.9 million for the HEERF program Institutional Portion. The University reports that it will spend the remaining amount of funding during Fiscal Year 2023. The University signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate the University?s acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The ED specified that Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The annual report is to be submitted directly to the federal ED. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University had adequate internal controls in place over and complied with HEERF Institutional and Student Aid Portion grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the University?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 5 of the 8 HEERF reports submitted by the University during Fiscal Year 2022 to determine whether the reports were posted on the University?s primary website or submitted directly to the ED by the federal due dates and complied with federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? For the Student Aid Portion, beginning on May 6, 2020, the ED required institutions to publicly post certain information on their website, including the number of awards distributed to students, the total amount awarded, and the methodologies used by the institution to determine which students receive awards, no later than 30 days after the award date, and to update that information every 45 days thereafter (by posting a new report). ? On August 31, 2020, the ED revised the reporting requirement by decreasing the frequency of reporting after the initial 30-day period from every 45 days thereafter to every calendar quarter. This revision from every 45 days to a calendar quarter was effective for the first calendar quarter report due by October 10, 2020, and covering the period from after the institution?s last report through the end of the calendar quarter on September 30, 2020. ? For the Institutional Portion, a federal form filled out by the institution must be posted on the institution?s website covering aggregate expenditure amounts for each calendar quarter (September 30, December 31, March 31, and June 30) and concluding after an institution has spent the institutional portion of their HEERF Funds. The institution must post their first report by October 30, 2020, the first quarter of 2021 report by July 20, 2021, and post all other reports no later than 10 days after the end of each calendar quarter (October 10, January 10, April 10, and July 10). ? Section 18004(e) of the CARES Act and Section 314(e) of the CRRSAA require an institution receiving funds under HEERF to submit a report to the Secretary of the ED at ?such time in such a manner as the Secretary may require?. ? Federal regulation [2 CFR 200.334] states that ?financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.? The instructions for the Quarterly HEERF Reporting Form notes, ?any changes or updates after the initial posting must be conspicuously noted after initial posting and the date of the change must be noted in the `Date of Report? line.? ? Federal regulation [2 CFR 200.303] states that the University, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The University signed a HEERF Certification and Agreement to accept the funding and acknowledge its responsibilities under the grant; therefore, the University was responsible under the Agreement to ensure that it complied with HEERF reporting and other requirements. What problems did the audit work identify? We determined that 2 out of 5 reports tested (40 percent) did not meet the HEERF grant report posting requirements. Specifically: ? The University did not post the HEERF CRRSAA Student quarterly report for the quarter ending September 30, 2021 on the University?s primary website, as required. ? The University published the HEERF ARP Student quarterly report for the quarter ending March 31, 2022 on May 26, 2022?46 days past the due date of April 10, 2022. No issues were noted on the accuracy of the financial information on this report. Why did these problems occur? The University did not implement adequate internal controls to ensure it complied with the HEERF grant reporting requirements. Specifically, the University did not have appropriate policies and procedures in place to ensure that staff submit the required reports within federally required timeframes. Why do these problems matter? Federal oversight agencies, including ED, depend on accurate reports to measure program results and states? compliance with federal requirements. By failing to report the HEERF spending information in accordance with federal regulations, the University failed to comply with the requirements of the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-063 Metropolitan State University of Denver (University) should strengthen its internal controls over reporting and ensure it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by developing and documenting policies and procedures for identifying and researching the specific reporting requirements and ensuring that staff post to the University?s website the required reports within federally required timeframes. In addition, the University should ensure that all the HEERF reports that are currently required to be posted are on the website. Response Metropolitan State University Agree Implementation Date: December 2022 In December 2022, the Office of Financial Aid strengthened its internal control over the reporting requirements for the Higher Education Emergency Relief Fund (HEERF), by adding the report due dates to the internal operational calendar. Additional level reviews were also added to the submission process before the required reports will be sent to the Department of Education and posted on the financial aid website.
Finding 2022-059 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF I) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund (Assistance Listing No. 84.425). The HEERF program contains two portions: the Student Aid portion (Assistance Listing No. 84.425E) and the Institutional portion, which is made up of the following: HEERF Institutional Aid Portion (Assistance Listing No. 84.425F), HEERF Minority Serving Institutions (Assistance Listing No. 84.425L), HEERF Strengthening Institutions Program (Assistance Listing No. 84.425M), Institutional Resilience and Expanded Postsecondary Opportunity (Assistance Listing No. 84.425P), and HEERF Supplemental Assistance to Institutions of Higher Education program (Assistance Listing No. 84.425S). Amounts provided to students through HEERF are considered to be ?Emergency Financial Aid Grants to Students? under the Program. Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent approximately $97.8 million for the HEERF program Student Aid portion which is used to award Emergency Financial Aid Grants to students and $113.9 million for the HEERF Institutional Portion, which is used to support the colleges. $117.3 of this amount was expended by the System during Fiscal Year 2022. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the ED to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The annual report is to be submitted directly to the ED. The ED has specified certain criteria that must be included in each report. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System had adequate internal controls in place over, and complied with, the HEERF Institutional and Student Aid grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the System?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 25 of the 117 HEERF reports submitted by the System?s campuses during Fiscal Year 2022 to determine whether the reports were posted on each campus? primary website (quarterly reports) or submitted to ED (annual reports) by the federal due dates. Furthermore, for the Student Aid Quarterly Report we requested from each Campus the underlying support for the reports, which consisted of student data detailing how much aid was awarded and the methods the campuses used to determine which students would receive Emergency Financial Aid Grants. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? On May 13, 2021, the ED published in the Federal Register a notice for student aid public reporting under CRRSAA and ARP, which requires that institutions publicly post certain information on their website. The following information must appear in a format and location that is easily accessible to the public: o An acknowledgement that the institution signed and returned to the ED the Certification and Agreement and the assurance that the institution has used the applicable amount of funds designated under the CRRSAA and ARP programs to provide Emergency Financial Aid Grants to Students. o The total amount of funds that the institution will receive or has received from the ED pursuant to the institution's Certification and Agreement for Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total amount of Emergency Financial Aid Grants distributed to students under the CRRSAA and ARP programs as of the date of submission (i.e., as of the initial report and every calendar quarter thereafter). o The estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total number of students who have received an Emergency Financial Aid Grant to students under the CRRSAA and ARP programs. o The method(s) used by the institution to determine which students receive Emergency Financial Aid Grants and how much they would receive under the CRRSAA and ARP programs. o Any instructions, directions, or guidance provided by the institution to students concerning the Emergency Financial Aid Grants. ? Federal Uniform Guidance [2 CFR 200.303] requires that recipients of federal awards have internal controls in place to ensure that federal reports are accurate and report complete information. Appropriate supporting documentation is evidence of such internal controls. What problems did the audit work identify? We identified issues with 5 of the 25 Fiscal Year 2022 reports we tested (20 percent). Specifically, Front Range Community College (FRCC), Pueblo Community College (PCC), and Lamar Community College (LCC) could not provide appropriate supporting documentation for one or more of the following data elements in five of the Student Aid Quarterly Reports: student data detailing (a) the total amount of Emergency Financial Aid Grants distributed to students, (b) the total number of students eligible to receive Emergency Financial Aid Grants and/or (c) the total number of students at the institution who have received an Emergency Financial Aid Grant. The specific issues we found the following: ? FRCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended September 30, 2021 as 20,684; based on our review, we determined the supported number was 20,782. ? FRCC reported the total number of students at the institution who have received an Emergency Financial Aid Grant for the quarter ended June 30, 2022 as 20,385 (student portion) and 3,207 (institutional portion); based on our review, we determined the supported numbers were 20,401 and 3,222, respectively. ? LCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended June 30, 2022 as 1,007; based on our review, we determined the supported number was 1,034. In addition, the amount disbursed directly to student emergency financial aid grants to date was reported as 961 and total for all HEERF funds was 1,124; based on our review, we determined the supported numbers were 988 and 1,151, respectively. ? PCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarters ending September 30, 2021 and December 31, 2021 as 3,191; based on our review, we determined this amount could not be supported and PCC did not provide a revised count. Why did these problems occur? FRCC, PCC, and LCC campuses did not have procedures in place to ensure that supporting documentation was maintained for its Student Aid Quarterly Reporting. Employee turnover in the FRCC Controller position and FRCC, PCC, and LCC Student Financial Aid Director positions further contributed to FRCC, PCC, and LCC?s inability to locate or recreate the supporting documentation. Why do these problems matter? It is important for FRCC, PCC, and LCC to ensure that they obtain and maintain appropriate documentation to support amounts reported to federal awarding agencies, especially when they are the basis for determining FRCC, PCC, and LCC?s compliance with specific federal program requirements. This issue could lead to inaccurate federal reporting and potential noncompliance, which could result in the federal government requiring FRCC, PCC, and LCC to return funds or a negative impact to the System?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-059 Front Range Community College, Lamar Community College, and Pueblo Community College campuses should strengthen their internal controls over federal reporting and ensure they comply with the Higher Education Emergency Relief Fund reporting requirements by reviewing reports for accuracy and developing procedures for ensuring the required maintenance of all related supporting documentation. Response Front Range Community College Agree Implementation Date: September 2022 Moving forward the Director of Financial Aid will engage the Restricted Funds Accountants in a quality assurance review of both dollars spent, type of fund, and student counts before it is submitted for final review and publishing by the Director of Resource Development and Senior Grant Administrator. The most recently submitted information for the quarterly report of September 30, 2022 will be sent to the Restricted Funds Accountants to validate that FRCC has been and will continue to be in compliance for quarterly HEERF reporting. Response Lamar Community College Agree Implementation Date: July 2022 The Financial Aid Director and the Controller will compile their reporting support on the shared drive they utilize for other routine purposes as well, to ensure clear documentation of the numbers reported. The original report containing errors was corrected, validated, and reposted. All past year?s reporting data was made available on the shared drive as of July 2022. Response Pueblo Community College Agree Implementation Date: October 2022 Each quarter Financial aid will obtain and compare Cognos and Banner disbursement reports for accuracy. Once the unduplicated student count is determined it will be sent to the Vice President of Student Success to validate and approve going forward. Financial aid will ensure staff maintain supporting documentation for any institutional expenditures information that was obtained from the fiscal office. Disbursement and expenditure data will be compiled for the Department of Education?s Quarterly Report by the submission deadline and will be submitted as PDF to webmaster for posting on PCC?s website and a copy emailed to a contact at the Department of Education and will archive the submission for future reference.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Finding 2022-072 MyUI+ and Connecting Colorado?Information Security Government Auditing Standards allow for information that is considered sensitive in nature, such as detailed information related to information technology system security, to be issued through a separate ?classified or limited use? report because of the potential damage that could be caused by the misuse of this information. We consider the specific technical details of this finding, along with the response, to be sensitive in nature and not appropriate for public disclosure. Therefore, the details of the following finding and response have been provided to the Department in a separate, confidential memorandum. The Department administers the federal Unemployment Insurance and Employment Service Cluster programs, and the Department relies on IT systems to aid with determining applicants? eligibility for the programs and to provide information necessary to meet federal reporting requirements. For these two programs, the associated systems are MyUI+ and Connecting Colorado. The Department is the business owner and works with the Governor?s Office of Information Technology (OIT) and two different external IT service providers. High level descriptions of the two systems are as follows: ? MyUI+ ? The Department?s system for UI eligibility determinations and calculation of UI payments to eligible recipients. According to Department staff, starting in Fiscal Year 2023, MyUI+ will also provide data necessary for federal reporting to the U.S. Department of Labor for the UI program that was previously generated by the Colorado Labor and Employment Accounting Resource system. ? Connecting Colorado ? The Department?s workforce case management, labor exchange, and federal reporting system that supports the Employment Service Cluster program. The system provides services for job seekers and businesses, as well as provides all required federal reporting to the U.S. Department of Labor, for the Employment Service Cluster programs. In order for the Department to achieve its objectives and respond to risks, including those related to the federal programs it administers, management should establish a strong framework of internal controls that also address information system controls. Specifically, information system controls typically start with management documenting IT policies that address IT general control responsibilities and procedures that document the more granular details on how to implement Department policies. These IT general control policies and procedures should include those policies and procedures that are specific to information security. Once policies and procedures have been formalized and communicated to staff responsible, specific internal control activities can be implemented and operationalized. What was the purpose of our audit work and what work was performed? The purpose of our Fiscal Year 2022 audit work was to determine whether the Department, OIT, and the Department?s two external IT service providers for MyUI+ and Connecting Colorado had policies and procedures related to information security, designed and implemented for MyUI+ and Connecting Colorado. Our audit work was performed through interviews conducted of Department and OIT staff. What problems did the audit work identify and how were the results of the audit work measured? During Fiscal Year 2022, we identified information security problems with the MyUI+ and Connecting Colorado systems. We have grouped these problems first by those common to the two systems and then those unique to each system. MyUI+ and Connecting Colorado Common Problems ? Policies and procedures were lacking. Department management had not established its expectations through the development and implementation of formalized policies and procedures related to information security general controls for MyUI+ and Connecting Colorado. o Standards for Internal Control in the Federal Government (Green Book) published by the U.S. Government Accountability Office (GAO) states in Paragraph 3.09, Documentation of Internal Control System, and 12.02, Documentation of Responsibilities through Policies, that management should develop and maintain documentation of its internal control system and document in policies the internal control responsibilities of the organization. Paragraph 11.06 and 11.07, Design Appropriate Types of Control Activities, states that management should design appropriate types of control activities in the entity?s information system, including information system general controls that facilitate the proper operation of the entity?s systems. o Colorado Information Security Policies (Security Policies or CISP) that are developed, published, and required to be followed by the Department and its external IT service providers state within the Policy and the General Responsibilities sections, specifically 8.3.1 and 8.3.2 for Business Owners or the Department, that all agencies, except for the institutions of higher education and the general assembly, as the business owner, must implement governance principles, which would include IT policies and procedures, for promoting data quality and integrity for its systems, as the business owner, and is responsible for following and adhering to all identified business owner requirements, as stated within the Security Policies. ? Vendor oversight was lacking. The Department had not ensured its IT service providers complied with Security Policies. o Security Policies state that IT service providers?defined as OIT and/or external service providers?must follow the Security Policy requirements, among certain other requirements, as communicated to the Department within the confidential finding. o Section C.iii. (Legal Authority ? Contractor Signatory, Information Technology Specific) of the Department?s contract with the Connecting Colorado IT service provider states: ??the contractor warrants that it will at all times comply with all Security Policies.? o Exhibit C, Section 1.C.vi. (Information Technology Provisions, Protection of System Data) of the Department?s contract with the MyUI+ IT service provider states: ??the contractor shall comply with all rules, policies, procedures, and standards issued by the Governor?s Office of Information Technology.? o The Green Book states in Paragraph OV4.01, Service Organizations, that management retains responsibility for the performance of processes assigned to service organizations. MyUI+ and Connecting Colorado Unique Problems We also found other problems with access management, unique to each MyUI+ and Connecting Colorado, that lacked compliance with Security Policies, OIT Cyber Policies, and the IRS?s, Publication 1075, Tax Information Security Guidelines for Federal, State, and Local Agencies, November 2021 Revision, and were communicated through the confidential finding. Why did these problems occur? Overall, the Department did not have sufficient IT governance and information security internal controls in place, including policies and procedures, to ensure that Department staff and its IT service providers complied with various data security compliance requirements set forth by OIT and the IRS, as well as those internal control principles established within the Green Book?s internal control framework. We discuss other specific causes for the problems we identified below: MyUI+ and Connecting Colorado ? Policies and procedures were lacking (MyUI+). Department staff stated that they followed and complied with the October 2021 dated Security Policies for the entire fiscal year, as these were more stringent than the March 2022 dated Security Policies. However, the Department did not provide documentation of a formal adoption of the October 2021 dated Security Policies. Staff also stated it maintains informal procedures of how to perform certain access management processes, but no standard operating procedures were in place. ? Policies and procedures were lacking (Connecting Colorado). Department staff had released a program guidance letter that addressed data security and access, but staff acknowledged that these program guidance letters are a guide and not official policy statements. In addition, the program guidance letter provided by Department staff was directed to the workforce centers that are located across the state that provide employment services to eligible beneficiaries and, therefore, did not provide any data security or access policies and procedures for state staff. ? Vendor oversight was lacking. We determined the Department did not have a vendor management process in place to hold its IT service providers accountable for contract provisions that required the IT service providers to comply with Security Policies, as demonstrated by the noncompliance issues we identified. In addition, and based on the March 2022 Security Policies, the Department has not determined whether contract amendments may be necessary with its two external IT service providers. ? Other Access Management Non-Compliance: o Department staff indicated that in one instance of non-compliance identified, a more efficient process was to not comply with the requirement. o Department staff stated that the certain access management non-compliance area was set up as it was during the COVID-19 pandemic to help prevent backlogs and issues for users during that time and was not subsequently changed. o Department staff did not update its rules for Connecting Colorado account management non-compliance area to reflect Security Policy changes. Specifically, we noted that OIT introduced the specific account management requirements in its Security Policies in February 2015, and those requirements remained constant through the March 2022 version; however, Department staff did not have a process in place to ensure periodic reviews of OIT?s Security Policies occurred and Department rules for the workforce centers appropriately aligned with any Security Policy changes. In addition, Department staff did not have a process in place to ensure its external IT service providers were complying with contract provisions to comply with Security Policy requirements. o Department staff stated they have not found cause to mandate IT service provider actions that are deemed privately owned business methodologies. However, and as noted above, the Department?s contract states that the external IT service provider must comply with OIT?s Security Policies that require specific security safeguards to be implemented by all IT service providers, including the Connecting Colorado external IT service provider. Why do these problems matter? The lack of established IT policies and procedures make it difficult for Department management to measure and hold staff accountable to management?s expectations, as well as ensuring risks are addressed and overall objectives and missions are fulfilled. In turn, without policies and procedures, staff may not perform processes and controls in a consistent manner. In addition, without holding vendors accountable and ensuring that strong security measures are designed, implemented, and operating effectively, the risk of unauthorized access increases and ultimately impacts data reliability of the data stored and processed within MyUI+ and Connecting Colorado. Lastly, without having a strong internal control framework in place, management cannot ensure that state and federal funds are being used appropriately, which may impact the Department?s compliance with federal grant requirements and/or the accuracy of the Department?s federal and financial reporting. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-072 The Department of Labor and Employment (Department) should improve its overall Information Technology (IT) governance and information security IT general controls, and work with its IT service providers, as applicable, for the MyUI+ and Connecting Colorado information systems by: A. Formalizing and communicating to Department staff and the Department?s IT service providers? IT policies that comply with the Business Owner requirements listed within the Governor?s Office of Information Technology?s (OIT) March 2022 Colorado Information Security Policies (Security Policies). As an option, the Department could formally adopt the October 2021 Security Policies, identify any gaps between the October 2021 and March 2022 versions, and then formalize and communicate policies that address the identified gaps. B. Formalizing and communicating IT procedures to provide guidance to Department staff and the Department?s IT service providers performing IT general control activities that further address the IT policies formalized in recommendation Part A. The formalization and communication should include an organizationally defined, periodic review process of OIT?s Security Policies to ensure the Department?s IT policies, procedures, and rules are updated accordingly to align with the most current version of the Security Policies. C. Formalizing a vendor management process that ensures the Department?s IT service providers are held accountable to contract provisions requiring compliance with Colorado Information Security Policies and IT policies and procedures formalized in recommendation Parts A and B. This should include a review of the Department?s current external IT service providers? contracts and a determination of whether amendments to those contracts are necessary, based on the formalization of recommendation Parts A and B. D. Implementing recommendation Part D as noted in the confidential finding. E. Implementing recommendation Part E as noted in the confidential finding. Response Department of Labor and Employment A. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. B. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. C. Agree Implementation Date: December 2023 CDLE agrees with the recommendation and as part of A and B recommendations of this document, the Department will include a requirement from vendors to affirm they have reviewed and will comply with OIT security policies for all new contracts. Furthermore, as the Department becomes aware of changes to OIT Security Policies through its annual review process, these will be communicated to the vendors, and they will be required to reaffirm their compliance with any applicable changes. We will work with our current vendors for MyUI+ and Connecting Colorado to address the compliance issues noted in the audit and ensure they are compliant with OIT Security Policies and IT policies developed in part A and B of this recommendation. If non-compliance is determined to be unavoidable, the Department will file for a security exception with OIT. D. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part D as noted in the confidential finding. E. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part E as noted in the confidential finding.
Finding 2022-071 Federal Funding Accountability and Transparency Act The Department is responsible for administering two programs as part of the Employment Service Cluster: Employment Service/Wagner Peyser Funded Activities (Wagner) [ALN 17.207], and Jobs for Veterans State Grant (JSVG) [ALN 17.801]. The main overall purpose of these programs is to improve the functioning of the nation's labor markets by bringing together individuals who are seeking employment and employers who are seeking workers. The Wagner program provides a variety of services to job seekers, including career services and job search assistances; in addition, employers can access the program to post job orders and obtain qualified applicants. The JSVG provides federal funding through a formula grant to State Workforce Agencies (SWAs), including the Department, to hire dedicated staff to provide individualized career and training-related service to veterans and eligible individuals with significant barriers to employment, and to assist employers in filling their workforce needs with job-seeking veterans. The Department administers the programs and also passes Employment Service Cluster funds through to Colorado counties so they can help provide these services to individuals. The Department is required to comply with the Federal Funding Accountability and Transparency Act of 2006 (Transparency Act or FFATA) for both programs within the Employment Service Cluster. The Transparency Act was created to empower Americans with the ability to hold the government accountable for each spending decision and, as a result, to reduce wasteful spending by the government. The Transparency Act requires the federal government to make certain information on federal awards available to the public. In accordance with the Transparency Act, the Department is required to report information about subgrants, or subawards, given to other governments or to nonprofit organizations, also referred to as subrecipients. Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the Department, to an entity to carry out part of a Federal grant award received by the pass-through entity. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? In Fiscal Year 2022, the Department made 11 subawards to 10 Colorado counties (subrecipients) for the Employment Service Cluster, $11.2 million in subawards to 10 counties for Wagner, and $45,116 in subawards to one county for JVSG, totaling $11.3 million. The Department is required to submit FFATA information through the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Once the Department submits a report to FSRS, the public can view information from the report, including the subrecipient?s name, subaward identification number, subaward obligation/action date, subaward amount, federal awarding agency and subagency, the Department?s name, and the Department?s grant award identification number. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the Department had adequate internal controls over and complied with FFATA reporting requirements for the Employment Service Cluster programs during Fiscal Year 2022. As part of our audit work, we requested the Department?s policies and procedures over FFATA reporting, the FFATA reports submitted by the Department in Fiscal Year 2022, and a list of all subawards made by the Department during Fiscal Year 2022. How were the results of the audit work measured? In accordance with federal regulations [2 CFR 170.330.l(a)], the Department is required to report subawards of $30,000 or more to FSRS by the end of the month following the month in which the award was made. For example, the Department would have to submit a FFATA report to FSRS in May 2022 if an award or supplemental award equal to or greater than $30,000 was made in April 2022. What problem did the audit work identify? Based on our audit work, we determined that the Department did not comply with FFATA reporting requirements for the Employment Cluster and did not report any subawards in FSRS for Fiscal Year 2022. Specifically, we determined that the Department did not report $11.21 million in subawards to 10 subrecipients (the counties) for Wagner, and $45,116 in subawards to one county for JVSG. The following tables summarize the results of our testing and groups each exception within the following categories: subaward not reported, report not timely, subaward amount incorrect, and subaward missing key elements. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Why did this problem occur? The Department was not aware of the FFATA reporting requirement because it did not review the federal grant agreements to determine that the requirement was applicable for the program. Why does this problem matter? By failing to properly report subawards to FSRS, the Department is out of compliance with federal reporting requirements and risks federal sanctions. In addition, it fails to meet the federal intent of transparency for federal program spending. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-071 The Department of Labor and Employment should implement appropriate internal controls and related processes, such as detailed reviews of federal grant agreements, over the Employment Service Cluster to ensure that it is aware of, and in compliance with all federal reporting requirements, including requirements under the Federal Funding Accountability and Transparency Act of 2006. Response Department of Labor and Employment Agree Implementation Date: February 2023 By the implementation date, the Department of Labor and Employment (CDLE) will complete a review of grant agreements for reporting requirements, including the Federal Funding Accountability and Transparency Act of 2006. By the implementation date, the CDLE will develop and implement appropriate controls and processes to come into compliance with the reporting requirements and submit FFATA reports for the 10 entities identified in the audit.
Finding 2022-072 MyUI+ and Connecting Colorado?Information Security Government Auditing Standards allow for information that is considered sensitive in nature, such as detailed information related to information technology system security, to be issued through a separate ?classified or limited use? report because of the potential damage that could be caused by the misuse of this information. We consider the specific technical details of this finding, along with the response, to be sensitive in nature and not appropriate for public disclosure. Therefore, the details of the following finding and response have been provided to the Department in a separate, confidential memorandum. The Department administers the federal Unemployment Insurance and Employment Service Cluster programs, and the Department relies on IT systems to aid with determining applicants? eligibility for the programs and to provide information necessary to meet federal reporting requirements. For these two programs, the associated systems are MyUI+ and Connecting Colorado. The Department is the business owner and works with the Governor?s Office of Information Technology (OIT) and two different external IT service providers. High level descriptions of the two systems are as follows: ? MyUI+ ? The Department?s system for UI eligibility determinations and calculation of UI payments to eligible recipients. According to Department staff, starting in Fiscal Year 2023, MyUI+ will also provide data necessary for federal reporting to the U.S. Department of Labor for the UI program that was previously generated by the Colorado Labor and Employment Accounting Resource system. ? Connecting Colorado ? The Department?s workforce case management, labor exchange, and federal reporting system that supports the Employment Service Cluster program. The system provides services for job seekers and businesses, as well as provides all required federal reporting to the U.S. Department of Labor, for the Employment Service Cluster programs. In order for the Department to achieve its objectives and respond to risks, including those related to the federal programs it administers, management should establish a strong framework of internal controls that also address information system controls. Specifically, information system controls typically start with management documenting IT policies that address IT general control responsibilities and procedures that document the more granular details on how to implement Department policies. These IT general control policies and procedures should include those policies and procedures that are specific to information security. Once policies and procedures have been formalized and communicated to staff responsible, specific internal control activities can be implemented and operationalized. What was the purpose of our audit work and what work was performed? The purpose of our Fiscal Year 2022 audit work was to determine whether the Department, OIT, and the Department?s two external IT service providers for MyUI+ and Connecting Colorado had policies and procedures related to information security, designed and implemented for MyUI+ and Connecting Colorado. Our audit work was performed through interviews conducted of Department and OIT staff. What problems did the audit work identify and how were the results of the audit work measured? During Fiscal Year 2022, we identified information security problems with the MyUI+ and Connecting Colorado systems. We have grouped these problems first by those common to the two systems and then those unique to each system. MyUI+ and Connecting Colorado Common Problems ? Policies and procedures were lacking. Department management had not established its expectations through the development and implementation of formalized policies and procedures related to information security general controls for MyUI+ and Connecting Colorado. o Standards for Internal Control in the Federal Government (Green Book) published by the U.S. Government Accountability Office (GAO) states in Paragraph 3.09, Documentation of Internal Control System, and 12.02, Documentation of Responsibilities through Policies, that management should develop and maintain documentation of its internal control system and document in policies the internal control responsibilities of the organization. Paragraph 11.06 and 11.07, Design Appropriate Types of Control Activities, states that management should design appropriate types of control activities in the entity?s information system, including information system general controls that facilitate the proper operation of the entity?s systems. o Colorado Information Security Policies (Security Policies or CISP) that are developed, published, and required to be followed by the Department and its external IT service providers state within the Policy and the General Responsibilities sections, specifically 8.3.1 and 8.3.2 for Business Owners or the Department, that all agencies, except for the institutions of higher education and the general assembly, as the business owner, must implement governance principles, which would include IT policies and procedures, for promoting data quality and integrity for its systems, as the business owner, and is responsible for following and adhering to all identified business owner requirements, as stated within the Security Policies. ? Vendor oversight was lacking. The Department had not ensured its IT service providers complied with Security Policies. o Security Policies state that IT service providers?defined as OIT and/or external service providers?must follow the Security Policy requirements, among certain other requirements, as communicated to the Department within the confidential finding. o Section C.iii. (Legal Authority ? Contractor Signatory, Information Technology Specific) of the Department?s contract with the Connecting Colorado IT service provider states: ??the contractor warrants that it will at all times comply with all Security Policies.? o Exhibit C, Section 1.C.vi. (Information Technology Provisions, Protection of System Data) of the Department?s contract with the MyUI+ IT service provider states: ??the contractor shall comply with all rules, policies, procedures, and standards issued by the Governor?s Office of Information Technology.? o The Green Book states in Paragraph OV4.01, Service Organizations, that management retains responsibility for the performance of processes assigned to service organizations. MyUI+ and Connecting Colorado Unique Problems We also found other problems with access management, unique to each MyUI+ and Connecting Colorado, that lacked compliance with Security Policies, OIT Cyber Policies, and the IRS?s, Publication 1075, Tax Information Security Guidelines for Federal, State, and Local Agencies, November 2021 Revision, and were communicated through the confidential finding. Why did these problems occur? Overall, the Department did not have sufficient IT governance and information security internal controls in place, including policies and procedures, to ensure that Department staff and its IT service providers complied with various data security compliance requirements set forth by OIT and the IRS, as well as those internal control principles established within the Green Book?s internal control framework. We discuss other specific causes for the problems we identified below: MyUI+ and Connecting Colorado ? Policies and procedures were lacking (MyUI+). Department staff stated that they followed and complied with the October 2021 dated Security Policies for the entire fiscal year, as these were more stringent than the March 2022 dated Security Policies. However, the Department did not provide documentation of a formal adoption of the October 2021 dated Security Policies. Staff also stated it maintains informal procedures of how to perform certain access management processes, but no standard operating procedures were in place. ? Policies and procedures were lacking (Connecting Colorado). Department staff had released a program guidance letter that addressed data security and access, but staff acknowledged that these program guidance letters are a guide and not official policy statements. In addition, the program guidance letter provided by Department staff was directed to the workforce centers that are located across the state that provide employment services to eligible beneficiaries and, therefore, did not provide any data security or access policies and procedures for state staff. ? Vendor oversight was lacking. We determined the Department did not have a vendor management process in place to hold its IT service providers accountable for contract provisions that required the IT service providers to comply with Security Policies, as demonstrated by the noncompliance issues we identified. In addition, and based on the March 2022 Security Policies, the Department has not determined whether contract amendments may be necessary with its two external IT service providers. ? Other Access Management Non-Compliance: o Department staff indicated that in one instance of non-compliance identified, a more efficient process was to not comply with the requirement. o Department staff stated that the certain access management non-compliance area was set up as it was during the COVID-19 pandemic to help prevent backlogs and issues for users during that time and was not subsequently changed. o Department staff did not update its rules for Connecting Colorado account management non-compliance area to reflect Security Policy changes. Specifically, we noted that OIT introduced the specific account management requirements in its Security Policies in February 2015, and those requirements remained constant through the March 2022 version; however, Department staff did not have a process in place to ensure periodic reviews of OIT?s Security Policies occurred and Department rules for the workforce centers appropriately aligned with any Security Policy changes. In addition, Department staff did not have a process in place to ensure its external IT service providers were complying with contract provisions to comply with Security Policy requirements. o Department staff stated they have not found cause to mandate IT service provider actions that are deemed privately owned business methodologies. However, and as noted above, the Department?s contract states that the external IT service provider must comply with OIT?s Security Policies that require specific security safeguards to be implemented by all IT service providers, including the Connecting Colorado external IT service provider. Why do these problems matter? The lack of established IT policies and procedures make it difficult for Department management to measure and hold staff accountable to management?s expectations, as well as ensuring risks are addressed and overall objectives and missions are fulfilled. In turn, without policies and procedures, staff may not perform processes and controls in a consistent manner. In addition, without holding vendors accountable and ensuring that strong security measures are designed, implemented, and operating effectively, the risk of unauthorized access increases and ultimately impacts data reliability of the data stored and processed within MyUI+ and Connecting Colorado. Lastly, without having a strong internal control framework in place, management cannot ensure that state and federal funds are being used appropriately, which may impact the Department?s compliance with federal grant requirements and/or the accuracy of the Department?s federal and financial reporting. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-072 The Department of Labor and Employment (Department) should improve its overall Information Technology (IT) governance and information security IT general controls, and work with its IT service providers, as applicable, for the MyUI+ and Connecting Colorado information systems by: A. Formalizing and communicating to Department staff and the Department?s IT service providers? IT policies that comply with the Business Owner requirements listed within the Governor?s Office of Information Technology?s (OIT) March 2022 Colorado Information Security Policies (Security Policies). As an option, the Department could formally adopt the October 2021 Security Policies, identify any gaps between the October 2021 and March 2022 versions, and then formalize and communicate policies that address the identified gaps. B. Formalizing and communicating IT procedures to provide guidance to Department staff and the Department?s IT service providers performing IT general control activities that further address the IT policies formalized in recommendation Part A. The formalization and communication should include an organizationally defined, periodic review process of OIT?s Security Policies to ensure the Department?s IT policies, procedures, and rules are updated accordingly to align with the most current version of the Security Policies. C. Formalizing a vendor management process that ensures the Department?s IT service providers are held accountable to contract provisions requiring compliance with Colorado Information Security Policies and IT policies and procedures formalized in recommendation Parts A and B. This should include a review of the Department?s current external IT service providers? contracts and a determination of whether amendments to those contracts are necessary, based on the formalization of recommendation Parts A and B. D. Implementing recommendation Part D as noted in the confidential finding. E. Implementing recommendation Part E as noted in the confidential finding. Response Department of Labor and Employment A. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. B. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. C. Agree Implementation Date: December 2023 CDLE agrees with the recommendation and as part of A and B recommendations of this document, the Department will include a requirement from vendors to affirm they have reviewed and will comply with OIT security policies for all new contracts. Furthermore, as the Department becomes aware of changes to OIT Security Policies through its annual review process, these will be communicated to the vendors, and they will be required to reaffirm their compliance with any applicable changes. We will work with our current vendors for MyUI+ and Connecting Colorado to address the compliance issues noted in the audit and ensure they are compliant with OIT Security Policies and IT policies developed in part A and B of this recommendation. If non-compliance is determined to be unavoidable, the Department will file for a security exception with OIT. D. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part D as noted in the confidential finding. E. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part E as noted in the confidential finding.
Finding 2022-071 Federal Funding Accountability and Transparency Act The Department is responsible for administering two programs as part of the Employment Service Cluster: Employment Service/Wagner Peyser Funded Activities (Wagner) [ALN 17.207], and Jobs for Veterans State Grant (JSVG) [ALN 17.801]. The main overall purpose of these programs is to improve the functioning of the nation's labor markets by bringing together individuals who are seeking employment and employers who are seeking workers. The Wagner program provides a variety of services to job seekers, including career services and job search assistances; in addition, employers can access the program to post job orders and obtain qualified applicants. The JSVG provides federal funding through a formula grant to State Workforce Agencies (SWAs), including the Department, to hire dedicated staff to provide individualized career and training-related service to veterans and eligible individuals with significant barriers to employment, and to assist employers in filling their workforce needs with job-seeking veterans. The Department administers the programs and also passes Employment Service Cluster funds through to Colorado counties so they can help provide these services to individuals. The Department is required to comply with the Federal Funding Accountability and Transparency Act of 2006 (Transparency Act or FFATA) for both programs within the Employment Service Cluster. The Transparency Act was created to empower Americans with the ability to hold the government accountable for each spending decision and, as a result, to reduce wasteful spending by the government. The Transparency Act requires the federal government to make certain information on federal awards available to the public. In accordance with the Transparency Act, the Department is required to report information about subgrants, or subawards, given to other governments or to nonprofit organizations, also referred to as subrecipients. Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the Department, to an entity to carry out part of a Federal grant award received by the pass-through entity. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? In Fiscal Year 2022, the Department made 11 subawards to 10 Colorado counties (subrecipients) for the Employment Service Cluster, $11.2 million in subawards to 10 counties for Wagner, and $45,116 in subawards to one county for JVSG, totaling $11.3 million. The Department is required to submit FFATA information through the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Once the Department submits a report to FSRS, the public can view information from the report, including the subrecipient?s name, subaward identification number, subaward obligation/action date, subaward amount, federal awarding agency and subagency, the Department?s name, and the Department?s grant award identification number. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the Department had adequate internal controls over and complied with FFATA reporting requirements for the Employment Service Cluster programs during Fiscal Year 2022. As part of our audit work, we requested the Department?s policies and procedures over FFATA reporting, the FFATA reports submitted by the Department in Fiscal Year 2022, and a list of all subawards made by the Department during Fiscal Year 2022. How were the results of the audit work measured? In accordance with federal regulations [2 CFR 170.330.l(a)], the Department is required to report subawards of $30,000 or more to FSRS by the end of the month following the month in which the award was made. For example, the Department would have to submit a FFATA report to FSRS in May 2022 if an award or supplemental award equal to or greater than $30,000 was made in April 2022. What problem did the audit work identify? Based on our audit work, we determined that the Department did not comply with FFATA reporting requirements for the Employment Cluster and did not report any subawards in FSRS for Fiscal Year 2022. Specifically, we determined that the Department did not report $11.21 million in subawards to 10 subrecipients (the counties) for Wagner, and $45,116 in subawards to one county for JVSG. The following tables summarize the results of our testing and groups each exception within the following categories: subaward not reported, report not timely, subaward amount incorrect, and subaward missing key elements. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Why did this problem occur? The Department was not aware of the FFATA reporting requirement because it did not review the federal grant agreements to determine that the requirement was applicable for the program. Why does this problem matter? By failing to properly report subawards to FSRS, the Department is out of compliance with federal reporting requirements and risks federal sanctions. In addition, it fails to meet the federal intent of transparency for federal program spending. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-071 The Department of Labor and Employment should implement appropriate internal controls and related processes, such as detailed reviews of federal grant agreements, over the Employment Service Cluster to ensure that it is aware of, and in compliance with all federal reporting requirements, including requirements under the Federal Funding Accountability and Transparency Act of 2006. Response Department of Labor and Employment Agree Implementation Date: February 2023 By the implementation date, the Department of Labor and Employment (CDLE) will complete a review of grant agreements for reporting requirements, including the Federal Funding Accountability and Transparency Act of 2006. By the implementation date, the CDLE will develop and implement appropriate controls and processes to come into compliance with the reporting requirements and submit FFATA reports for the 10 entities identified in the audit.
Finding 2022-072 MyUI+ and Connecting Colorado?Information Security Government Auditing Standards allow for information that is considered sensitive in nature, such as detailed information related to information technology system security, to be issued through a separate ?classified or limited use? report because of the potential damage that could be caused by the misuse of this information. We consider the specific technical details of this finding, along with the response, to be sensitive in nature and not appropriate for public disclosure. Therefore, the details of the following finding and response have been provided to the Department in a separate, confidential memorandum. The Department administers the federal Unemployment Insurance and Employment Service Cluster programs, and the Department relies on IT systems to aid with determining applicants? eligibility for the programs and to provide information necessary to meet federal reporting requirements. For these two programs, the associated systems are MyUI+ and Connecting Colorado. The Department is the business owner and works with the Governor?s Office of Information Technology (OIT) and two different external IT service providers. High level descriptions of the two systems are as follows: ? MyUI+ ? The Department?s system for UI eligibility determinations and calculation of UI payments to eligible recipients. According to Department staff, starting in Fiscal Year 2023, MyUI+ will also provide data necessary for federal reporting to the U.S. Department of Labor for the UI program that was previously generated by the Colorado Labor and Employment Accounting Resource system. ? Connecting Colorado ? The Department?s workforce case management, labor exchange, and federal reporting system that supports the Employment Service Cluster program. The system provides services for job seekers and businesses, as well as provides all required federal reporting to the U.S. Department of Labor, for the Employment Service Cluster programs. In order for the Department to achieve its objectives and respond to risks, including those related to the federal programs it administers, management should establish a strong framework of internal controls that also address information system controls. Specifically, information system controls typically start with management documenting IT policies that address IT general control responsibilities and procedures that document the more granular details on how to implement Department policies. These IT general control policies and procedures should include those policies and procedures that are specific to information security. Once policies and procedures have been formalized and communicated to staff responsible, specific internal control activities can be implemented and operationalized. What was the purpose of our audit work and what work was performed? The purpose of our Fiscal Year 2022 audit work was to determine whether the Department, OIT, and the Department?s two external IT service providers for MyUI+ and Connecting Colorado had policies and procedures related to information security, designed and implemented for MyUI+ and Connecting Colorado. Our audit work was performed through interviews conducted of Department and OIT staff. What problems did the audit work identify and how were the results of the audit work measured? During Fiscal Year 2022, we identified information security problems with the MyUI+ and Connecting Colorado systems. We have grouped these problems first by those common to the two systems and then those unique to each system. MyUI+ and Connecting Colorado Common Problems ? Policies and procedures were lacking. Department management had not established its expectations through the development and implementation of formalized policies and procedures related to information security general controls for MyUI+ and Connecting Colorado. o Standards for Internal Control in the Federal Government (Green Book) published by the U.S. Government Accountability Office (GAO) states in Paragraph 3.09, Documentation of Internal Control System, and 12.02, Documentation of Responsibilities through Policies, that management should develop and maintain documentation of its internal control system and document in policies the internal control responsibilities of the organization. Paragraph 11.06 and 11.07, Design Appropriate Types of Control Activities, states that management should design appropriate types of control activities in the entity?s information system, including information system general controls that facilitate the proper operation of the entity?s systems. o Colorado Information Security Policies (Security Policies or CISP) that are developed, published, and required to be followed by the Department and its external IT service providers state within the Policy and the General Responsibilities sections, specifically 8.3.1 and 8.3.2 for Business Owners or the Department, that all agencies, except for the institutions of higher education and the general assembly, as the business owner, must implement governance principles, which would include IT policies and procedures, for promoting data quality and integrity for its systems, as the business owner, and is responsible for following and adhering to all identified business owner requirements, as stated within the Security Policies. ? Vendor oversight was lacking. The Department had not ensured its IT service providers complied with Security Policies. o Security Policies state that IT service providers?defined as OIT and/or external service providers?must follow the Security Policy requirements, among certain other requirements, as communicated to the Department within the confidential finding. o Section C.iii. (Legal Authority ? Contractor Signatory, Information Technology Specific) of the Department?s contract with the Connecting Colorado IT service provider states: ??the contractor warrants that it will at all times comply with all Security Policies.? o Exhibit C, Section 1.C.vi. (Information Technology Provisions, Protection of System Data) of the Department?s contract with the MyUI+ IT service provider states: ??the contractor shall comply with all rules, policies, procedures, and standards issued by the Governor?s Office of Information Technology.? o The Green Book states in Paragraph OV4.01, Service Organizations, that management retains responsibility for the performance of processes assigned to service organizations. MyUI+ and Connecting Colorado Unique Problems We also found other problems with access management, unique to each MyUI+ and Connecting Colorado, that lacked compliance with Security Policies, OIT Cyber Policies, and the IRS?s, Publication 1075, Tax Information Security Guidelines for Federal, State, and Local Agencies, November 2021 Revision, and were communicated through the confidential finding. Why did these problems occur? Overall, the Department did not have sufficient IT governance and information security internal controls in place, including policies and procedures, to ensure that Department staff and its IT service providers complied with various data security compliance requirements set forth by OIT and the IRS, as well as those internal control principles established within the Green Book?s internal control framework. We discuss other specific causes for the problems we identified below: MyUI+ and Connecting Colorado ? Policies and procedures were lacking (MyUI+). Department staff stated that they followed and complied with the October 2021 dated Security Policies for the entire fiscal year, as these were more stringent than the March 2022 dated Security Policies. However, the Department did not provide documentation of a formal adoption of the October 2021 dated Security Policies. Staff also stated it maintains informal procedures of how to perform certain access management processes, but no standard operating procedures were in place. ? Policies and procedures were lacking (Connecting Colorado). Department staff had released a program guidance letter that addressed data security and access, but staff acknowledged that these program guidance letters are a guide and not official policy statements. In addition, the program guidance letter provided by Department staff was directed to the workforce centers that are located across the state that provide employment services to eligible beneficiaries and, therefore, did not provide any data security or access policies and procedures for state staff. ? Vendor oversight was lacking. We determined the Department did not have a vendor management process in place to hold its IT service providers accountable for contract provisions that required the IT service providers to comply with Security Policies, as demonstrated by the noncompliance issues we identified. In addition, and based on the March 2022 Security Policies, the Department has not determined whether contract amendments may be necessary with its two external IT service providers. ? Other Access Management Non-Compliance: o Department staff indicated that in one instance of non-compliance identified, a more efficient process was to not comply with the requirement. o Department staff stated that the certain access management non-compliance area was set up as it was during the COVID-19 pandemic to help prevent backlogs and issues for users during that time and was not subsequently changed. o Department staff did not update its rules for Connecting Colorado account management non-compliance area to reflect Security Policy changes. Specifically, we noted that OIT introduced the specific account management requirements in its Security Policies in February 2015, and those requirements remained constant through the March 2022 version; however, Department staff did not have a process in place to ensure periodic reviews of OIT?s Security Policies occurred and Department rules for the workforce centers appropriately aligned with any Security Policy changes. In addition, Department staff did not have a process in place to ensure its external IT service providers were complying with contract provisions to comply with Security Policy requirements. o Department staff stated they have not found cause to mandate IT service provider actions that are deemed privately owned business methodologies. However, and as noted above, the Department?s contract states that the external IT service provider must comply with OIT?s Security Policies that require specific security safeguards to be implemented by all IT service providers, including the Connecting Colorado external IT service provider. Why do these problems matter? The lack of established IT policies and procedures make it difficult for Department management to measure and hold staff accountable to management?s expectations, as well as ensuring risks are addressed and overall objectives and missions are fulfilled. In turn, without policies and procedures, staff may not perform processes and controls in a consistent manner. In addition, without holding vendors accountable and ensuring that strong security measures are designed, implemented, and operating effectively, the risk of unauthorized access increases and ultimately impacts data reliability of the data stored and processed within MyUI+ and Connecting Colorado. Lastly, without having a strong internal control framework in place, management cannot ensure that state and federal funds are being used appropriately, which may impact the Department?s compliance with federal grant requirements and/or the accuracy of the Department?s federal and financial reporting. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-072 The Department of Labor and Employment (Department) should improve its overall Information Technology (IT) governance and information security IT general controls, and work with its IT service providers, as applicable, for the MyUI+ and Connecting Colorado information systems by: A. Formalizing and communicating to Department staff and the Department?s IT service providers? IT policies that comply with the Business Owner requirements listed within the Governor?s Office of Information Technology?s (OIT) March 2022 Colorado Information Security Policies (Security Policies). As an option, the Department could formally adopt the October 2021 Security Policies, identify any gaps between the October 2021 and March 2022 versions, and then formalize and communicate policies that address the identified gaps. B. Formalizing and communicating IT procedures to provide guidance to Department staff and the Department?s IT service providers performing IT general control activities that further address the IT policies formalized in recommendation Part A. The formalization and communication should include an organizationally defined, periodic review process of OIT?s Security Policies to ensure the Department?s IT policies, procedures, and rules are updated accordingly to align with the most current version of the Security Policies. C. Formalizing a vendor management process that ensures the Department?s IT service providers are held accountable to contract provisions requiring compliance with Colorado Information Security Policies and IT policies and procedures formalized in recommendation Parts A and B. This should include a review of the Department?s current external IT service providers? contracts and a determination of whether amendments to those contracts are necessary, based on the formalization of recommendation Parts A and B. D. Implementing recommendation Part D as noted in the confidential finding. E. Implementing recommendation Part E as noted in the confidential finding. Response Department of Labor and Employment A. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. B. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. C. Agree Implementation Date: December 2023 CDLE agrees with the recommendation and as part of A and B recommendations of this document, the Department will include a requirement from vendors to affirm they have reviewed and will comply with OIT security policies for all new contracts. Furthermore, as the Department becomes aware of changes to OIT Security Policies through its annual review process, these will be communicated to the vendors, and they will be required to reaffirm their compliance with any applicable changes. We will work with our current vendors for MyUI+ and Connecting Colorado to address the compliance issues noted in the audit and ensure they are compliant with OIT Security Policies and IT policies developed in part A and B of this recommendation. If non-compliance is determined to be unavoidable, the Department will file for a security exception with OIT. D. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part D as noted in the confidential finding. E. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part E as noted in the confidential finding.
Finding 2022-071 Federal Funding Accountability and Transparency Act The Department is responsible for administering two programs as part of the Employment Service Cluster: Employment Service/Wagner Peyser Funded Activities (Wagner) [ALN 17.207], and Jobs for Veterans State Grant (JSVG) [ALN 17.801]. The main overall purpose of these programs is to improve the functioning of the nation's labor markets by bringing together individuals who are seeking employment and employers who are seeking workers. The Wagner program provides a variety of services to job seekers, including career services and job search assistances; in addition, employers can access the program to post job orders and obtain qualified applicants. The JSVG provides federal funding through a formula grant to State Workforce Agencies (SWAs), including the Department, to hire dedicated staff to provide individualized career and training-related service to veterans and eligible individuals with significant barriers to employment, and to assist employers in filling their workforce needs with job-seeking veterans. The Department administers the programs and also passes Employment Service Cluster funds through to Colorado counties so they can help provide these services to individuals. The Department is required to comply with the Federal Funding Accountability and Transparency Act of 2006 (Transparency Act or FFATA) for both programs within the Employment Service Cluster. The Transparency Act was created to empower Americans with the ability to hold the government accountable for each spending decision and, as a result, to reduce wasteful spending by the government. The Transparency Act requires the federal government to make certain information on federal awards available to the public. In accordance with the Transparency Act, the Department is required to report information about subgrants, or subawards, given to other governments or to nonprofit organizations, also referred to as subrecipients. Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the Department, to an entity to carry out part of a Federal grant award received by the pass-through entity. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? In Fiscal Year 2022, the Department made 11 subawards to 10 Colorado counties (subrecipients) for the Employment Service Cluster, $11.2 million in subawards to 10 counties for Wagner, and $45,116 in subawards to one county for JVSG, totaling $11.3 million. The Department is required to submit FFATA information through the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Once the Department submits a report to FSRS, the public can view information from the report, including the subrecipient?s name, subaward identification number, subaward obligation/action date, subaward amount, federal awarding agency and subagency, the Department?s name, and the Department?s grant award identification number. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the Department had adequate internal controls over and complied with FFATA reporting requirements for the Employment Service Cluster programs during Fiscal Year 2022. As part of our audit work, we requested the Department?s policies and procedures over FFATA reporting, the FFATA reports submitted by the Department in Fiscal Year 2022, and a list of all subawards made by the Department during Fiscal Year 2022. How were the results of the audit work measured? In accordance with federal regulations [2 CFR 170.330.l(a)], the Department is required to report subawards of $30,000 or more to FSRS by the end of the month following the month in which the award was made. For example, the Department would have to submit a FFATA report to FSRS in May 2022 if an award or supplemental award equal to or greater than $30,000 was made in April 2022. What problem did the audit work identify? Based on our audit work, we determined that the Department did not comply with FFATA reporting requirements for the Employment Cluster and did not report any subawards in FSRS for Fiscal Year 2022. Specifically, we determined that the Department did not report $11.21 million in subawards to 10 subrecipients (the counties) for Wagner, and $45,116 in subawards to one county for JVSG. The following tables summarize the results of our testing and groups each exception within the following categories: subaward not reported, report not timely, subaward amount incorrect, and subaward missing key elements. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Why did this problem occur? The Department was not aware of the FFATA reporting requirement because it did not review the federal grant agreements to determine that the requirement was applicable for the program. Why does this problem matter? By failing to properly report subawards to FSRS, the Department is out of compliance with federal reporting requirements and risks federal sanctions. In addition, it fails to meet the federal intent of transparency for federal program spending. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-071 The Department of Labor and Employment should implement appropriate internal controls and related processes, such as detailed reviews of federal grant agreements, over the Employment Service Cluster to ensure that it is aware of, and in compliance with all federal reporting requirements, including requirements under the Federal Funding Accountability and Transparency Act of 2006. Response Department of Labor and Employment Agree Implementation Date: February 2023 By the implementation date, the Department of Labor and Employment (CDLE) will complete a review of grant agreements for reporting requirements, including the Federal Funding Accountability and Transparency Act of 2006. By the implementation date, the CDLE will develop and implement appropriate controls and processes to come into compliance with the reporting requirements and submit FFATA reports for the 10 entities identified in the audit.
Finding 2022-072 MyUI+ and Connecting Colorado?Information Security Government Auditing Standards allow for information that is considered sensitive in nature, such as detailed information related to information technology system security, to be issued through a separate ?classified or limited use? report because of the potential damage that could be caused by the misuse of this information. We consider the specific technical details of this finding, along with the response, to be sensitive in nature and not appropriate for public disclosure. Therefore, the details of the following finding and response have been provided to the Department in a separate, confidential memorandum. The Department administers the federal Unemployment Insurance and Employment Service Cluster programs, and the Department relies on IT systems to aid with determining applicants? eligibility for the programs and to provide information necessary to meet federal reporting requirements. For these two programs, the associated systems are MyUI+ and Connecting Colorado. The Department is the business owner and works with the Governor?s Office of Information Technology (OIT) and two different external IT service providers. High level descriptions of the two systems are as follows: ? MyUI+ ? The Department?s system for UI eligibility determinations and calculation of UI payments to eligible recipients. According to Department staff, starting in Fiscal Year 2023, MyUI+ will also provide data necessary for federal reporting to the U.S. Department of Labor for the UI program that was previously generated by the Colorado Labor and Employment Accounting Resource system. ? Connecting Colorado ? The Department?s workforce case management, labor exchange, and federal reporting system that supports the Employment Service Cluster program. The system provides services for job seekers and businesses, as well as provides all required federal reporting to the U.S. Department of Labor, for the Employment Service Cluster programs. In order for the Department to achieve its objectives and respond to risks, including those related to the federal programs it administers, management should establish a strong framework of internal controls that also address information system controls. Specifically, information system controls typically start with management documenting IT policies that address IT general control responsibilities and procedures that document the more granular details on how to implement Department policies. These IT general control policies and procedures should include those policies and procedures that are specific to information security. Once policies and procedures have been formalized and communicated to staff responsible, specific internal control activities can be implemented and operationalized. What was the purpose of our audit work and what work was performed? The purpose of our Fiscal Year 2022 audit work was to determine whether the Department, OIT, and the Department?s two external IT service providers for MyUI+ and Connecting Colorado had policies and procedures related to information security, designed and implemented for MyUI+ and Connecting Colorado. Our audit work was performed through interviews conducted of Department and OIT staff. What problems did the audit work identify and how were the results of the audit work measured? During Fiscal Year 2022, we identified information security problems with the MyUI+ and Connecting Colorado systems. We have grouped these problems first by those common to the two systems and then those unique to each system. MyUI+ and Connecting Colorado Common Problems ? Policies and procedures were lacking. Department management had not established its expectations through the development and implementation of formalized policies and procedures related to information security general controls for MyUI+ and Connecting Colorado. o Standards for Internal Control in the Federal Government (Green Book) published by the U.S. Government Accountability Office (GAO) states in Paragraph 3.09, Documentation of Internal Control System, and 12.02, Documentation of Responsibilities through Policies, that management should develop and maintain documentation of its internal control system and document in policies the internal control responsibilities of the organization. Paragraph 11.06 and 11.07, Design Appropriate Types of Control Activities, states that management should design appropriate types of control activities in the entity?s information system, including information system general controls that facilitate the proper operation of the entity?s systems. o Colorado Information Security Policies (Security Policies or CISP) that are developed, published, and required to be followed by the Department and its external IT service providers state within the Policy and the General Responsibilities sections, specifically 8.3.1 and 8.3.2 for Business Owners or the Department, that all agencies, except for the institutions of higher education and the general assembly, as the business owner, must implement governance principles, which would include IT policies and procedures, for promoting data quality and integrity for its systems, as the business owner, and is responsible for following and adhering to all identified business owner requirements, as stated within the Security Policies. ? Vendor oversight was lacking. The Department had not ensured its IT service providers complied with Security Policies. o Security Policies state that IT service providers?defined as OIT and/or external service providers?must follow the Security Policy requirements, among certain other requirements, as communicated to the Department within the confidential finding. o Section C.iii. (Legal Authority ? Contractor Signatory, Information Technology Specific) of the Department?s contract with the Connecting Colorado IT service provider states: ??the contractor warrants that it will at all times comply with all Security Policies.? o Exhibit C, Section 1.C.vi. (Information Technology Provisions, Protection of System Data) of the Department?s contract with the MyUI+ IT service provider states: ??the contractor shall comply with all rules, policies, procedures, and standards issued by the Governor?s Office of Information Technology.? o The Green Book states in Paragraph OV4.01, Service Organizations, that management retains responsibility for the performance of processes assigned to service organizations. MyUI+ and Connecting Colorado Unique Problems We also found other problems with access management, unique to each MyUI+ and Connecting Colorado, that lacked compliance with Security Policies, OIT Cyber Policies, and the IRS?s, Publication 1075, Tax Information Security Guidelines for Federal, State, and Local Agencies, November 2021 Revision, and were communicated through the confidential finding. Why did these problems occur? Overall, the Department did not have sufficient IT governance and information security internal controls in place, including policies and procedures, to ensure that Department staff and its IT service providers complied with various data security compliance requirements set forth by OIT and the IRS, as well as those internal control principles established within the Green Book?s internal control framework. We discuss other specific causes for the problems we identified below: MyUI+ and Connecting Colorado ? Policies and procedures were lacking (MyUI+). Department staff stated that they followed and complied with the October 2021 dated Security Policies for the entire fiscal year, as these were more stringent than the March 2022 dated Security Policies. However, the Department did not provide documentation of a formal adoption of the October 2021 dated Security Policies. Staff also stated it maintains informal procedures of how to perform certain access management processes, but no standard operating procedures were in place. ? Policies and procedures were lacking (Connecting Colorado). Department staff had released a program guidance letter that addressed data security and access, but staff acknowledged that these program guidance letters are a guide and not official policy statements. In addition, the program guidance letter provided by Department staff was directed to the workforce centers that are located across the state that provide employment services to eligible beneficiaries and, therefore, did not provide any data security or access policies and procedures for state staff. ? Vendor oversight was lacking. We determined the Department did not have a vendor management process in place to hold its IT service providers accountable for contract provisions that required the IT service providers to comply with Security Policies, as demonstrated by the noncompliance issues we identified. In addition, and based on the March 2022 Security Policies, the Department has not determined whether contract amendments may be necessary with its two external IT service providers. ? Other Access Management Non-Compliance: o Department staff indicated that in one instance of non-compliance identified, a more efficient process was to not comply with the requirement. o Department staff stated that the certain access management non-compliance area was set up as it was during the COVID-19 pandemic to help prevent backlogs and issues for users during that time and was not subsequently changed. o Department staff did not update its rules for Connecting Colorado account management non-compliance area to reflect Security Policy changes. Specifically, we noted that OIT introduced the specific account management requirements in its Security Policies in February 2015, and those requirements remained constant through the March 2022 version; however, Department staff did not have a process in place to ensure periodic reviews of OIT?s Security Policies occurred and Department rules for the workforce centers appropriately aligned with any Security Policy changes. In addition, Department staff did not have a process in place to ensure its external IT service providers were complying with contract provisions to comply with Security Policy requirements. o Department staff stated they have not found cause to mandate IT service provider actions that are deemed privately owned business methodologies. However, and as noted above, the Department?s contract states that the external IT service provider must comply with OIT?s Security Policies that require specific security safeguards to be implemented by all IT service providers, including the Connecting Colorado external IT service provider. Why do these problems matter? The lack of established IT policies and procedures make it difficult for Department management to measure and hold staff accountable to management?s expectations, as well as ensuring risks are addressed and overall objectives and missions are fulfilled. In turn, without policies and procedures, staff may not perform processes and controls in a consistent manner. In addition, without holding vendors accountable and ensuring that strong security measures are designed, implemented, and operating effectively, the risk of unauthorized access increases and ultimately impacts data reliability of the data stored and processed within MyUI+ and Connecting Colorado. Lastly, without having a strong internal control framework in place, management cannot ensure that state and federal funds are being used appropriately, which may impact the Department?s compliance with federal grant requirements and/or the accuracy of the Department?s federal and financial reporting. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-072 The Department of Labor and Employment (Department) should improve its overall Information Technology (IT) governance and information security IT general controls, and work with its IT service providers, as applicable, for the MyUI+ and Connecting Colorado information systems by: A. Formalizing and communicating to Department staff and the Department?s IT service providers? IT policies that comply with the Business Owner requirements listed within the Governor?s Office of Information Technology?s (OIT) March 2022 Colorado Information Security Policies (Security Policies). As an option, the Department could formally adopt the October 2021 Security Policies, identify any gaps between the October 2021 and March 2022 versions, and then formalize and communicate policies that address the identified gaps. B. Formalizing and communicating IT procedures to provide guidance to Department staff and the Department?s IT service providers performing IT general control activities that further address the IT policies formalized in recommendation Part A. The formalization and communication should include an organizationally defined, periodic review process of OIT?s Security Policies to ensure the Department?s IT policies, procedures, and rules are updated accordingly to align with the most current version of the Security Policies. C. Formalizing a vendor management process that ensures the Department?s IT service providers are held accountable to contract provisions requiring compliance with Colorado Information Security Policies and IT policies and procedures formalized in recommendation Parts A and B. This should include a review of the Department?s current external IT service providers? contracts and a determination of whether amendments to those contracts are necessary, based on the formalization of recommendation Parts A and B. D. Implementing recommendation Part D as noted in the confidential finding. E. Implementing recommendation Part E as noted in the confidential finding. Response Department of Labor and Employment A. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. B. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. C. Agree Implementation Date: December 2023 CDLE agrees with the recommendation and as part of A and B recommendations of this document, the Department will include a requirement from vendors to affirm they have reviewed and will comply with OIT security policies for all new contracts. Furthermore, as the Department becomes aware of changes to OIT Security Policies through its annual review process, these will be communicated to the vendors, and they will be required to reaffirm their compliance with any applicable changes. We will work with our current vendors for MyUI+ and Connecting Colorado to address the compliance issues noted in the audit and ensure they are compliant with OIT Security Policies and IT policies developed in part A and B of this recommendation. If non-compliance is determined to be unavoidable, the Department will file for a security exception with OIT. D. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part D as noted in the confidential finding. E. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part E as noted in the confidential finding.
Finding 2022-071 Federal Funding Accountability and Transparency Act The Department is responsible for administering two programs as part of the Employment Service Cluster: Employment Service/Wagner Peyser Funded Activities (Wagner) [ALN 17.207], and Jobs for Veterans State Grant (JSVG) [ALN 17.801]. The main overall purpose of these programs is to improve the functioning of the nation's labor markets by bringing together individuals who are seeking employment and employers who are seeking workers. The Wagner program provides a variety of services to job seekers, including career services and job search assistances; in addition, employers can access the program to post job orders and obtain qualified applicants. The JSVG provides federal funding through a formula grant to State Workforce Agencies (SWAs), including the Department, to hire dedicated staff to provide individualized career and training-related service to veterans and eligible individuals with significant barriers to employment, and to assist employers in filling their workforce needs with job-seeking veterans. The Department administers the programs and also passes Employment Service Cluster funds through to Colorado counties so they can help provide these services to individuals. The Department is required to comply with the Federal Funding Accountability and Transparency Act of 2006 (Transparency Act or FFATA) for both programs within the Employment Service Cluster. The Transparency Act was created to empower Americans with the ability to hold the government accountable for each spending decision and, as a result, to reduce wasteful spending by the government. The Transparency Act requires the federal government to make certain information on federal awards available to the public. In accordance with the Transparency Act, the Department is required to report information about subgrants, or subawards, given to other governments or to nonprofit organizations, also referred to as subrecipients. Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the Department, to an entity to carry out part of a Federal grant award received by the pass-through entity. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? In Fiscal Year 2022, the Department made 11 subawards to 10 Colorado counties (subrecipients) for the Employment Service Cluster, $11.2 million in subawards to 10 counties for Wagner, and $45,116 in subawards to one county for JVSG, totaling $11.3 million. The Department is required to submit FFATA information through the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Once the Department submits a report to FSRS, the public can view information from the report, including the subrecipient?s name, subaward identification number, subaward obligation/action date, subaward amount, federal awarding agency and subagency, the Department?s name, and the Department?s grant award identification number. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the Department had adequate internal controls over and complied with FFATA reporting requirements for the Employment Service Cluster programs during Fiscal Year 2022. As part of our audit work, we requested the Department?s policies and procedures over FFATA reporting, the FFATA reports submitted by the Department in Fiscal Year 2022, and a list of all subawards made by the Department during Fiscal Year 2022. How were the results of the audit work measured? In accordance with federal regulations [2 CFR 170.330.l(a)], the Department is required to report subawards of $30,000 or more to FSRS by the end of the month following the month in which the award was made. For example, the Department would have to submit a FFATA report to FSRS in May 2022 if an award or supplemental award equal to or greater than $30,000 was made in April 2022. What problem did the audit work identify? Based on our audit work, we determined that the Department did not comply with FFATA reporting requirements for the Employment Cluster and did not report any subawards in FSRS for Fiscal Year 2022. Specifically, we determined that the Department did not report $11.21 million in subawards to 10 subrecipients (the counties) for Wagner, and $45,116 in subawards to one county for JVSG. The following tables summarize the results of our testing and groups each exception within the following categories: subaward not reported, report not timely, subaward amount incorrect, and subaward missing key elements. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Why did this problem occur? The Department was not aware of the FFATA reporting requirement because it did not review the federal grant agreements to determine that the requirement was applicable for the program. Why does this problem matter? By failing to properly report subawards to FSRS, the Department is out of compliance with federal reporting requirements and risks federal sanctions. In addition, it fails to meet the federal intent of transparency for federal program spending. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-071 The Department of Labor and Employment should implement appropriate internal controls and related processes, such as detailed reviews of federal grant agreements, over the Employment Service Cluster to ensure that it is aware of, and in compliance with all federal reporting requirements, including requirements under the Federal Funding Accountability and Transparency Act of 2006. Response Department of Labor and Employment Agree Implementation Date: February 2023 By the implementation date, the Department of Labor and Employment (CDLE) will complete a review of grant agreements for reporting requirements, including the Federal Funding Accountability and Transparency Act of 2006. By the implementation date, the CDLE will develop and implement appropriate controls and processes to come into compliance with the reporting requirements and submit FFATA reports for the 10 entities identified in the audit.
Finding 2022-070 Unemployment Insurance Program Integrity Fraud Holds The Department?s UI Division is responsible for the administration and monitoring of Colorado?s UI programs, including the collection of unemployment premiums from employers, the payment of UI benefits to claimants, and the performance of audits and investigations of premiums and benefits to ensure they are properly paid. Employer-paid premiums are the primary source of funding for UI benefits. When an individual applies for UI benefits, they are called a claimant, and the application is called a claim. Each claimant creates an account in MyUI+, the Department?s unemployment benefit system, in order to apply for unemployment benefits. The Department reviews, or adjudicates, claims to ensure that claimants are eligible and entitled to receive UI benefits. As part of the adjudication process, wage checks for claimants are compared to employer reported wages submitted to the Department on a quarterly basis and the Department sends a notification to all employers that the claimant worked for within the last 18 months to determine the validity and reason for the claimant leaving the workplace. In addition, Department staff indicate that, on a weekly basis, they perform reviews to identify potential issues with a claimant?s ability and availability to work, and to determine whether the claimant is accurately reporting earned income. If information provided by an interested party, such as a former employer, relating to the reason for leaving the workforce does not agree to the claimant information, the Department follows up on the information and issues eligibility determinations, as appropriate. In Fiscal Year 2022, the Department paid $1.1 billion in UI benefits. The Department has processes and systems to detect and prevent identity theft related to UI benefits. For example, when the Department identifies a claim with characteristics that are indicators of fraud, it places a fraud hold (also known as a program integrity hold) on the claimant?s UI claim, which holds the claim for investigation and which prevents any future benefit payments to the claimant until the fraud hold is removed and eligibility is determined. For each fraud hold, the Department has to determine if the identity of the individual filing the claim matches the personally identifiable information used on the claim. Once that is verified, the Department then must verify that the individual did not make any false statements in order to establish program eligibility. The steps that the Department takes to resolve a fraud hold differ depending on the characteristics of the claim that caused the Department to question its legitimacy. If Department staff determine that the fraud hold was not legitimate, the Department clears the hold in MyUI+ and then proceeds with determining if the individual is eligible to receive UI benefits. The Department uses an automated system, called ID.me, as part of its identity verification process. ID.me is a federally-certified identity provider that assists the Department in verifying claimants? identity. In some instances, MyUI+ will clear the fraud hold if the claimant passes ID.me and the claim does not need further investigation. In other cases, the Department performs an investigation to determine if the fraud hold is legitimate, or if the hold was placed in error. According to the information in MyUI+, the Department cleared 54,047 fraud holds during Fiscal Year 2022 ? 44,936 were cleared through the ID.me process, and 9,111 were cleared by the Department. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department had adequate internal controls in place over fraud holds during Fiscal Year 2022, including whether only appropriate, authorized individuals cleared the fraud hold from MyUI+, and if the Department had adequate segregation of duties between staff investigating a fraud hold, and staff releasing the hold in MyUI+. As part of our audit work, we requested the Department?s policies and procedures for their investigation process and documentation used to support the Department?s investigations that resulted in clearing a fraud hold, and inquired how the Department determined who is authorized to release fraud holds from MyUI+. The Department?s documentation included case reports for the investigations and log notes from Salesforce, the Department?s software that is primarily used as a workflow management tool and documentation repository for UI claims requiring an investigation. We selected a sample of 60 of the 9,111 fraud holds that were cleared by the Department during Fiscal Year 2022 to determine if the Department performed an investigation prior to releasing the fraud hold in MyUI+. In addition, as part of our testing of the sample, we determined that 20 different Department staff cleared the 60 fraud holds in MyUI+; we performed testing to determine if those staff were authorized to clear the holds in MyUI+. How were the results of the audit work measured? We measured the results of our audit against the following: Section 7511, Part V, of the Employment Security Manual (ESM) requires state UI laws to include provisions for such methods of administration as are, within reason, calculated (1) to detect benefits paid through error by the state UI agency or through willful misrepresentation or error by the claimant or others, (2) to deter claimants from obtaining benefits through willful misrepresentation, and (3) to recover benefits overpaid under certain circumstances. These required functions are accomplished through designated staff responsible for promoting and maintaining the integrity of the UI program through prevention, detection, investigations, establishment, and recovery of overpayments. Designated staff also prepare cases for prosecution. The Department?s UI Investigation Procedures state that if Department staff determine that a fraud hold that they are investigating can be released in MyUI+, Department staff should write an event log note in Salesforce. Information security is the practice of protecting information by mitigating information risk. ISO 27001 Standard for Information Security Management Systems is the international standard for information security, and its best practice approach helps organizations manage their information security by addressing people, processes, and technology. User-access management has the following objectives: ? Ensure authorized user access ? Prevent unauthorized access to information systems Expanding on the objectives from ISO 27001, a broad set of business-level objectives for user-access management can be defined as follows: ? Allow only authorized users to have access to information and resources ? Restrict access to the least privileges required by these authorized users to fulfill their business role The federal Social Security Act [Section 303(a)(1), SSA], contains a merit-based system requirement for the UI program. Specifically, this section requires that, as a condition of receiving federal UI administrative grants, states must have laws that include ?provision for such methods of administration? that includes a merit system. A merit system is defined as the process of promoting and hiring government employees based on their ability to perform a job, rather than on their political connections. As part of this requirement, any position which involves the determination of whether or not a UI claimant will be paid, or which involves determining an employer's liability for contributions, must be ?merit staffed.? According to federal regulations [5 CFR 900.603, Standards For a Merit System of Personnel Administration], ?The quality of public service can be improved by the development of systems of personnel administration consistent with such merit principles as - (a) Recruiting, selecting, and advancing employees on the basis of their relative ability, knowledge, and skills, including open consideration of qualified applicants for initial appointment. (b) Providing equitable and adequate compensation. (c) Training employees, as needed, to assure high quality performance. (d) Retaining employees on the basis of the adequacy of their performance, correcting inadequate performance, and separating employees whose inadequate performance cannot be corrected?? The U. S. Department of Labor Unemployment Insurance Program Letter (UIPL) No. 12-01, states that only those employees considered as merit-staff can determine whether to pay or deny payment to a claim. Additionally, UIPL No. 12-01 Change 2 states that, ?Determinations of overpayments or fraud must be made by merit-staffed employees.? The Department?s SPP 1053 Code of Conduct, Ethics and Values Policy, Attachment A: Unemployment Insurance Ethics Policy states that employees are not permitted to do the following: ? Investigate or attempt to investigate suspected fraud unless it is within their assigned duties. ? Backdate a claim, transfer claim status retroactively (UI to UCFE, UCX to TRA, etc.), alter information provided by a claimant or employer, or change or defer a UI document due date without valid documentation or approval of the appropriate branch chief or UI Director. According to federal regulation [45 CFR 75.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office. Under Paragraph 10.01 of the Green Book, the Department should design control activities to achieve objectives and respond to risks. Segregation of duties contribute to the design, implementation, and operating effectiveness of control activities. Under Paragraph 10.03 of the Green Book, the Department should divide or segregate key duties and responsibilities among different people to reduce the risk of error, misuse, or fraud. This includes separating the responsibilities for authorizing transactions, processing and recording them, reviewing the transactions, and handling any related assets so that no one individual controls all key aspects of a transaction or event. What problems did the audit work identify? The Department did not comply with federal regulations or its own policies and procedures related to the clearing of fraud holds during Fiscal Year 2022. Specifically, we identified issues with 32 of the 60 (53 percent) fraud holds we tested, as follows: ? The Department cleared 12 of the 60 fraud holds tested (20 percent) without performing an investigation or providing evidence of the reasoning used to clear the hold. Specifically, when we asked for investigation documentation for the 12 fraud holds, the Department indicated these were cleared without an investigation, and there were no related log notes in Salesforce, as required. ? For 20 of the 48 cases in our sample (42 percent) for which the Department did conduct an investigation, it did not segregate the duty of investigating the fraud hold and clearing the fraud hold from MyUI+. Specifically, in these cases, only one person conducted the investigation, concluded on the investigation, and cleared the fraud hold in MyUI+. ? One of the 20 Department staff who cleared a portion (5 percent) of the 60 fraud holds we sampled was not authorized to clear fraud holds from MyUI+ because the individual was not considered to be merit-staffed. Further, this unauthorized individual cleared 11 of 12 fraud holds we identified above that did not have an investigation, as required. We also found that this individual cleared an additional 55 fraud holds outside of our sample during Fiscal Year 2022. Why did these problems occur? The Department did not have sufficient internal controls in place, including appropriate policies and procedures, to ensure it enforced compliance with federal and Department-level requirements regarding the clearing of UI fraud holds during Fiscal Year 2022, as follows: ? The Department did not ensure that all fraud hold claims cleared in MyUI+ had a related log note in Salesforce that explained the rationale for clearing the hold, or that there was an investigation performed over the fraud hold prior to it being cleared in MyUI+. Specifically, in 11 of the 12 instances, the Department?s controls failed to prevent non-merit staff from using their MyUI+ access inappropriately, and in the other instance, Department controls failed to ensure the UI claim was reviewed by the UI section that reviews fraud holds rather than the UI section that resolves non-fraud UI claims. The Department provided full, rather than read-only access to the non-merit, Executive Director?s Office?s staff member noted in our finding. UI management indicated that they gave the individual full access to MyUI+ during the height of the pandemic with the assumption that the individual would use such access in a read-only manner solely to review claim information for inquiries coming through the Executive Director's Office. According to UI Division leadership, after they identified that the individual had full access during Fiscal Year 2022, they changed the individual?s access to read-only in January 2022. ? The Department lacked policies regarding management override of controls related to the clearing of fraud holds, in order to prevent or appropriately manage those responsibilities. UI staff indicated that in some cases, the non-merit, Executive Director?s Office?s staff member noted in our finding would reach out to other staff within the UI Division to help escalate the MyUI+ fraud hold clearing process. In some of these instances, because of the position of the individual within the Executive Director?s Office, UI staff circumvented the normal escalation process and aided the individual with clearing the fraud hold. ? The Department?s current policies and procedures do not require segregation of duties between those staff who investigate a fraud hold, and those staff who remove the fraud hold in MyUI+. Why do these problems matter? Improper segregation of duties, including the separation of responsibilities for both investigating and clearing potential fraud holds, leaves the UI program vulnerable to fraudulent activity. Specifically, fraud risk increases if there is no segregation between the investigation and the actual clearing of the fraud hold from MyUI+ and, as a result, the same staff could inappropriately clear holds and initiate UI payments. Further, a lack of strong checks and balances within the UI program could erode the integrity of the program at large, ultimately negatively impacting public trust. Strong internal controls related to UI fraud are especially important given the large amount of funds that are paid by the Department for UI claims each year and the significant amount of fraudulent claims that are paid by the Department. For example, the Department recorded an estimated receivable for amounts due back to the Department of $45 million for fraudulently-obtained UI claims at June 30, 2022. Without strengthening its controls over UI claims and fraud holds, there is a risk that a significant amount of UI funds could continue to be paid out each year for fraudulently obtained UI claims. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-070 The Department of Labor and Employment (Department) should strengthen its internal controls over Unemployment Insurance (UI) program integrity holds by: A. Ensuring all fraud holds are properly investigated and documented with a log note in Salesforce that explains the rationale for releasing the claim, prior to releasing the claim in MyUI+. B. Adequately reviewing claims for a fraud indicator to ensure the hold is sent to the appropriate UI section for resolution. C. Ensuring Department staff are given the appropriate access in MyUI+ to prevent individuals from clearing fraud holds inappropriately and periodically monitoring access to ensure access levels remain appropriate. D. Instituting policies and procedures over management override of internal controls related to UI claims and providing staff training on those policies and procedures. This should include ensuring that UI staff are aware of the importance of following all procedures related to fraud holds and that any inappropriate requests or pressures are communicated through the appropriate channels. E. Updating its current policies and procedures to require segregation of duties between the investigation of a fraud hold and the release of a fraud hold in MyUI+ to ensure more than one person is involved in the fraud hold process from beginning to end. Response Department of Labor and Employment A. Agree Implementation Date: July 2024 The Department agrees with this finding. The Department is moving all adjudication and investigation of program integrity holds into the MyUI+ system, so there will be one system of record. The Department will ensure that all program integrity holds have all documentation through adjudication and investigation, including log notes. The Department anticipates this to be fully implemented by July 2024. B. Agree Implementation Date: July 2024 The Department agrees with this finding. The department has modified processes to ensure all holds are only routed to the appropriate team to be adjudicated. In addition the Department is working to have all claims identified as fraud delivered in a workflow process in MyUI+ rather than the various processes in place now. Further the department is working with our MyUI+ system experts to implement new technology to strengthen and streamline the fraud indicator escalation process and systems within MyUI+. In working with our MyUI+ system experts, the Department anticipates this to be fully implemented by July 2024. C. Agree Implementation Date: July 2024 The Department agrees with this finding. The Department will continue strengthening security in this area and internal procedures to periodically monitor the potential for internal fraud activities. Additionally, the Department will periodically monitor and review My UI+ access levels for appropriateness. In consultation with our MyUI+ systems experts, the Department anticipates this finding to be fully implemented by July 2024. D. Agree Implementation Date: July 2023 The Department agrees with this finding. The Department will reinforce and strengthen the ethics policies in yearly communication to staff and tighten escalation policies to ensure pressures and inappropriate requests are handled in accordance with guidelines. The Department anticipates this will be completed by July 2023. E. Disagree When a PI hold is identified as being highly suspicious for criminally fraudulent activity, it is routed to a specialized unit for review, thereby leaving the standard adjudication process. This is handled by passing the review to the UI Investigations and/or Criminal Enforcement (ICE) unit. The investigator performs their investigation and if no actual fraudulent activity is found they will release the hold. The UI Division also performs several quality control reviews of claims and claim decisions via Benefits Payment Control (BPC), Benefits Accuracy Measurements (BAM), Benefits Timeliness and Quality (BTQ), and internal Quality Assurance (QA) reviews. Claims are reviewed for such criteria as adequate support documentation, benefit payment accuracy, timely processing, and correct claim decision determination on all program integrity holds. The Green Book states in Section 10.14, ? If segregation of duties is not practical within an operational process because of limited personnel or other factors, management designs alternative control activities to address the risk of fraud, waste, or abuse in the operational process.? CDLE believes the reviews represent adequate and sufficient compensating controls for the need for segregation of duties on fraud holds. Changing the current process would hinder our ability to deliver UI benefit services timely to our customers and would put us in jeopardy of fulfilling our federal and state payment timeliness requirements. Auditor?s Addendum Segregating the duties between investigating and releasing a fraud hold in MyUI+ reduces the risk of an employee inappropriately and potentially fraudulently clearing the hold without conducting a proper investigation. The issues identified in our audit indicate that the Department?s current compensating controls did not identify that a current employee released fraud holds without a proper investigation. The Department should consider updating its procedures and processes to segregate these duties to reduce the risk of this occurring in the future.
The following finding and recommendation relating to an internal control deficiency classified as a Significant Deficiency was communicated to the Department of Labor and Employment (Department) in the previous year and has not been remediated as of June 30, 2022 because the original implementation date provided by the Department was in a subsequent fiscal year. This complete finding and recommendation can be found within the original report and the complete recommendation can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table Finding 2021-063 Unemployment Insurance?Federal Reporting The Department?s Accounting Section is responsible for completing the following two federal financial reports for the UI program and ensuring the reports are accurate, complete, and submitted to the federal government by the required deadline. The Accounting Section uses bank statements and reports from the Colorado Operations Resource Engine (CORE), the State?s accounting system, to create a workbook with the information and uses that workbook to complete the reports. ? ETA 9130, Financial Status Report, UI Programs. This is a quarterly report used to report the Department?s UI program and administrative expenditures. Financial data is required to be reported cumulatively from grant inception through the end of the reporting period. ? ETA 2112, UI Financial Transaction Summary. This is a monthly report that is a summary of the UI program?s transactions, which account for all funds received in, passed through, or paid out of the state employment fund during the applicable month. The UI division is responsible for completing the following federal report for the UI program and ensuring the report is accurate, complete, and submitted to the federal government by the required timeline. The UI division uses data pulled from MyUI+, the UI claims and benefits system, to generate two reports to fill out the ETA 191 report, described as follows. ? ETA 191, Financial Status of UCFE/UCX. This is a quarterly report on the State?s unemployment compensation expenditures paid by the Department to former federal employees (UCFE) and ex-service members (UCX) who have filed with the Department for unemployment benefits, and total amount of benefits paid to claimants of specific federal agencies. The federal government uses this report to request reimbursement of UCFE and UCX benefit payments from federal and military agencies. The federal government reimburses the Department for these benefit payments. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the Department had adequate internal controls in place over and complied with federal reporting requirements for the UI program during Fiscal Year 2021. As part of our audit work, we gained an understanding of the Department?s procedures that were in place to prepare the federal reports. In addition, we reviewed four ETA 2112 reports and two ETA 191 reports submitted to the federal government for Fiscal Year 2021 to ensure they were accurate, complete, and submitted by the required deadline. We also requested the Department?s policies and procedures for completing the reports, as well as the Department?s supporting documentation for the reports. How were the results of the audit work measured? We measured the results of our audit against the following: In accordance with Uniform Guidance [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and terms and conditions of the federal award. In accordance with the OSC?s policy Internal Control System, state agencies shall use the Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office, as its framework for its system of internal control. Green Book, Paragraph OV4.08, Documentation Requirements, states that documentation is required for the effective design, implementation, and operating effectiveness of an entity?s internal control system. Green Book Paragraph 12.02, Documentation of Responsibilities through Policies, specifically indicates that management should document in their policies the internal control responsibilities of the organization. The U.S. Department of Labor Unemployment Insurance Handbook 401 (Handbook) states that the ETA 2112 is due the first day of the second month following the month that the data in the report represents. In addition, the Handbook states that the ETA 191 is due by the 25th of the month following the close of the quarter. What problems did the audit work identify? We identified issues with 2 of the 4 (50 percent) ETA 2112 reports we tested, and 1 of the 2 (50 percent) ETA 191 reports we tested. Specifically, we identified the following: ETA 2112. We identified four issues with the September 2020 report, as follows: ? The Department could not provide support for $50.6 million reported as federal tax withholding on the report. ? The Department could not provide documentation related to the FPUC deposits and disbursements reported on the report. Specifically, the Department reported FPUC deposits as $27.0 million and FPUC Disbursements as $28.4 million. Because the Department could not provide documentation, we could not determine the correct amounts that should have been reported. ? The Department overstated the deposit amount for the intra-account transfer line by $240.2 million. Specifically, the Department reported that the amount deposited during the month for the intra-account transfers was $378.1 million, but the supporting documentation we reviewed showed the deposits totaled $137.9 million. ? The Department submitted the report on November 5, 2020, or 3 days after the deadline of November 2, 2020. In the February 2021 report, we identified that the Department understated reimbursement benefits from nonprofits by $540,000, reimbursements from local governments by $1.1 million; and reimbursements from state government by $204,700. Finally, based on discussion with the Department, it does not protect the formulas in its ETA 2112 workbooks it uses to prepare the reports in order to prevent intentional or inadvertent changes to calculations. ETA 191. We identified two issues with the ETA 191 report for the quarter ended March 2021 report. First, the Department failed to appropriately correct a federal Department of Labor-identified error from the previous quarter for expenditures for military agencies. Specifically, the Department incorrectly adjusted the $1,089,761, by $2,100, which was an under correction of the error of $2,120. Second, the Department submitted the report on May 14, 2021, nearly a month after the April 16, 2021, deadline. Why did these problems occur? The Department did not have sufficient internal controls in place to ensure that the federal reports and associated documentation were accurate and complete during Fiscal Year 2021. Specifically, the Department does not have formal, documented policies for completing the reports or a requirement that the workbooks are protected. Although the Department has a procedure document that provides instructions on how to complete the federal reports, the procedures do not include a requirement for a supervisory review of these reports prior to submitting them to the federal government. Some of the errors we identified were due to the wrong information being input into the reports, which a review could have caught and corrected prior to the Department submitting the report to the federal government. Why do these problems matter? Strong internal controls over federal reporting, including formal, documented policies, protection of formulas in the workbooks used to prepare the reports to prevent intentional or inadvertent changes to calculations, and adequate supervisory review, are necessary to ensure that the Department is in compliance with federal reporting requirements. Errors in the federal reports could cause the users of these reports to rely on incorrect information. This could have a negative impact on the Department?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-063 The Department of Labor and Employment should strengthen its internal controls over federal reporting by developing, formally documenting, and implementing policies for completing its federal reports for the Unemployment Insurance program. These policies should require the workbooks used to prepare the reports to be protected and that a supervisory review occurs prior to submitting the reports to the federal government. Response Department of Labor and Employment Agree Implementation Date: March 2023 CDLE will continue to develop, formally document, and implement policies for completing its federal reports for the Unemployment Insurance program. These policies will require the workbooks used to prepare the reports to be protected, for the data to be substantiated, and will require supervisory review on a monthly basis prior to submitting the reports to the federal government.
Finding 2022-072 MyUI+ and Connecting Colorado?Information Security Government Auditing Standards allow for information that is considered sensitive in nature, such as detailed information related to information technology system security, to be issued through a separate ?classified or limited use? report because of the potential damage that could be caused by the misuse of this information. We consider the specific technical details of this finding, along with the response, to be sensitive in nature and not appropriate for public disclosure. Therefore, the details of the following finding and response have been provided to the Department in a separate, confidential memorandum. The Department administers the federal Unemployment Insurance and Employment Service Cluster programs, and the Department relies on IT systems to aid with determining applicants? eligibility for the programs and to provide information necessary to meet federal reporting requirements. For these two programs, the associated systems are MyUI+ and Connecting Colorado. The Department is the business owner and works with the Governor?s Office of Information Technology (OIT) and two different external IT service providers. High level descriptions of the two systems are as follows: ? MyUI+ ? The Department?s system for UI eligibility determinations and calculation of UI payments to eligible recipients. According to Department staff, starting in Fiscal Year 2023, MyUI+ will also provide data necessary for federal reporting to the U.S. Department of Labor for the UI program that was previously generated by the Colorado Labor and Employment Accounting Resource system. ? Connecting Colorado ? The Department?s workforce case management, labor exchange, and federal reporting system that supports the Employment Service Cluster program. The system provides services for job seekers and businesses, as well as provides all required federal reporting to the U.S. Department of Labor, for the Employment Service Cluster programs. In order for the Department to achieve its objectives and respond to risks, including those related to the federal programs it administers, management should establish a strong framework of internal controls that also address information system controls. Specifically, information system controls typically start with management documenting IT policies that address IT general control responsibilities and procedures that document the more granular details on how to implement Department policies. These IT general control policies and procedures should include those policies and procedures that are specific to information security. Once policies and procedures have been formalized and communicated to staff responsible, specific internal control activities can be implemented and operationalized. What was the purpose of our audit work and what work was performed? The purpose of our Fiscal Year 2022 audit work was to determine whether the Department, OIT, and the Department?s two external IT service providers for MyUI+ and Connecting Colorado had policies and procedures related to information security, designed and implemented for MyUI+ and Connecting Colorado. Our audit work was performed through interviews conducted of Department and OIT staff. What problems did the audit work identify and how were the results of the audit work measured? During Fiscal Year 2022, we identified information security problems with the MyUI+ and Connecting Colorado systems. We have grouped these problems first by those common to the two systems and then those unique to each system. MyUI+ and Connecting Colorado Common Problems ? Policies and procedures were lacking. Department management had not established its expectations through the development and implementation of formalized policies and procedures related to information security general controls for MyUI+ and Connecting Colorado. o Standards for Internal Control in the Federal Government (Green Book) published by the U.S. Government Accountability Office (GAO) states in Paragraph 3.09, Documentation of Internal Control System, and 12.02, Documentation of Responsibilities through Policies, that management should develop and maintain documentation of its internal control system and document in policies the internal control responsibilities of the organization. Paragraph 11.06 and 11.07, Design Appropriate Types of Control Activities, states that management should design appropriate types of control activities in the entity?s information system, including information system general controls that facilitate the proper operation of the entity?s systems. o Colorado Information Security Policies (Security Policies or CISP) that are developed, published, and required to be followed by the Department and its external IT service providers state within the Policy and the General Responsibilities sections, specifically 8.3.1 and 8.3.2 for Business Owners or the Department, that all agencies, except for the institutions of higher education and the general assembly, as the business owner, must implement governance principles, which would include IT policies and procedures, for promoting data quality and integrity for its systems, as the business owner, and is responsible for following and adhering to all identified business owner requirements, as stated within the Security Policies. ? Vendor oversight was lacking. The Department had not ensured its IT service providers complied with Security Policies. o Security Policies state that IT service providers?defined as OIT and/or external service providers?must follow the Security Policy requirements, among certain other requirements, as communicated to the Department within the confidential finding. o Section C.iii. (Legal Authority ? Contractor Signatory, Information Technology Specific) of the Department?s contract with the Connecting Colorado IT service provider states: ??the contractor warrants that it will at all times comply with all Security Policies.? o Exhibit C, Section 1.C.vi. (Information Technology Provisions, Protection of System Data) of the Department?s contract with the MyUI+ IT service provider states: ??the contractor shall comply with all rules, policies, procedures, and standards issued by the Governor?s Office of Information Technology.? o The Green Book states in Paragraph OV4.01, Service Organizations, that management retains responsibility for the performance of processes assigned to service organizations. MyUI+ and Connecting Colorado Unique Problems We also found other problems with access management, unique to each MyUI+ and Connecting Colorado, that lacked compliance with Security Policies, OIT Cyber Policies, and the IRS?s, Publication 1075, Tax Information Security Guidelines for Federal, State, and Local Agencies, November 2021 Revision, and were communicated through the confidential finding. Why did these problems occur? Overall, the Department did not have sufficient IT governance and information security internal controls in place, including policies and procedures, to ensure that Department staff and its IT service providers complied with various data security compliance requirements set forth by OIT and the IRS, as well as those internal control principles established within the Green Book?s internal control framework. We discuss other specific causes for the problems we identified below: MyUI+ and Connecting Colorado ? Policies and procedures were lacking (MyUI+). Department staff stated that they followed and complied with the October 2021 dated Security Policies for the entire fiscal year, as these were more stringent than the March 2022 dated Security Policies. However, the Department did not provide documentation of a formal adoption of the October 2021 dated Security Policies. Staff also stated it maintains informal procedures of how to perform certain access management processes, but no standard operating procedures were in place. ? Policies and procedures were lacking (Connecting Colorado). Department staff had released a program guidance letter that addressed data security and access, but staff acknowledged that these program guidance letters are a guide and not official policy statements. In addition, the program guidance letter provided by Department staff was directed to the workforce centers that are located across the state that provide employment services to eligible beneficiaries and, therefore, did not provide any data security or access policies and procedures for state staff. ? Vendor oversight was lacking. We determined the Department did not have a vendor management process in place to hold its IT service providers accountable for contract provisions that required the IT service providers to comply with Security Policies, as demonstrated by the noncompliance issues we identified. In addition, and based on the March 2022 Security Policies, the Department has not determined whether contract amendments may be necessary with its two external IT service providers. ? Other Access Management Non-Compliance: o Department staff indicated that in one instance of non-compliance identified, a more efficient process was to not comply with the requirement. o Department staff stated that the certain access management non-compliance area was set up as it was during the COVID-19 pandemic to help prevent backlogs and issues for users during that time and was not subsequently changed. o Department staff did not update its rules for Connecting Colorado account management non-compliance area to reflect Security Policy changes. Specifically, we noted that OIT introduced the specific account management requirements in its Security Policies in February 2015, and those requirements remained constant through the March 2022 version; however, Department staff did not have a process in place to ensure periodic reviews of OIT?s Security Policies occurred and Department rules for the workforce centers appropriately aligned with any Security Policy changes. In addition, Department staff did not have a process in place to ensure its external IT service providers were complying with contract provisions to comply with Security Policy requirements. o Department staff stated they have not found cause to mandate IT service provider actions that are deemed privately owned business methodologies. However, and as noted above, the Department?s contract states that the external IT service provider must comply with OIT?s Security Policies that require specific security safeguards to be implemented by all IT service providers, including the Connecting Colorado external IT service provider. Why do these problems matter? The lack of established IT policies and procedures make it difficult for Department management to measure and hold staff accountable to management?s expectations, as well as ensuring risks are addressed and overall objectives and missions are fulfilled. In turn, without policies and procedures, staff may not perform processes and controls in a consistent manner. In addition, without holding vendors accountable and ensuring that strong security measures are designed, implemented, and operating effectively, the risk of unauthorized access increases and ultimately impacts data reliability of the data stored and processed within MyUI+ and Connecting Colorado. Lastly, without having a strong internal control framework in place, management cannot ensure that state and federal funds are being used appropriately, which may impact the Department?s compliance with federal grant requirements and/or the accuracy of the Department?s federal and financial reporting. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-072 The Department of Labor and Employment (Department) should improve its overall Information Technology (IT) governance and information security IT general controls, and work with its IT service providers, as applicable, for the MyUI+ and Connecting Colorado information systems by: A. Formalizing and communicating to Department staff and the Department?s IT service providers? IT policies that comply with the Business Owner requirements listed within the Governor?s Office of Information Technology?s (OIT) March 2022 Colorado Information Security Policies (Security Policies). As an option, the Department could formally adopt the October 2021 Security Policies, identify any gaps between the October 2021 and March 2022 versions, and then formalize and communicate policies that address the identified gaps. B. Formalizing and communicating IT procedures to provide guidance to Department staff and the Department?s IT service providers performing IT general control activities that further address the IT policies formalized in recommendation Part A. The formalization and communication should include an organizationally defined, periodic review process of OIT?s Security Policies to ensure the Department?s IT policies, procedures, and rules are updated accordingly to align with the most current version of the Security Policies. C. Formalizing a vendor management process that ensures the Department?s IT service providers are held accountable to contract provisions requiring compliance with Colorado Information Security Policies and IT policies and procedures formalized in recommendation Parts A and B. This should include a review of the Department?s current external IT service providers? contracts and a determination of whether amendments to those contracts are necessary, based on the formalization of recommendation Parts A and B. D. Implementing recommendation Part D as noted in the confidential finding. E. Implementing recommendation Part E as noted in the confidential finding. Response Department of Labor and Employment A. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. B. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. C. Agree Implementation Date: December 2023 CDLE agrees with the recommendation and as part of A and B recommendations of this document, the Department will include a requirement from vendors to affirm they have reviewed and will comply with OIT security policies for all new contracts. Furthermore, as the Department becomes aware of changes to OIT Security Policies through its annual review process, these will be communicated to the vendors, and they will be required to reaffirm their compliance with any applicable changes. We will work with our current vendors for MyUI+ and Connecting Colorado to address the compliance issues noted in the audit and ensure they are compliant with OIT Security Policies and IT policies developed in part A and B of this recommendation. If non-compliance is determined to be unavoidable, the Department will file for a security exception with OIT. D. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part D as noted in the confidential finding. E. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part E as noted in the confidential finding.
Finding 2022-070 Unemployment Insurance Program Integrity Fraud Holds The Department?s UI Division is responsible for the administration and monitoring of Colorado?s UI programs, including the collection of unemployment premiums from employers, the payment of UI benefits to claimants, and the performance of audits and investigations of premiums and benefits to ensure they are properly paid. Employer-paid premiums are the primary source of funding for UI benefits. When an individual applies for UI benefits, they are called a claimant, and the application is called a claim. Each claimant creates an account in MyUI+, the Department?s unemployment benefit system, in order to apply for unemployment benefits. The Department reviews, or adjudicates, claims to ensure that claimants are eligible and entitled to receive UI benefits. As part of the adjudication process, wage checks for claimants are compared to employer reported wages submitted to the Department on a quarterly basis and the Department sends a notification to all employers that the claimant worked for within the last 18 months to determine the validity and reason for the claimant leaving the workplace. In addition, Department staff indicate that, on a weekly basis, they perform reviews to identify potential issues with a claimant?s ability and availability to work, and to determine whether the claimant is accurately reporting earned income. If information provided by an interested party, such as a former employer, relating to the reason for leaving the workforce does not agree to the claimant information, the Department follows up on the information and issues eligibility determinations, as appropriate. In Fiscal Year 2022, the Department paid $1.1 billion in UI benefits. The Department has processes and systems to detect and prevent identity theft related to UI benefits. For example, when the Department identifies a claim with characteristics that are indicators of fraud, it places a fraud hold (also known as a program integrity hold) on the claimant?s UI claim, which holds the claim for investigation and which prevents any future benefit payments to the claimant until the fraud hold is removed and eligibility is determined. For each fraud hold, the Department has to determine if the identity of the individual filing the claim matches the personally identifiable information used on the claim. Once that is verified, the Department then must verify that the individual did not make any false statements in order to establish program eligibility. The steps that the Department takes to resolve a fraud hold differ depending on the characteristics of the claim that caused the Department to question its legitimacy. If Department staff determine that the fraud hold was not legitimate, the Department clears the hold in MyUI+ and then proceeds with determining if the individual is eligible to receive UI benefits. The Department uses an automated system, called ID.me, as part of its identity verification process. ID.me is a federally-certified identity provider that assists the Department in verifying claimants? identity. In some instances, MyUI+ will clear the fraud hold if the claimant passes ID.me and the claim does not need further investigation. In other cases, the Department performs an investigation to determine if the fraud hold is legitimate, or if the hold was placed in error. According to the information in MyUI+, the Department cleared 54,047 fraud holds during Fiscal Year 2022 ? 44,936 were cleared through the ID.me process, and 9,111 were cleared by the Department. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department had adequate internal controls in place over fraud holds during Fiscal Year 2022, including whether only appropriate, authorized individuals cleared the fraud hold from MyUI+, and if the Department had adequate segregation of duties between staff investigating a fraud hold, and staff releasing the hold in MyUI+. As part of our audit work, we requested the Department?s policies and procedures for their investigation process and documentation used to support the Department?s investigations that resulted in clearing a fraud hold, and inquired how the Department determined who is authorized to release fraud holds from MyUI+. The Department?s documentation included case reports for the investigations and log notes from Salesforce, the Department?s software that is primarily used as a workflow management tool and documentation repository for UI claims requiring an investigation. We selected a sample of 60 of the 9,111 fraud holds that were cleared by the Department during Fiscal Year 2022 to determine if the Department performed an investigation prior to releasing the fraud hold in MyUI+. In addition, as part of our testing of the sample, we determined that 20 different Department staff cleared the 60 fraud holds in MyUI+; we performed testing to determine if those staff were authorized to clear the holds in MyUI+. How were the results of the audit work measured? We measured the results of our audit against the following: Section 7511, Part V, of the Employment Security Manual (ESM) requires state UI laws to include provisions for such methods of administration as are, within reason, calculated (1) to detect benefits paid through error by the state UI agency or through willful misrepresentation or error by the claimant or others, (2) to deter claimants from obtaining benefits through willful misrepresentation, and (3) to recover benefits overpaid under certain circumstances. These required functions are accomplished through designated staff responsible for promoting and maintaining the integrity of the UI program through prevention, detection, investigations, establishment, and recovery of overpayments. Designated staff also prepare cases for prosecution. The Department?s UI Investigation Procedures state that if Department staff determine that a fraud hold that they are investigating can be released in MyUI+, Department staff should write an event log note in Salesforce. Information security is the practice of protecting information by mitigating information risk. ISO 27001 Standard for Information Security Management Systems is the international standard for information security, and its best practice approach helps organizations manage their information security by addressing people, processes, and technology. User-access management has the following objectives: ? Ensure authorized user access ? Prevent unauthorized access to information systems Expanding on the objectives from ISO 27001, a broad set of business-level objectives for user-access management can be defined as follows: ? Allow only authorized users to have access to information and resources ? Restrict access to the least privileges required by these authorized users to fulfill their business role The federal Social Security Act [Section 303(a)(1), SSA], contains a merit-based system requirement for the UI program. Specifically, this section requires that, as a condition of receiving federal UI administrative grants, states must have laws that include ?provision for such methods of administration? that includes a merit system. A merit system is defined as the process of promoting and hiring government employees based on their ability to perform a job, rather than on their political connections. As part of this requirement, any position which involves the determination of whether or not a UI claimant will be paid, or which involves determining an employer's liability for contributions, must be ?merit staffed.? According to federal regulations [5 CFR 900.603, Standards For a Merit System of Personnel Administration], ?The quality of public service can be improved by the development of systems of personnel administration consistent with such merit principles as - (a) Recruiting, selecting, and advancing employees on the basis of their relative ability, knowledge, and skills, including open consideration of qualified applicants for initial appointment. (b) Providing equitable and adequate compensation. (c) Training employees, as needed, to assure high quality performance. (d) Retaining employees on the basis of the adequacy of their performance, correcting inadequate performance, and separating employees whose inadequate performance cannot be corrected?? The U. S. Department of Labor Unemployment Insurance Program Letter (UIPL) No. 12-01, states that only those employees considered as merit-staff can determine whether to pay or deny payment to a claim. Additionally, UIPL No. 12-01 Change 2 states that, ?Determinations of overpayments or fraud must be made by merit-staffed employees.? The Department?s SPP 1053 Code of Conduct, Ethics and Values Policy, Attachment A: Unemployment Insurance Ethics Policy states that employees are not permitted to do the following: ? Investigate or attempt to investigate suspected fraud unless it is within their assigned duties. ? Backdate a claim, transfer claim status retroactively (UI to UCFE, UCX to TRA, etc.), alter information provided by a claimant or employer, or change or defer a UI document due date without valid documentation or approval of the appropriate branch chief or UI Director. According to federal regulation [45 CFR 75.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office. Under Paragraph 10.01 of the Green Book, the Department should design control activities to achieve objectives and respond to risks. Segregation of duties contribute to the design, implementation, and operating effectiveness of control activities. Under Paragraph 10.03 of the Green Book, the Department should divide or segregate key duties and responsibilities among different people to reduce the risk of error, misuse, or fraud. This includes separating the responsibilities for authorizing transactions, processing and recording them, reviewing the transactions, and handling any related assets so that no one individual controls all key aspects of a transaction or event. What problems did the audit work identify? The Department did not comply with federal regulations or its own policies and procedures related to the clearing of fraud holds during Fiscal Year 2022. Specifically, we identified issues with 32 of the 60 (53 percent) fraud holds we tested, as follows: ? The Department cleared 12 of the 60 fraud holds tested (20 percent) without performing an investigation or providing evidence of the reasoning used to clear the hold. Specifically, when we asked for investigation documentation for the 12 fraud holds, the Department indicated these were cleared without an investigation, and there were no related log notes in Salesforce, as required. ? For 20 of the 48 cases in our sample (42 percent) for which the Department did conduct an investigation, it did not segregate the duty of investigating the fraud hold and clearing the fraud hold from MyUI+. Specifically, in these cases, only one person conducted the investigation, concluded on the investigation, and cleared the fraud hold in MyUI+. ? One of the 20 Department staff who cleared a portion (5 percent) of the 60 fraud holds we sampled was not authorized to clear fraud holds from MyUI+ because the individual was not considered to be merit-staffed. Further, this unauthorized individual cleared 11 of 12 fraud holds we identified above that did not have an investigation, as required. We also found that this individual cleared an additional 55 fraud holds outside of our sample during Fiscal Year 2022. Why did these problems occur? The Department did not have sufficient internal controls in place, including appropriate policies and procedures, to ensure it enforced compliance with federal and Department-level requirements regarding the clearing of UI fraud holds during Fiscal Year 2022, as follows: ? The Department did not ensure that all fraud hold claims cleared in MyUI+ had a related log note in Salesforce that explained the rationale for clearing the hold, or that there was an investigation performed over the fraud hold prior to it being cleared in MyUI+. Specifically, in 11 of the 12 instances, the Department?s controls failed to prevent non-merit staff from using their MyUI+ access inappropriately, and in the other instance, Department controls failed to ensure the UI claim was reviewed by the UI section that reviews fraud holds rather than the UI section that resolves non-fraud UI claims. The Department provided full, rather than read-only access to the non-merit, Executive Director?s Office?s staff member noted in our finding. UI management indicated that they gave the individual full access to MyUI+ during the height of the pandemic with the assumption that the individual would use such access in a read-only manner solely to review claim information for inquiries coming through the Executive Director's Office. According to UI Division leadership, after they identified that the individual had full access during Fiscal Year 2022, they changed the individual?s access to read-only in January 2022. ? The Department lacked policies regarding management override of controls related to the clearing of fraud holds, in order to prevent or appropriately manage those responsibilities. UI staff indicated that in some cases, the non-merit, Executive Director?s Office?s staff member noted in our finding would reach out to other staff within the UI Division to help escalate the MyUI+ fraud hold clearing process. In some of these instances, because of the position of the individual within the Executive Director?s Office, UI staff circumvented the normal escalation process and aided the individual with clearing the fraud hold. ? The Department?s current policies and procedures do not require segregation of duties between those staff who investigate a fraud hold, and those staff who remove the fraud hold in MyUI+. Why do these problems matter? Improper segregation of duties, including the separation of responsibilities for both investigating and clearing potential fraud holds, leaves the UI program vulnerable to fraudulent activity. Specifically, fraud risk increases if there is no segregation between the investigation and the actual clearing of the fraud hold from MyUI+ and, as a result, the same staff could inappropriately clear holds and initiate UI payments. Further, a lack of strong checks and balances within the UI program could erode the integrity of the program at large, ultimately negatively impacting public trust. Strong internal controls related to UI fraud are especially important given the large amount of funds that are paid by the Department for UI claims each year and the significant amount of fraudulent claims that are paid by the Department. For example, the Department recorded an estimated receivable for amounts due back to the Department of $45 million for fraudulently-obtained UI claims at June 30, 2022. Without strengthening its controls over UI claims and fraud holds, there is a risk that a significant amount of UI funds could continue to be paid out each year for fraudulently obtained UI claims. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-070 The Department of Labor and Employment (Department) should strengthen its internal controls over Unemployment Insurance (UI) program integrity holds by: A. Ensuring all fraud holds are properly investigated and documented with a log note in Salesforce that explains the rationale for releasing the claim, prior to releasing the claim in MyUI+. B. Adequately reviewing claims for a fraud indicator to ensure the hold is sent to the appropriate UI section for resolution. C. Ensuring Department staff are given the appropriate access in MyUI+ to prevent individuals from clearing fraud holds inappropriately and periodically monitoring access to ensure access levels remain appropriate. D. Instituting policies and procedures over management override of internal controls related to UI claims and providing staff training on those policies and procedures. This should include ensuring that UI staff are aware of the importance of following all procedures related to fraud holds and that any inappropriate requests or pressures are communicated through the appropriate channels. E. Updating its current policies and procedures to require segregation of duties between the investigation of a fraud hold and the release of a fraud hold in MyUI+ to ensure more than one person is involved in the fraud hold process from beginning to end. Response Department of Labor and Employment A. Agree Implementation Date: July 2024 The Department agrees with this finding. The Department is moving all adjudication and investigation of program integrity holds into the MyUI+ system, so there will be one system of record. The Department will ensure that all program integrity holds have all documentation through adjudication and investigation, including log notes. The Department anticipates this to be fully implemented by July 2024. B. Agree Implementation Date: July 2024 The Department agrees with this finding. The department has modified processes to ensure all holds are only routed to the appropriate team to be adjudicated. In addition the Department is working to have all claims identified as fraud delivered in a workflow process in MyUI+ rather than the various processes in place now. Further the department is working with our MyUI+ system experts to implement new technology to strengthen and streamline the fraud indicator escalation process and systems within MyUI+. In working with our MyUI+ system experts, the Department anticipates this to be fully implemented by July 2024. C. Agree Implementation Date: July 2024 The Department agrees with this finding. The Department will continue strengthening security in this area and internal procedures to periodically monitor the potential for internal fraud activities. Additionally, the Department will periodically monitor and review My UI+ access levels for appropriateness. In consultation with our MyUI+ systems experts, the Department anticipates this finding to be fully implemented by July 2024. D. Agree Implementation Date: July 2023 The Department agrees with this finding. The Department will reinforce and strengthen the ethics policies in yearly communication to staff and tighten escalation policies to ensure pressures and inappropriate requests are handled in accordance with guidelines. The Department anticipates this will be completed by July 2023. E. Disagree When a PI hold is identified as being highly suspicious for criminally fraudulent activity, it is routed to a specialized unit for review, thereby leaving the standard adjudication process. This is handled by passing the review to the UI Investigations and/or Criminal Enforcement (ICE) unit. The investigator performs their investigation and if no actual fraudulent activity is found they will release the hold. The UI Division also performs several quality control reviews of claims and claim decisions via Benefits Payment Control (BPC), Benefits Accuracy Measurements (BAM), Benefits Timeliness and Quality (BTQ), and internal Quality Assurance (QA) reviews. Claims are reviewed for such criteria as adequate support documentation, benefit payment accuracy, timely processing, and correct claim decision determination on all program integrity holds. The Green Book states in Section 10.14, ? If segregation of duties is not practical within an operational process because of limited personnel or other factors, management designs alternative control activities to address the risk of fraud, waste, or abuse in the operational process.? CDLE believes the reviews represent adequate and sufficient compensating controls for the need for segregation of duties on fraud holds. Changing the current process would hinder our ability to deliver UI benefit services timely to our customers and would put us in jeopardy of fulfilling our federal and state payment timeliness requirements. Auditor?s Addendum Segregating the duties between investigating and releasing a fraud hold in MyUI+ reduces the risk of an employee inappropriately and potentially fraudulently clearing the hold without conducting a proper investigation. The issues identified in our audit indicate that the Department?s current compensating controls did not identify that a current employee released fraud holds without a proper investigation. The Department should consider updating its procedures and processes to segregate these duties to reduce the risk of this occurring in the future.
The following finding and recommendation relating to an internal control deficiency classified as a Significant Deficiency was communicated to the Department of Labor and Employment (Department) in the previous year and has not been remediated as of June 30, 2022 because the original implementation date provided by the Department was in a subsequent fiscal year. This complete finding and recommendation can be found within the original report and the complete recommendation can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table Finding 2021-063 Unemployment Insurance?Federal Reporting The Department?s Accounting Section is responsible for completing the following two federal financial reports for the UI program and ensuring the reports are accurate, complete, and submitted to the federal government by the required deadline. The Accounting Section uses bank statements and reports from the Colorado Operations Resource Engine (CORE), the State?s accounting system, to create a workbook with the information and uses that workbook to complete the reports. ? ETA 9130, Financial Status Report, UI Programs. This is a quarterly report used to report the Department?s UI program and administrative expenditures. Financial data is required to be reported cumulatively from grant inception through the end of the reporting period. ? ETA 2112, UI Financial Transaction Summary. This is a monthly report that is a summary of the UI program?s transactions, which account for all funds received in, passed through, or paid out of the state employment fund during the applicable month. The UI division is responsible for completing the following federal report for the UI program and ensuring the report is accurate, complete, and submitted to the federal government by the required timeline. The UI division uses data pulled from MyUI+, the UI claims and benefits system, to generate two reports to fill out the ETA 191 report, described as follows. ? ETA 191, Financial Status of UCFE/UCX. This is a quarterly report on the State?s unemployment compensation expenditures paid by the Department to former federal employees (UCFE) and ex-service members (UCX) who have filed with the Department for unemployment benefits, and total amount of benefits paid to claimants of specific federal agencies. The federal government uses this report to request reimbursement of UCFE and UCX benefit payments from federal and military agencies. The federal government reimburses the Department for these benefit payments. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the Department had adequate internal controls in place over and complied with federal reporting requirements for the UI program during Fiscal Year 2021. As part of our audit work, we gained an understanding of the Department?s procedures that were in place to prepare the federal reports. In addition, we reviewed four ETA 2112 reports and two ETA 191 reports submitted to the federal government for Fiscal Year 2021 to ensure they were accurate, complete, and submitted by the required deadline. We also requested the Department?s policies and procedures for completing the reports, as well as the Department?s supporting documentation for the reports. How were the results of the audit work measured? We measured the results of our audit against the following: In accordance with Uniform Guidance [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and terms and conditions of the federal award. In accordance with the OSC?s policy Internal Control System, state agencies shall use the Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office, as its framework for its system of internal control. Green Book, Paragraph OV4.08, Documentation Requirements, states that documentation is required for the effective design, implementation, and operating effectiveness of an entity?s internal control system. Green Book Paragraph 12.02, Documentation of Responsibilities through Policies, specifically indicates that management should document in their policies the internal control responsibilities of the organization. The U.S. Department of Labor Unemployment Insurance Handbook 401 (Handbook) states that the ETA 2112 is due the first day of the second month following the month that the data in the report represents. In addition, the Handbook states that the ETA 191 is due by the 25th of the month following the close of the quarter. What problems did the audit work identify? We identified issues with 2 of the 4 (50 percent) ETA 2112 reports we tested, and 1 of the 2 (50 percent) ETA 191 reports we tested. Specifically, we identified the following: ETA 2112. We identified four issues with the September 2020 report, as follows: ? The Department could not provide support for $50.6 million reported as federal tax withholding on the report. ? The Department could not provide documentation related to the FPUC deposits and disbursements reported on the report. Specifically, the Department reported FPUC deposits as $27.0 million and FPUC Disbursements as $28.4 million. Because the Department could not provide documentation, we could not determine the correct amounts that should have been reported. ? The Department overstated the deposit amount for the intra-account transfer line by $240.2 million. Specifically, the Department reported that the amount deposited during the month for the intra-account transfers was $378.1 million, but the supporting documentation we reviewed showed the deposits totaled $137.9 million. ? The Department submitted the report on November 5, 2020, or 3 days after the deadline of November 2, 2020. In the February 2021 report, we identified that the Department understated reimbursement benefits from nonprofits by $540,000, reimbursements from local governments by $1.1 million; and reimbursements from state government by $204,700. Finally, based on discussion with the Department, it does not protect the formulas in its ETA 2112 workbooks it uses to prepare the reports in order to prevent intentional or inadvertent changes to calculations. ETA 191. We identified two issues with the ETA 191 report for the quarter ended March 2021 report. First, the Department failed to appropriately correct a federal Department of Labor-identified error from the previous quarter for expenditures for military agencies. Specifically, the Department incorrectly adjusted the $1,089,761, by $2,100, which was an under correction of the error of $2,120. Second, the Department submitted the report on May 14, 2021, nearly a month after the April 16, 2021, deadline. Why did these problems occur? The Department did not have sufficient internal controls in place to ensure that the federal reports and associated documentation were accurate and complete during Fiscal Year 2021. Specifically, the Department does not have formal, documented policies for completing the reports or a requirement that the workbooks are protected. Although the Department has a procedure document that provides instructions on how to complete the federal reports, the procedures do not include a requirement for a supervisory review of these reports prior to submitting them to the federal government. Some of the errors we identified were due to the wrong information being input into the reports, which a review could have caught and corrected prior to the Department submitting the report to the federal government. Why do these problems matter? Strong internal controls over federal reporting, including formal, documented policies, protection of formulas in the workbooks used to prepare the reports to prevent intentional or inadvertent changes to calculations, and adequate supervisory review, are necessary to ensure that the Department is in compliance with federal reporting requirements. Errors in the federal reports could cause the users of these reports to rely on incorrect information. This could have a negative impact on the Department?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-063 The Department of Labor and Employment should strengthen its internal controls over federal reporting by developing, formally documenting, and implementing policies for completing its federal reports for the Unemployment Insurance program. These policies should require the workbooks used to prepare the reports to be protected and that a supervisory review occurs prior to submitting the reports to the federal government. Response Department of Labor and Employment Agree Implementation Date: March 2023 CDLE will continue to develop, formally document, and implement policies for completing its federal reports for the Unemployment Insurance program. These policies will require the workbooks used to prepare the reports to be protected, for the data to be substantiated, and will require supervisory review on a monthly basis prior to submitting the reports to the federal government.
Finding 2022-072 MyUI+ and Connecting Colorado?Information Security Government Auditing Standards allow for information that is considered sensitive in nature, such as detailed information related to information technology system security, to be issued through a separate ?classified or limited use? report because of the potential damage that could be caused by the misuse of this information. We consider the specific technical details of this finding, along with the response, to be sensitive in nature and not appropriate for public disclosure. Therefore, the details of the following finding and response have been provided to the Department in a separate, confidential memorandum. The Department administers the federal Unemployment Insurance and Employment Service Cluster programs, and the Department relies on IT systems to aid with determining applicants? eligibility for the programs and to provide information necessary to meet federal reporting requirements. For these two programs, the associated systems are MyUI+ and Connecting Colorado. The Department is the business owner and works with the Governor?s Office of Information Technology (OIT) and two different external IT service providers. High level descriptions of the two systems are as follows: ? MyUI+ ? The Department?s system for UI eligibility determinations and calculation of UI payments to eligible recipients. According to Department staff, starting in Fiscal Year 2023, MyUI+ will also provide data necessary for federal reporting to the U.S. Department of Labor for the UI program that was previously generated by the Colorado Labor and Employment Accounting Resource system. ? Connecting Colorado ? The Department?s workforce case management, labor exchange, and federal reporting system that supports the Employment Service Cluster program. The system provides services for job seekers and businesses, as well as provides all required federal reporting to the U.S. Department of Labor, for the Employment Service Cluster programs. In order for the Department to achieve its objectives and respond to risks, including those related to the federal programs it administers, management should establish a strong framework of internal controls that also address information system controls. Specifically, information system controls typically start with management documenting IT policies that address IT general control responsibilities and procedures that document the more granular details on how to implement Department policies. These IT general control policies and procedures should include those policies and procedures that are specific to information security. Once policies and procedures have been formalized and communicated to staff responsible, specific internal control activities can be implemented and operationalized. What was the purpose of our audit work and what work was performed? The purpose of our Fiscal Year 2022 audit work was to determine whether the Department, OIT, and the Department?s two external IT service providers for MyUI+ and Connecting Colorado had policies and procedures related to information security, designed and implemented for MyUI+ and Connecting Colorado. Our audit work was performed through interviews conducted of Department and OIT staff. What problems did the audit work identify and how were the results of the audit work measured? During Fiscal Year 2022, we identified information security problems with the MyUI+ and Connecting Colorado systems. We have grouped these problems first by those common to the two systems and then those unique to each system. MyUI+ and Connecting Colorado Common Problems ? Policies and procedures were lacking. Department management had not established its expectations through the development and implementation of formalized policies and procedures related to information security general controls for MyUI+ and Connecting Colorado. o Standards for Internal Control in the Federal Government (Green Book) published by the U.S. Government Accountability Office (GAO) states in Paragraph 3.09, Documentation of Internal Control System, and 12.02, Documentation of Responsibilities through Policies, that management should develop and maintain documentation of its internal control system and document in policies the internal control responsibilities of the organization. Paragraph 11.06 and 11.07, Design Appropriate Types of Control Activities, states that management should design appropriate types of control activities in the entity?s information system, including information system general controls that facilitate the proper operation of the entity?s systems. o Colorado Information Security Policies (Security Policies or CISP) that are developed, published, and required to be followed by the Department and its external IT service providers state within the Policy and the General Responsibilities sections, specifically 8.3.1 and 8.3.2 for Business Owners or the Department, that all agencies, except for the institutions of higher education and the general assembly, as the business owner, must implement governance principles, which would include IT policies and procedures, for promoting data quality and integrity for its systems, as the business owner, and is responsible for following and adhering to all identified business owner requirements, as stated within the Security Policies. ? Vendor oversight was lacking. The Department had not ensured its IT service providers complied with Security Policies. o Security Policies state that IT service providers?defined as OIT and/or external service providers?must follow the Security Policy requirements, among certain other requirements, as communicated to the Department within the confidential finding. o Section C.iii. (Legal Authority ? Contractor Signatory, Information Technology Specific) of the Department?s contract with the Connecting Colorado IT service provider states: ??the contractor warrants that it will at all times comply with all Security Policies.? o Exhibit C, Section 1.C.vi. (Information Technology Provisions, Protection of System Data) of the Department?s contract with the MyUI+ IT service provider states: ??the contractor shall comply with all rules, policies, procedures, and standards issued by the Governor?s Office of Information Technology.? o The Green Book states in Paragraph OV4.01, Service Organizations, that management retains responsibility for the performance of processes assigned to service organizations. MyUI+ and Connecting Colorado Unique Problems We also found other problems with access management, unique to each MyUI+ and Connecting Colorado, that lacked compliance with Security Policies, OIT Cyber Policies, and the IRS?s, Publication 1075, Tax Information Security Guidelines for Federal, State, and Local Agencies, November 2021 Revision, and were communicated through the confidential finding. Why did these problems occur? Overall, the Department did not have sufficient IT governance and information security internal controls in place, including policies and procedures, to ensure that Department staff and its IT service providers complied with various data security compliance requirements set forth by OIT and the IRS, as well as those internal control principles established within the Green Book?s internal control framework. We discuss other specific causes for the problems we identified below: MyUI+ and Connecting Colorado ? Policies and procedures were lacking (MyUI+). Department staff stated that they followed and complied with the October 2021 dated Security Policies for the entire fiscal year, as these were more stringent than the March 2022 dated Security Policies. However, the Department did not provide documentation of a formal adoption of the October 2021 dated Security Policies. Staff also stated it maintains informal procedures of how to perform certain access management processes, but no standard operating procedures were in place. ? Policies and procedures were lacking (Connecting Colorado). Department staff had released a program guidance letter that addressed data security and access, but staff acknowledged that these program guidance letters are a guide and not official policy statements. In addition, the program guidance letter provided by Department staff was directed to the workforce centers that are located across the state that provide employment services to eligible beneficiaries and, therefore, did not provide any data security or access policies and procedures for state staff. ? Vendor oversight was lacking. We determined the Department did not have a vendor management process in place to hold its IT service providers accountable for contract provisions that required the IT service providers to comply with Security Policies, as demonstrated by the noncompliance issues we identified. In addition, and based on the March 2022 Security Policies, the Department has not determined whether contract amendments may be necessary with its two external IT service providers. ? Other Access Management Non-Compliance: o Department staff indicated that in one instance of non-compliance identified, a more efficient process was to not comply with the requirement. o Department staff stated that the certain access management non-compliance area was set up as it was during the COVID-19 pandemic to help prevent backlogs and issues for users during that time and was not subsequently changed. o Department staff did not update its rules for Connecting Colorado account management non-compliance area to reflect Security Policy changes. Specifically, we noted that OIT introduced the specific account management requirements in its Security Policies in February 2015, and those requirements remained constant through the March 2022 version; however, Department staff did not have a process in place to ensure periodic reviews of OIT?s Security Policies occurred and Department rules for the workforce centers appropriately aligned with any Security Policy changes. In addition, Department staff did not have a process in place to ensure its external IT service providers were complying with contract provisions to comply with Security Policy requirements. o Department staff stated they have not found cause to mandate IT service provider actions that are deemed privately owned business methodologies. However, and as noted above, the Department?s contract states that the external IT service provider must comply with OIT?s Security Policies that require specific security safeguards to be implemented by all IT service providers, including the Connecting Colorado external IT service provider. Why do these problems matter? The lack of established IT policies and procedures make it difficult for Department management to measure and hold staff accountable to management?s expectations, as well as ensuring risks are addressed and overall objectives and missions are fulfilled. In turn, without policies and procedures, staff may not perform processes and controls in a consistent manner. In addition, without holding vendors accountable and ensuring that strong security measures are designed, implemented, and operating effectively, the risk of unauthorized access increases and ultimately impacts data reliability of the data stored and processed within MyUI+ and Connecting Colorado. Lastly, without having a strong internal control framework in place, management cannot ensure that state and federal funds are being used appropriately, which may impact the Department?s compliance with federal grant requirements and/or the accuracy of the Department?s federal and financial reporting. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-072 The Department of Labor and Employment (Department) should improve its overall Information Technology (IT) governance and information security IT general controls, and work with its IT service providers, as applicable, for the MyUI+ and Connecting Colorado information systems by: A. Formalizing and communicating to Department staff and the Department?s IT service providers? IT policies that comply with the Business Owner requirements listed within the Governor?s Office of Information Technology?s (OIT) March 2022 Colorado Information Security Policies (Security Policies). As an option, the Department could formally adopt the October 2021 Security Policies, identify any gaps between the October 2021 and March 2022 versions, and then formalize and communicate policies that address the identified gaps. B. Formalizing and communicating IT procedures to provide guidance to Department staff and the Department?s IT service providers performing IT general control activities that further address the IT policies formalized in recommendation Part A. The formalization and communication should include an organizationally defined, periodic review process of OIT?s Security Policies to ensure the Department?s IT policies, procedures, and rules are updated accordingly to align with the most current version of the Security Policies. C. Formalizing a vendor management process that ensures the Department?s IT service providers are held accountable to contract provisions requiring compliance with Colorado Information Security Policies and IT policies and procedures formalized in recommendation Parts A and B. This should include a review of the Department?s current external IT service providers? contracts and a determination of whether amendments to those contracts are necessary, based on the formalization of recommendation Parts A and B. D. Implementing recommendation Part D as noted in the confidential finding. E. Implementing recommendation Part E as noted in the confidential finding. Response Department of Labor and Employment A. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. B. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. C. Agree Implementation Date: December 2023 CDLE agrees with the recommendation and as part of A and B recommendations of this document, the Department will include a requirement from vendors to affirm they have reviewed and will comply with OIT security policies for all new contracts. Furthermore, as the Department becomes aware of changes to OIT Security Policies through its annual review process, these will be communicated to the vendors, and they will be required to reaffirm their compliance with any applicable changes. We will work with our current vendors for MyUI+ and Connecting Colorado to address the compliance issues noted in the audit and ensure they are compliant with OIT Security Policies and IT policies developed in part A and B of this recommendation. If non-compliance is determined to be unavoidable, the Department will file for a security exception with OIT. D. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part D as noted in the confidential finding. E. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part E as noted in the confidential finding.
Finding 2022-070 Unemployment Insurance Program Integrity Fraud Holds The Department?s UI Division is responsible for the administration and monitoring of Colorado?s UI programs, including the collection of unemployment premiums from employers, the payment of UI benefits to claimants, and the performance of audits and investigations of premiums and benefits to ensure they are properly paid. Employer-paid premiums are the primary source of funding for UI benefits. When an individual applies for UI benefits, they are called a claimant, and the application is called a claim. Each claimant creates an account in MyUI+, the Department?s unemployment benefit system, in order to apply for unemployment benefits. The Department reviews, or adjudicates, claims to ensure that claimants are eligible and entitled to receive UI benefits. As part of the adjudication process, wage checks for claimants are compared to employer reported wages submitted to the Department on a quarterly basis and the Department sends a notification to all employers that the claimant worked for within the last 18 months to determine the validity and reason for the claimant leaving the workplace. In addition, Department staff indicate that, on a weekly basis, they perform reviews to identify potential issues with a claimant?s ability and availability to work, and to determine whether the claimant is accurately reporting earned income. If information provided by an interested party, such as a former employer, relating to the reason for leaving the workforce does not agree to the claimant information, the Department follows up on the information and issues eligibility determinations, as appropriate. In Fiscal Year 2022, the Department paid $1.1 billion in UI benefits. The Department has processes and systems to detect and prevent identity theft related to UI benefits. For example, when the Department identifies a claim with characteristics that are indicators of fraud, it places a fraud hold (also known as a program integrity hold) on the claimant?s UI claim, which holds the claim for investigation and which prevents any future benefit payments to the claimant until the fraud hold is removed and eligibility is determined. For each fraud hold, the Department has to determine if the identity of the individual filing the claim matches the personally identifiable information used on the claim. Once that is verified, the Department then must verify that the individual did not make any false statements in order to establish program eligibility. The steps that the Department takes to resolve a fraud hold differ depending on the characteristics of the claim that caused the Department to question its legitimacy. If Department staff determine that the fraud hold was not legitimate, the Department clears the hold in MyUI+ and then proceeds with determining if the individual is eligible to receive UI benefits. The Department uses an automated system, called ID.me, as part of its identity verification process. ID.me is a federally-certified identity provider that assists the Department in verifying claimants? identity. In some instances, MyUI+ will clear the fraud hold if the claimant passes ID.me and the claim does not need further investigation. In other cases, the Department performs an investigation to determine if the fraud hold is legitimate, or if the hold was placed in error. According to the information in MyUI+, the Department cleared 54,047 fraud holds during Fiscal Year 2022 ? 44,936 were cleared through the ID.me process, and 9,111 were cleared by the Department. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department had adequate internal controls in place over fraud holds during Fiscal Year 2022, including whether only appropriate, authorized individuals cleared the fraud hold from MyUI+, and if the Department had adequate segregation of duties between staff investigating a fraud hold, and staff releasing the hold in MyUI+. As part of our audit work, we requested the Department?s policies and procedures for their investigation process and documentation used to support the Department?s investigations that resulted in clearing a fraud hold, and inquired how the Department determined who is authorized to release fraud holds from MyUI+. The Department?s documentation included case reports for the investigations and log notes from Salesforce, the Department?s software that is primarily used as a workflow management tool and documentation repository for UI claims requiring an investigation. We selected a sample of 60 of the 9,111 fraud holds that were cleared by the Department during Fiscal Year 2022 to determine if the Department performed an investigation prior to releasing the fraud hold in MyUI+. In addition, as part of our testing of the sample, we determined that 20 different Department staff cleared the 60 fraud holds in MyUI+; we performed testing to determine if those staff were authorized to clear the holds in MyUI+. How were the results of the audit work measured? We measured the results of our audit against the following: Section 7511, Part V, of the Employment Security Manual (ESM) requires state UI laws to include provisions for such methods of administration as are, within reason, calculated (1) to detect benefits paid through error by the state UI agency or through willful misrepresentation or error by the claimant or others, (2) to deter claimants from obtaining benefits through willful misrepresentation, and (3) to recover benefits overpaid under certain circumstances. These required functions are accomplished through designated staff responsible for promoting and maintaining the integrity of the UI program through prevention, detection, investigations, establishment, and recovery of overpayments. Designated staff also prepare cases for prosecution. The Department?s UI Investigation Procedures state that if Department staff determine that a fraud hold that they are investigating can be released in MyUI+, Department staff should write an event log note in Salesforce. Information security is the practice of protecting information by mitigating information risk. ISO 27001 Standard for Information Security Management Systems is the international standard for information security, and its best practice approach helps organizations manage their information security by addressing people, processes, and technology. User-access management has the following objectives: ? Ensure authorized user access ? Prevent unauthorized access to information systems Expanding on the objectives from ISO 27001, a broad set of business-level objectives for user-access management can be defined as follows: ? Allow only authorized users to have access to information and resources ? Restrict access to the least privileges required by these authorized users to fulfill their business role The federal Social Security Act [Section 303(a)(1), SSA], contains a merit-based system requirement for the UI program. Specifically, this section requires that, as a condition of receiving federal UI administrative grants, states must have laws that include ?provision for such methods of administration? that includes a merit system. A merit system is defined as the process of promoting and hiring government employees based on their ability to perform a job, rather than on their political connections. As part of this requirement, any position which involves the determination of whether or not a UI claimant will be paid, or which involves determining an employer's liability for contributions, must be ?merit staffed.? According to federal regulations [5 CFR 900.603, Standards For a Merit System of Personnel Administration], ?The quality of public service can be improved by the development of systems of personnel administration consistent with such merit principles as - (a) Recruiting, selecting, and advancing employees on the basis of their relative ability, knowledge, and skills, including open consideration of qualified applicants for initial appointment. (b) Providing equitable and adequate compensation. (c) Training employees, as needed, to assure high quality performance. (d) Retaining employees on the basis of the adequacy of their performance, correcting inadequate performance, and separating employees whose inadequate performance cannot be corrected?? The U. S. Department of Labor Unemployment Insurance Program Letter (UIPL) No. 12-01, states that only those employees considered as merit-staff can determine whether to pay or deny payment to a claim. Additionally, UIPL No. 12-01 Change 2 states that, ?Determinations of overpayments or fraud must be made by merit-staffed employees.? The Department?s SPP 1053 Code of Conduct, Ethics and Values Policy, Attachment A: Unemployment Insurance Ethics Policy states that employees are not permitted to do the following: ? Investigate or attempt to investigate suspected fraud unless it is within their assigned duties. ? Backdate a claim, transfer claim status retroactively (UI to UCFE, UCX to TRA, etc.), alter information provided by a claimant or employer, or change or defer a UI document due date without valid documentation or approval of the appropriate branch chief or UI Director. According to federal regulation [45 CFR 75.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office. Under Paragraph 10.01 of the Green Book, the Department should design control activities to achieve objectives and respond to risks. Segregation of duties contribute to the design, implementation, and operating effectiveness of control activities. Under Paragraph 10.03 of the Green Book, the Department should divide or segregate key duties and responsibilities among different people to reduce the risk of error, misuse, or fraud. This includes separating the responsibilities for authorizing transactions, processing and recording them, reviewing the transactions, and handling any related assets so that no one individual controls all key aspects of a transaction or event. What problems did the audit work identify? The Department did not comply with federal regulations or its own policies and procedures related to the clearing of fraud holds during Fiscal Year 2022. Specifically, we identified issues with 32 of the 60 (53 percent) fraud holds we tested, as follows: ? The Department cleared 12 of the 60 fraud holds tested (20 percent) without performing an investigation or providing evidence of the reasoning used to clear the hold. Specifically, when we asked for investigation documentation for the 12 fraud holds, the Department indicated these were cleared without an investigation, and there were no related log notes in Salesforce, as required. ? For 20 of the 48 cases in our sample (42 percent) for which the Department did conduct an investigation, it did not segregate the duty of investigating the fraud hold and clearing the fraud hold from MyUI+. Specifically, in these cases, only one person conducted the investigation, concluded on the investigation, and cleared the fraud hold in MyUI+. ? One of the 20 Department staff who cleared a portion (5 percent) of the 60 fraud holds we sampled was not authorized to clear fraud holds from MyUI+ because the individual was not considered to be merit-staffed. Further, this unauthorized individual cleared 11 of 12 fraud holds we identified above that did not have an investigation, as required. We also found that this individual cleared an additional 55 fraud holds outside of our sample during Fiscal Year 2022. Why did these problems occur? The Department did not have sufficient internal controls in place, including appropriate policies and procedures, to ensure it enforced compliance with federal and Department-level requirements regarding the clearing of UI fraud holds during Fiscal Year 2022, as follows: ? The Department did not ensure that all fraud hold claims cleared in MyUI+ had a related log note in Salesforce that explained the rationale for clearing the hold, or that there was an investigation performed over the fraud hold prior to it being cleared in MyUI+. Specifically, in 11 of the 12 instances, the Department?s controls failed to prevent non-merit staff from using their MyUI+ access inappropriately, and in the other instance, Department controls failed to ensure the UI claim was reviewed by the UI section that reviews fraud holds rather than the UI section that resolves non-fraud UI claims. The Department provided full, rather than read-only access to the non-merit, Executive Director?s Office?s staff member noted in our finding. UI management indicated that they gave the individual full access to MyUI+ during the height of the pandemic with the assumption that the individual would use such access in a read-only manner solely to review claim information for inquiries coming through the Executive Director's Office. According to UI Division leadership, after they identified that the individual had full access during Fiscal Year 2022, they changed the individual?s access to read-only in January 2022. ? The Department lacked policies regarding management override of controls related to the clearing of fraud holds, in order to prevent or appropriately manage those responsibilities. UI staff indicated that in some cases, the non-merit, Executive Director?s Office?s staff member noted in our finding would reach out to other staff within the UI Division to help escalate the MyUI+ fraud hold clearing process. In some of these instances, because of the position of the individual within the Executive Director?s Office, UI staff circumvented the normal escalation process and aided the individual with clearing the fraud hold. ? The Department?s current policies and procedures do not require segregation of duties between those staff who investigate a fraud hold, and those staff who remove the fraud hold in MyUI+. Why do these problems matter? Improper segregation of duties, including the separation of responsibilities for both investigating and clearing potential fraud holds, leaves the UI program vulnerable to fraudulent activity. Specifically, fraud risk increases if there is no segregation between the investigation and the actual clearing of the fraud hold from MyUI+ and, as a result, the same staff could inappropriately clear holds and initiate UI payments. Further, a lack of strong checks and balances within the UI program could erode the integrity of the program at large, ultimately negatively impacting public trust. Strong internal controls related to UI fraud are especially important given the large amount of funds that are paid by the Department for UI claims each year and the significant amount of fraudulent claims that are paid by the Department. For example, the Department recorded an estimated receivable for amounts due back to the Department of $45 million for fraudulently-obtained UI claims at June 30, 2022. Without strengthening its controls over UI claims and fraud holds, there is a risk that a significant amount of UI funds could continue to be paid out each year for fraudulently obtained UI claims. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-070 The Department of Labor and Employment (Department) should strengthen its internal controls over Unemployment Insurance (UI) program integrity holds by: A. Ensuring all fraud holds are properly investigated and documented with a log note in Salesforce that explains the rationale for releasing the claim, prior to releasing the claim in MyUI+. B. Adequately reviewing claims for a fraud indicator to ensure the hold is sent to the appropriate UI section for resolution. C. Ensuring Department staff are given the appropriate access in MyUI+ to prevent individuals from clearing fraud holds inappropriately and periodically monitoring access to ensure access levels remain appropriate. D. Instituting policies and procedures over management override of internal controls related to UI claims and providing staff training on those policies and procedures. This should include ensuring that UI staff are aware of the importance of following all procedures related to fraud holds and that any inappropriate requests or pressures are communicated through the appropriate channels. E. Updating its current policies and procedures to require segregation of duties between the investigation of a fraud hold and the release of a fraud hold in MyUI+ to ensure more than one person is involved in the fraud hold process from beginning to end. Response Department of Labor and Employment A. Agree Implementation Date: July 2024 The Department agrees with this finding. The Department is moving all adjudication and investigation of program integrity holds into the MyUI+ system, so there will be one system of record. The Department will ensure that all program integrity holds have all documentation through adjudication and investigation, including log notes. The Department anticipates this to be fully implemented by July 2024. B. Agree Implementation Date: July 2024 The Department agrees with this finding. The department has modified processes to ensure all holds are only routed to the appropriate team to be adjudicated. In addition the Department is working to have all claims identified as fraud delivered in a workflow process in MyUI+ rather than the various processes in place now. Further the department is working with our MyUI+ system experts to implement new technology to strengthen and streamline the fraud indicator escalation process and systems within MyUI+. In working with our MyUI+ system experts, the Department anticipates this to be fully implemented by July 2024. C. Agree Implementation Date: July 2024 The Department agrees with this finding. The Department will continue strengthening security in this area and internal procedures to periodically monitor the potential for internal fraud activities. Additionally, the Department will periodically monitor and review My UI+ access levels for appropriateness. In consultation with our MyUI+ systems experts, the Department anticipates this finding to be fully implemented by July 2024. D. Agree Implementation Date: July 2023 The Department agrees with this finding. The Department will reinforce and strengthen the ethics policies in yearly communication to staff and tighten escalation policies to ensure pressures and inappropriate requests are handled in accordance with guidelines. The Department anticipates this will be completed by July 2023. E. Disagree When a PI hold is identified as being highly suspicious for criminally fraudulent activity, it is routed to a specialized unit for review, thereby leaving the standard adjudication process. This is handled by passing the review to the UI Investigations and/or Criminal Enforcement (ICE) unit. The investigator performs their investigation and if no actual fraudulent activity is found they will release the hold. The UI Division also performs several quality control reviews of claims and claim decisions via Benefits Payment Control (BPC), Benefits Accuracy Measurements (BAM), Benefits Timeliness and Quality (BTQ), and internal Quality Assurance (QA) reviews. Claims are reviewed for such criteria as adequate support documentation, benefit payment accuracy, timely processing, and correct claim decision determination on all program integrity holds. The Green Book states in Section 10.14, ? If segregation of duties is not practical within an operational process because of limited personnel or other factors, management designs alternative control activities to address the risk of fraud, waste, or abuse in the operational process.? CDLE believes the reviews represent adequate and sufficient compensating controls for the need for segregation of duties on fraud holds. Changing the current process would hinder our ability to deliver UI benefit services timely to our customers and would put us in jeopardy of fulfilling our federal and state payment timeliness requirements. Auditor?s Addendum Segregating the duties between investigating and releasing a fraud hold in MyUI+ reduces the risk of an employee inappropriately and potentially fraudulently clearing the hold without conducting a proper investigation. The issues identified in our audit indicate that the Department?s current compensating controls did not identify that a current employee released fraud holds without a proper investigation. The Department should consider updating its procedures and processes to segregate these duties to reduce the risk of this occurring in the future.
The following finding and recommendation relating to an internal control deficiency classified as a Significant Deficiency was communicated to the Department of Labor and Employment (Department) in the previous year and has not been remediated as of June 30, 2022 because the original implementation date provided by the Department was in a subsequent fiscal year. This complete finding and recommendation can be found within the original report and the complete recommendation can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table Finding 2021-063 Unemployment Insurance?Federal Reporting The Department?s Accounting Section is responsible for completing the following two federal financial reports for the UI program and ensuring the reports are accurate, complete, and submitted to the federal government by the required deadline. The Accounting Section uses bank statements and reports from the Colorado Operations Resource Engine (CORE), the State?s accounting system, to create a workbook with the information and uses that workbook to complete the reports. ? ETA 9130, Financial Status Report, UI Programs. This is a quarterly report used to report the Department?s UI program and administrative expenditures. Financial data is required to be reported cumulatively from grant inception through the end of the reporting period. ? ETA 2112, UI Financial Transaction Summary. This is a monthly report that is a summary of the UI program?s transactions, which account for all funds received in, passed through, or paid out of the state employment fund during the applicable month. The UI division is responsible for completing the following federal report for the UI program and ensuring the report is accurate, complete, and submitted to the federal government by the required timeline. The UI division uses data pulled from MyUI+, the UI claims and benefits system, to generate two reports to fill out the ETA 191 report, described as follows. ? ETA 191, Financial Status of UCFE/UCX. This is a quarterly report on the State?s unemployment compensation expenditures paid by the Department to former federal employees (UCFE) and ex-service members (UCX) who have filed with the Department for unemployment benefits, and total amount of benefits paid to claimants of specific federal agencies. The federal government uses this report to request reimbursement of UCFE and UCX benefit payments from federal and military agencies. The federal government reimburses the Department for these benefit payments. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the Department had adequate internal controls in place over and complied with federal reporting requirements for the UI program during Fiscal Year 2021. As part of our audit work, we gained an understanding of the Department?s procedures that were in place to prepare the federal reports. In addition, we reviewed four ETA 2112 reports and two ETA 191 reports submitted to the federal government for Fiscal Year 2021 to ensure they were accurate, complete, and submitted by the required deadline. We also requested the Department?s policies and procedures for completing the reports, as well as the Department?s supporting documentation for the reports. How were the results of the audit work measured? We measured the results of our audit against the following: In accordance with Uniform Guidance [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and terms and conditions of the federal award. In accordance with the OSC?s policy Internal Control System, state agencies shall use the Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office, as its framework for its system of internal control. Green Book, Paragraph OV4.08, Documentation Requirements, states that documentation is required for the effective design, implementation, and operating effectiveness of an entity?s internal control system. Green Book Paragraph 12.02, Documentation of Responsibilities through Policies, specifically indicates that management should document in their policies the internal control responsibilities of the organization. The U.S. Department of Labor Unemployment Insurance Handbook 401 (Handbook) states that the ETA 2112 is due the first day of the second month following the month that the data in the report represents. In addition, the Handbook states that the ETA 191 is due by the 25th of the month following the close of the quarter. What problems did the audit work identify? We identified issues with 2 of the 4 (50 percent) ETA 2112 reports we tested, and 1 of the 2 (50 percent) ETA 191 reports we tested. Specifically, we identified the following: ETA 2112. We identified four issues with the September 2020 report, as follows: ? The Department could not provide support for $50.6 million reported as federal tax withholding on the report. ? The Department could not provide documentation related to the FPUC deposits and disbursements reported on the report. Specifically, the Department reported FPUC deposits as $27.0 million and FPUC Disbursements as $28.4 million. Because the Department could not provide documentation, we could not determine the correct amounts that should have been reported. ? The Department overstated the deposit amount for the intra-account transfer line by $240.2 million. Specifically, the Department reported that the amount deposited during the month for the intra-account transfers was $378.1 million, but the supporting documentation we reviewed showed the deposits totaled $137.9 million. ? The Department submitted the report on November 5, 2020, or 3 days after the deadline of November 2, 2020. In the February 2021 report, we identified that the Department understated reimbursement benefits from nonprofits by $540,000, reimbursements from local governments by $1.1 million; and reimbursements from state government by $204,700. Finally, based on discussion with the Department, it does not protect the formulas in its ETA 2112 workbooks it uses to prepare the reports in order to prevent intentional or inadvertent changes to calculations. ETA 191. We identified two issues with the ETA 191 report for the quarter ended March 2021 report. First, the Department failed to appropriately correct a federal Department of Labor-identified error from the previous quarter for expenditures for military agencies. Specifically, the Department incorrectly adjusted the $1,089,761, by $2,100, which was an under correction of the error of $2,120. Second, the Department submitted the report on May 14, 2021, nearly a month after the April 16, 2021, deadline. Why did these problems occur? The Department did not have sufficient internal controls in place to ensure that the federal reports and associated documentation were accurate and complete during Fiscal Year 2021. Specifically, the Department does not have formal, documented policies for completing the reports or a requirement that the workbooks are protected. Although the Department has a procedure document that provides instructions on how to complete the federal reports, the procedures do not include a requirement for a supervisory review of these reports prior to submitting them to the federal government. Some of the errors we identified were due to the wrong information being input into the reports, which a review could have caught and corrected prior to the Department submitting the report to the federal government. Why do these problems matter? Strong internal controls over federal reporting, including formal, documented policies, protection of formulas in the workbooks used to prepare the reports to prevent intentional or inadvertent changes to calculations, and adequate supervisory review, are necessary to ensure that the Department is in compliance with federal reporting requirements. Errors in the federal reports could cause the users of these reports to rely on incorrect information. This could have a negative impact on the Department?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-063 The Department of Labor and Employment should strengthen its internal controls over federal reporting by developing, formally documenting, and implementing policies for completing its federal reports for the Unemployment Insurance program. These policies should require the workbooks used to prepare the reports to be protected and that a supervisory review occurs prior to submitting the reports to the federal government. Response Department of Labor and Employment Agree Implementation Date: March 2023 CDLE will continue to develop, formally document, and implement policies for completing its federal reports for the Unemployment Insurance program. These policies will require the workbooks used to prepare the reports to be protected, for the data to be substantiated, and will require supervisory review on a monthly basis prior to submitting the reports to the federal government.
Finding 2022-072 MyUI+ and Connecting Colorado?Information Security Government Auditing Standards allow for information that is considered sensitive in nature, such as detailed information related to information technology system security, to be issued through a separate ?classified or limited use? report because of the potential damage that could be caused by the misuse of this information. We consider the specific technical details of this finding, along with the response, to be sensitive in nature and not appropriate for public disclosure. Therefore, the details of the following finding and response have been provided to the Department in a separate, confidential memorandum. The Department administers the federal Unemployment Insurance and Employment Service Cluster programs, and the Department relies on IT systems to aid with determining applicants? eligibility for the programs and to provide information necessary to meet federal reporting requirements. For these two programs, the associated systems are MyUI+ and Connecting Colorado. The Department is the business owner and works with the Governor?s Office of Information Technology (OIT) and two different external IT service providers. High level descriptions of the two systems are as follows: ? MyUI+ ? The Department?s system for UI eligibility determinations and calculation of UI payments to eligible recipients. According to Department staff, starting in Fiscal Year 2023, MyUI+ will also provide data necessary for federal reporting to the U.S. Department of Labor for the UI program that was previously generated by the Colorado Labor and Employment Accounting Resource system. ? Connecting Colorado ? The Department?s workforce case management, labor exchange, and federal reporting system that supports the Employment Service Cluster program. The system provides services for job seekers and businesses, as well as provides all required federal reporting to the U.S. Department of Labor, for the Employment Service Cluster programs. In order for the Department to achieve its objectives and respond to risks, including those related to the federal programs it administers, management should establish a strong framework of internal controls that also address information system controls. Specifically, information system controls typically start with management documenting IT policies that address IT general control responsibilities and procedures that document the more granular details on how to implement Department policies. These IT general control policies and procedures should include those policies and procedures that are specific to information security. Once policies and procedures have been formalized and communicated to staff responsible, specific internal control activities can be implemented and operationalized. What was the purpose of our audit work and what work was performed? The purpose of our Fiscal Year 2022 audit work was to determine whether the Department, OIT, and the Department?s two external IT service providers for MyUI+ and Connecting Colorado had policies and procedures related to information security, designed and implemented for MyUI+ and Connecting Colorado. Our audit work was performed through interviews conducted of Department and OIT staff. What problems did the audit work identify and how were the results of the audit work measured? During Fiscal Year 2022, we identified information security problems with the MyUI+ and Connecting Colorado systems. We have grouped these problems first by those common to the two systems and then those unique to each system. MyUI+ and Connecting Colorado Common Problems ? Policies and procedures were lacking. Department management had not established its expectations through the development and implementation of formalized policies and procedures related to information security general controls for MyUI+ and Connecting Colorado. o Standards for Internal Control in the Federal Government (Green Book) published by the U.S. Government Accountability Office (GAO) states in Paragraph 3.09, Documentation of Internal Control System, and 12.02, Documentation of Responsibilities through Policies, that management should develop and maintain documentation of its internal control system and document in policies the internal control responsibilities of the organization. Paragraph 11.06 and 11.07, Design Appropriate Types of Control Activities, states that management should design appropriate types of control activities in the entity?s information system, including information system general controls that facilitate the proper operation of the entity?s systems. o Colorado Information Security Policies (Security Policies or CISP) that are developed, published, and required to be followed by the Department and its external IT service providers state within the Policy and the General Responsibilities sections, specifically 8.3.1 and 8.3.2 for Business Owners or the Department, that all agencies, except for the institutions of higher education and the general assembly, as the business owner, must implement governance principles, which would include IT policies and procedures, for promoting data quality and integrity for its systems, as the business owner, and is responsible for following and adhering to all identified business owner requirements, as stated within the Security Policies. ? Vendor oversight was lacking. The Department had not ensured its IT service providers complied with Security Policies. o Security Policies state that IT service providers?defined as OIT and/or external service providers?must follow the Security Policy requirements, among certain other requirements, as communicated to the Department within the confidential finding. o Section C.iii. (Legal Authority ? Contractor Signatory, Information Technology Specific) of the Department?s contract with the Connecting Colorado IT service provider states: ??the contractor warrants that it will at all times comply with all Security Policies.? o Exhibit C, Section 1.C.vi. (Information Technology Provisions, Protection of System Data) of the Department?s contract with the MyUI+ IT service provider states: ??the contractor shall comply with all rules, policies, procedures, and standards issued by the Governor?s Office of Information Technology.? o The Green Book states in Paragraph OV4.01, Service Organizations, that management retains responsibility for the performance of processes assigned to service organizations. MyUI+ and Connecting Colorado Unique Problems We also found other problems with access management, unique to each MyUI+ and Connecting Colorado, that lacked compliance with Security Policies, OIT Cyber Policies, and the IRS?s, Publication 1075, Tax Information Security Guidelines for Federal, State, and Local Agencies, November 2021 Revision, and were communicated through the confidential finding. Why did these problems occur? Overall, the Department did not have sufficient IT governance and information security internal controls in place, including policies and procedures, to ensure that Department staff and its IT service providers complied with various data security compliance requirements set forth by OIT and the IRS, as well as those internal control principles established within the Green Book?s internal control framework. We discuss other specific causes for the problems we identified below: MyUI+ and Connecting Colorado ? Policies and procedures were lacking (MyUI+). Department staff stated that they followed and complied with the October 2021 dated Security Policies for the entire fiscal year, as these were more stringent than the March 2022 dated Security Policies. However, the Department did not provide documentation of a formal adoption of the October 2021 dated Security Policies. Staff also stated it maintains informal procedures of how to perform certain access management processes, but no standard operating procedures were in place. ? Policies and procedures were lacking (Connecting Colorado). Department staff had released a program guidance letter that addressed data security and access, but staff acknowledged that these program guidance letters are a guide and not official policy statements. In addition, the program guidance letter provided by Department staff was directed to the workforce centers that are located across the state that provide employment services to eligible beneficiaries and, therefore, did not provide any data security or access policies and procedures for state staff. ? Vendor oversight was lacking. We determined the Department did not have a vendor management process in place to hold its IT service providers accountable for contract provisions that required the IT service providers to comply with Security Policies, as demonstrated by the noncompliance issues we identified. In addition, and based on the March 2022 Security Policies, the Department has not determined whether contract amendments may be necessary with its two external IT service providers. ? Other Access Management Non-Compliance: o Department staff indicated that in one instance of non-compliance identified, a more efficient process was to not comply with the requirement. o Department staff stated that the certain access management non-compliance area was set up as it was during the COVID-19 pandemic to help prevent backlogs and issues for users during that time and was not subsequently changed. o Department staff did not update its rules for Connecting Colorado account management non-compliance area to reflect Security Policy changes. Specifically, we noted that OIT introduced the specific account management requirements in its Security Policies in February 2015, and those requirements remained constant through the March 2022 version; however, Department staff did not have a process in place to ensure periodic reviews of OIT?s Security Policies occurred and Department rules for the workforce centers appropriately aligned with any Security Policy changes. In addition, Department staff did not have a process in place to ensure its external IT service providers were complying with contract provisions to comply with Security Policy requirements. o Department staff stated they have not found cause to mandate IT service provider actions that are deemed privately owned business methodologies. However, and as noted above, the Department?s contract states that the external IT service provider must comply with OIT?s Security Policies that require specific security safeguards to be implemented by all IT service providers, including the Connecting Colorado external IT service provider. Why do these problems matter? The lack of established IT policies and procedures make it difficult for Department management to measure and hold staff accountable to management?s expectations, as well as ensuring risks are addressed and overall objectives and missions are fulfilled. In turn, without policies and procedures, staff may not perform processes and controls in a consistent manner. In addition, without holding vendors accountable and ensuring that strong security measures are designed, implemented, and operating effectively, the risk of unauthorized access increases and ultimately impacts data reliability of the data stored and processed within MyUI+ and Connecting Colorado. Lastly, without having a strong internal control framework in place, management cannot ensure that state and federal funds are being used appropriately, which may impact the Department?s compliance with federal grant requirements and/or the accuracy of the Department?s federal and financial reporting. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-072 The Department of Labor and Employment (Department) should improve its overall Information Technology (IT) governance and information security IT general controls, and work with its IT service providers, as applicable, for the MyUI+ and Connecting Colorado information systems by: A. Formalizing and communicating to Department staff and the Department?s IT service providers? IT policies that comply with the Business Owner requirements listed within the Governor?s Office of Information Technology?s (OIT) March 2022 Colorado Information Security Policies (Security Policies). As an option, the Department could formally adopt the October 2021 Security Policies, identify any gaps between the October 2021 and March 2022 versions, and then formalize and communicate policies that address the identified gaps. B. Formalizing and communicating IT procedures to provide guidance to Department staff and the Department?s IT service providers performing IT general control activities that further address the IT policies formalized in recommendation Part A. The formalization and communication should include an organizationally defined, periodic review process of OIT?s Security Policies to ensure the Department?s IT policies, procedures, and rules are updated accordingly to align with the most current version of the Security Policies. C. Formalizing a vendor management process that ensures the Department?s IT service providers are held accountable to contract provisions requiring compliance with Colorado Information Security Policies and IT policies and procedures formalized in recommendation Parts A and B. This should include a review of the Department?s current external IT service providers? contracts and a determination of whether amendments to those contracts are necessary, based on the formalization of recommendation Parts A and B. D. Implementing recommendation Part D as noted in the confidential finding. E. Implementing recommendation Part E as noted in the confidential finding. Response Department of Labor and Employment A. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. B. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. C. Agree Implementation Date: December 2023 CDLE agrees with the recommendation and as part of A and B recommendations of this document, the Department will include a requirement from vendors to affirm they have reviewed and will comply with OIT security policies for all new contracts. Furthermore, as the Department becomes aware of changes to OIT Security Policies through its annual review process, these will be communicated to the vendors, and they will be required to reaffirm their compliance with any applicable changes. We will work with our current vendors for MyUI+ and Connecting Colorado to address the compliance issues noted in the audit and ensure they are compliant with OIT Security Policies and IT policies developed in part A and B of this recommendation. If non-compliance is determined to be unavoidable, the Department will file for a security exception with OIT. D. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part D as noted in the confidential finding. E. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part E as noted in the confidential finding.
Finding 2022-070 Unemployment Insurance Program Integrity Fraud Holds The Department?s UI Division is responsible for the administration and monitoring of Colorado?s UI programs, including the collection of unemployment premiums from employers, the payment of UI benefits to claimants, and the performance of audits and investigations of premiums and benefits to ensure they are properly paid. Employer-paid premiums are the primary source of funding for UI benefits. When an individual applies for UI benefits, they are called a claimant, and the application is called a claim. Each claimant creates an account in MyUI+, the Department?s unemployment benefit system, in order to apply for unemployment benefits. The Department reviews, or adjudicates, claims to ensure that claimants are eligible and entitled to receive UI benefits. As part of the adjudication process, wage checks for claimants are compared to employer reported wages submitted to the Department on a quarterly basis and the Department sends a notification to all employers that the claimant worked for within the last 18 months to determine the validity and reason for the claimant leaving the workplace. In addition, Department staff indicate that, on a weekly basis, they perform reviews to identify potential issues with a claimant?s ability and availability to work, and to determine whether the claimant is accurately reporting earned income. If information provided by an interested party, such as a former employer, relating to the reason for leaving the workforce does not agree to the claimant information, the Department follows up on the information and issues eligibility determinations, as appropriate. In Fiscal Year 2022, the Department paid $1.1 billion in UI benefits. The Department has processes and systems to detect and prevent identity theft related to UI benefits. For example, when the Department identifies a claim with characteristics that are indicators of fraud, it places a fraud hold (also known as a program integrity hold) on the claimant?s UI claim, which holds the claim for investigation and which prevents any future benefit payments to the claimant until the fraud hold is removed and eligibility is determined. For each fraud hold, the Department has to determine if the identity of the individual filing the claim matches the personally identifiable information used on the claim. Once that is verified, the Department then must verify that the individual did not make any false statements in order to establish program eligibility. The steps that the Department takes to resolve a fraud hold differ depending on the characteristics of the claim that caused the Department to question its legitimacy. If Department staff determine that the fraud hold was not legitimate, the Department clears the hold in MyUI+ and then proceeds with determining if the individual is eligible to receive UI benefits. The Department uses an automated system, called ID.me, as part of its identity verification process. ID.me is a federally-certified identity provider that assists the Department in verifying claimants? identity. In some instances, MyUI+ will clear the fraud hold if the claimant passes ID.me and the claim does not need further investigation. In other cases, the Department performs an investigation to determine if the fraud hold is legitimate, or if the hold was placed in error. According to the information in MyUI+, the Department cleared 54,047 fraud holds during Fiscal Year 2022 ? 44,936 were cleared through the ID.me process, and 9,111 were cleared by the Department. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department had adequate internal controls in place over fraud holds during Fiscal Year 2022, including whether only appropriate, authorized individuals cleared the fraud hold from MyUI+, and if the Department had adequate segregation of duties between staff investigating a fraud hold, and staff releasing the hold in MyUI+. As part of our audit work, we requested the Department?s policies and procedures for their investigation process and documentation used to support the Department?s investigations that resulted in clearing a fraud hold, and inquired how the Department determined who is authorized to release fraud holds from MyUI+. The Department?s documentation included case reports for the investigations and log notes from Salesforce, the Department?s software that is primarily used as a workflow management tool and documentation repository for UI claims requiring an investigation. We selected a sample of 60 of the 9,111 fraud holds that were cleared by the Department during Fiscal Year 2022 to determine if the Department performed an investigation prior to releasing the fraud hold in MyUI+. In addition, as part of our testing of the sample, we determined that 20 different Department staff cleared the 60 fraud holds in MyUI+; we performed testing to determine if those staff were authorized to clear the holds in MyUI+. How were the results of the audit work measured? We measured the results of our audit against the following: Section 7511, Part V, of the Employment Security Manual (ESM) requires state UI laws to include provisions for such methods of administration as are, within reason, calculated (1) to detect benefits paid through error by the state UI agency or through willful misrepresentation or error by the claimant or others, (2) to deter claimants from obtaining benefits through willful misrepresentation, and (3) to recover benefits overpaid under certain circumstances. These required functions are accomplished through designated staff responsible for promoting and maintaining the integrity of the UI program through prevention, detection, investigations, establishment, and recovery of overpayments. Designated staff also prepare cases for prosecution. The Department?s UI Investigation Procedures state that if Department staff determine that a fraud hold that they are investigating can be released in MyUI+, Department staff should write an event log note in Salesforce. Information security is the practice of protecting information by mitigating information risk. ISO 27001 Standard for Information Security Management Systems is the international standard for information security, and its best practice approach helps organizations manage their information security by addressing people, processes, and technology. User-access management has the following objectives: ? Ensure authorized user access ? Prevent unauthorized access to information systems Expanding on the objectives from ISO 27001, a broad set of business-level objectives for user-access management can be defined as follows: ? Allow only authorized users to have access to information and resources ? Restrict access to the least privileges required by these authorized users to fulfill their business role The federal Social Security Act [Section 303(a)(1), SSA], contains a merit-based system requirement for the UI program. Specifically, this section requires that, as a condition of receiving federal UI administrative grants, states must have laws that include ?provision for such methods of administration? that includes a merit system. A merit system is defined as the process of promoting and hiring government employees based on their ability to perform a job, rather than on their political connections. As part of this requirement, any position which involves the determination of whether or not a UI claimant will be paid, or which involves determining an employer's liability for contributions, must be ?merit staffed.? According to federal regulations [5 CFR 900.603, Standards For a Merit System of Personnel Administration], ?The quality of public service can be improved by the development of systems of personnel administration consistent with such merit principles as - (a) Recruiting, selecting, and advancing employees on the basis of their relative ability, knowledge, and skills, including open consideration of qualified applicants for initial appointment. (b) Providing equitable and adequate compensation. (c) Training employees, as needed, to assure high quality performance. (d) Retaining employees on the basis of the adequacy of their performance, correcting inadequate performance, and separating employees whose inadequate performance cannot be corrected?? The U. S. Department of Labor Unemployment Insurance Program Letter (UIPL) No. 12-01, states that only those employees considered as merit-staff can determine whether to pay or deny payment to a claim. Additionally, UIPL No. 12-01 Change 2 states that, ?Determinations of overpayments or fraud must be made by merit-staffed employees.? The Department?s SPP 1053 Code of Conduct, Ethics and Values Policy, Attachment A: Unemployment Insurance Ethics Policy states that employees are not permitted to do the following: ? Investigate or attempt to investigate suspected fraud unless it is within their assigned duties. ? Backdate a claim, transfer claim status retroactively (UI to UCFE, UCX to TRA, etc.), alter information provided by a claimant or employer, or change or defer a UI document due date without valid documentation or approval of the appropriate branch chief or UI Director. According to federal regulation [45 CFR 75.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office. Under Paragraph 10.01 of the Green Book, the Department should design control activities to achieve objectives and respond to risks. Segregation of duties contribute to the design, implementation, and operating effectiveness of control activities. Under Paragraph 10.03 of the Green Book, the Department should divide or segregate key duties and responsibilities among different people to reduce the risk of error, misuse, or fraud. This includes separating the responsibilities for authorizing transactions, processing and recording them, reviewing the transactions, and handling any related assets so that no one individual controls all key aspects of a transaction or event. What problems did the audit work identify? The Department did not comply with federal regulations or its own policies and procedures related to the clearing of fraud holds during Fiscal Year 2022. Specifically, we identified issues with 32 of the 60 (53 percent) fraud holds we tested, as follows: ? The Department cleared 12 of the 60 fraud holds tested (20 percent) without performing an investigation or providing evidence of the reasoning used to clear the hold. Specifically, when we asked for investigation documentation for the 12 fraud holds, the Department indicated these were cleared without an investigation, and there were no related log notes in Salesforce, as required. ? For 20 of the 48 cases in our sample (42 percent) for which the Department did conduct an investigation, it did not segregate the duty of investigating the fraud hold and clearing the fraud hold from MyUI+. Specifically, in these cases, only one person conducted the investigation, concluded on the investigation, and cleared the fraud hold in MyUI+. ? One of the 20 Department staff who cleared a portion (5 percent) of the 60 fraud holds we sampled was not authorized to clear fraud holds from MyUI+ because the individual was not considered to be merit-staffed. Further, this unauthorized individual cleared 11 of 12 fraud holds we identified above that did not have an investigation, as required. We also found that this individual cleared an additional 55 fraud holds outside of our sample during Fiscal Year 2022. Why did these problems occur? The Department did not have sufficient internal controls in place, including appropriate policies and procedures, to ensure it enforced compliance with federal and Department-level requirements regarding the clearing of UI fraud holds during Fiscal Year 2022, as follows: ? The Department did not ensure that all fraud hold claims cleared in MyUI+ had a related log note in Salesforce that explained the rationale for clearing the hold, or that there was an investigation performed over the fraud hold prior to it being cleared in MyUI+. Specifically, in 11 of the 12 instances, the Department?s controls failed to prevent non-merit staff from using their MyUI+ access inappropriately, and in the other instance, Department controls failed to ensure the UI claim was reviewed by the UI section that reviews fraud holds rather than the UI section that resolves non-fraud UI claims. The Department provided full, rather than read-only access to the non-merit, Executive Director?s Office?s staff member noted in our finding. UI management indicated that they gave the individual full access to MyUI+ during the height of the pandemic with the assumption that the individual would use such access in a read-only manner solely to review claim information for inquiries coming through the Executive Director's Office. According to UI Division leadership, after they identified that the individual had full access during Fiscal Year 2022, they changed the individual?s access to read-only in January 2022. ? The Department lacked policies regarding management override of controls related to the clearing of fraud holds, in order to prevent or appropriately manage those responsibilities. UI staff indicated that in some cases, the non-merit, Executive Director?s Office?s staff member noted in our finding would reach out to other staff within the UI Division to help escalate the MyUI+ fraud hold clearing process. In some of these instances, because of the position of the individual within the Executive Director?s Office, UI staff circumvented the normal escalation process and aided the individual with clearing the fraud hold. ? The Department?s current policies and procedures do not require segregation of duties between those staff who investigate a fraud hold, and those staff who remove the fraud hold in MyUI+. Why do these problems matter? Improper segregation of duties, including the separation of responsibilities for both investigating and clearing potential fraud holds, leaves the UI program vulnerable to fraudulent activity. Specifically, fraud risk increases if there is no segregation between the investigation and the actual clearing of the fraud hold from MyUI+ and, as a result, the same staff could inappropriately clear holds and initiate UI payments. Further, a lack of strong checks and balances within the UI program could erode the integrity of the program at large, ultimately negatively impacting public trust. Strong internal controls related to UI fraud are especially important given the large amount of funds that are paid by the Department for UI claims each year and the significant amount of fraudulent claims that are paid by the Department. For example, the Department recorded an estimated receivable for amounts due back to the Department of $45 million for fraudulently-obtained UI claims at June 30, 2022. Without strengthening its controls over UI claims and fraud holds, there is a risk that a significant amount of UI funds could continue to be paid out each year for fraudulently obtained UI claims. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-070 The Department of Labor and Employment (Department) should strengthen its internal controls over Unemployment Insurance (UI) program integrity holds by: A. Ensuring all fraud holds are properly investigated and documented with a log note in Salesforce that explains the rationale for releasing the claim, prior to releasing the claim in MyUI+. B. Adequately reviewing claims for a fraud indicator to ensure the hold is sent to the appropriate UI section for resolution. C. Ensuring Department staff are given the appropriate access in MyUI+ to prevent individuals from clearing fraud holds inappropriately and periodically monitoring access to ensure access levels remain appropriate. D. Instituting policies and procedures over management override of internal controls related to UI claims and providing staff training on those policies and procedures. This should include ensuring that UI staff are aware of the importance of following all procedures related to fraud holds and that any inappropriate requests or pressures are communicated through the appropriate channels. E. Updating its current policies and procedures to require segregation of duties between the investigation of a fraud hold and the release of a fraud hold in MyUI+ to ensure more than one person is involved in the fraud hold process from beginning to end. Response Department of Labor and Employment A. Agree Implementation Date: July 2024 The Department agrees with this finding. The Department is moving all adjudication and investigation of program integrity holds into the MyUI+ system, so there will be one system of record. The Department will ensure that all program integrity holds have all documentation through adjudication and investigation, including log notes. The Department anticipates this to be fully implemented by July 2024. B. Agree Implementation Date: July 2024 The Department agrees with this finding. The department has modified processes to ensure all holds are only routed to the appropriate team to be adjudicated. In addition the Department is working to have all claims identified as fraud delivered in a workflow process in MyUI+ rather than the various processes in place now. Further the department is working with our MyUI+ system experts to implement new technology to strengthen and streamline the fraud indicator escalation process and systems within MyUI+. In working with our MyUI+ system experts, the Department anticipates this to be fully implemented by July 2024. C. Agree Implementation Date: July 2024 The Department agrees with this finding. The Department will continue strengthening security in this area and internal procedures to periodically monitor the potential for internal fraud activities. Additionally, the Department will periodically monitor and review My UI+ access levels for appropriateness. In consultation with our MyUI+ systems experts, the Department anticipates this finding to be fully implemented by July 2024. D. Agree Implementation Date: July 2023 The Department agrees with this finding. The Department will reinforce and strengthen the ethics policies in yearly communication to staff and tighten escalation policies to ensure pressures and inappropriate requests are handled in accordance with guidelines. The Department anticipates this will be completed by July 2023. E. Disagree When a PI hold is identified as being highly suspicious for criminally fraudulent activity, it is routed to a specialized unit for review, thereby leaving the standard adjudication process. This is handled by passing the review to the UI Investigations and/or Criminal Enforcement (ICE) unit. The investigator performs their investigation and if no actual fraudulent activity is found they will release the hold. The UI Division also performs several quality control reviews of claims and claim decisions via Benefits Payment Control (BPC), Benefits Accuracy Measurements (BAM), Benefits Timeliness and Quality (BTQ), and internal Quality Assurance (QA) reviews. Claims are reviewed for such criteria as adequate support documentation, benefit payment accuracy, timely processing, and correct claim decision determination on all program integrity holds. The Green Book states in Section 10.14, ? If segregation of duties is not practical within an operational process because of limited personnel or other factors, management designs alternative control activities to address the risk of fraud, waste, or abuse in the operational process.? CDLE believes the reviews represent adequate and sufficient compensating controls for the need for segregation of duties on fraud holds. Changing the current process would hinder our ability to deliver UI benefit services timely to our customers and would put us in jeopardy of fulfilling our federal and state payment timeliness requirements. Auditor?s Addendum Segregating the duties between investigating and releasing a fraud hold in MyUI+ reduces the risk of an employee inappropriately and potentially fraudulently clearing the hold without conducting a proper investigation. The issues identified in our audit indicate that the Department?s current compensating controls did not identify that a current employee released fraud holds without a proper investigation. The Department should consider updating its procedures and processes to segregate these duties to reduce the risk of this occurring in the future.
The following finding and recommendation relating to an internal control deficiency classified as a Significant Deficiency was communicated to the Department of Labor and Employment (Department) in the previous year and has not been remediated as of June 30, 2022 because the original implementation date provided by the Department was in a subsequent fiscal year. This complete finding and recommendation can be found within the original report and the complete recommendation can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table Finding 2021-063 Unemployment Insurance?Federal Reporting The Department?s Accounting Section is responsible for completing the following two federal financial reports for the UI program and ensuring the reports are accurate, complete, and submitted to the federal government by the required deadline. The Accounting Section uses bank statements and reports from the Colorado Operations Resource Engine (CORE), the State?s accounting system, to create a workbook with the information and uses that workbook to complete the reports. ? ETA 9130, Financial Status Report, UI Programs. This is a quarterly report used to report the Department?s UI program and administrative expenditures. Financial data is required to be reported cumulatively from grant inception through the end of the reporting period. ? ETA 2112, UI Financial Transaction Summary. This is a monthly report that is a summary of the UI program?s transactions, which account for all funds received in, passed through, or paid out of the state employment fund during the applicable month. The UI division is responsible for completing the following federal report for the UI program and ensuring the report is accurate, complete, and submitted to the federal government by the required timeline. The UI division uses data pulled from MyUI+, the UI claims and benefits system, to generate two reports to fill out the ETA 191 report, described as follows. ? ETA 191, Financial Status of UCFE/UCX. This is a quarterly report on the State?s unemployment compensation expenditures paid by the Department to former federal employees (UCFE) and ex-service members (UCX) who have filed with the Department for unemployment benefits, and total amount of benefits paid to claimants of specific federal agencies. The federal government uses this report to request reimbursement of UCFE and UCX benefit payments from federal and military agencies. The federal government reimburses the Department for these benefit payments. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the Department had adequate internal controls in place over and complied with federal reporting requirements for the UI program during Fiscal Year 2021. As part of our audit work, we gained an understanding of the Department?s procedures that were in place to prepare the federal reports. In addition, we reviewed four ETA 2112 reports and two ETA 191 reports submitted to the federal government for Fiscal Year 2021 to ensure they were accurate, complete, and submitted by the required deadline. We also requested the Department?s policies and procedures for completing the reports, as well as the Department?s supporting documentation for the reports. How were the results of the audit work measured? We measured the results of our audit against the following: In accordance with Uniform Guidance [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and terms and conditions of the federal award. In accordance with the OSC?s policy Internal Control System, state agencies shall use the Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office, as its framework for its system of internal control. Green Book, Paragraph OV4.08, Documentation Requirements, states that documentation is required for the effective design, implementation, and operating effectiveness of an entity?s internal control system. Green Book Paragraph 12.02, Documentation of Responsibilities through Policies, specifically indicates that management should document in their policies the internal control responsibilities of the organization. The U.S. Department of Labor Unemployment Insurance Handbook 401 (Handbook) states that the ETA 2112 is due the first day of the second month following the month that the data in the report represents. In addition, the Handbook states that the ETA 191 is due by the 25th of the month following the close of the quarter. What problems did the audit work identify? We identified issues with 2 of the 4 (50 percent) ETA 2112 reports we tested, and 1 of the 2 (50 percent) ETA 191 reports we tested. Specifically, we identified the following: ETA 2112. We identified four issues with the September 2020 report, as follows: ? The Department could not provide support for $50.6 million reported as federal tax withholding on the report. ? The Department could not provide documentation related to the FPUC deposits and disbursements reported on the report. Specifically, the Department reported FPUC deposits as $27.0 million and FPUC Disbursements as $28.4 million. Because the Department could not provide documentation, we could not determine the correct amounts that should have been reported. ? The Department overstated the deposit amount for the intra-account transfer line by $240.2 million. Specifically, the Department reported that the amount deposited during the month for the intra-account transfers was $378.1 million, but the supporting documentation we reviewed showed the deposits totaled $137.9 million. ? The Department submitted the report on November 5, 2020, or 3 days after the deadline of November 2, 2020. In the February 2021 report, we identified that the Department understated reimbursement benefits from nonprofits by $540,000, reimbursements from local governments by $1.1 million; and reimbursements from state government by $204,700. Finally, based on discussion with the Department, it does not protect the formulas in its ETA 2112 workbooks it uses to prepare the reports in order to prevent intentional or inadvertent changes to calculations. ETA 191. We identified two issues with the ETA 191 report for the quarter ended March 2021 report. First, the Department failed to appropriately correct a federal Department of Labor-identified error from the previous quarter for expenditures for military agencies. Specifically, the Department incorrectly adjusted the $1,089,761, by $2,100, which was an under correction of the error of $2,120. Second, the Department submitted the report on May 14, 2021, nearly a month after the April 16, 2021, deadline. Why did these problems occur? The Department did not have sufficient internal controls in place to ensure that the federal reports and associated documentation were accurate and complete during Fiscal Year 2021. Specifically, the Department does not have formal, documented policies for completing the reports or a requirement that the workbooks are protected. Although the Department has a procedure document that provides instructions on how to complete the federal reports, the procedures do not include a requirement for a supervisory review of these reports prior to submitting them to the federal government. Some of the errors we identified were due to the wrong information being input into the reports, which a review could have caught and corrected prior to the Department submitting the report to the federal government. Why do these problems matter? Strong internal controls over federal reporting, including formal, documented policies, protection of formulas in the workbooks used to prepare the reports to prevent intentional or inadvertent changes to calculations, and adequate supervisory review, are necessary to ensure that the Department is in compliance with federal reporting requirements. Errors in the federal reports could cause the users of these reports to rely on incorrect information. This could have a negative impact on the Department?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-063 The Department of Labor and Employment should strengthen its internal controls over federal reporting by developing, formally documenting, and implementing policies for completing its federal reports for the Unemployment Insurance program. These policies should require the workbooks used to prepare the reports to be protected and that a supervisory review occurs prior to submitting the reports to the federal government. Response Department of Labor and Employment Agree Implementation Date: March 2023 CDLE will continue to develop, formally document, and implement policies for completing its federal reports for the Unemployment Insurance program. These policies will require the workbooks used to prepare the reports to be protected, for the data to be substantiated, and will require supervisory review on a monthly basis prior to submitting the reports to the federal government.
Finding 2022-072 MyUI+ and Connecting Colorado?Information Security Government Auditing Standards allow for information that is considered sensitive in nature, such as detailed information related to information technology system security, to be issued through a separate ?classified or limited use? report because of the potential damage that could be caused by the misuse of this information. We consider the specific technical details of this finding, along with the response, to be sensitive in nature and not appropriate for public disclosure. Therefore, the details of the following finding and response have been provided to the Department in a separate, confidential memorandum. The Department administers the federal Unemployment Insurance and Employment Service Cluster programs, and the Department relies on IT systems to aid with determining applicants? eligibility for the programs and to provide information necessary to meet federal reporting requirements. For these two programs, the associated systems are MyUI+ and Connecting Colorado. The Department is the business owner and works with the Governor?s Office of Information Technology (OIT) and two different external IT service providers. High level descriptions of the two systems are as follows: ? MyUI+ ? The Department?s system for UI eligibility determinations and calculation of UI payments to eligible recipients. According to Department staff, starting in Fiscal Year 2023, MyUI+ will also provide data necessary for federal reporting to the U.S. Department of Labor for the UI program that was previously generated by the Colorado Labor and Employment Accounting Resource system. ? Connecting Colorado ? The Department?s workforce case management, labor exchange, and federal reporting system that supports the Employment Service Cluster program. The system provides services for job seekers and businesses, as well as provides all required federal reporting to the U.S. Department of Labor, for the Employment Service Cluster programs. In order for the Department to achieve its objectives and respond to risks, including those related to the federal programs it administers, management should establish a strong framework of internal controls that also address information system controls. Specifically, information system controls typically start with management documenting IT policies that address IT general control responsibilities and procedures that document the more granular details on how to implement Department policies. These IT general control policies and procedures should include those policies and procedures that are specific to information security. Once policies and procedures have been formalized and communicated to staff responsible, specific internal control activities can be implemented and operationalized. What was the purpose of our audit work and what work was performed? The purpose of our Fiscal Year 2022 audit work was to determine whether the Department, OIT, and the Department?s two external IT service providers for MyUI+ and Connecting Colorado had policies and procedures related to information security, designed and implemented for MyUI+ and Connecting Colorado. Our audit work was performed through interviews conducted of Department and OIT staff. What problems did the audit work identify and how were the results of the audit work measured? During Fiscal Year 2022, we identified information security problems with the MyUI+ and Connecting Colorado systems. We have grouped these problems first by those common to the two systems and then those unique to each system. MyUI+ and Connecting Colorado Common Problems ? Policies and procedures were lacking. Department management had not established its expectations through the development and implementation of formalized policies and procedures related to information security general controls for MyUI+ and Connecting Colorado. o Standards for Internal Control in the Federal Government (Green Book) published by the U.S. Government Accountability Office (GAO) states in Paragraph 3.09, Documentation of Internal Control System, and 12.02, Documentation of Responsibilities through Policies, that management should develop and maintain documentation of its internal control system and document in policies the internal control responsibilities of the organization. Paragraph 11.06 and 11.07, Design Appropriate Types of Control Activities, states that management should design appropriate types of control activities in the entity?s information system, including information system general controls that facilitate the proper operation of the entity?s systems. o Colorado Information Security Policies (Security Policies or CISP) that are developed, published, and required to be followed by the Department and its external IT service providers state within the Policy and the General Responsibilities sections, specifically 8.3.1 and 8.3.2 for Business Owners or the Department, that all agencies, except for the institutions of higher education and the general assembly, as the business owner, must implement governance principles, which would include IT policies and procedures, for promoting data quality and integrity for its systems, as the business owner, and is responsible for following and adhering to all identified business owner requirements, as stated within the Security Policies. ? Vendor oversight was lacking. The Department had not ensured its IT service providers complied with Security Policies. o Security Policies state that IT service providers?defined as OIT and/or external service providers?must follow the Security Policy requirements, among certain other requirements, as communicated to the Department within the confidential finding. o Section C.iii. (Legal Authority ? Contractor Signatory, Information Technology Specific) of the Department?s contract with the Connecting Colorado IT service provider states: ??the contractor warrants that it will at all times comply with all Security Policies.? o Exhibit C, Section 1.C.vi. (Information Technology Provisions, Protection of System Data) of the Department?s contract with the MyUI+ IT service provider states: ??the contractor shall comply with all rules, policies, procedures, and standards issued by the Governor?s Office of Information Technology.? o The Green Book states in Paragraph OV4.01, Service Organizations, that management retains responsibility for the performance of processes assigned to service organizations. MyUI+ and Connecting Colorado Unique Problems We also found other problems with access management, unique to each MyUI+ and Connecting Colorado, that lacked compliance with Security Policies, OIT Cyber Policies, and the IRS?s, Publication 1075, Tax Information Security Guidelines for Federal, State, and Local Agencies, November 2021 Revision, and were communicated through the confidential finding. Why did these problems occur? Overall, the Department did not have sufficient IT governance and information security internal controls in place, including policies and procedures, to ensure that Department staff and its IT service providers complied with various data security compliance requirements set forth by OIT and the IRS, as well as those internal control principles established within the Green Book?s internal control framework. We discuss other specific causes for the problems we identified below: MyUI+ and Connecting Colorado ? Policies and procedures were lacking (MyUI+). Department staff stated that they followed and complied with the October 2021 dated Security Policies for the entire fiscal year, as these were more stringent than the March 2022 dated Security Policies. However, the Department did not provide documentation of a formal adoption of the October 2021 dated Security Policies. Staff also stated it maintains informal procedures of how to perform certain access management processes, but no standard operating procedures were in place. ? Policies and procedures were lacking (Connecting Colorado). Department staff had released a program guidance letter that addressed data security and access, but staff acknowledged that these program guidance letters are a guide and not official policy statements. In addition, the program guidance letter provided by Department staff was directed to the workforce centers that are located across the state that provide employment services to eligible beneficiaries and, therefore, did not provide any data security or access policies and procedures for state staff. ? Vendor oversight was lacking. We determined the Department did not have a vendor management process in place to hold its IT service providers accountable for contract provisions that required the IT service providers to comply with Security Policies, as demonstrated by the noncompliance issues we identified. In addition, and based on the March 2022 Security Policies, the Department has not determined whether contract amendments may be necessary with its two external IT service providers. ? Other Access Management Non-Compliance: o Department staff indicated that in one instance of non-compliance identified, a more efficient process was to not comply with the requirement. o Department staff stated that the certain access management non-compliance area was set up as it was during the COVID-19 pandemic to help prevent backlogs and issues for users during that time and was not subsequently changed. o Department staff did not update its rules for Connecting Colorado account management non-compliance area to reflect Security Policy changes. Specifically, we noted that OIT introduced the specific account management requirements in its Security Policies in February 2015, and those requirements remained constant through the March 2022 version; however, Department staff did not have a process in place to ensure periodic reviews of OIT?s Security Policies occurred and Department rules for the workforce centers appropriately aligned with any Security Policy changes. In addition, Department staff did not have a process in place to ensure its external IT service providers were complying with contract provisions to comply with Security Policy requirements. o Department staff stated they have not found cause to mandate IT service provider actions that are deemed privately owned business methodologies. However, and as noted above, the Department?s contract states that the external IT service provider must comply with OIT?s Security Policies that require specific security safeguards to be implemented by all IT service providers, including the Connecting Colorado external IT service provider. Why do these problems matter? The lack of established IT policies and procedures make it difficult for Department management to measure and hold staff accountable to management?s expectations, as well as ensuring risks are addressed and overall objectives and missions are fulfilled. In turn, without policies and procedures, staff may not perform processes and controls in a consistent manner. In addition, without holding vendors accountable and ensuring that strong security measures are designed, implemented, and operating effectively, the risk of unauthorized access increases and ultimately impacts data reliability of the data stored and processed within MyUI+ and Connecting Colorado. Lastly, without having a strong internal control framework in place, management cannot ensure that state and federal funds are being used appropriately, which may impact the Department?s compliance with federal grant requirements and/or the accuracy of the Department?s federal and financial reporting. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-072 The Department of Labor and Employment (Department) should improve its overall Information Technology (IT) governance and information security IT general controls, and work with its IT service providers, as applicable, for the MyUI+ and Connecting Colorado information systems by: A. Formalizing and communicating to Department staff and the Department?s IT service providers? IT policies that comply with the Business Owner requirements listed within the Governor?s Office of Information Technology?s (OIT) March 2022 Colorado Information Security Policies (Security Policies). As an option, the Department could formally adopt the October 2021 Security Policies, identify any gaps between the October 2021 and March 2022 versions, and then formalize and communicate policies that address the identified gaps. B. Formalizing and communicating IT procedures to provide guidance to Department staff and the Department?s IT service providers performing IT general control activities that further address the IT policies formalized in recommendation Part A. The formalization and communication should include an organizationally defined, periodic review process of OIT?s Security Policies to ensure the Department?s IT policies, procedures, and rules are updated accordingly to align with the most current version of the Security Policies. C. Formalizing a vendor management process that ensures the Department?s IT service providers are held accountable to contract provisions requiring compliance with Colorado Information Security Policies and IT policies and procedures formalized in recommendation Parts A and B. This should include a review of the Department?s current external IT service providers? contracts and a determination of whether amendments to those contracts are necessary, based on the formalization of recommendation Parts A and B. D. Implementing recommendation Part D as noted in the confidential finding. E. Implementing recommendation Part E as noted in the confidential finding. Response Department of Labor and Employment A. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. B. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. C. Agree Implementation Date: December 2023 CDLE agrees with the recommendation and as part of A and B recommendations of this document, the Department will include a requirement from vendors to affirm they have reviewed and will comply with OIT security policies for all new contracts. Furthermore, as the Department becomes aware of changes to OIT Security Policies through its annual review process, these will be communicated to the vendors, and they will be required to reaffirm their compliance with any applicable changes. We will work with our current vendors for MyUI+ and Connecting Colorado to address the compliance issues noted in the audit and ensure they are compliant with OIT Security Policies and IT policies developed in part A and B of this recommendation. If non-compliance is determined to be unavoidable, the Department will file for a security exception with OIT. D. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part D as noted in the confidential finding. E. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part E as noted in the confidential finding.
Finding 2022-070 Unemployment Insurance Program Integrity Fraud Holds The Department?s UI Division is responsible for the administration and monitoring of Colorado?s UI programs, including the collection of unemployment premiums from employers, the payment of UI benefits to claimants, and the performance of audits and investigations of premiums and benefits to ensure they are properly paid. Employer-paid premiums are the primary source of funding for UI benefits. When an individual applies for UI benefits, they are called a claimant, and the application is called a claim. Each claimant creates an account in MyUI+, the Department?s unemployment benefit system, in order to apply for unemployment benefits. The Department reviews, or adjudicates, claims to ensure that claimants are eligible and entitled to receive UI benefits. As part of the adjudication process, wage checks for claimants are compared to employer reported wages submitted to the Department on a quarterly basis and the Department sends a notification to all employers that the claimant worked for within the last 18 months to determine the validity and reason for the claimant leaving the workplace. In addition, Department staff indicate that, on a weekly basis, they perform reviews to identify potential issues with a claimant?s ability and availability to work, and to determine whether the claimant is accurately reporting earned income. If information provided by an interested party, such as a former employer, relating to the reason for leaving the workforce does not agree to the claimant information, the Department follows up on the information and issues eligibility determinations, as appropriate. In Fiscal Year 2022, the Department paid $1.1 billion in UI benefits. The Department has processes and systems to detect and prevent identity theft related to UI benefits. For example, when the Department identifies a claim with characteristics that are indicators of fraud, it places a fraud hold (also known as a program integrity hold) on the claimant?s UI claim, which holds the claim for investigation and which prevents any future benefit payments to the claimant until the fraud hold is removed and eligibility is determined. For each fraud hold, the Department has to determine if the identity of the individual filing the claim matches the personally identifiable information used on the claim. Once that is verified, the Department then must verify that the individual did not make any false statements in order to establish program eligibility. The steps that the Department takes to resolve a fraud hold differ depending on the characteristics of the claim that caused the Department to question its legitimacy. If Department staff determine that the fraud hold was not legitimate, the Department clears the hold in MyUI+ and then proceeds with determining if the individual is eligible to receive UI benefits. The Department uses an automated system, called ID.me, as part of its identity verification process. ID.me is a federally-certified identity provider that assists the Department in verifying claimants? identity. In some instances, MyUI+ will clear the fraud hold if the claimant passes ID.me and the claim does not need further investigation. In other cases, the Department performs an investigation to determine if the fraud hold is legitimate, or if the hold was placed in error. According to the information in MyUI+, the Department cleared 54,047 fraud holds during Fiscal Year 2022 ? 44,936 were cleared through the ID.me process, and 9,111 were cleared by the Department. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department had adequate internal controls in place over fraud holds during Fiscal Year 2022, including whether only appropriate, authorized individuals cleared the fraud hold from MyUI+, and if the Department had adequate segregation of duties between staff investigating a fraud hold, and staff releasing the hold in MyUI+. As part of our audit work, we requested the Department?s policies and procedures for their investigation process and documentation used to support the Department?s investigations that resulted in clearing a fraud hold, and inquired how the Department determined who is authorized to release fraud holds from MyUI+. The Department?s documentation included case reports for the investigations and log notes from Salesforce, the Department?s software that is primarily used as a workflow management tool and documentation repository for UI claims requiring an investigation. We selected a sample of 60 of the 9,111 fraud holds that were cleared by the Department during Fiscal Year 2022 to determine if the Department performed an investigation prior to releasing the fraud hold in MyUI+. In addition, as part of our testing of the sample, we determined that 20 different Department staff cleared the 60 fraud holds in MyUI+; we performed testing to determine if those staff were authorized to clear the holds in MyUI+. How were the results of the audit work measured? We measured the results of our audit against the following: Section 7511, Part V, of the Employment Security Manual (ESM) requires state UI laws to include provisions for such methods of administration as are, within reason, calculated (1) to detect benefits paid through error by the state UI agency or through willful misrepresentation or error by the claimant or others, (2) to deter claimants from obtaining benefits through willful misrepresentation, and (3) to recover benefits overpaid under certain circumstances. These required functions are accomplished through designated staff responsible for promoting and maintaining the integrity of the UI program through prevention, detection, investigations, establishment, and recovery of overpayments. Designated staff also prepare cases for prosecution. The Department?s UI Investigation Procedures state that if Department staff determine that a fraud hold that they are investigating can be released in MyUI+, Department staff should write an event log note in Salesforce. Information security is the practice of protecting information by mitigating information risk. ISO 27001 Standard for Information Security Management Systems is the international standard for information security, and its best practice approach helps organizations manage their information security by addressing people, processes, and technology. User-access management has the following objectives: ? Ensure authorized user access ? Prevent unauthorized access to information systems Expanding on the objectives from ISO 27001, a broad set of business-level objectives for user-access management can be defined as follows: ? Allow only authorized users to have access to information and resources ? Restrict access to the least privileges required by these authorized users to fulfill their business role The federal Social Security Act [Section 303(a)(1), SSA], contains a merit-based system requirement for the UI program. Specifically, this section requires that, as a condition of receiving federal UI administrative grants, states must have laws that include ?provision for such methods of administration? that includes a merit system. A merit system is defined as the process of promoting and hiring government employees based on their ability to perform a job, rather than on their political connections. As part of this requirement, any position which involves the determination of whether or not a UI claimant will be paid, or which involves determining an employer's liability for contributions, must be ?merit staffed.? According to federal regulations [5 CFR 900.603, Standards For a Merit System of Personnel Administration], ?The quality of public service can be improved by the development of systems of personnel administration consistent with such merit principles as - (a) Recruiting, selecting, and advancing employees on the basis of their relative ability, knowledge, and skills, including open consideration of qualified applicants for initial appointment. (b) Providing equitable and adequate compensation. (c) Training employees, as needed, to assure high quality performance. (d) Retaining employees on the basis of the adequacy of their performance, correcting inadequate performance, and separating employees whose inadequate performance cannot be corrected?? The U. S. Department of Labor Unemployment Insurance Program Letter (UIPL) No. 12-01, states that only those employees considered as merit-staff can determine whether to pay or deny payment to a claim. Additionally, UIPL No. 12-01 Change 2 states that, ?Determinations of overpayments or fraud must be made by merit-staffed employees.? The Department?s SPP 1053 Code of Conduct, Ethics and Values Policy, Attachment A: Unemployment Insurance Ethics Policy states that employees are not permitted to do the following: ? Investigate or attempt to investigate suspected fraud unless it is within their assigned duties. ? Backdate a claim, transfer claim status retroactively (UI to UCFE, UCX to TRA, etc.), alter information provided by a claimant or employer, or change or defer a UI document due date without valid documentation or approval of the appropriate branch chief or UI Director. According to federal regulation [45 CFR 75.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office. Under Paragraph 10.01 of the Green Book, the Department should design control activities to achieve objectives and respond to risks. Segregation of duties contribute to the design, implementation, and operating effectiveness of control activities. Under Paragraph 10.03 of the Green Book, the Department should divide or segregate key duties and responsibilities among different people to reduce the risk of error, misuse, or fraud. This includes separating the responsibilities for authorizing transactions, processing and recording them, reviewing the transactions, and handling any related assets so that no one individual controls all key aspects of a transaction or event. What problems did the audit work identify? The Department did not comply with federal regulations or its own policies and procedures related to the clearing of fraud holds during Fiscal Year 2022. Specifically, we identified issues with 32 of the 60 (53 percent) fraud holds we tested, as follows: ? The Department cleared 12 of the 60 fraud holds tested (20 percent) without performing an investigation or providing evidence of the reasoning used to clear the hold. Specifically, when we asked for investigation documentation for the 12 fraud holds, the Department indicated these were cleared without an investigation, and there were no related log notes in Salesforce, as required. ? For 20 of the 48 cases in our sample (42 percent) for which the Department did conduct an investigation, it did not segregate the duty of investigating the fraud hold and clearing the fraud hold from MyUI+. Specifically, in these cases, only one person conducted the investigation, concluded on the investigation, and cleared the fraud hold in MyUI+. ? One of the 20 Department staff who cleared a portion (5 percent) of the 60 fraud holds we sampled was not authorized to clear fraud holds from MyUI+ because the individual was not considered to be merit-staffed. Further, this unauthorized individual cleared 11 of 12 fraud holds we identified above that did not have an investigation, as required. We also found that this individual cleared an additional 55 fraud holds outside of our sample during Fiscal Year 2022. Why did these problems occur? The Department did not have sufficient internal controls in place, including appropriate policies and procedures, to ensure it enforced compliance with federal and Department-level requirements regarding the clearing of UI fraud holds during Fiscal Year 2022, as follows: ? The Department did not ensure that all fraud hold claims cleared in MyUI+ had a related log note in Salesforce that explained the rationale for clearing the hold, or that there was an investigation performed over the fraud hold prior to it being cleared in MyUI+. Specifically, in 11 of the 12 instances, the Department?s controls failed to prevent non-merit staff from using their MyUI+ access inappropriately, and in the other instance, Department controls failed to ensure the UI claim was reviewed by the UI section that reviews fraud holds rather than the UI section that resolves non-fraud UI claims. The Department provided full, rather than read-only access to the non-merit, Executive Director?s Office?s staff member noted in our finding. UI management indicated that they gave the individual full access to MyUI+ during the height of the pandemic with the assumption that the individual would use such access in a read-only manner solely to review claim information for inquiries coming through the Executive Director's Office. According to UI Division leadership, after they identified that the individual had full access during Fiscal Year 2022, they changed the individual?s access to read-only in January 2022. ? The Department lacked policies regarding management override of controls related to the clearing of fraud holds, in order to prevent or appropriately manage those responsibilities. UI staff indicated that in some cases, the non-merit, Executive Director?s Office?s staff member noted in our finding would reach out to other staff within the UI Division to help escalate the MyUI+ fraud hold clearing process. In some of these instances, because of the position of the individual within the Executive Director?s Office, UI staff circumvented the normal escalation process and aided the individual with clearing the fraud hold. ? The Department?s current policies and procedures do not require segregation of duties between those staff who investigate a fraud hold, and those staff who remove the fraud hold in MyUI+. Why do these problems matter? Improper segregation of duties, including the separation of responsibilities for both investigating and clearing potential fraud holds, leaves the UI program vulnerable to fraudulent activity. Specifically, fraud risk increases if there is no segregation between the investigation and the actual clearing of the fraud hold from MyUI+ and, as a result, the same staff could inappropriately clear holds and initiate UI payments. Further, a lack of strong checks and balances within the UI program could erode the integrity of the program at large, ultimately negatively impacting public trust. Strong internal controls related to UI fraud are especially important given the large amount of funds that are paid by the Department for UI claims each year and the significant amount of fraudulent claims that are paid by the Department. For example, the Department recorded an estimated receivable for amounts due back to the Department of $45 million for fraudulently-obtained UI claims at June 30, 2022. Without strengthening its controls over UI claims and fraud holds, there is a risk that a significant amount of UI funds could continue to be paid out each year for fraudulently obtained UI claims. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-070 The Department of Labor and Employment (Department) should strengthen its internal controls over Unemployment Insurance (UI) program integrity holds by: A. Ensuring all fraud holds are properly investigated and documented with a log note in Salesforce that explains the rationale for releasing the claim, prior to releasing the claim in MyUI+. B. Adequately reviewing claims for a fraud indicator to ensure the hold is sent to the appropriate UI section for resolution. C. Ensuring Department staff are given the appropriate access in MyUI+ to prevent individuals from clearing fraud holds inappropriately and periodically monitoring access to ensure access levels remain appropriate. D. Instituting policies and procedures over management override of internal controls related to UI claims and providing staff training on those policies and procedures. This should include ensuring that UI staff are aware of the importance of following all procedures related to fraud holds and that any inappropriate requests or pressures are communicated through the appropriate channels. E. Updating its current policies and procedures to require segregation of duties between the investigation of a fraud hold and the release of a fraud hold in MyUI+ to ensure more than one person is involved in the fraud hold process from beginning to end. Response Department of Labor and Employment A. Agree Implementation Date: July 2024 The Department agrees with this finding. The Department is moving all adjudication and investigation of program integrity holds into the MyUI+ system, so there will be one system of record. The Department will ensure that all program integrity holds have all documentation through adjudication and investigation, including log notes. The Department anticipates this to be fully implemented by July 2024. B. Agree Implementation Date: July 2024 The Department agrees with this finding. The department has modified processes to ensure all holds are only routed to the appropriate team to be adjudicated. In addition the Department is working to have all claims identified as fraud delivered in a workflow process in MyUI+ rather than the various processes in place now. Further the department is working with our MyUI+ system experts to implement new technology to strengthen and streamline the fraud indicator escalation process and systems within MyUI+. In working with our MyUI+ system experts, the Department anticipates this to be fully implemented by July 2024. C. Agree Implementation Date: July 2024 The Department agrees with this finding. The Department will continue strengthening security in this area and internal procedures to periodically monitor the potential for internal fraud activities. Additionally, the Department will periodically monitor and review My UI+ access levels for appropriateness. In consultation with our MyUI+ systems experts, the Department anticipates this finding to be fully implemented by July 2024. D. Agree Implementation Date: July 2023 The Department agrees with this finding. The Department will reinforce and strengthen the ethics policies in yearly communication to staff and tighten escalation policies to ensure pressures and inappropriate requests are handled in accordance with guidelines. The Department anticipates this will be completed by July 2023. E. Disagree When a PI hold is identified as being highly suspicious for criminally fraudulent activity, it is routed to a specialized unit for review, thereby leaving the standard adjudication process. This is handled by passing the review to the UI Investigations and/or Criminal Enforcement (ICE) unit. The investigator performs their investigation and if no actual fraudulent activity is found they will release the hold. The UI Division also performs several quality control reviews of claims and claim decisions via Benefits Payment Control (BPC), Benefits Accuracy Measurements (BAM), Benefits Timeliness and Quality (BTQ), and internal Quality Assurance (QA) reviews. Claims are reviewed for such criteria as adequate support documentation, benefit payment accuracy, timely processing, and correct claim decision determination on all program integrity holds. The Green Book states in Section 10.14, ? If segregation of duties is not practical within an operational process because of limited personnel or other factors, management designs alternative control activities to address the risk of fraud, waste, or abuse in the operational process.? CDLE believes the reviews represent adequate and sufficient compensating controls for the need for segregation of duties on fraud holds. Changing the current process would hinder our ability to deliver UI benefit services timely to our customers and would put us in jeopardy of fulfilling our federal and state payment timeliness requirements. Auditor?s Addendum Segregating the duties between investigating and releasing a fraud hold in MyUI+ reduces the risk of an employee inappropriately and potentially fraudulently clearing the hold without conducting a proper investigation. The issues identified in our audit indicate that the Department?s current compensating controls did not identify that a current employee released fraud holds without a proper investigation. The Department should consider updating its procedures and processes to segregate these duties to reduce the risk of this occurring in the future.
The following finding and recommendation relating to an internal control deficiency classified as a Significant Deficiency was communicated to the Department of Labor and Employment (Department) in the previous year and has not been remediated as of June 30, 2022 because the original implementation date provided by the Department was in a subsequent fiscal year. This complete finding and recommendation can be found within the original report and the complete recommendation can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table Finding 2021-063 Unemployment Insurance?Federal Reporting The Department?s Accounting Section is responsible for completing the following two federal financial reports for the UI program and ensuring the reports are accurate, complete, and submitted to the federal government by the required deadline. The Accounting Section uses bank statements and reports from the Colorado Operations Resource Engine (CORE), the State?s accounting system, to create a workbook with the information and uses that workbook to complete the reports. ? ETA 9130, Financial Status Report, UI Programs. This is a quarterly report used to report the Department?s UI program and administrative expenditures. Financial data is required to be reported cumulatively from grant inception through the end of the reporting period. ? ETA 2112, UI Financial Transaction Summary. This is a monthly report that is a summary of the UI program?s transactions, which account for all funds received in, passed through, or paid out of the state employment fund during the applicable month. The UI division is responsible for completing the following federal report for the UI program and ensuring the report is accurate, complete, and submitted to the federal government by the required timeline. The UI division uses data pulled from MyUI+, the UI claims and benefits system, to generate two reports to fill out the ETA 191 report, described as follows. ? ETA 191, Financial Status of UCFE/UCX. This is a quarterly report on the State?s unemployment compensation expenditures paid by the Department to former federal employees (UCFE) and ex-service members (UCX) who have filed with the Department for unemployment benefits, and total amount of benefits paid to claimants of specific federal agencies. The federal government uses this report to request reimbursement of UCFE and UCX benefit payments from federal and military agencies. The federal government reimburses the Department for these benefit payments. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the Department had adequate internal controls in place over and complied with federal reporting requirements for the UI program during Fiscal Year 2021. As part of our audit work, we gained an understanding of the Department?s procedures that were in place to prepare the federal reports. In addition, we reviewed four ETA 2112 reports and two ETA 191 reports submitted to the federal government for Fiscal Year 2021 to ensure they were accurate, complete, and submitted by the required deadline. We also requested the Department?s policies and procedures for completing the reports, as well as the Department?s supporting documentation for the reports. How were the results of the audit work measured? We measured the results of our audit against the following: In accordance with Uniform Guidance [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and terms and conditions of the federal award. In accordance with the OSC?s policy Internal Control System, state agencies shall use the Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office, as its framework for its system of internal control. Green Book, Paragraph OV4.08, Documentation Requirements, states that documentation is required for the effective design, implementation, and operating effectiveness of an entity?s internal control system. Green Book Paragraph 12.02, Documentation of Responsibilities through Policies, specifically indicates that management should document in their policies the internal control responsibilities of the organization. The U.S. Department of Labor Unemployment Insurance Handbook 401 (Handbook) states that the ETA 2112 is due the first day of the second month following the month that the data in the report represents. In addition, the Handbook states that the ETA 191 is due by the 25th of the month following the close of the quarter. What problems did the audit work identify? We identified issues with 2 of the 4 (50 percent) ETA 2112 reports we tested, and 1 of the 2 (50 percent) ETA 191 reports we tested. Specifically, we identified the following: ETA 2112. We identified four issues with the September 2020 report, as follows: ? The Department could not provide support for $50.6 million reported as federal tax withholding on the report. ? The Department could not provide documentation related to the FPUC deposits and disbursements reported on the report. Specifically, the Department reported FPUC deposits as $27.0 million and FPUC Disbursements as $28.4 million. Because the Department could not provide documentation, we could not determine the correct amounts that should have been reported. ? The Department overstated the deposit amount for the intra-account transfer line by $240.2 million. Specifically, the Department reported that the amount deposited during the month for the intra-account transfers was $378.1 million, but the supporting documentation we reviewed showed the deposits totaled $137.9 million. ? The Department submitted the report on November 5, 2020, or 3 days after the deadline of November 2, 2020. In the February 2021 report, we identified that the Department understated reimbursement benefits from nonprofits by $540,000, reimbursements from local governments by $1.1 million; and reimbursements from state government by $204,700. Finally, based on discussion with the Department, it does not protect the formulas in its ETA 2112 workbooks it uses to prepare the reports in order to prevent intentional or inadvertent changes to calculations. ETA 191. We identified two issues with the ETA 191 report for the quarter ended March 2021 report. First, the Department failed to appropriately correct a federal Department of Labor-identified error from the previous quarter for expenditures for military agencies. Specifically, the Department incorrectly adjusted the $1,089,761, by $2,100, which was an under correction of the error of $2,120. Second, the Department submitted the report on May 14, 2021, nearly a month after the April 16, 2021, deadline. Why did these problems occur? The Department did not have sufficient internal controls in place to ensure that the federal reports and associated documentation were accurate and complete during Fiscal Year 2021. Specifically, the Department does not have formal, documented policies for completing the reports or a requirement that the workbooks are protected. Although the Department has a procedure document that provides instructions on how to complete the federal reports, the procedures do not include a requirement for a supervisory review of these reports prior to submitting them to the federal government. Some of the errors we identified were due to the wrong information being input into the reports, which a review could have caught and corrected prior to the Department submitting the report to the federal government. Why do these problems matter? Strong internal controls over federal reporting, including formal, documented policies, protection of formulas in the workbooks used to prepare the reports to prevent intentional or inadvertent changes to calculations, and adequate supervisory review, are necessary to ensure that the Department is in compliance with federal reporting requirements. Errors in the federal reports could cause the users of these reports to rely on incorrect information. This could have a negative impact on the Department?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-063 The Department of Labor and Employment should strengthen its internal controls over federal reporting by developing, formally documenting, and implementing policies for completing its federal reports for the Unemployment Insurance program. These policies should require the workbooks used to prepare the reports to be protected and that a supervisory review occurs prior to submitting the reports to the federal government. Response Department of Labor and Employment Agree Implementation Date: March 2023 CDLE will continue to develop, formally document, and implement policies for completing its federal reports for the Unemployment Insurance program. These policies will require the workbooks used to prepare the reports to be protected, for the data to be substantiated, and will require supervisory review on a monthly basis prior to submitting the reports to the federal government.
Finding 2022-072 MyUI+ and Connecting Colorado?Information Security Government Auditing Standards allow for information that is considered sensitive in nature, such as detailed information related to information technology system security, to be issued through a separate ?classified or limited use? report because of the potential damage that could be caused by the misuse of this information. We consider the specific technical details of this finding, along with the response, to be sensitive in nature and not appropriate for public disclosure. Therefore, the details of the following finding and response have been provided to the Department in a separate, confidential memorandum. The Department administers the federal Unemployment Insurance and Employment Service Cluster programs, and the Department relies on IT systems to aid with determining applicants? eligibility for the programs and to provide information necessary to meet federal reporting requirements. For these two programs, the associated systems are MyUI+ and Connecting Colorado. The Department is the business owner and works with the Governor?s Office of Information Technology (OIT) and two different external IT service providers. High level descriptions of the two systems are as follows: ? MyUI+ ? The Department?s system for UI eligibility determinations and calculation of UI payments to eligible recipients. According to Department staff, starting in Fiscal Year 2023, MyUI+ will also provide data necessary for federal reporting to the U.S. Department of Labor for the UI program that was previously generated by the Colorado Labor and Employment Accounting Resource system. ? Connecting Colorado ? The Department?s workforce case management, labor exchange, and federal reporting system that supports the Employment Service Cluster program. The system provides services for job seekers and businesses, as well as provides all required federal reporting to the U.S. Department of Labor, for the Employment Service Cluster programs. In order for the Department to achieve its objectives and respond to risks, including those related to the federal programs it administers, management should establish a strong framework of internal controls that also address information system controls. Specifically, information system controls typically start with management documenting IT policies that address IT general control responsibilities and procedures that document the more granular details on how to implement Department policies. These IT general control policies and procedures should include those policies and procedures that are specific to information security. Once policies and procedures have been formalized and communicated to staff responsible, specific internal control activities can be implemented and operationalized. What was the purpose of our audit work and what work was performed? The purpose of our Fiscal Year 2022 audit work was to determine whether the Department, OIT, and the Department?s two external IT service providers for MyUI+ and Connecting Colorado had policies and procedures related to information security, designed and implemented for MyUI+ and Connecting Colorado. Our audit work was performed through interviews conducted of Department and OIT staff. What problems did the audit work identify and how were the results of the audit work measured? During Fiscal Year 2022, we identified information security problems with the MyUI+ and Connecting Colorado systems. We have grouped these problems first by those common to the two systems and then those unique to each system. MyUI+ and Connecting Colorado Common Problems ? Policies and procedures were lacking. Department management had not established its expectations through the development and implementation of formalized policies and procedures related to information security general controls for MyUI+ and Connecting Colorado. o Standards for Internal Control in the Federal Government (Green Book) published by the U.S. Government Accountability Office (GAO) states in Paragraph 3.09, Documentation of Internal Control System, and 12.02, Documentation of Responsibilities through Policies, that management should develop and maintain documentation of its internal control system and document in policies the internal control responsibilities of the organization. Paragraph 11.06 and 11.07, Design Appropriate Types of Control Activities, states that management should design appropriate types of control activities in the entity?s information system, including information system general controls that facilitate the proper operation of the entity?s systems. o Colorado Information Security Policies (Security Policies or CISP) that are developed, published, and required to be followed by the Department and its external IT service providers state within the Policy and the General Responsibilities sections, specifically 8.3.1 and 8.3.2 for Business Owners or the Department, that all agencies, except for the institutions of higher education and the general assembly, as the business owner, must implement governance principles, which would include IT policies and procedures, for promoting data quality and integrity for its systems, as the business owner, and is responsible for following and adhering to all identified business owner requirements, as stated within the Security Policies. ? Vendor oversight was lacking. The Department had not ensured its IT service providers complied with Security Policies. o Security Policies state that IT service providers?defined as OIT and/or external service providers?must follow the Security Policy requirements, among certain other requirements, as communicated to the Department within the confidential finding. o Section C.iii. (Legal Authority ? Contractor Signatory, Information Technology Specific) of the Department?s contract with the Connecting Colorado IT service provider states: ??the contractor warrants that it will at all times comply with all Security Policies.? o Exhibit C, Section 1.C.vi. (Information Technology Provisions, Protection of System Data) of the Department?s contract with the MyUI+ IT service provider states: ??the contractor shall comply with all rules, policies, procedures, and standards issued by the Governor?s Office of Information Technology.? o The Green Book states in Paragraph OV4.01, Service Organizations, that management retains responsibility for the performance of processes assigned to service organizations. MyUI+ and Connecting Colorado Unique Problems We also found other problems with access management, unique to each MyUI+ and Connecting Colorado, that lacked compliance with Security Policies, OIT Cyber Policies, and the IRS?s, Publication 1075, Tax Information Security Guidelines for Federal, State, and Local Agencies, November 2021 Revision, and were communicated through the confidential finding. Why did these problems occur? Overall, the Department did not have sufficient IT governance and information security internal controls in place, including policies and procedures, to ensure that Department staff and its IT service providers complied with various data security compliance requirements set forth by OIT and the IRS, as well as those internal control principles established within the Green Book?s internal control framework. We discuss other specific causes for the problems we identified below: MyUI+ and Connecting Colorado ? Policies and procedures were lacking (MyUI+). Department staff stated that they followed and complied with the October 2021 dated Security Policies for the entire fiscal year, as these were more stringent than the March 2022 dated Security Policies. However, the Department did not provide documentation of a formal adoption of the October 2021 dated Security Policies. Staff also stated it maintains informal procedures of how to perform certain access management processes, but no standard operating procedures were in place. ? Policies and procedures were lacking (Connecting Colorado). Department staff had released a program guidance letter that addressed data security and access, but staff acknowledged that these program guidance letters are a guide and not official policy statements. In addition, the program guidance letter provided by Department staff was directed to the workforce centers that are located across the state that provide employment services to eligible beneficiaries and, therefore, did not provide any data security or access policies and procedures for state staff. ? Vendor oversight was lacking. We determined the Department did not have a vendor management process in place to hold its IT service providers accountable for contract provisions that required the IT service providers to comply with Security Policies, as demonstrated by the noncompliance issues we identified. In addition, and based on the March 2022 Security Policies, the Department has not determined whether contract amendments may be necessary with its two external IT service providers. ? Other Access Management Non-Compliance: o Department staff indicated that in one instance of non-compliance identified, a more efficient process was to not comply with the requirement. o Department staff stated that the certain access management non-compliance area was set up as it was during the COVID-19 pandemic to help prevent backlogs and issues for users during that time and was not subsequently changed. o Department staff did not update its rules for Connecting Colorado account management non-compliance area to reflect Security Policy changes. Specifically, we noted that OIT introduced the specific account management requirements in its Security Policies in February 2015, and those requirements remained constant through the March 2022 version; however, Department staff did not have a process in place to ensure periodic reviews of OIT?s Security Policies occurred and Department rules for the workforce centers appropriately aligned with any Security Policy changes. In addition, Department staff did not have a process in place to ensure its external IT service providers were complying with contract provisions to comply with Security Policy requirements. o Department staff stated they have not found cause to mandate IT service provider actions that are deemed privately owned business methodologies. However, and as noted above, the Department?s contract states that the external IT service provider must comply with OIT?s Security Policies that require specific security safeguards to be implemented by all IT service providers, including the Connecting Colorado external IT service provider. Why do these problems matter? The lack of established IT policies and procedures make it difficult for Department management to measure and hold staff accountable to management?s expectations, as well as ensuring risks are addressed and overall objectives and missions are fulfilled. In turn, without policies and procedures, staff may not perform processes and controls in a consistent manner. In addition, without holding vendors accountable and ensuring that strong security measures are designed, implemented, and operating effectively, the risk of unauthorized access increases and ultimately impacts data reliability of the data stored and processed within MyUI+ and Connecting Colorado. Lastly, without having a strong internal control framework in place, management cannot ensure that state and federal funds are being used appropriately, which may impact the Department?s compliance with federal grant requirements and/or the accuracy of the Department?s federal and financial reporting. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-072 The Department of Labor and Employment (Department) should improve its overall Information Technology (IT) governance and information security IT general controls, and work with its IT service providers, as applicable, for the MyUI+ and Connecting Colorado information systems by: A. Formalizing and communicating to Department staff and the Department?s IT service providers? IT policies that comply with the Business Owner requirements listed within the Governor?s Office of Information Technology?s (OIT) March 2022 Colorado Information Security Policies (Security Policies). As an option, the Department could formally adopt the October 2021 Security Policies, identify any gaps between the October 2021 and March 2022 versions, and then formalize and communicate policies that address the identified gaps. B. Formalizing and communicating IT procedures to provide guidance to Department staff and the Department?s IT service providers performing IT general control activities that further address the IT policies formalized in recommendation Part A. The formalization and communication should include an organizationally defined, periodic review process of OIT?s Security Policies to ensure the Department?s IT policies, procedures, and rules are updated accordingly to align with the most current version of the Security Policies. C. Formalizing a vendor management process that ensures the Department?s IT service providers are held accountable to contract provisions requiring compliance with Colorado Information Security Policies and IT policies and procedures formalized in recommendation Parts A and B. This should include a review of the Department?s current external IT service providers? contracts and a determination of whether amendments to those contracts are necessary, based on the formalization of recommendation Parts A and B. D. Implementing recommendation Part D as noted in the confidential finding. E. Implementing recommendation Part E as noted in the confidential finding. Response Department of Labor and Employment A. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. B. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. C. Agree Implementation Date: December 2023 CDLE agrees with the recommendation and as part of A and B recommendations of this document, the Department will include a requirement from vendors to affirm they have reviewed and will comply with OIT security policies for all new contracts. Furthermore, as the Department becomes aware of changes to OIT Security Policies through its annual review process, these will be communicated to the vendors, and they will be required to reaffirm their compliance with any applicable changes. We will work with our current vendors for MyUI+ and Connecting Colorado to address the compliance issues noted in the audit and ensure they are compliant with OIT Security Policies and IT policies developed in part A and B of this recommendation. If non-compliance is determined to be unavoidable, the Department will file for a security exception with OIT. D. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part D as noted in the confidential finding. E. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part E as noted in the confidential finding.
Finding 2022-072 MyUI+ and Connecting Colorado?Information Security Government Auditing Standards allow for information that is considered sensitive in nature, such as detailed information related to information technology system security, to be issued through a separate ?classified or limited use? report because of the potential damage that could be caused by the misuse of this information. We consider the specific technical details of this finding, along with the response, to be sensitive in nature and not appropriate for public disclosure. Therefore, the details of the following finding and response have been provided to the Department in a separate, confidential memorandum. The Department administers the federal Unemployment Insurance and Employment Service Cluster programs, and the Department relies on IT systems to aid with determining applicants? eligibility for the programs and to provide information necessary to meet federal reporting requirements. For these two programs, the associated systems are MyUI+ and Connecting Colorado. The Department is the business owner and works with the Governor?s Office of Information Technology (OIT) and two different external IT service providers. High level descriptions of the two systems are as follows: ? MyUI+ ? The Department?s system for UI eligibility determinations and calculation of UI payments to eligible recipients. According to Department staff, starting in Fiscal Year 2023, MyUI+ will also provide data necessary for federal reporting to the U.S. Department of Labor for the UI program that was previously generated by the Colorado Labor and Employment Accounting Resource system. ? Connecting Colorado ? The Department?s workforce case management, labor exchange, and federal reporting system that supports the Employment Service Cluster program. The system provides services for job seekers and businesses, as well as provides all required federal reporting to the U.S. Department of Labor, for the Employment Service Cluster programs. In order for the Department to achieve its objectives and respond to risks, including those related to the federal programs it administers, management should establish a strong framework of internal controls that also address information system controls. Specifically, information system controls typically start with management documenting IT policies that address IT general control responsibilities and procedures that document the more granular details on how to implement Department policies. These IT general control policies and procedures should include those policies and procedures that are specific to information security. Once policies and procedures have been formalized and communicated to staff responsible, specific internal control activities can be implemented and operationalized. What was the purpose of our audit work and what work was performed? The purpose of our Fiscal Year 2022 audit work was to determine whether the Department, OIT, and the Department?s two external IT service providers for MyUI+ and Connecting Colorado had policies and procedures related to information security, designed and implemented for MyUI+ and Connecting Colorado. Our audit work was performed through interviews conducted of Department and OIT staff. What problems did the audit work identify and how were the results of the audit work measured? During Fiscal Year 2022, we identified information security problems with the MyUI+ and Connecting Colorado systems. We have grouped these problems first by those common to the two systems and then those unique to each system. MyUI+ and Connecting Colorado Common Problems ? Policies and procedures were lacking. Department management had not established its expectations through the development and implementation of formalized policies and procedures related to information security general controls for MyUI+ and Connecting Colorado. o Standards for Internal Control in the Federal Government (Green Book) published by the U.S. Government Accountability Office (GAO) states in Paragraph 3.09, Documentation of Internal Control System, and 12.02, Documentation of Responsibilities through Policies, that management should develop and maintain documentation of its internal control system and document in policies the internal control responsibilities of the organization. Paragraph 11.06 and 11.07, Design Appropriate Types of Control Activities, states that management should design appropriate types of control activities in the entity?s information system, including information system general controls that facilitate the proper operation of the entity?s systems. o Colorado Information Security Policies (Security Policies or CISP) that are developed, published, and required to be followed by the Department and its external IT service providers state within the Policy and the General Responsibilities sections, specifically 8.3.1 and 8.3.2 for Business Owners or the Department, that all agencies, except for the institutions of higher education and the general assembly, as the business owner, must implement governance principles, which would include IT policies and procedures, for promoting data quality and integrity for its systems, as the business owner, and is responsible for following and adhering to all identified business owner requirements, as stated within the Security Policies. ? Vendor oversight was lacking. The Department had not ensured its IT service providers complied with Security Policies. o Security Policies state that IT service providers?defined as OIT and/or external service providers?must follow the Security Policy requirements, among certain other requirements, as communicated to the Department within the confidential finding. o Section C.iii. (Legal Authority ? Contractor Signatory, Information Technology Specific) of the Department?s contract with the Connecting Colorado IT service provider states: ??the contractor warrants that it will at all times comply with all Security Policies.? o Exhibit C, Section 1.C.vi. (Information Technology Provisions, Protection of System Data) of the Department?s contract with the MyUI+ IT service provider states: ??the contractor shall comply with all rules, policies, procedures, and standards issued by the Governor?s Office of Information Technology.? o The Green Book states in Paragraph OV4.01, Service Organizations, that management retains responsibility for the performance of processes assigned to service organizations. MyUI+ and Connecting Colorado Unique Problems We also found other problems with access management, unique to each MyUI+ and Connecting Colorado, that lacked compliance with Security Policies, OIT Cyber Policies, and the IRS?s, Publication 1075, Tax Information Security Guidelines for Federal, State, and Local Agencies, November 2021 Revision, and were communicated through the confidential finding. Why did these problems occur? Overall, the Department did not have sufficient IT governance and information security internal controls in place, including policies and procedures, to ensure that Department staff and its IT service providers complied with various data security compliance requirements set forth by OIT and the IRS, as well as those internal control principles established within the Green Book?s internal control framework. We discuss other specific causes for the problems we identified below: MyUI+ and Connecting Colorado ? Policies and procedures were lacking (MyUI+). Department staff stated that they followed and complied with the October 2021 dated Security Policies for the entire fiscal year, as these were more stringent than the March 2022 dated Security Policies. However, the Department did not provide documentation of a formal adoption of the October 2021 dated Security Policies. Staff also stated it maintains informal procedures of how to perform certain access management processes, but no standard operating procedures were in place. ? Policies and procedures were lacking (Connecting Colorado). Department staff had released a program guidance letter that addressed data security and access, but staff acknowledged that these program guidance letters are a guide and not official policy statements. In addition, the program guidance letter provided by Department staff was directed to the workforce centers that are located across the state that provide employment services to eligible beneficiaries and, therefore, did not provide any data security or access policies and procedures for state staff. ? Vendor oversight was lacking. We determined the Department did not have a vendor management process in place to hold its IT service providers accountable for contract provisions that required the IT service providers to comply with Security Policies, as demonstrated by the noncompliance issues we identified. In addition, and based on the March 2022 Security Policies, the Department has not determined whether contract amendments may be necessary with its two external IT service providers. ? Other Access Management Non-Compliance: o Department staff indicated that in one instance of non-compliance identified, a more efficient process was to not comply with the requirement. o Department staff stated that the certain access management non-compliance area was set up as it was during the COVID-19 pandemic to help prevent backlogs and issues for users during that time and was not subsequently changed. o Department staff did not update its rules for Connecting Colorado account management non-compliance area to reflect Security Policy changes. Specifically, we noted that OIT introduced the specific account management requirements in its Security Policies in February 2015, and those requirements remained constant through the March 2022 version; however, Department staff did not have a process in place to ensure periodic reviews of OIT?s Security Policies occurred and Department rules for the workforce centers appropriately aligned with any Security Policy changes. In addition, Department staff did not have a process in place to ensure its external IT service providers were complying with contract provisions to comply with Security Policy requirements. o Department staff stated they have not found cause to mandate IT service provider actions that are deemed privately owned business methodologies. However, and as noted above, the Department?s contract states that the external IT service provider must comply with OIT?s Security Policies that require specific security safeguards to be implemented by all IT service providers, including the Connecting Colorado external IT service provider. Why do these problems matter? The lack of established IT policies and procedures make it difficult for Department management to measure and hold staff accountable to management?s expectations, as well as ensuring risks are addressed and overall objectives and missions are fulfilled. In turn, without policies and procedures, staff may not perform processes and controls in a consistent manner. In addition, without holding vendors accountable and ensuring that strong security measures are designed, implemented, and operating effectively, the risk of unauthorized access increases and ultimately impacts data reliability of the data stored and processed within MyUI+ and Connecting Colorado. Lastly, without having a strong internal control framework in place, management cannot ensure that state and federal funds are being used appropriately, which may impact the Department?s compliance with federal grant requirements and/or the accuracy of the Department?s federal and financial reporting. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-072 The Department of Labor and Employment (Department) should improve its overall Information Technology (IT) governance and information security IT general controls, and work with its IT service providers, as applicable, for the MyUI+ and Connecting Colorado information systems by: A. Formalizing and communicating to Department staff and the Department?s IT service providers? IT policies that comply with the Business Owner requirements listed within the Governor?s Office of Information Technology?s (OIT) March 2022 Colorado Information Security Policies (Security Policies). As an option, the Department could formally adopt the October 2021 Security Policies, identify any gaps between the October 2021 and March 2022 versions, and then formalize and communicate policies that address the identified gaps. B. Formalizing and communicating IT procedures to provide guidance to Department staff and the Department?s IT service providers performing IT general control activities that further address the IT policies formalized in recommendation Part A. The formalization and communication should include an organizationally defined, periodic review process of OIT?s Security Policies to ensure the Department?s IT policies, procedures, and rules are updated accordingly to align with the most current version of the Security Policies. C. Formalizing a vendor management process that ensures the Department?s IT service providers are held accountable to contract provisions requiring compliance with Colorado Information Security Policies and IT policies and procedures formalized in recommendation Parts A and B. This should include a review of the Department?s current external IT service providers? contracts and a determination of whether amendments to those contracts are necessary, based on the formalization of recommendation Parts A and B. D. Implementing recommendation Part D as noted in the confidential finding. E. Implementing recommendation Part E as noted in the confidential finding. Response Department of Labor and Employment A. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. B. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. C. Agree Implementation Date: December 2023 CDLE agrees with the recommendation and as part of A and B recommendations of this document, the Department will include a requirement from vendors to affirm they have reviewed and will comply with OIT security policies for all new contracts. Furthermore, as the Department becomes aware of changes to OIT Security Policies through its annual review process, these will be communicated to the vendors, and they will be required to reaffirm their compliance with any applicable changes. We will work with our current vendors for MyUI+ and Connecting Colorado to address the compliance issues noted in the audit and ensure they are compliant with OIT Security Policies and IT policies developed in part A and B of this recommendation. If non-compliance is determined to be unavoidable, the Department will file for a security exception with OIT. D. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part D as noted in the confidential finding. E. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part E as noted in the confidential finding.
Finding 2022-072 MyUI+ and Connecting Colorado?Information Security Government Auditing Standards allow for information that is considered sensitive in nature, such as detailed information related to information technology system security, to be issued through a separate ?classified or limited use? report because of the potential damage that could be caused by the misuse of this information. We consider the specific technical details of this finding, along with the response, to be sensitive in nature and not appropriate for public disclosure. Therefore, the details of the following finding and response have been provided to the Department in a separate, confidential memorandum. The Department administers the federal Unemployment Insurance and Employment Service Cluster programs, and the Department relies on IT systems to aid with determining applicants? eligibility for the programs and to provide information necessary to meet federal reporting requirements. For these two programs, the associated systems are MyUI+ and Connecting Colorado. The Department is the business owner and works with the Governor?s Office of Information Technology (OIT) and two different external IT service providers. High level descriptions of the two systems are as follows: ? MyUI+ ? The Department?s system for UI eligibility determinations and calculation of UI payments to eligible recipients. According to Department staff, starting in Fiscal Year 2023, MyUI+ will also provide data necessary for federal reporting to the U.S. Department of Labor for the UI program that was previously generated by the Colorado Labor and Employment Accounting Resource system. ? Connecting Colorado ? The Department?s workforce case management, labor exchange, and federal reporting system that supports the Employment Service Cluster program. The system provides services for job seekers and businesses, as well as provides all required federal reporting to the U.S. Department of Labor, for the Employment Service Cluster programs. In order for the Department to achieve its objectives and respond to risks, including those related to the federal programs it administers, management should establish a strong framework of internal controls that also address information system controls. Specifically, information system controls typically start with management documenting IT policies that address IT general control responsibilities and procedures that document the more granular details on how to implement Department policies. These IT general control policies and procedures should include those policies and procedures that are specific to information security. Once policies and procedures have been formalized and communicated to staff responsible, specific internal control activities can be implemented and operationalized. What was the purpose of our audit work and what work was performed? The purpose of our Fiscal Year 2022 audit work was to determine whether the Department, OIT, and the Department?s two external IT service providers for MyUI+ and Connecting Colorado had policies and procedures related to information security, designed and implemented for MyUI+ and Connecting Colorado. Our audit work was performed through interviews conducted of Department and OIT staff. What problems did the audit work identify and how were the results of the audit work measured? During Fiscal Year 2022, we identified information security problems with the MyUI+ and Connecting Colorado systems. We have grouped these problems first by those common to the two systems and then those unique to each system. MyUI+ and Connecting Colorado Common Problems ? Policies and procedures were lacking. Department management had not established its expectations through the development and implementation of formalized policies and procedures related to information security general controls for MyUI+ and Connecting Colorado. o Standards for Internal Control in the Federal Government (Green Book) published by the U.S. Government Accountability Office (GAO) states in Paragraph 3.09, Documentation of Internal Control System, and 12.02, Documentation of Responsibilities through Policies, that management should develop and maintain documentation of its internal control system and document in policies the internal control responsibilities of the organization. Paragraph 11.06 and 11.07, Design Appropriate Types of Control Activities, states that management should design appropriate types of control activities in the entity?s information system, including information system general controls that facilitate the proper operation of the entity?s systems. o Colorado Information Security Policies (Security Policies or CISP) that are developed, published, and required to be followed by the Department and its external IT service providers state within the Policy and the General Responsibilities sections, specifically 8.3.1 and 8.3.2 for Business Owners or the Department, that all agencies, except for the institutions of higher education and the general assembly, as the business owner, must implement governance principles, which would include IT policies and procedures, for promoting data quality and integrity for its systems, as the business owner, and is responsible for following and adhering to all identified business owner requirements, as stated within the Security Policies. ? Vendor oversight was lacking. The Department had not ensured its IT service providers complied with Security Policies. o Security Policies state that IT service providers?defined as OIT and/or external service providers?must follow the Security Policy requirements, among certain other requirements, as communicated to the Department within the confidential finding. o Section C.iii. (Legal Authority ? Contractor Signatory, Information Technology Specific) of the Department?s contract with the Connecting Colorado IT service provider states: ??the contractor warrants that it will at all times comply with all Security Policies.? o Exhibit C, Section 1.C.vi. (Information Technology Provisions, Protection of System Data) of the Department?s contract with the MyUI+ IT service provider states: ??the contractor shall comply with all rules, policies, procedures, and standards issued by the Governor?s Office of Information Technology.? o The Green Book states in Paragraph OV4.01, Service Organizations, that management retains responsibility for the performance of processes assigned to service organizations. MyUI+ and Connecting Colorado Unique Problems We also found other problems with access management, unique to each MyUI+ and Connecting Colorado, that lacked compliance with Security Policies, OIT Cyber Policies, and the IRS?s, Publication 1075, Tax Information Security Guidelines for Federal, State, and Local Agencies, November 2021 Revision, and were communicated through the confidential finding. Why did these problems occur? Overall, the Department did not have sufficient IT governance and information security internal controls in place, including policies and procedures, to ensure that Department staff and its IT service providers complied with various data security compliance requirements set forth by OIT and the IRS, as well as those internal control principles established within the Green Book?s internal control framework. We discuss other specific causes for the problems we identified below: MyUI+ and Connecting Colorado ? Policies and procedures were lacking (MyUI+). Department staff stated that they followed and complied with the October 2021 dated Security Policies for the entire fiscal year, as these were more stringent than the March 2022 dated Security Policies. However, the Department did not provide documentation of a formal adoption of the October 2021 dated Security Policies. Staff also stated it maintains informal procedures of how to perform certain access management processes, but no standard operating procedures were in place. ? Policies and procedures were lacking (Connecting Colorado). Department staff had released a program guidance letter that addressed data security and access, but staff acknowledged that these program guidance letters are a guide and not official policy statements. In addition, the program guidance letter provided by Department staff was directed to the workforce centers that are located across the state that provide employment services to eligible beneficiaries and, therefore, did not provide any data security or access policies and procedures for state staff. ? Vendor oversight was lacking. We determined the Department did not have a vendor management process in place to hold its IT service providers accountable for contract provisions that required the IT service providers to comply with Security Policies, as demonstrated by the noncompliance issues we identified. In addition, and based on the March 2022 Security Policies, the Department has not determined whether contract amendments may be necessary with its two external IT service providers. ? Other Access Management Non-Compliance: o Department staff indicated that in one instance of non-compliance identified, a more efficient process was to not comply with the requirement. o Department staff stated that the certain access management non-compliance area was set up as it was during the COVID-19 pandemic to help prevent backlogs and issues for users during that time and was not subsequently changed. o Department staff did not update its rules for Connecting Colorado account management non-compliance area to reflect Security Policy changes. Specifically, we noted that OIT introduced the specific account management requirements in its Security Policies in February 2015, and those requirements remained constant through the March 2022 version; however, Department staff did not have a process in place to ensure periodic reviews of OIT?s Security Policies occurred and Department rules for the workforce centers appropriately aligned with any Security Policy changes. In addition, Department staff did not have a process in place to ensure its external IT service providers were complying with contract provisions to comply with Security Policy requirements. o Department staff stated they have not found cause to mandate IT service provider actions that are deemed privately owned business methodologies. However, and as noted above, the Department?s contract states that the external IT service provider must comply with OIT?s Security Policies that require specific security safeguards to be implemented by all IT service providers, including the Connecting Colorado external IT service provider. Why do these problems matter? The lack of established IT policies and procedures make it difficult for Department management to measure and hold staff accountable to management?s expectations, as well as ensuring risks are addressed and overall objectives and missions are fulfilled. In turn, without policies and procedures, staff may not perform processes and controls in a consistent manner. In addition, without holding vendors accountable and ensuring that strong security measures are designed, implemented, and operating effectively, the risk of unauthorized access increases and ultimately impacts data reliability of the data stored and processed within MyUI+ and Connecting Colorado. Lastly, without having a strong internal control framework in place, management cannot ensure that state and federal funds are being used appropriately, which may impact the Department?s compliance with federal grant requirements and/or the accuracy of the Department?s federal and financial reporting. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-072 The Department of Labor and Employment (Department) should improve its overall Information Technology (IT) governance and information security IT general controls, and work with its IT service providers, as applicable, for the MyUI+ and Connecting Colorado information systems by: A. Formalizing and communicating to Department staff and the Department?s IT service providers? IT policies that comply with the Business Owner requirements listed within the Governor?s Office of Information Technology?s (OIT) March 2022 Colorado Information Security Policies (Security Policies). As an option, the Department could formally adopt the October 2021 Security Policies, identify any gaps between the October 2021 and March 2022 versions, and then formalize and communicate policies that address the identified gaps. B. Formalizing and communicating IT procedures to provide guidance to Department staff and the Department?s IT service providers performing IT general control activities that further address the IT policies formalized in recommendation Part A. The formalization and communication should include an organizationally defined, periodic review process of OIT?s Security Policies to ensure the Department?s IT policies, procedures, and rules are updated accordingly to align with the most current version of the Security Policies. C. Formalizing a vendor management process that ensures the Department?s IT service providers are held accountable to contract provisions requiring compliance with Colorado Information Security Policies and IT policies and procedures formalized in recommendation Parts A and B. This should include a review of the Department?s current external IT service providers? contracts and a determination of whether amendments to those contracts are necessary, based on the formalization of recommendation Parts A and B. D. Implementing recommendation Part D as noted in the confidential finding. E. Implementing recommendation Part E as noted in the confidential finding. Response Department of Labor and Employment A. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. B. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. C. Agree Implementation Date: December 2023 CDLE agrees with the recommendation and as part of A and B recommendations of this document, the Department will include a requirement from vendors to affirm they have reviewed and will comply with OIT security policies for all new contracts. Furthermore, as the Department becomes aware of changes to OIT Security Policies through its annual review process, these will be communicated to the vendors, and they will be required to reaffirm their compliance with any applicable changes. We will work with our current vendors for MyUI+ and Connecting Colorado to address the compliance issues noted in the audit and ensure they are compliant with OIT Security Policies and IT policies developed in part A and B of this recommendation. If non-compliance is determined to be unavoidable, the Department will file for a security exception with OIT. D. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part D as noted in the confidential finding. E. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part E as noted in the confidential finding.
Finding 2022-072 MyUI+ and Connecting Colorado?Information Security Government Auditing Standards allow for information that is considered sensitive in nature, such as detailed information related to information technology system security, to be issued through a separate ?classified or limited use? report because of the potential damage that could be caused by the misuse of this information. We consider the specific technical details of this finding, along with the response, to be sensitive in nature and not appropriate for public disclosure. Therefore, the details of the following finding and response have been provided to the Department in a separate, confidential memorandum. The Department administers the federal Unemployment Insurance and Employment Service Cluster programs, and the Department relies on IT systems to aid with determining applicants? eligibility for the programs and to provide information necessary to meet federal reporting requirements. For these two programs, the associated systems are MyUI+ and Connecting Colorado. The Department is the business owner and works with the Governor?s Office of Information Technology (OIT) and two different external IT service providers. High level descriptions of the two systems are as follows: ? MyUI+ ? The Department?s system for UI eligibility determinations and calculation of UI payments to eligible recipients. According to Department staff, starting in Fiscal Year 2023, MyUI+ will also provide data necessary for federal reporting to the U.S. Department of Labor for the UI program that was previously generated by the Colorado Labor and Employment Accounting Resource system. ? Connecting Colorado ? The Department?s workforce case management, labor exchange, and federal reporting system that supports the Employment Service Cluster program. The system provides services for job seekers and businesses, as well as provides all required federal reporting to the U.S. Department of Labor, for the Employment Service Cluster programs. In order for the Department to achieve its objectives and respond to risks, including those related to the federal programs it administers, management should establish a strong framework of internal controls that also address information system controls. Specifically, information system controls typically start with management documenting IT policies that address IT general control responsibilities and procedures that document the more granular details on how to implement Department policies. These IT general control policies and procedures should include those policies and procedures that are specific to information security. Once policies and procedures have been formalized and communicated to staff responsible, specific internal control activities can be implemented and operationalized. What was the purpose of our audit work and what work was performed? The purpose of our Fiscal Year 2022 audit work was to determine whether the Department, OIT, and the Department?s two external IT service providers for MyUI+ and Connecting Colorado had policies and procedures related to information security, designed and implemented for MyUI+ and Connecting Colorado. Our audit work was performed through interviews conducted of Department and OIT staff. What problems did the audit work identify and how were the results of the audit work measured? During Fiscal Year 2022, we identified information security problems with the MyUI+ and Connecting Colorado systems. We have grouped these problems first by those common to the two systems and then those unique to each system. MyUI+ and Connecting Colorado Common Problems ? Policies and procedures were lacking. Department management had not established its expectations through the development and implementation of formalized policies and procedures related to information security general controls for MyUI+ and Connecting Colorado. o Standards for Internal Control in the Federal Government (Green Book) published by the U.S. Government Accountability Office (GAO) states in Paragraph 3.09, Documentation of Internal Control System, and 12.02, Documentation of Responsibilities through Policies, that management should develop and maintain documentation of its internal control system and document in policies the internal control responsibilities of the organization. Paragraph 11.06 and 11.07, Design Appropriate Types of Control Activities, states that management should design appropriate types of control activities in the entity?s information system, including information system general controls that facilitate the proper operation of the entity?s systems. o Colorado Information Security Policies (Security Policies or CISP) that are developed, published, and required to be followed by the Department and its external IT service providers state within the Policy and the General Responsibilities sections, specifically 8.3.1 and 8.3.2 for Business Owners or the Department, that all agencies, except for the institutions of higher education and the general assembly, as the business owner, must implement governance principles, which would include IT policies and procedures, for promoting data quality and integrity for its systems, as the business owner, and is responsible for following and adhering to all identified business owner requirements, as stated within the Security Policies. ? Vendor oversight was lacking. The Department had not ensured its IT service providers complied with Security Policies. o Security Policies state that IT service providers?defined as OIT and/or external service providers?must follow the Security Policy requirements, among certain other requirements, as communicated to the Department within the confidential finding. o Section C.iii. (Legal Authority ? Contractor Signatory, Information Technology Specific) of the Department?s contract with the Connecting Colorado IT service provider states: ??the contractor warrants that it will at all times comply with all Security Policies.? o Exhibit C, Section 1.C.vi. (Information Technology Provisions, Protection of System Data) of the Department?s contract with the MyUI+ IT service provider states: ??the contractor shall comply with all rules, policies, procedures, and standards issued by the Governor?s Office of Information Technology.? o The Green Book states in Paragraph OV4.01, Service Organizations, that management retains responsibility for the performance of processes assigned to service organizations. MyUI+ and Connecting Colorado Unique Problems We also found other problems with access management, unique to each MyUI+ and Connecting Colorado, that lacked compliance with Security Policies, OIT Cyber Policies, and the IRS?s, Publication 1075, Tax Information Security Guidelines for Federal, State, and Local Agencies, November 2021 Revision, and were communicated through the confidential finding. Why did these problems occur? Overall, the Department did not have sufficient IT governance and information security internal controls in place, including policies and procedures, to ensure that Department staff and its IT service providers complied with various data security compliance requirements set forth by OIT and the IRS, as well as those internal control principles established within the Green Book?s internal control framework. We discuss other specific causes for the problems we identified below: MyUI+ and Connecting Colorado ? Policies and procedures were lacking (MyUI+). Department staff stated that they followed and complied with the October 2021 dated Security Policies for the entire fiscal year, as these were more stringent than the March 2022 dated Security Policies. However, the Department did not provide documentation of a formal adoption of the October 2021 dated Security Policies. Staff also stated it maintains informal procedures of how to perform certain access management processes, but no standard operating procedures were in place. ? Policies and procedures were lacking (Connecting Colorado). Department staff had released a program guidance letter that addressed data security and access, but staff acknowledged that these program guidance letters are a guide and not official policy statements. In addition, the program guidance letter provided by Department staff was directed to the workforce centers that are located across the state that provide employment services to eligible beneficiaries and, therefore, did not provide any data security or access policies and procedures for state staff. ? Vendor oversight was lacking. We determined the Department did not have a vendor management process in place to hold its IT service providers accountable for contract provisions that required the IT service providers to comply with Security Policies, as demonstrated by the noncompliance issues we identified. In addition, and based on the March 2022 Security Policies, the Department has not determined whether contract amendments may be necessary with its two external IT service providers. ? Other Access Management Non-Compliance: o Department staff indicated that in one instance of non-compliance identified, a more efficient process was to not comply with the requirement. o Department staff stated that the certain access management non-compliance area was set up as it was during the COVID-19 pandemic to help prevent backlogs and issues for users during that time and was not subsequently changed. o Department staff did not update its rules for Connecting Colorado account management non-compliance area to reflect Security Policy changes. Specifically, we noted that OIT introduced the specific account management requirements in its Security Policies in February 2015, and those requirements remained constant through the March 2022 version; however, Department staff did not have a process in place to ensure periodic reviews of OIT?s Security Policies occurred and Department rules for the workforce centers appropriately aligned with any Security Policy changes. In addition, Department staff did not have a process in place to ensure its external IT service providers were complying with contract provisions to comply with Security Policy requirements. o Department staff stated they have not found cause to mandate IT service provider actions that are deemed privately owned business methodologies. However, and as noted above, the Department?s contract states that the external IT service provider must comply with OIT?s Security Policies that require specific security safeguards to be implemented by all IT service providers, including the Connecting Colorado external IT service provider. Why do these problems matter? The lack of established IT policies and procedures make it difficult for Department management to measure and hold staff accountable to management?s expectations, as well as ensuring risks are addressed and overall objectives and missions are fulfilled. In turn, without policies and procedures, staff may not perform processes and controls in a consistent manner. In addition, without holding vendors accountable and ensuring that strong security measures are designed, implemented, and operating effectively, the risk of unauthorized access increases and ultimately impacts data reliability of the data stored and processed within MyUI+ and Connecting Colorado. Lastly, without having a strong internal control framework in place, management cannot ensure that state and federal funds are being used appropriately, which may impact the Department?s compliance with federal grant requirements and/or the accuracy of the Department?s federal and financial reporting. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-072 The Department of Labor and Employment (Department) should improve its overall Information Technology (IT) governance and information security IT general controls, and work with its IT service providers, as applicable, for the MyUI+ and Connecting Colorado information systems by: A. Formalizing and communicating to Department staff and the Department?s IT service providers? IT policies that comply with the Business Owner requirements listed within the Governor?s Office of Information Technology?s (OIT) March 2022 Colorado Information Security Policies (Security Policies). As an option, the Department could formally adopt the October 2021 Security Policies, identify any gaps between the October 2021 and March 2022 versions, and then formalize and communicate policies that address the identified gaps. B. Formalizing and communicating IT procedures to provide guidance to Department staff and the Department?s IT service providers performing IT general control activities that further address the IT policies formalized in recommendation Part A. The formalization and communication should include an organizationally defined, periodic review process of OIT?s Security Policies to ensure the Department?s IT policies, procedures, and rules are updated accordingly to align with the most current version of the Security Policies. C. Formalizing a vendor management process that ensures the Department?s IT service providers are held accountable to contract provisions requiring compliance with Colorado Information Security Policies and IT policies and procedures formalized in recommendation Parts A and B. This should include a review of the Department?s current external IT service providers? contracts and a determination of whether amendments to those contracts are necessary, based on the formalization of recommendation Parts A and B. D. Implementing recommendation Part D as noted in the confidential finding. E. Implementing recommendation Part E as noted in the confidential finding. Response Department of Labor and Employment A. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. B. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. C. Agree Implementation Date: December 2023 CDLE agrees with the recommendation and as part of A and B recommendations of this document, the Department will include a requirement from vendors to affirm they have reviewed and will comply with OIT security policies for all new contracts. Furthermore, as the Department becomes aware of changes to OIT Security Policies through its annual review process, these will be communicated to the vendors, and they will be required to reaffirm their compliance with any applicable changes. We will work with our current vendors for MyUI+ and Connecting Colorado to address the compliance issues noted in the audit and ensure they are compliant with OIT Security Policies and IT policies developed in part A and B of this recommendation. If non-compliance is determined to be unavoidable, the Department will file for a security exception with OIT. D. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part D as noted in the confidential finding. E. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part E as noted in the confidential finding.
Finding 2022-074 Coronavirus Relief Funds?Property Owner Preservation Program The President of the United States issued the Proclamation on Declaring a National Emergency Concerning the Novel Coronavirus Disease (COVID-19) Outbreak on March 13, 2020 and Congress subsequently passed the Coronavirus Aid, Relief, and Economic Security (CARES) Act. The CARES Act provided emergency assistance in response to the COVID-19 pandemic and established the Coronavirus Relief Fund (CRF) program, which provided payments to state, local, and tribal governments navigating the impact of COVID-19. The State of Colorado received approximately $1.67 billion of CRF funds in April 2020, and the Governor issued Executive Order 2020-070 (Executive Order) in May 2020 to disburse the CRF funds to numerous state departments and agencies. In June 2020, the State passed House Bill 20-1410, concerning assistance for individuals facing a housing-related hardship due to the COVID-19 pandemic, and transferred approximately $19.7 million of CRF funds to the Housing Development Grant Fund to provide such assistance. This bill includes a provision for the Property Owners Preservation Program (Program), which was managed by the Department, to allow landlords and property owners to seek rental assistance on behalf of their tenants who experienced a financial need on or after March 1, 2020, due to the effects of the COVID-19 pandemic. In Fiscal Year 2021, the Department expended the $19.7 million of the CRF funds it received in April 2020, for the Property Owners Preservation Program (POPP). What was the purpose of our audit work and what work was performed? The purpose of the audit work was to follow up on our prior year audit recommendation, which recommended that the Department implement internal controls to ensure it complies with federal regulations for any new federal funds it receives, such as the CRF. The Department planned to implement this recommendation by June 2022. During the Fiscal Year 2022 audit, we inquired with the Department on the implementation status of this recommendation. We also obtained and reviewed the Department?s Exhibit K3, Schedule of Prior Year Audit Recommendation Status, which it was required to submit to the State Controller. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Under House Bill 20-1410, the Housing Development Grant Fund was appropriated $19,650,000 of funds from the CRF for the purpose of providing individuals and households who, on or after March 1, 2020, experienced financial need due to the COVID-19 pandemic or effects of the COVID-19 pandemic, with rental assistance. The House Bill also provided guidance on how to access additional housing services. The Department developed and issued a new application for the POPP to address the criteria for experiencing direct or indirect impacts of the COVID-19 pandemic. ? Federal regulations [2 CFR 200.303] require that the Department, as a federal grant recipient, ?establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.? Furthermore, in accordance with 2 CFR part 200, subpart E, the Department must determine that amounts paid with federal grant funds were necessary and reasonable for the performance of the federal award and are adequately documented. Therefore, the Department must maintain appropriate supporting documentation to verify costs were properly charged to the federal grants. ? The Office of the State Controller (OSC) requires each department that had a prior audit recommendation that was reported in the prior fiscal year?s Office of the State Auditor Statewide audit to complete an Exhibit K3 to report the Department?s determination of the status of their recommendation as of June 30. Possible status descriptions include ?Implemented,? ?Partially Implemented,? ?Not Implemented,? and ?No Longer Valid.? The Department must provide an explanation for each recommendation status. What problem did the audit work identify? We determined that the Department did not implement the prior year?s recommendation by its planned implementation date of June 2022. Specifically, during prior year audit work, we found that the Department could not provide appropriate underlying support for 4 of the 60 transactions (7 percent) we tested that were charged as CRF expenditures for the Program; as a result, we recommended that the Department strengthen its internal controls over federal grant spending, including that it develop and implement policies and procedures with a requirement that Department staff review and maintain records supporting its expenditures charged to federal programs. When we inquired of the Department about what steps it had taken to implement the recommendation, Department staff indicated that they did not implement the recommendation during Fiscal Year 2022. Why did this problem occur? The Department reported on its Exhibit K3 that it determined that the original implementation date of June 2022 that the Department provided as its planned implementation date for our Fiscal Year 2021 recommendation was unrealistic, given the Department?s staffing challenges. Specifically, the Department indicated that it was not able to allocate sufficient time to develop and implement the recommended policy and procedure guidance by the end of Fiscal Year 2022. Why does this problem matter? The Department?s lack of sufficient internal controls over the maintenance of complete and accurate records for the federal CRF monies could result in inadequate documentation to support its payments and ultimately, disallowed federal costs and potential sanctions. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-074 The Department of Local Affairs (Department) should implement internal controls to ensure it complies with federal regulations, specifically for activities allowed or unallowed and allowable costs/cost principles, for any new federal funds it receives, such as the Coronavirus Relief Fund. This should include developing and implementing policies and procedures that include a requirement that Department staff review and maintain records supporting the expenditures charged to the federal program. Response Department of Local Affairs Agree Implementation Date: September 2022 The Division of Housing within the Department of Local Affairs has implemented internal controls to ensure compliance with federal regulations for new federal funds, including the development of a standard procedure and the requirement that Department staff review and maintain records supporting the expenditures charged to new federal programs.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-059 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF I) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund (Assistance Listing No. 84.425). The HEERF program contains two portions: the Student Aid portion (Assistance Listing No. 84.425E) and the Institutional portion, which is made up of the following: HEERF Institutional Aid Portion (Assistance Listing No. 84.425F), HEERF Minority Serving Institutions (Assistance Listing No. 84.425L), HEERF Strengthening Institutions Program (Assistance Listing No. 84.425M), Institutional Resilience and Expanded Postsecondary Opportunity (Assistance Listing No. 84.425P), and HEERF Supplemental Assistance to Institutions of Higher Education program (Assistance Listing No. 84.425S). Amounts provided to students through HEERF are considered to be ?Emergency Financial Aid Grants to Students? under the Program. Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent approximately $97.8 million for the HEERF program Student Aid portion which is used to award Emergency Financial Aid Grants to students and $113.9 million for the HEERF Institutional Portion, which is used to support the colleges. $117.3 of this amount was expended by the System during Fiscal Year 2022. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the ED to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The annual report is to be submitted directly to the ED. The ED has specified certain criteria that must be included in each report. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System had adequate internal controls in place over, and complied with, the HEERF Institutional and Student Aid grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the System?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 25 of the 117 HEERF reports submitted by the System?s campuses during Fiscal Year 2022 to determine whether the reports were posted on each campus? primary website (quarterly reports) or submitted to ED (annual reports) by the federal due dates. Furthermore, for the Student Aid Quarterly Report we requested from each Campus the underlying support for the reports, which consisted of student data detailing how much aid was awarded and the methods the campuses used to determine which students would receive Emergency Financial Aid Grants. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? On May 13, 2021, the ED published in the Federal Register a notice for student aid public reporting under CRRSAA and ARP, which requires that institutions publicly post certain information on their website. The following information must appear in a format and location that is easily accessible to the public: o An acknowledgement that the institution signed and returned to the ED the Certification and Agreement and the assurance that the institution has used the applicable amount of funds designated under the CRRSAA and ARP programs to provide Emergency Financial Aid Grants to Students. o The total amount of funds that the institution will receive or has received from the ED pursuant to the institution's Certification and Agreement for Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total amount of Emergency Financial Aid Grants distributed to students under the CRRSAA and ARP programs as of the date of submission (i.e., as of the initial report and every calendar quarter thereafter). o The estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total number of students who have received an Emergency Financial Aid Grant to students under the CRRSAA and ARP programs. o The method(s) used by the institution to determine which students receive Emergency Financial Aid Grants and how much they would receive under the CRRSAA and ARP programs. o Any instructions, directions, or guidance provided by the institution to students concerning the Emergency Financial Aid Grants. ? Federal Uniform Guidance [2 CFR 200.303] requires that recipients of federal awards have internal controls in place to ensure that federal reports are accurate and report complete information. Appropriate supporting documentation is evidence of such internal controls. What problems did the audit work identify? We identified issues with 5 of the 25 Fiscal Year 2022 reports we tested (20 percent). Specifically, Front Range Community College (FRCC), Pueblo Community College (PCC), and Lamar Community College (LCC) could not provide appropriate supporting documentation for one or more of the following data elements in five of the Student Aid Quarterly Reports: student data detailing (a) the total amount of Emergency Financial Aid Grants distributed to students, (b) the total number of students eligible to receive Emergency Financial Aid Grants and/or (c) the total number of students at the institution who have received an Emergency Financial Aid Grant. The specific issues we found the following: ? FRCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended September 30, 2021 as 20,684; based on our review, we determined the supported number was 20,782. ? FRCC reported the total number of students at the institution who have received an Emergency Financial Aid Grant for the quarter ended June 30, 2022 as 20,385 (student portion) and 3,207 (institutional portion); based on our review, we determined the supported numbers were 20,401 and 3,222, respectively. ? LCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended June 30, 2022 as 1,007; based on our review, we determined the supported number was 1,034. In addition, the amount disbursed directly to student emergency financial aid grants to date was reported as 961 and total for all HEERF funds was 1,124; based on our review, we determined the supported numbers were 988 and 1,151, respectively. ? PCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarters ending September 30, 2021 and December 31, 2021 as 3,191; based on our review, we determined this amount could not be supported and PCC did not provide a revised count. Why did these problems occur? FRCC, PCC, and LCC campuses did not have procedures in place to ensure that supporting documentation was maintained for its Student Aid Quarterly Reporting. Employee turnover in the FRCC Controller position and FRCC, PCC, and LCC Student Financial Aid Director positions further contributed to FRCC, PCC, and LCC?s inability to locate or recreate the supporting documentation. Why do these problems matter? It is important for FRCC, PCC, and LCC to ensure that they obtain and maintain appropriate documentation to support amounts reported to federal awarding agencies, especially when they are the basis for determining FRCC, PCC, and LCC?s compliance with specific federal program requirements. This issue could lead to inaccurate federal reporting and potential noncompliance, which could result in the federal government requiring FRCC, PCC, and LCC to return funds or a negative impact to the System?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-059 Front Range Community College, Lamar Community College, and Pueblo Community College campuses should strengthen their internal controls over federal reporting and ensure they comply with the Higher Education Emergency Relief Fund reporting requirements by reviewing reports for accuracy and developing procedures for ensuring the required maintenance of all related supporting documentation. Response Front Range Community College Agree Implementation Date: September 2022 Moving forward the Director of Financial Aid will engage the Restricted Funds Accountants in a quality assurance review of both dollars spent, type of fund, and student counts before it is submitted for final review and publishing by the Director of Resource Development and Senior Grant Administrator. The most recently submitted information for the quarterly report of September 30, 2022 will be sent to the Restricted Funds Accountants to validate that FRCC has been and will continue to be in compliance for quarterly HEERF reporting. Response Lamar Community College Agree Implementation Date: July 2022 The Financial Aid Director and the Controller will compile their reporting support on the shared drive they utilize for other routine purposes as well, to ensure clear documentation of the numbers reported. The original report containing errors was corrected, validated, and reposted. All past year?s reporting data was made available on the shared drive as of July 2022. Response Pueblo Community College Agree Implementation Date: October 2022 Each quarter Financial aid will obtain and compare Cognos and Banner disbursement reports for accuracy. Once the unduplicated student count is determined it will be sent to the Vice President of Student Success to validate and approve going forward. Financial aid will ensure staff maintain supporting documentation for any institutional expenditures information that was obtained from the fiscal office. Disbursement and expenditure data will be compiled for the Department of Education?s Quarterly Report by the submission deadline and will be submitted as PDF to webmaster for posting on PCC?s website and a copy emailed to a contact at the Department of Education and will archive the submission for future reference.
Finding 2022-062 Higher Education Emergency Relief Fund Student Aid Finding The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to higher education institutions, including the University, under the HEERF program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA) was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. Since March 11, 2021, the University has been awarded $45.6 million in HEERF grant funds through the American Rescue Plan (ARP), otherwise known as HEERF III. Of this award, the University was provided both 1) Student Aid monies, along with 2) Institutional Aid monies. Student Aid monies must be used to provide financial aid grants to students (including students exclusively enrolled in distance education), which may be used for ?any component of the student?s cost of attendance or for emergency costs that arise due to coronavirus, such as tuition, food, housing, healthcare (including mental health care), or childcare. Institutional Aid monies may be used to defray expenses associated with coronavirus (including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll) and to make additional financial grants to students. During Fiscal Year 2022, the University spent $21.0 million for the Student Aid portion and $20.2 million for the Institutional portion of HEERF III funds. For the Student Aid portion of the HEERF III funding, the University divided the funding into different groups. The University developed a written plan (that applied during Fiscal Year 2022) for each group and a control process for awarding the monies to students. One of the groups of funding was to be awarded to students with unpaid balances in their tuition or auxiliary accounts with past due balances incurred during the 2020-2021 or 2021-2022 academic years. A team of University employees (CARES Team) was tasked with identifying those students, then contacting those students and asking if they would like the University to apply the student?s HEERF award to pay down the student?s account balance or pay it to the student directly. Once the student informed the University of their election, then the University awarded and disbursed the funds. What was the purpose of our audit work and what was performed? The purpose of the audit work was to determine whether the University was in compliance with the HEERF program regulations for awarding and paying the Student Aid portion of the HEERF funding, and whether proper controls were in place over the program during Fiscal Year 2022. Our testing included conducting interviews with management and selecting a sample of 60 disbursements made to students during Fiscal Year 2022 to test controls and compliance. We performed testing on the 60 disbursements to determine whether awards and disbursements were made in accordance with the University?s documented plan. How were the results of the audit work measured? In accordance with HEERF III requirements, the University must prioritize student aid distributions to students with exceptional needs. In addition, the University must have a documented plan to distribute funds to students. Federal regulations [2 CFR 200.303] require any non-federal grant award recipient to establish and maintain effective internal control over the federal award that provides reasonable assurance that the grant award recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. Lastly, student aid application best practices discourage employees from awarding aid to family members. What problem did the audit work identify? Based on interviews with University management, the University identified that a University employee inappropriately provided $700 in HEERF Student Aid funding to the employee?s family member who was a student at the University but was not eligible to receive the funds. Specifically, the CARES Team selected students to receive these funds that met the following criteria: 1) Student was enrolled in the Fall of 2021 or Spring 2022, 2) student had past due balances incurred during the 2020-2021 or 2021-2022 academic years, 3) the student was in good academic standing, and 4) they were participating in a payment plan or in the College Completion Advising program. The student was not selected by the CARES Team as eligible to receive these funds. During our testing of additional 60 student disbursement transactions we found no other exceptions. Why did this problem occur? The University has not established proper segregation of duties to prevent University employees from awarding federal funding to a member of their family. Specifically, the employee had access rights within the University?s financial aid system that granted the employee the ability to both award and disburse federal funds without another employee reviewing or approving. In addition, the University did not have a written policy, as recommended by industry best practices, that prohibits employees from applying aid to family members? accounts. Why does this problem matter? Federal funds that are misapplied or used for unallowable purposes could be subject to repayment from the University to the federal granting agency. Without ensuring adequate segregation of duties within the University?s financial aid system for awarding and disbursing federal funds, the University increases the risk that fraud could occur. In the instance identified, the University recovered the funding from the student. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-062 Metropolitan State University of Denver (University) should improve its internal controls over federal Higher Education Emergency Relief Funds by instituting appropriate segregation of duties over the awarding of federal funds to students. This should include requiring that no one employee can both award then disburse aid to students and developing and implementing a formal written policy that prohibits University employees from awarding financial aid to their family members. Response Metropolitan State University Agree Implementation Date: June 2023 In January 2023, the Executive Director of Financial Aid and Scholarships implemented a code of conduct that addresses and prohibits University personnel from awarding financial aid to their family members or other persons considered conflicts of interest. The Office of Financial Aid and Scholarships will draft policy by June 30, 2023, to address the segregation of duties that prohibits awarding and disbursing federal, state, or institutional funding to students by one employee.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Finding 2022-063 Higher Education Emergency Relief Fund Reporting Compliance Finding The CARES Act was signed into law on March 27, 2020, and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the (HEERF Program. CRRSAA was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Since April 2020, the University has been awarded a total of $86.3 million in HEERF funding. From inception through June 30, 2022, the University spent $35.4 million for the HEERF program Student Aid Portion and $48.9 million for the HEERF program Institutional Portion. The University reports that it will spend the remaining amount of funding during Fiscal Year 2023. The University signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate the University?s acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The ED specified that Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The annual report is to be submitted directly to the federal ED. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University had adequate internal controls in place over and complied with HEERF Institutional and Student Aid Portion grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the University?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 5 of the 8 HEERF reports submitted by the University during Fiscal Year 2022 to determine whether the reports were posted on the University?s primary website or submitted directly to the ED by the federal due dates and complied with federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? For the Student Aid Portion, beginning on May 6, 2020, the ED required institutions to publicly post certain information on their website, including the number of awards distributed to students, the total amount awarded, and the methodologies used by the institution to determine which students receive awards, no later than 30 days after the award date, and to update that information every 45 days thereafter (by posting a new report). ? On August 31, 2020, the ED revised the reporting requirement by decreasing the frequency of reporting after the initial 30-day period from every 45 days thereafter to every calendar quarter. This revision from every 45 days to a calendar quarter was effective for the first calendar quarter report due by October 10, 2020, and covering the period from after the institution?s last report through the end of the calendar quarter on September 30, 2020. ? For the Institutional Portion, a federal form filled out by the institution must be posted on the institution?s website covering aggregate expenditure amounts for each calendar quarter (September 30, December 31, March 31, and June 30) and concluding after an institution has spent the institutional portion of their HEERF Funds. The institution must post their first report by October 30, 2020, the first quarter of 2021 report by July 20, 2021, and post all other reports no later than 10 days after the end of each calendar quarter (October 10, January 10, April 10, and July 10). ? Section 18004(e) of the CARES Act and Section 314(e) of the CRRSAA require an institution receiving funds under HEERF to submit a report to the Secretary of the ED at ?such time in such a manner as the Secretary may require?. ? Federal regulation [2 CFR 200.334] states that ?financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.? The instructions for the Quarterly HEERF Reporting Form notes, ?any changes or updates after the initial posting must be conspicuously noted after initial posting and the date of the change must be noted in the `Date of Report? line.? ? Federal regulation [2 CFR 200.303] states that the University, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The University signed a HEERF Certification and Agreement to accept the funding and acknowledge its responsibilities under the grant; therefore, the University was responsible under the Agreement to ensure that it complied with HEERF reporting and other requirements. What problems did the audit work identify? We determined that 2 out of 5 reports tested (40 percent) did not meet the HEERF grant report posting requirements. Specifically: ? The University did not post the HEERF CRRSAA Student quarterly report for the quarter ending September 30, 2021 on the University?s primary website, as required. ? The University published the HEERF ARP Student quarterly report for the quarter ending March 31, 2022 on May 26, 2022?46 days past the due date of April 10, 2022. No issues were noted on the accuracy of the financial information on this report. Why did these problems occur? The University did not implement adequate internal controls to ensure it complied with the HEERF grant reporting requirements. Specifically, the University did not have appropriate policies and procedures in place to ensure that staff submit the required reports within federally required timeframes. Why do these problems matter? Federal oversight agencies, including ED, depend on accurate reports to measure program results and states? compliance with federal requirements. By failing to report the HEERF spending information in accordance with federal regulations, the University failed to comply with the requirements of the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-063 Metropolitan State University of Denver (University) should strengthen its internal controls over reporting and ensure it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by developing and documenting policies and procedures for identifying and researching the specific reporting requirements and ensuring that staff post to the University?s website the required reports within federally required timeframes. In addition, the University should ensure that all the HEERF reports that are currently required to be posted are on the website. Response Metropolitan State University Agree Implementation Date: December 2022 In December 2022, the Office of Financial Aid strengthened its internal control over the reporting requirements for the Higher Education Emergency Relief Fund (HEERF), by adding the report due dates to the internal operational calendar. Additional level reviews were also added to the submission process before the required reports will be sent to the Department of Education and posted on the financial aid website.
Finding 2022-064 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide emergency financial assistance to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the University under the Higher Education Emergency Relief Fund (HEERF I) Program. The federal Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the federal American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Each of the University?s campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (DOE) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements of the HEERF program there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The DOE specified that the Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The University?s campuses are required to submit the annual report directly to the DOE. During Fiscal Year 2022, each University campus was required to complete and post 8 reports (four Student Aid and four Institutional) to their website. During Fiscal Year 2022, the University?s three campuses in total expended approximately $60 million in HEERF grant funds: $27 million was expended by the Boulder campus, $10.5 million was expended by the Colorado Springs campus, and $22.5 million was expended by the Denver campus. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over and complied with the HEERF grant reporting requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls over the HEERF grant reporting requirements. In addition, we tested 11 of the 12 student reports and 3 of the 12 institutional reports posted by the University during Fiscal Year 2022 to determine whether the University campuses posted the required information on each campus? website accurately, and by the federal due dates. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? The DOE issued a notice on May 13, 2021, requiring institutions to publicly post their required HEERF reports on the institution?s website as soon as possible, but no later than 30 days after the publication of the notice, or 30 days after the date the DOE first obligated funds under HEERF I, II, or III to the institution for emergency financial assistance to students; whichever comes later. The institution is required to post the report no later than 10 days after the end of each calendar quarter, after the initial posting. ? Federal regulation [2 CFR 200.303] states that the System?s campuses, as federal grant recipients, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? What problem did the audit work identify? We identified 2 out of the 14 reports tested (14.3 percent) that did not meet the HEERF grant report posting requirements. Specifically, the University of Colorado, Colorado Springs Campus, did not post the required information for the HEERF Student Aid Portion on its website for two of four quarters of Fiscal Year 2022 timely. First, the University posted the quarter-ending September 30, 2021 report to its website on December 23, 2021, or 74 days after the deadline of October 10. Second, the University did not post the quarter-ending March 31, 2022 report, which was due April 10, 2022, until October 2022, after we notified them of the error; this was approximately 6 months late. We did not identify any issues with the accuracy of the reports, and we found that the other two campuses in the University of Colorado System posted the required information on their respective websites as required by federal regulations. Why did this problem occur? The University?s Colorado Springs campus did not have adequate internal controls in place to ensure it complied with the HEERF grant reporting requirements. Specifically, the Colorado Springs Campus did not have appropriate policies and procedures in place for identifying and researching changes in HEERF reporting requirements. The federal government updated and provided a new form for HEERF reporting in September 2021 that included a section for institutional information but inadvertently excluded student information from the form. Because the form no longer required the student information, the Colorado Springs campus staff inaccurately assumed that the student information was no longer required to be reported. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in the DOE Certification and Agreement that is signed and agreed to by the University. By failing to report required information in accordance with federal regulations, the University failed to comply with the requirements of the HEERF program and potentially risks repercussions from the DOE as specified in the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-064 The University of Colorado?s Colorado Springs campus should strengthen its internal controls over and ensure that it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by establishing policies and procedures for identifying and researching changes in HEERF reporting requirements and posting reports to the campus website as required by federal regulations. Response University of Colorado Agree Implementation Date: Implemented Management agrees. After the notification of the missing HEERF report in December 2021, the UCCS Controller proposed a ?cross-check? process to ensure all future reporting is in compliance and reported in a timely manner. This process is used for both the quarterly and annual reporting process. In the quarterly reporting process, the UCCS Controller completes the institutional report and emails the report to the UCCS Financial Aid office Senior Executive Director for verification of the amounts and the data submitted. The Senior Executive Director then enters the student aid portion?s information and provides this to the UCCS Controller for verification of the data. Once verified, the report is uploaded to the UCCS website and a confirmation email is sent to the UCCS Controller as well as the heerfreporting@ed.gov for verification of completion of the website posting. This process has been duplicated with the annual reporting process. Before the annual report is submitted a review will be done to verify the report figures match the CU financials for the calendar year.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-059 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF I) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund (Assistance Listing No. 84.425). The HEERF program contains two portions: the Student Aid portion (Assistance Listing No. 84.425E) and the Institutional portion, which is made up of the following: HEERF Institutional Aid Portion (Assistance Listing No. 84.425F), HEERF Minority Serving Institutions (Assistance Listing No. 84.425L), HEERF Strengthening Institutions Program (Assistance Listing No. 84.425M), Institutional Resilience and Expanded Postsecondary Opportunity (Assistance Listing No. 84.425P), and HEERF Supplemental Assistance to Institutions of Higher Education program (Assistance Listing No. 84.425S). Amounts provided to students through HEERF are considered to be ?Emergency Financial Aid Grants to Students? under the Program. Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent approximately $97.8 million for the HEERF program Student Aid portion which is used to award Emergency Financial Aid Grants to students and $113.9 million for the HEERF Institutional Portion, which is used to support the colleges. $117.3 of this amount was expended by the System during Fiscal Year 2022. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the ED to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The annual report is to be submitted directly to the ED. The ED has specified certain criteria that must be included in each report. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System had adequate internal controls in place over, and complied with, the HEERF Institutional and Student Aid grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the System?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 25 of the 117 HEERF reports submitted by the System?s campuses during Fiscal Year 2022 to determine whether the reports were posted on each campus? primary website (quarterly reports) or submitted to ED (annual reports) by the federal due dates. Furthermore, for the Student Aid Quarterly Report we requested from each Campus the underlying support for the reports, which consisted of student data detailing how much aid was awarded and the methods the campuses used to determine which students would receive Emergency Financial Aid Grants. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? On May 13, 2021, the ED published in the Federal Register a notice for student aid public reporting under CRRSAA and ARP, which requires that institutions publicly post certain information on their website. The following information must appear in a format and location that is easily accessible to the public: o An acknowledgement that the institution signed and returned to the ED the Certification and Agreement and the assurance that the institution has used the applicable amount of funds designated under the CRRSAA and ARP programs to provide Emergency Financial Aid Grants to Students. o The total amount of funds that the institution will receive or has received from the ED pursuant to the institution's Certification and Agreement for Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total amount of Emergency Financial Aid Grants distributed to students under the CRRSAA and ARP programs as of the date of submission (i.e., as of the initial report and every calendar quarter thereafter). o The estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total number of students who have received an Emergency Financial Aid Grant to students under the CRRSAA and ARP programs. o The method(s) used by the institution to determine which students receive Emergency Financial Aid Grants and how much they would receive under the CRRSAA and ARP programs. o Any instructions, directions, or guidance provided by the institution to students concerning the Emergency Financial Aid Grants. ? Federal Uniform Guidance [2 CFR 200.303] requires that recipients of federal awards have internal controls in place to ensure that federal reports are accurate and report complete information. Appropriate supporting documentation is evidence of such internal controls. What problems did the audit work identify? We identified issues with 5 of the 25 Fiscal Year 2022 reports we tested (20 percent). Specifically, Front Range Community College (FRCC), Pueblo Community College (PCC), and Lamar Community College (LCC) could not provide appropriate supporting documentation for one or more of the following data elements in five of the Student Aid Quarterly Reports: student data detailing (a) the total amount of Emergency Financial Aid Grants distributed to students, (b) the total number of students eligible to receive Emergency Financial Aid Grants and/or (c) the total number of students at the institution who have received an Emergency Financial Aid Grant. The specific issues we found the following: ? FRCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended September 30, 2021 as 20,684; based on our review, we determined the supported number was 20,782. ? FRCC reported the total number of students at the institution who have received an Emergency Financial Aid Grant for the quarter ended June 30, 2022 as 20,385 (student portion) and 3,207 (institutional portion); based on our review, we determined the supported numbers were 20,401 and 3,222, respectively. ? LCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended June 30, 2022 as 1,007; based on our review, we determined the supported number was 1,034. In addition, the amount disbursed directly to student emergency financial aid grants to date was reported as 961 and total for all HEERF funds was 1,124; based on our review, we determined the supported numbers were 988 and 1,151, respectively. ? PCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarters ending September 30, 2021 and December 31, 2021 as 3,191; based on our review, we determined this amount could not be supported and PCC did not provide a revised count. Why did these problems occur? FRCC, PCC, and LCC campuses did not have procedures in place to ensure that supporting documentation was maintained for its Student Aid Quarterly Reporting. Employee turnover in the FRCC Controller position and FRCC, PCC, and LCC Student Financial Aid Director positions further contributed to FRCC, PCC, and LCC?s inability to locate or recreate the supporting documentation. Why do these problems matter? It is important for FRCC, PCC, and LCC to ensure that they obtain and maintain appropriate documentation to support amounts reported to federal awarding agencies, especially when they are the basis for determining FRCC, PCC, and LCC?s compliance with specific federal program requirements. This issue could lead to inaccurate federal reporting and potential noncompliance, which could result in the federal government requiring FRCC, PCC, and LCC to return funds or a negative impact to the System?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-059 Front Range Community College, Lamar Community College, and Pueblo Community College campuses should strengthen their internal controls over federal reporting and ensure they comply with the Higher Education Emergency Relief Fund reporting requirements by reviewing reports for accuracy and developing procedures for ensuring the required maintenance of all related supporting documentation. Response Front Range Community College Agree Implementation Date: September 2022 Moving forward the Director of Financial Aid will engage the Restricted Funds Accountants in a quality assurance review of both dollars spent, type of fund, and student counts before it is submitted for final review and publishing by the Director of Resource Development and Senior Grant Administrator. The most recently submitted information for the quarterly report of September 30, 2022 will be sent to the Restricted Funds Accountants to validate that FRCC has been and will continue to be in compliance for quarterly HEERF reporting. Response Lamar Community College Agree Implementation Date: July 2022 The Financial Aid Director and the Controller will compile their reporting support on the shared drive they utilize for other routine purposes as well, to ensure clear documentation of the numbers reported. The original report containing errors was corrected, validated, and reposted. All past year?s reporting data was made available on the shared drive as of July 2022. Response Pueblo Community College Agree Implementation Date: October 2022 Each quarter Financial aid will obtain and compare Cognos and Banner disbursement reports for accuracy. Once the unduplicated student count is determined it will be sent to the Vice President of Student Success to validate and approve going forward. Financial aid will ensure staff maintain supporting documentation for any institutional expenditures information that was obtained from the fiscal office. Disbursement and expenditure data will be compiled for the Department of Education?s Quarterly Report by the submission deadline and will be submitted as PDF to webmaster for posting on PCC?s website and a copy emailed to a contact at the Department of Education and will archive the submission for future reference.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Finding 2022-062 Higher Education Emergency Relief Fund Student Aid Finding The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to higher education institutions, including the University, under the HEERF program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA) was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. Since March 11, 2021, the University has been awarded $45.6 million in HEERF grant funds through the American Rescue Plan (ARP), otherwise known as HEERF III. Of this award, the University was provided both 1) Student Aid monies, along with 2) Institutional Aid monies. Student Aid monies must be used to provide financial aid grants to students (including students exclusively enrolled in distance education), which may be used for ?any component of the student?s cost of attendance or for emergency costs that arise due to coronavirus, such as tuition, food, housing, healthcare (including mental health care), or childcare. Institutional Aid monies may be used to defray expenses associated with coronavirus (including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll) and to make additional financial grants to students. During Fiscal Year 2022, the University spent $21.0 million for the Student Aid portion and $20.2 million for the Institutional portion of HEERF III funds. For the Student Aid portion of the HEERF III funding, the University divided the funding into different groups. The University developed a written plan (that applied during Fiscal Year 2022) for each group and a control process for awarding the monies to students. One of the groups of funding was to be awarded to students with unpaid balances in their tuition or auxiliary accounts with past due balances incurred during the 2020-2021 or 2021-2022 academic years. A team of University employees (CARES Team) was tasked with identifying those students, then contacting those students and asking if they would like the University to apply the student?s HEERF award to pay down the student?s account balance or pay it to the student directly. Once the student informed the University of their election, then the University awarded and disbursed the funds. What was the purpose of our audit work and what was performed? The purpose of the audit work was to determine whether the University was in compliance with the HEERF program regulations for awarding and paying the Student Aid portion of the HEERF funding, and whether proper controls were in place over the program during Fiscal Year 2022. Our testing included conducting interviews with management and selecting a sample of 60 disbursements made to students during Fiscal Year 2022 to test controls and compliance. We performed testing on the 60 disbursements to determine whether awards and disbursements were made in accordance with the University?s documented plan. How were the results of the audit work measured? In accordance with HEERF III requirements, the University must prioritize student aid distributions to students with exceptional needs. In addition, the University must have a documented plan to distribute funds to students. Federal regulations [2 CFR 200.303] require any non-federal grant award recipient to establish and maintain effective internal control over the federal award that provides reasonable assurance that the grant award recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. Lastly, student aid application best practices discourage employees from awarding aid to family members. What problem did the audit work identify? Based on interviews with University management, the University identified that a University employee inappropriately provided $700 in HEERF Student Aid funding to the employee?s family member who was a student at the University but was not eligible to receive the funds. Specifically, the CARES Team selected students to receive these funds that met the following criteria: 1) Student was enrolled in the Fall of 2021 or Spring 2022, 2) student had past due balances incurred during the 2020-2021 or 2021-2022 academic years, 3) the student was in good academic standing, and 4) they were participating in a payment plan or in the College Completion Advising program. The student was not selected by the CARES Team as eligible to receive these funds. During our testing of additional 60 student disbursement transactions we found no other exceptions. Why did this problem occur? The University has not established proper segregation of duties to prevent University employees from awarding federal funding to a member of their family. Specifically, the employee had access rights within the University?s financial aid system that granted the employee the ability to both award and disburse federal funds without another employee reviewing or approving. In addition, the University did not have a written policy, as recommended by industry best practices, that prohibits employees from applying aid to family members? accounts. Why does this problem matter? Federal funds that are misapplied or used for unallowable purposes could be subject to repayment from the University to the federal granting agency. Without ensuring adequate segregation of duties within the University?s financial aid system for awarding and disbursing federal funds, the University increases the risk that fraud could occur. In the instance identified, the University recovered the funding from the student. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-062 Metropolitan State University of Denver (University) should improve its internal controls over federal Higher Education Emergency Relief Funds by instituting appropriate segregation of duties over the awarding of federal funds to students. This should include requiring that no one employee can both award then disburse aid to students and developing and implementing a formal written policy that prohibits University employees from awarding financial aid to their family members. Response Metropolitan State University Agree Implementation Date: June 2023 In January 2023, the Executive Director of Financial Aid and Scholarships implemented a code of conduct that addresses and prohibits University personnel from awarding financial aid to their family members or other persons considered conflicts of interest. The Office of Financial Aid and Scholarships will draft policy by June 30, 2023, to address the segregation of duties that prohibits awarding and disbursing federal, state, or institutional funding to students by one employee.
Finding 2022-064 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide emergency financial assistance to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the University under the Higher Education Emergency Relief Fund (HEERF I) Program. The federal Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the federal American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Each of the University?s campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (DOE) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements of the HEERF program there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The DOE specified that the Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The University?s campuses are required to submit the annual report directly to the DOE. During Fiscal Year 2022, each University campus was required to complete and post 8 reports (four Student Aid and four Institutional) to their website. During Fiscal Year 2022, the University?s three campuses in total expended approximately $60 million in HEERF grant funds: $27 million was expended by the Boulder campus, $10.5 million was expended by the Colorado Springs campus, and $22.5 million was expended by the Denver campus. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over and complied with the HEERF grant reporting requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls over the HEERF grant reporting requirements. In addition, we tested 11 of the 12 student reports and 3 of the 12 institutional reports posted by the University during Fiscal Year 2022 to determine whether the University campuses posted the required information on each campus? website accurately, and by the federal due dates. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? The DOE issued a notice on May 13, 2021, requiring institutions to publicly post their required HEERF reports on the institution?s website as soon as possible, but no later than 30 days after the publication of the notice, or 30 days after the date the DOE first obligated funds under HEERF I, II, or III to the institution for emergency financial assistance to students; whichever comes later. The institution is required to post the report no later than 10 days after the end of each calendar quarter, after the initial posting. ? Federal regulation [2 CFR 200.303] states that the System?s campuses, as federal grant recipients, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? What problem did the audit work identify? We identified 2 out of the 14 reports tested (14.3 percent) that did not meet the HEERF grant report posting requirements. Specifically, the University of Colorado, Colorado Springs Campus, did not post the required information for the HEERF Student Aid Portion on its website for two of four quarters of Fiscal Year 2022 timely. First, the University posted the quarter-ending September 30, 2021 report to its website on December 23, 2021, or 74 days after the deadline of October 10. Second, the University did not post the quarter-ending March 31, 2022 report, which was due April 10, 2022, until October 2022, after we notified them of the error; this was approximately 6 months late. We did not identify any issues with the accuracy of the reports, and we found that the other two campuses in the University of Colorado System posted the required information on their respective websites as required by federal regulations. Why did this problem occur? The University?s Colorado Springs campus did not have adequate internal controls in place to ensure it complied with the HEERF grant reporting requirements. Specifically, the Colorado Springs Campus did not have appropriate policies and procedures in place for identifying and researching changes in HEERF reporting requirements. The federal government updated and provided a new form for HEERF reporting in September 2021 that included a section for institutional information but inadvertently excluded student information from the form. Because the form no longer required the student information, the Colorado Springs campus staff inaccurately assumed that the student information was no longer required to be reported. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in the DOE Certification and Agreement that is signed and agreed to by the University. By failing to report required information in accordance with federal regulations, the University failed to comply with the requirements of the HEERF program and potentially risks repercussions from the DOE as specified in the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-064 The University of Colorado?s Colorado Springs campus should strengthen its internal controls over and ensure that it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by establishing policies and procedures for identifying and researching changes in HEERF reporting requirements and posting reports to the campus website as required by federal regulations. Response University of Colorado Agree Implementation Date: Implemented Management agrees. After the notification of the missing HEERF report in December 2021, the UCCS Controller proposed a ?cross-check? process to ensure all future reporting is in compliance and reported in a timely manner. This process is used for both the quarterly and annual reporting process. In the quarterly reporting process, the UCCS Controller completes the institutional report and emails the report to the UCCS Financial Aid office Senior Executive Director for verification of the amounts and the data submitted. The Senior Executive Director then enters the student aid portion?s information and provides this to the UCCS Controller for verification of the data. Once verified, the report is uploaded to the UCCS website and a confirmation email is sent to the UCCS Controller as well as the heerfreporting@ed.gov for verification of completion of the website posting. This process has been duplicated with the annual reporting process. Before the annual report is submitted a review will be done to verify the report figures match the CU financials for the calendar year.
Finding 2022-063 Higher Education Emergency Relief Fund Reporting Compliance Finding The CARES Act was signed into law on March 27, 2020, and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the (HEERF Program. CRRSAA was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Since April 2020, the University has been awarded a total of $86.3 million in HEERF funding. From inception through June 30, 2022, the University spent $35.4 million for the HEERF program Student Aid Portion and $48.9 million for the HEERF program Institutional Portion. The University reports that it will spend the remaining amount of funding during Fiscal Year 2023. The University signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate the University?s acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The ED specified that Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The annual report is to be submitted directly to the federal ED. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University had adequate internal controls in place over and complied with HEERF Institutional and Student Aid Portion grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the University?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 5 of the 8 HEERF reports submitted by the University during Fiscal Year 2022 to determine whether the reports were posted on the University?s primary website or submitted directly to the ED by the federal due dates and complied with federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? For the Student Aid Portion, beginning on May 6, 2020, the ED required institutions to publicly post certain information on their website, including the number of awards distributed to students, the total amount awarded, and the methodologies used by the institution to determine which students receive awards, no later than 30 days after the award date, and to update that information every 45 days thereafter (by posting a new report). ? On August 31, 2020, the ED revised the reporting requirement by decreasing the frequency of reporting after the initial 30-day period from every 45 days thereafter to every calendar quarter. This revision from every 45 days to a calendar quarter was effective for the first calendar quarter report due by October 10, 2020, and covering the period from after the institution?s last report through the end of the calendar quarter on September 30, 2020. ? For the Institutional Portion, a federal form filled out by the institution must be posted on the institution?s website covering aggregate expenditure amounts for each calendar quarter (September 30, December 31, March 31, and June 30) and concluding after an institution has spent the institutional portion of their HEERF Funds. The institution must post their first report by October 30, 2020, the first quarter of 2021 report by July 20, 2021, and post all other reports no later than 10 days after the end of each calendar quarter (October 10, January 10, April 10, and July 10). ? Section 18004(e) of the CARES Act and Section 314(e) of the CRRSAA require an institution receiving funds under HEERF to submit a report to the Secretary of the ED at ?such time in such a manner as the Secretary may require?. ? Federal regulation [2 CFR 200.334] states that ?financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.? The instructions for the Quarterly HEERF Reporting Form notes, ?any changes or updates after the initial posting must be conspicuously noted after initial posting and the date of the change must be noted in the `Date of Report? line.? ? Federal regulation [2 CFR 200.303] states that the University, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The University signed a HEERF Certification and Agreement to accept the funding and acknowledge its responsibilities under the grant; therefore, the University was responsible under the Agreement to ensure that it complied with HEERF reporting and other requirements. What problems did the audit work identify? We determined that 2 out of 5 reports tested (40 percent) did not meet the HEERF grant report posting requirements. Specifically: ? The University did not post the HEERF CRRSAA Student quarterly report for the quarter ending September 30, 2021 on the University?s primary website, as required. ? The University published the HEERF ARP Student quarterly report for the quarter ending March 31, 2022 on May 26, 2022?46 days past the due date of April 10, 2022. No issues were noted on the accuracy of the financial information on this report. Why did these problems occur? The University did not implement adequate internal controls to ensure it complied with the HEERF grant reporting requirements. Specifically, the University did not have appropriate policies and procedures in place to ensure that staff submit the required reports within federally required timeframes. Why do these problems matter? Federal oversight agencies, including ED, depend on accurate reports to measure program results and states? compliance with federal requirements. By failing to report the HEERF spending information in accordance with federal regulations, the University failed to comply with the requirements of the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-063 Metropolitan State University of Denver (University) should strengthen its internal controls over reporting and ensure it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by developing and documenting policies and procedures for identifying and researching the specific reporting requirements and ensuring that staff post to the University?s website the required reports within federally required timeframes. In addition, the University should ensure that all the HEERF reports that are currently required to be posted are on the website. Response Metropolitan State University Agree Implementation Date: December 2022 In December 2022, the Office of Financial Aid strengthened its internal control over the reporting requirements for the Higher Education Emergency Relief Fund (HEERF), by adding the report due dates to the internal operational calendar. Additional level reviews were also added to the submission process before the required reports will be sent to the Department of Education and posted on the financial aid website.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-074 Coronavirus Relief Funds?Property Owner Preservation Program The President of the United States issued the Proclamation on Declaring a National Emergency Concerning the Novel Coronavirus Disease (COVID-19) Outbreak on March 13, 2020 and Congress subsequently passed the Coronavirus Aid, Relief, and Economic Security (CARES) Act. The CARES Act provided emergency assistance in response to the COVID-19 pandemic and established the Coronavirus Relief Fund (CRF) program, which provided payments to state, local, and tribal governments navigating the impact of COVID-19. The State of Colorado received approximately $1.67 billion of CRF funds in April 2020, and the Governor issued Executive Order 2020-070 (Executive Order) in May 2020 to disburse the CRF funds to numerous state departments and agencies. In June 2020, the State passed House Bill 20-1410, concerning assistance for individuals facing a housing-related hardship due to the COVID-19 pandemic, and transferred approximately $19.7 million of CRF funds to the Housing Development Grant Fund to provide such assistance. This bill includes a provision for the Property Owners Preservation Program (Program), which was managed by the Department, to allow landlords and property owners to seek rental assistance on behalf of their tenants who experienced a financial need on or after March 1, 2020, due to the effects of the COVID-19 pandemic. In Fiscal Year 2021, the Department expended the $19.7 million of the CRF funds it received in April 2020, for the Property Owners Preservation Program (POPP). What was the purpose of our audit work and what work was performed? The purpose of the audit work was to follow up on our prior year audit recommendation, which recommended that the Department implement internal controls to ensure it complies with federal regulations for any new federal funds it receives, such as the CRF. The Department planned to implement this recommendation by June 2022. During the Fiscal Year 2022 audit, we inquired with the Department on the implementation status of this recommendation. We also obtained and reviewed the Department?s Exhibit K3, Schedule of Prior Year Audit Recommendation Status, which it was required to submit to the State Controller. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Under House Bill 20-1410, the Housing Development Grant Fund was appropriated $19,650,000 of funds from the CRF for the purpose of providing individuals and households who, on or after March 1, 2020, experienced financial need due to the COVID-19 pandemic or effects of the COVID-19 pandemic, with rental assistance. The House Bill also provided guidance on how to access additional housing services. The Department developed and issued a new application for the POPP to address the criteria for experiencing direct or indirect impacts of the COVID-19 pandemic. ? Federal regulations [2 CFR 200.303] require that the Department, as a federal grant recipient, ?establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.? Furthermore, in accordance with 2 CFR part 200, subpart E, the Department must determine that amounts paid with federal grant funds were necessary and reasonable for the performance of the federal award and are adequately documented. Therefore, the Department must maintain appropriate supporting documentation to verify costs were properly charged to the federal grants. ? The Office of the State Controller (OSC) requires each department that had a prior audit recommendation that was reported in the prior fiscal year?s Office of the State Auditor Statewide audit to complete an Exhibit K3 to report the Department?s determination of the status of their recommendation as of June 30. Possible status descriptions include ?Implemented,? ?Partially Implemented,? ?Not Implemented,? and ?No Longer Valid.? The Department must provide an explanation for each recommendation status. What problem did the audit work identify? We determined that the Department did not implement the prior year?s recommendation by its planned implementation date of June 2022. Specifically, during prior year audit work, we found that the Department could not provide appropriate underlying support for 4 of the 60 transactions (7 percent) we tested that were charged as CRF expenditures for the Program; as a result, we recommended that the Department strengthen its internal controls over federal grant spending, including that it develop and implement policies and procedures with a requirement that Department staff review and maintain records supporting its expenditures charged to federal programs. When we inquired of the Department about what steps it had taken to implement the recommendation, Department staff indicated that they did not implement the recommendation during Fiscal Year 2022. Why did this problem occur? The Department reported on its Exhibit K3 that it determined that the original implementation date of June 2022 that the Department provided as its planned implementation date for our Fiscal Year 2021 recommendation was unrealistic, given the Department?s staffing challenges. Specifically, the Department indicated that it was not able to allocate sufficient time to develop and implement the recommended policy and procedure guidance by the end of Fiscal Year 2022. Why does this problem matter? The Department?s lack of sufficient internal controls over the maintenance of complete and accurate records for the federal CRF monies could result in inadequate documentation to support its payments and ultimately, disallowed federal costs and potential sanctions. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-074 The Department of Local Affairs (Department) should implement internal controls to ensure it complies with federal regulations, specifically for activities allowed or unallowed and allowable costs/cost principles, for any new federal funds it receives, such as the Coronavirus Relief Fund. This should include developing and implementing policies and procedures that include a requirement that Department staff review and maintain records supporting the expenditures charged to the federal program. Response Department of Local Affairs Agree Implementation Date: September 2022 The Division of Housing within the Department of Local Affairs has implemented internal controls to ensure compliance with federal regulations for new federal funds, including the development of a standard procedure and the requirement that Department staff review and maintain records supporting the expenditures charged to new federal programs.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-065 Research and Development Cluster Equipment Management Compliance The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D activities conducted under these awards vary greatly. The objective of an individual project is explained in the federal award document. R&D activities at the University are subject to federal equipment management requirements. In accordance with Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), Section 201.1 Definitions, equipment is defined as tangible personal property (including information technology systems) having a useful life of more than one year and a per-unit acquisition cost which equals or exceeds the lesser of the capitalization level established by the non-Federal entity for financial statement purposes, or $5,000. The University uses equipment to meet the objective of its various research projects and this equipment may be common items such as a microscope or very complex scientific equipment, Under federal regulations, the University is required, for any equipment purchased under a federal contract, to maintain and track the equipment as to its location. The University must have an internal control structure in place in order to protect and safeguard the equipment and the University should be able to provide evidence that the equipment is safeguarded and maintained and show the location of all equipment. The Campus Controller?s Property Accounting Office (PAO) within the Boulder campus is responsible for equipment and property management. The PAO sends its full equipment listing quarterly to a portion of its individual departments with equipment, in a frequency to cover all departments within a two-year period. The individual departments are required to review the equipment listing, add any new equipment to the listing, and remove any equipment from the listing that has been disposed of or is no longer in service. Once the departments return the listings to the PAO, the PAO selects a sample to verify the information provided by the departments. The PAO selects the sample and the PAO Property Accountant then verifies the equipment?s existence by performing a site visit to the department and observing the equipment. The PAO selects a new sample each quarter. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million and $6 million from the Boulder, Denver and UCCS campuses, respectively. Of that amount, the University?s three campuses expended a total of approximately $191 million for equipment purchases, with $116 million, $69.6 million, and $5.4 million being spent by the Boulder, Denver, and UCCS campuses, respectively. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D Cluster?s equipment management requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls related to the R&D equipment management requirements. We tested 60 items of equipment with a total value of $1.2 million to determine whether the University appropriately safeguarded and maintained equipment, as required by federal regulations. In addition, we tested 40 of the 60 items of equipment with a total value of $840,000 to determine whether the University?s campuses appropriately placed property tags on the equipment as required by University policy. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.313(b) states that a State must use, manage and dispose of equipment acquired under a federal award to the State in accordance with the state laws and procedures. The University?s Property Control Manual section 1.3 states that the University is responsible and accountable for all property acquired with federal funding in accordance with federal regulations and the provision of a sponsored award. While under the heading of ?non-federal entities other than States,? federal regulation 2 CFR 200.313(c) through (e) also requires that equipment records be maintained, a physical inventory of equipment be taken at least once every two years and reconciled to the equipment record, an appropriate control system be used to safeguard equipment and all equipment shall be adequately maintained. ? The University?s Property Control Manual Section 3.3.1 states that ?only items having an acquisition cost of $5,000 or more are logged and tracked in the university property record.? Furthermore, the University?s Property Control Manual Section 3.3.3, states that equipment records should be updated for any changes discovered during the performance of an inventory over equipment. This would include equipment that should be removed from the listing because it was disposed of or is no longer in service. ? The University?s Property Control Manual section 3.2 states that ?All Government property at $5,000 or above in the custody of the Boulder campus must be tagged.? What problems did the audit work identify? We found that 2 of the 60 equipment items that we tested (3 percent,) with a total value of $39,400, were inappropriately included on the equipment listing even though they had either been disposed of in a prior period or were not in service. Specifically, one equipment item with an approximate value of $28,000 was no longer in service by the University, but still remained on the University?s inventory listing. The second equipment item with an approximate value of $8,400 was disposed of by the University on October 3, 2017, but was still on the list. In addition, we determined that 2 of the 40 equipment items we tested for tagging (5 percent) did not contain the tag as required by the University?s Property Control Manual. One of these items was valued at approximately $28,000. The second item was valued at approximately $31,000. Why did these problems occur? The University?s Boulder campus did not have adequate internal controls in place to ensure it complied with the R&D equipment management requirements. Specifically, although the University does have policies over equipment, Boulder campus staff were not adequately performing the procedures intrinsic in the policy. Specifically, neither the PAO nor the individual University departments adequately reconciled the equipment listing to the physical equipment on hand, which resulted in the list including equipment that had been disposed of or was no longer in use. Additionally, the Boulder Campus did not follow its own policies and procedures requiring that equipment with a value of $5,000 was appropriately tagged. One item?s tag was missing and a replacement tag had been ordered and not received at the time of our procedures. We could not determine whether the University identified that the tag was missing before we requested the information for review. The second item was below ground and the University did not maintain evidence of the original tag. Why do these problems matter? The University is obligated to adhere to specified requirements as outlined by federal regulations and the respective award agreement. By failing to adhere to the requirements for maintenance of equipment, the University potentially risks repercussions from the awarding agency. Furthermore, failing to properly maintain the equipment in accordance with federal and University requirements could increase the risk of theft or loss and decrease the ability of the University to adequately identify theft or loss. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-065 The University of Colorado?s Boulder campus should strengthen its internal controls over equipment management and ensure that it complies with the Research and Development equipment management federal compliance requirements by: A. Ensuring the Campus Controller?s Property Accounting Office and the individual departments adequately reconcile the equipment listing to the physical equipment on hand to ensure that the list is accurate, and remove equipment from the listing that has been disposed of or is no longer in use. B. Enforcing its current policies and procedures for ensuring all equipment is appropriately tagged and maintained. Response University of Colorado A. Agree Implementation Date: March 2023 Management agrees with the recommendation. Procedures have been initiated with cross campus partners and will be fully implemented by March 2023. The proposed corrective action plan is as follows: ? Escalation procedures will be implemented in collaboration with campus partners so that action items identified in inventory reviews are addressed timely. ? The Campus Controller?s Office will work with campus partners to increase physical monitoring procedures to ensure tags are affixed and maintained on equipment. B. Agree Implementation Date: March 2023 Management agrees with the recommendation. Procedures have been initiated with cross campus partners and will be fully implemented by March 2023. The proposed corrective action plan is as follows: ? Escalation procedures will be implemented in collaboration with campus partners so that action items identified in inventory reviews are addressed timely. ? The Campus Controller?s Office will work with campus partners to increase physical monitoring procedures to ensure tags are affixed and maintained on equipment.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-064 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide emergency financial assistance to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the University under the Higher Education Emergency Relief Fund (HEERF I) Program. The federal Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the federal American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Each of the University?s campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (DOE) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements of the HEERF program there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The DOE specified that the Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The University?s campuses are required to submit the annual report directly to the DOE. During Fiscal Year 2022, each University campus was required to complete and post 8 reports (four Student Aid and four Institutional) to their website. During Fiscal Year 2022, the University?s three campuses in total expended approximately $60 million in HEERF grant funds: $27 million was expended by the Boulder campus, $10.5 million was expended by the Colorado Springs campus, and $22.5 million was expended by the Denver campus. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over and complied with the HEERF grant reporting requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls over the HEERF grant reporting requirements. In addition, we tested 11 of the 12 student reports and 3 of the 12 institutional reports posted by the University during Fiscal Year 2022 to determine whether the University campuses posted the required information on each campus? website accurately, and by the federal due dates. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? The DOE issued a notice on May 13, 2021, requiring institutions to publicly post their required HEERF reports on the institution?s website as soon as possible, but no later than 30 days after the publication of the notice, or 30 days after the date the DOE first obligated funds under HEERF I, II, or III to the institution for emergency financial assistance to students; whichever comes later. The institution is required to post the report no later than 10 days after the end of each calendar quarter, after the initial posting. ? Federal regulation [2 CFR 200.303] states that the System?s campuses, as federal grant recipients, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? What problem did the audit work identify? We identified 2 out of the 14 reports tested (14.3 percent) that did not meet the HEERF grant report posting requirements. Specifically, the University of Colorado, Colorado Springs Campus, did not post the required information for the HEERF Student Aid Portion on its website for two of four quarters of Fiscal Year 2022 timely. First, the University posted the quarter-ending September 30, 2021 report to its website on December 23, 2021, or 74 days after the deadline of October 10. Second, the University did not post the quarter-ending March 31, 2022 report, which was due April 10, 2022, until October 2022, after we notified them of the error; this was approximately 6 months late. We did not identify any issues with the accuracy of the reports, and we found that the other two campuses in the University of Colorado System posted the required information on their respective websites as required by federal regulations. Why did this problem occur? The University?s Colorado Springs campus did not have adequate internal controls in place to ensure it complied with the HEERF grant reporting requirements. Specifically, the Colorado Springs Campus did not have appropriate policies and procedures in place for identifying and researching changes in HEERF reporting requirements. The federal government updated and provided a new form for HEERF reporting in September 2021 that included a section for institutional information but inadvertently excluded student information from the form. Because the form no longer required the student information, the Colorado Springs campus staff inaccurately assumed that the student information was no longer required to be reported. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in the DOE Certification and Agreement that is signed and agreed to by the University. By failing to report required information in accordance with federal regulations, the University failed to comply with the requirements of the HEERF program and potentially risks repercussions from the DOE as specified in the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-064 The University of Colorado?s Colorado Springs campus should strengthen its internal controls over and ensure that it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by establishing policies and procedures for identifying and researching changes in HEERF reporting requirements and posting reports to the campus website as required by federal regulations. Response University of Colorado Agree Implementation Date: Implemented Management agrees. After the notification of the missing HEERF report in December 2021, the UCCS Controller proposed a ?cross-check? process to ensure all future reporting is in compliance and reported in a timely manner. This process is used for both the quarterly and annual reporting process. In the quarterly reporting process, the UCCS Controller completes the institutional report and emails the report to the UCCS Financial Aid office Senior Executive Director for verification of the amounts and the data submitted. The Senior Executive Director then enters the student aid portion?s information and provides this to the UCCS Controller for verification of the data. Once verified, the report is uploaded to the UCCS website and a confirmation email is sent to the UCCS Controller as well as the heerfreporting@ed.gov for verification of completion of the website posting. This process has been duplicated with the annual reporting process. Before the annual report is submitted a review will be done to verify the report figures match the CU financials for the calendar year.
Finding 2022-062 Higher Education Emergency Relief Fund Student Aid Finding The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to higher education institutions, including the University, under the HEERF program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA) was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. Since March 11, 2021, the University has been awarded $45.6 million in HEERF grant funds through the American Rescue Plan (ARP), otherwise known as HEERF III. Of this award, the University was provided both 1) Student Aid monies, along with 2) Institutional Aid monies. Student Aid monies must be used to provide financial aid grants to students (including students exclusively enrolled in distance education), which may be used for ?any component of the student?s cost of attendance or for emergency costs that arise due to coronavirus, such as tuition, food, housing, healthcare (including mental health care), or childcare. Institutional Aid monies may be used to defray expenses associated with coronavirus (including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll) and to make additional financial grants to students. During Fiscal Year 2022, the University spent $21.0 million for the Student Aid portion and $20.2 million for the Institutional portion of HEERF III funds. For the Student Aid portion of the HEERF III funding, the University divided the funding into different groups. The University developed a written plan (that applied during Fiscal Year 2022) for each group and a control process for awarding the monies to students. One of the groups of funding was to be awarded to students with unpaid balances in their tuition or auxiliary accounts with past due balances incurred during the 2020-2021 or 2021-2022 academic years. A team of University employees (CARES Team) was tasked with identifying those students, then contacting those students and asking if they would like the University to apply the student?s HEERF award to pay down the student?s account balance or pay it to the student directly. Once the student informed the University of their election, then the University awarded and disbursed the funds. What was the purpose of our audit work and what was performed? The purpose of the audit work was to determine whether the University was in compliance with the HEERF program regulations for awarding and paying the Student Aid portion of the HEERF funding, and whether proper controls were in place over the program during Fiscal Year 2022. Our testing included conducting interviews with management and selecting a sample of 60 disbursements made to students during Fiscal Year 2022 to test controls and compliance. We performed testing on the 60 disbursements to determine whether awards and disbursements were made in accordance with the University?s documented plan. How were the results of the audit work measured? In accordance with HEERF III requirements, the University must prioritize student aid distributions to students with exceptional needs. In addition, the University must have a documented plan to distribute funds to students. Federal regulations [2 CFR 200.303] require any non-federal grant award recipient to establish and maintain effective internal control over the federal award that provides reasonable assurance that the grant award recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. Lastly, student aid application best practices discourage employees from awarding aid to family members. What problem did the audit work identify? Based on interviews with University management, the University identified that a University employee inappropriately provided $700 in HEERF Student Aid funding to the employee?s family member who was a student at the University but was not eligible to receive the funds. Specifically, the CARES Team selected students to receive these funds that met the following criteria: 1) Student was enrolled in the Fall of 2021 or Spring 2022, 2) student had past due balances incurred during the 2020-2021 or 2021-2022 academic years, 3) the student was in good academic standing, and 4) they were participating in a payment plan or in the College Completion Advising program. The student was not selected by the CARES Team as eligible to receive these funds. During our testing of additional 60 student disbursement transactions we found no other exceptions. Why did this problem occur? The University has not established proper segregation of duties to prevent University employees from awarding federal funding to a member of their family. Specifically, the employee had access rights within the University?s financial aid system that granted the employee the ability to both award and disburse federal funds without another employee reviewing or approving. In addition, the University did not have a written policy, as recommended by industry best practices, that prohibits employees from applying aid to family members? accounts. Why does this problem matter? Federal funds that are misapplied or used for unallowable purposes could be subject to repayment from the University to the federal granting agency. Without ensuring adequate segregation of duties within the University?s financial aid system for awarding and disbursing federal funds, the University increases the risk that fraud could occur. In the instance identified, the University recovered the funding from the student. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-062 Metropolitan State University of Denver (University) should improve its internal controls over federal Higher Education Emergency Relief Funds by instituting appropriate segregation of duties over the awarding of federal funds to students. This should include requiring that no one employee can both award then disburse aid to students and developing and implementing a formal written policy that prohibits University employees from awarding financial aid to their family members. Response Metropolitan State University Agree Implementation Date: June 2023 In January 2023, the Executive Director of Financial Aid and Scholarships implemented a code of conduct that addresses and prohibits University personnel from awarding financial aid to their family members or other persons considered conflicts of interest. The Office of Financial Aid and Scholarships will draft policy by June 30, 2023, to address the segregation of duties that prohibits awarding and disbursing federal, state, or institutional funding to students by one employee.
Finding 2022-063 Higher Education Emergency Relief Fund Reporting Compliance Finding The CARES Act was signed into law on March 27, 2020, and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the (HEERF Program. CRRSAA was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Since April 2020, the University has been awarded a total of $86.3 million in HEERF funding. From inception through June 30, 2022, the University spent $35.4 million for the HEERF program Student Aid Portion and $48.9 million for the HEERF program Institutional Portion. The University reports that it will spend the remaining amount of funding during Fiscal Year 2023. The University signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate the University?s acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The ED specified that Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The annual report is to be submitted directly to the federal ED. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University had adequate internal controls in place over and complied with HEERF Institutional and Student Aid Portion grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the University?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 5 of the 8 HEERF reports submitted by the University during Fiscal Year 2022 to determine whether the reports were posted on the University?s primary website or submitted directly to the ED by the federal due dates and complied with federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? For the Student Aid Portion, beginning on May 6, 2020, the ED required institutions to publicly post certain information on their website, including the number of awards distributed to students, the total amount awarded, and the methodologies used by the institution to determine which students receive awards, no later than 30 days after the award date, and to update that information every 45 days thereafter (by posting a new report). ? On August 31, 2020, the ED revised the reporting requirement by decreasing the frequency of reporting after the initial 30-day period from every 45 days thereafter to every calendar quarter. This revision from every 45 days to a calendar quarter was effective for the first calendar quarter report due by October 10, 2020, and covering the period from after the institution?s last report through the end of the calendar quarter on September 30, 2020. ? For the Institutional Portion, a federal form filled out by the institution must be posted on the institution?s website covering aggregate expenditure amounts for each calendar quarter (September 30, December 31, March 31, and June 30) and concluding after an institution has spent the institutional portion of their HEERF Funds. The institution must post their first report by October 30, 2020, the first quarter of 2021 report by July 20, 2021, and post all other reports no later than 10 days after the end of each calendar quarter (October 10, January 10, April 10, and July 10). ? Section 18004(e) of the CARES Act and Section 314(e) of the CRRSAA require an institution receiving funds under HEERF to submit a report to the Secretary of the ED at ?such time in such a manner as the Secretary may require?. ? Federal regulation [2 CFR 200.334] states that ?financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.? The instructions for the Quarterly HEERF Reporting Form notes, ?any changes or updates after the initial posting must be conspicuously noted after initial posting and the date of the change must be noted in the `Date of Report? line.? ? Federal regulation [2 CFR 200.303] states that the University, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The University signed a HEERF Certification and Agreement to accept the funding and acknowledge its responsibilities under the grant; therefore, the University was responsible under the Agreement to ensure that it complied with HEERF reporting and other requirements. What problems did the audit work identify? We determined that 2 out of 5 reports tested (40 percent) did not meet the HEERF grant report posting requirements. Specifically: ? The University did not post the HEERF CRRSAA Student quarterly report for the quarter ending September 30, 2021 on the University?s primary website, as required. ? The University published the HEERF ARP Student quarterly report for the quarter ending March 31, 2022 on May 26, 2022?46 days past the due date of April 10, 2022. No issues were noted on the accuracy of the financial information on this report. Why did these problems occur? The University did not implement adequate internal controls to ensure it complied with the HEERF grant reporting requirements. Specifically, the University did not have appropriate policies and procedures in place to ensure that staff submit the required reports within federally required timeframes. Why do these problems matter? Federal oversight agencies, including ED, depend on accurate reports to measure program results and states? compliance with federal requirements. By failing to report the HEERF spending information in accordance with federal regulations, the University failed to comply with the requirements of the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-063 Metropolitan State University of Denver (University) should strengthen its internal controls over reporting and ensure it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by developing and documenting policies and procedures for identifying and researching the specific reporting requirements and ensuring that staff post to the University?s website the required reports within federally required timeframes. In addition, the University should ensure that all the HEERF reports that are currently required to be posted are on the website. Response Metropolitan State University Agree Implementation Date: December 2022 In December 2022, the Office of Financial Aid strengthened its internal control over the reporting requirements for the Higher Education Emergency Relief Fund (HEERF), by adding the report due dates to the internal operational calendar. Additional level reviews were also added to the submission process before the required reports will be sent to the Department of Education and posted on the financial aid website.
Finding 2022-059 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF I) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund (Assistance Listing No. 84.425). The HEERF program contains two portions: the Student Aid portion (Assistance Listing No. 84.425E) and the Institutional portion, which is made up of the following: HEERF Institutional Aid Portion (Assistance Listing No. 84.425F), HEERF Minority Serving Institutions (Assistance Listing No. 84.425L), HEERF Strengthening Institutions Program (Assistance Listing No. 84.425M), Institutional Resilience and Expanded Postsecondary Opportunity (Assistance Listing No. 84.425P), and HEERF Supplemental Assistance to Institutions of Higher Education program (Assistance Listing No. 84.425S). Amounts provided to students through HEERF are considered to be ?Emergency Financial Aid Grants to Students? under the Program. Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent approximately $97.8 million for the HEERF program Student Aid portion which is used to award Emergency Financial Aid Grants to students and $113.9 million for the HEERF Institutional Portion, which is used to support the colleges. $117.3 of this amount was expended by the System during Fiscal Year 2022. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the ED to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The annual report is to be submitted directly to the ED. The ED has specified certain criteria that must be included in each report. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System had adequate internal controls in place over, and complied with, the HEERF Institutional and Student Aid grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the System?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 25 of the 117 HEERF reports submitted by the System?s campuses during Fiscal Year 2022 to determine whether the reports were posted on each campus? primary website (quarterly reports) or submitted to ED (annual reports) by the federal due dates. Furthermore, for the Student Aid Quarterly Report we requested from each Campus the underlying support for the reports, which consisted of student data detailing how much aid was awarded and the methods the campuses used to determine which students would receive Emergency Financial Aid Grants. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? On May 13, 2021, the ED published in the Federal Register a notice for student aid public reporting under CRRSAA and ARP, which requires that institutions publicly post certain information on their website. The following information must appear in a format and location that is easily accessible to the public: o An acknowledgement that the institution signed and returned to the ED the Certification and Agreement and the assurance that the institution has used the applicable amount of funds designated under the CRRSAA and ARP programs to provide Emergency Financial Aid Grants to Students. o The total amount of funds that the institution will receive or has received from the ED pursuant to the institution's Certification and Agreement for Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total amount of Emergency Financial Aid Grants distributed to students under the CRRSAA and ARP programs as of the date of submission (i.e., as of the initial report and every calendar quarter thereafter). o The estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total number of students who have received an Emergency Financial Aid Grant to students under the CRRSAA and ARP programs. o The method(s) used by the institution to determine which students receive Emergency Financial Aid Grants and how much they would receive under the CRRSAA and ARP programs. o Any instructions, directions, or guidance provided by the institution to students concerning the Emergency Financial Aid Grants. ? Federal Uniform Guidance [2 CFR 200.303] requires that recipients of federal awards have internal controls in place to ensure that federal reports are accurate and report complete information. Appropriate supporting documentation is evidence of such internal controls. What problems did the audit work identify? We identified issues with 5 of the 25 Fiscal Year 2022 reports we tested (20 percent). Specifically, Front Range Community College (FRCC), Pueblo Community College (PCC), and Lamar Community College (LCC) could not provide appropriate supporting documentation for one or more of the following data elements in five of the Student Aid Quarterly Reports: student data detailing (a) the total amount of Emergency Financial Aid Grants distributed to students, (b) the total number of students eligible to receive Emergency Financial Aid Grants and/or (c) the total number of students at the institution who have received an Emergency Financial Aid Grant. The specific issues we found the following: ? FRCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended September 30, 2021 as 20,684; based on our review, we determined the supported number was 20,782. ? FRCC reported the total number of students at the institution who have received an Emergency Financial Aid Grant for the quarter ended June 30, 2022 as 20,385 (student portion) and 3,207 (institutional portion); based on our review, we determined the supported numbers were 20,401 and 3,222, respectively. ? LCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended June 30, 2022 as 1,007; based on our review, we determined the supported number was 1,034. In addition, the amount disbursed directly to student emergency financial aid grants to date was reported as 961 and total for all HEERF funds was 1,124; based on our review, we determined the supported numbers were 988 and 1,151, respectively. ? PCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarters ending September 30, 2021 and December 31, 2021 as 3,191; based on our review, we determined this amount could not be supported and PCC did not provide a revised count. Why did these problems occur? FRCC, PCC, and LCC campuses did not have procedures in place to ensure that supporting documentation was maintained for its Student Aid Quarterly Reporting. Employee turnover in the FRCC Controller position and FRCC, PCC, and LCC Student Financial Aid Director positions further contributed to FRCC, PCC, and LCC?s inability to locate or recreate the supporting documentation. Why do these problems matter? It is important for FRCC, PCC, and LCC to ensure that they obtain and maintain appropriate documentation to support amounts reported to federal awarding agencies, especially when they are the basis for determining FRCC, PCC, and LCC?s compliance with specific federal program requirements. This issue could lead to inaccurate federal reporting and potential noncompliance, which could result in the federal government requiring FRCC, PCC, and LCC to return funds or a negative impact to the System?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-059 Front Range Community College, Lamar Community College, and Pueblo Community College campuses should strengthen their internal controls over federal reporting and ensure they comply with the Higher Education Emergency Relief Fund reporting requirements by reviewing reports for accuracy and developing procedures for ensuring the required maintenance of all related supporting documentation. Response Front Range Community College Agree Implementation Date: September 2022 Moving forward the Director of Financial Aid will engage the Restricted Funds Accountants in a quality assurance review of both dollars spent, type of fund, and student counts before it is submitted for final review and publishing by the Director of Resource Development and Senior Grant Administrator. The most recently submitted information for the quarterly report of September 30, 2022 will be sent to the Restricted Funds Accountants to validate that FRCC has been and will continue to be in compliance for quarterly HEERF reporting. Response Lamar Community College Agree Implementation Date: July 2022 The Financial Aid Director and the Controller will compile their reporting support on the shared drive they utilize for other routine purposes as well, to ensure clear documentation of the numbers reported. The original report containing errors was corrected, validated, and reposted. All past year?s reporting data was made available on the shared drive as of July 2022. Response Pueblo Community College Agree Implementation Date: October 2022 Each quarter Financial aid will obtain and compare Cognos and Banner disbursement reports for accuracy. Once the unduplicated student count is determined it will be sent to the Vice President of Student Success to validate and approve going forward. Financial aid will ensure staff maintain supporting documentation for any institutional expenditures information that was obtained from the fiscal office. Disbursement and expenditure data will be compiled for the Department of Education?s Quarterly Report by the submission deadline and will be submitted as PDF to webmaster for posting on PCC?s website and a copy emailed to a contact at the Department of Education and will archive the submission for future reference.
Finding 2022-074 Coronavirus Relief Funds?Property Owner Preservation Program The President of the United States issued the Proclamation on Declaring a National Emergency Concerning the Novel Coronavirus Disease (COVID-19) Outbreak on March 13, 2020 and Congress subsequently passed the Coronavirus Aid, Relief, and Economic Security (CARES) Act. The CARES Act provided emergency assistance in response to the COVID-19 pandemic and established the Coronavirus Relief Fund (CRF) program, which provided payments to state, local, and tribal governments navigating the impact of COVID-19. The State of Colorado received approximately $1.67 billion of CRF funds in April 2020, and the Governor issued Executive Order 2020-070 (Executive Order) in May 2020 to disburse the CRF funds to numerous state departments and agencies. In June 2020, the State passed House Bill 20-1410, concerning assistance for individuals facing a housing-related hardship due to the COVID-19 pandemic, and transferred approximately $19.7 million of CRF funds to the Housing Development Grant Fund to provide such assistance. This bill includes a provision for the Property Owners Preservation Program (Program), which was managed by the Department, to allow landlords and property owners to seek rental assistance on behalf of their tenants who experienced a financial need on or after March 1, 2020, due to the effects of the COVID-19 pandemic. In Fiscal Year 2021, the Department expended the $19.7 million of the CRF funds it received in April 2020, for the Property Owners Preservation Program (POPP). What was the purpose of our audit work and what work was performed? The purpose of the audit work was to follow up on our prior year audit recommendation, which recommended that the Department implement internal controls to ensure it complies with federal regulations for any new federal funds it receives, such as the CRF. The Department planned to implement this recommendation by June 2022. During the Fiscal Year 2022 audit, we inquired with the Department on the implementation status of this recommendation. We also obtained and reviewed the Department?s Exhibit K3, Schedule of Prior Year Audit Recommendation Status, which it was required to submit to the State Controller. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Under House Bill 20-1410, the Housing Development Grant Fund was appropriated $19,650,000 of funds from the CRF for the purpose of providing individuals and households who, on or after March 1, 2020, experienced financial need due to the COVID-19 pandemic or effects of the COVID-19 pandemic, with rental assistance. The House Bill also provided guidance on how to access additional housing services. The Department developed and issued a new application for the POPP to address the criteria for experiencing direct or indirect impacts of the COVID-19 pandemic. ? Federal regulations [2 CFR 200.303] require that the Department, as a federal grant recipient, ?establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.? Furthermore, in accordance with 2 CFR part 200, subpart E, the Department must determine that amounts paid with federal grant funds were necessary and reasonable for the performance of the federal award and are adequately documented. Therefore, the Department must maintain appropriate supporting documentation to verify costs were properly charged to the federal grants. ? The Office of the State Controller (OSC) requires each department that had a prior audit recommendation that was reported in the prior fiscal year?s Office of the State Auditor Statewide audit to complete an Exhibit K3 to report the Department?s determination of the status of their recommendation as of June 30. Possible status descriptions include ?Implemented,? ?Partially Implemented,? ?Not Implemented,? and ?No Longer Valid.? The Department must provide an explanation for each recommendation status. What problem did the audit work identify? We determined that the Department did not implement the prior year?s recommendation by its planned implementation date of June 2022. Specifically, during prior year audit work, we found that the Department could not provide appropriate underlying support for 4 of the 60 transactions (7 percent) we tested that were charged as CRF expenditures for the Program; as a result, we recommended that the Department strengthen its internal controls over federal grant spending, including that it develop and implement policies and procedures with a requirement that Department staff review and maintain records supporting its expenditures charged to federal programs. When we inquired of the Department about what steps it had taken to implement the recommendation, Department staff indicated that they did not implement the recommendation during Fiscal Year 2022. Why did this problem occur? The Department reported on its Exhibit K3 that it determined that the original implementation date of June 2022 that the Department provided as its planned implementation date for our Fiscal Year 2021 recommendation was unrealistic, given the Department?s staffing challenges. Specifically, the Department indicated that it was not able to allocate sufficient time to develop and implement the recommended policy and procedure guidance by the end of Fiscal Year 2022. Why does this problem matter? The Department?s lack of sufficient internal controls over the maintenance of complete and accurate records for the federal CRF monies could result in inadequate documentation to support its payments and ultimately, disallowed federal costs and potential sanctions. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-074 The Department of Local Affairs (Department) should implement internal controls to ensure it complies with federal regulations, specifically for activities allowed or unallowed and allowable costs/cost principles, for any new federal funds it receives, such as the Coronavirus Relief Fund. This should include developing and implementing policies and procedures that include a requirement that Department staff review and maintain records supporting the expenditures charged to the federal program. Response Department of Local Affairs Agree Implementation Date: September 2022 The Division of Housing within the Department of Local Affairs has implemented internal controls to ensure compliance with federal regulations for new federal funds, including the development of a standard procedure and the requirement that Department staff review and maintain records supporting the expenditures charged to new federal programs.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Finding 2022-059 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF I) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund (Assistance Listing No. 84.425). The HEERF program contains two portions: the Student Aid portion (Assistance Listing No. 84.425E) and the Institutional portion, which is made up of the following: HEERF Institutional Aid Portion (Assistance Listing No. 84.425F), HEERF Minority Serving Institutions (Assistance Listing No. 84.425L), HEERF Strengthening Institutions Program (Assistance Listing No. 84.425M), Institutional Resilience and Expanded Postsecondary Opportunity (Assistance Listing No. 84.425P), and HEERF Supplemental Assistance to Institutions of Higher Education program (Assistance Listing No. 84.425S). Amounts provided to students through HEERF are considered to be ?Emergency Financial Aid Grants to Students? under the Program. Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent approximately $97.8 million for the HEERF program Student Aid portion which is used to award Emergency Financial Aid Grants to students and $113.9 million for the HEERF Institutional Portion, which is used to support the colleges. $117.3 of this amount was expended by the System during Fiscal Year 2022. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the ED to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The annual report is to be submitted directly to the ED. The ED has specified certain criteria that must be included in each report. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System had adequate internal controls in place over, and complied with, the HEERF Institutional and Student Aid grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the System?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 25 of the 117 HEERF reports submitted by the System?s campuses during Fiscal Year 2022 to determine whether the reports were posted on each campus? primary website (quarterly reports) or submitted to ED (annual reports) by the federal due dates. Furthermore, for the Student Aid Quarterly Report we requested from each Campus the underlying support for the reports, which consisted of student data detailing how much aid was awarded and the methods the campuses used to determine which students would receive Emergency Financial Aid Grants. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? On May 13, 2021, the ED published in the Federal Register a notice for student aid public reporting under CRRSAA and ARP, which requires that institutions publicly post certain information on their website. The following information must appear in a format and location that is easily accessible to the public: o An acknowledgement that the institution signed and returned to the ED the Certification and Agreement and the assurance that the institution has used the applicable amount of funds designated under the CRRSAA and ARP programs to provide Emergency Financial Aid Grants to Students. o The total amount of funds that the institution will receive or has received from the ED pursuant to the institution's Certification and Agreement for Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total amount of Emergency Financial Aid Grants distributed to students under the CRRSAA and ARP programs as of the date of submission (i.e., as of the initial report and every calendar quarter thereafter). o The estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total number of students who have received an Emergency Financial Aid Grant to students under the CRRSAA and ARP programs. o The method(s) used by the institution to determine which students receive Emergency Financial Aid Grants and how much they would receive under the CRRSAA and ARP programs. o Any instructions, directions, or guidance provided by the institution to students concerning the Emergency Financial Aid Grants. ? Federal Uniform Guidance [2 CFR 200.303] requires that recipients of federal awards have internal controls in place to ensure that federal reports are accurate and report complete information. Appropriate supporting documentation is evidence of such internal controls. What problems did the audit work identify? We identified issues with 5 of the 25 Fiscal Year 2022 reports we tested (20 percent). Specifically, Front Range Community College (FRCC), Pueblo Community College (PCC), and Lamar Community College (LCC) could not provide appropriate supporting documentation for one or more of the following data elements in five of the Student Aid Quarterly Reports: student data detailing (a) the total amount of Emergency Financial Aid Grants distributed to students, (b) the total number of students eligible to receive Emergency Financial Aid Grants and/or (c) the total number of students at the institution who have received an Emergency Financial Aid Grant. The specific issues we found the following: ? FRCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended September 30, 2021 as 20,684; based on our review, we determined the supported number was 20,782. ? FRCC reported the total number of students at the institution who have received an Emergency Financial Aid Grant for the quarter ended June 30, 2022 as 20,385 (student portion) and 3,207 (institutional portion); based on our review, we determined the supported numbers were 20,401 and 3,222, respectively. ? LCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended June 30, 2022 as 1,007; based on our review, we determined the supported number was 1,034. In addition, the amount disbursed directly to student emergency financial aid grants to date was reported as 961 and total for all HEERF funds was 1,124; based on our review, we determined the supported numbers were 988 and 1,151, respectively. ? PCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarters ending September 30, 2021 and December 31, 2021 as 3,191; based on our review, we determined this amount could not be supported and PCC did not provide a revised count. Why did these problems occur? FRCC, PCC, and LCC campuses did not have procedures in place to ensure that supporting documentation was maintained for its Student Aid Quarterly Reporting. Employee turnover in the FRCC Controller position and FRCC, PCC, and LCC Student Financial Aid Director positions further contributed to FRCC, PCC, and LCC?s inability to locate or recreate the supporting documentation. Why do these problems matter? It is important for FRCC, PCC, and LCC to ensure that they obtain and maintain appropriate documentation to support amounts reported to federal awarding agencies, especially when they are the basis for determining FRCC, PCC, and LCC?s compliance with specific federal program requirements. This issue could lead to inaccurate federal reporting and potential noncompliance, which could result in the federal government requiring FRCC, PCC, and LCC to return funds or a negative impact to the System?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-059 Front Range Community College, Lamar Community College, and Pueblo Community College campuses should strengthen their internal controls over federal reporting and ensure they comply with the Higher Education Emergency Relief Fund reporting requirements by reviewing reports for accuracy and developing procedures for ensuring the required maintenance of all related supporting documentation. Response Front Range Community College Agree Implementation Date: September 2022 Moving forward the Director of Financial Aid will engage the Restricted Funds Accountants in a quality assurance review of both dollars spent, type of fund, and student counts before it is submitted for final review and publishing by the Director of Resource Development and Senior Grant Administrator. The most recently submitted information for the quarterly report of September 30, 2022 will be sent to the Restricted Funds Accountants to validate that FRCC has been and will continue to be in compliance for quarterly HEERF reporting. Response Lamar Community College Agree Implementation Date: July 2022 The Financial Aid Director and the Controller will compile their reporting support on the shared drive they utilize for other routine purposes as well, to ensure clear documentation of the numbers reported. The original report containing errors was corrected, validated, and reposted. All past year?s reporting data was made available on the shared drive as of July 2022. Response Pueblo Community College Agree Implementation Date: October 2022 Each quarter Financial aid will obtain and compare Cognos and Banner disbursement reports for accuracy. Once the unduplicated student count is determined it will be sent to the Vice President of Student Success to validate and approve going forward. Financial aid will ensure staff maintain supporting documentation for any institutional expenditures information that was obtained from the fiscal office. Disbursement and expenditure data will be compiled for the Department of Education?s Quarterly Report by the submission deadline and will be submitted as PDF to webmaster for posting on PCC?s website and a copy emailed to a contact at the Department of Education and will archive the submission for future reference.
Finding 2022-062 Higher Education Emergency Relief Fund Student Aid Finding The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to higher education institutions, including the University, under the HEERF program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA) was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. Since March 11, 2021, the University has been awarded $45.6 million in HEERF grant funds through the American Rescue Plan (ARP), otherwise known as HEERF III. Of this award, the University was provided both 1) Student Aid monies, along with 2) Institutional Aid monies. Student Aid monies must be used to provide financial aid grants to students (including students exclusively enrolled in distance education), which may be used for ?any component of the student?s cost of attendance or for emergency costs that arise due to coronavirus, such as tuition, food, housing, healthcare (including mental health care), or childcare. Institutional Aid monies may be used to defray expenses associated with coronavirus (including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll) and to make additional financial grants to students. During Fiscal Year 2022, the University spent $21.0 million for the Student Aid portion and $20.2 million for the Institutional portion of HEERF III funds. For the Student Aid portion of the HEERF III funding, the University divided the funding into different groups. The University developed a written plan (that applied during Fiscal Year 2022) for each group and a control process for awarding the monies to students. One of the groups of funding was to be awarded to students with unpaid balances in their tuition or auxiliary accounts with past due balances incurred during the 2020-2021 or 2021-2022 academic years. A team of University employees (CARES Team) was tasked with identifying those students, then contacting those students and asking if they would like the University to apply the student?s HEERF award to pay down the student?s account balance or pay it to the student directly. Once the student informed the University of their election, then the University awarded and disbursed the funds. What was the purpose of our audit work and what was performed? The purpose of the audit work was to determine whether the University was in compliance with the HEERF program regulations for awarding and paying the Student Aid portion of the HEERF funding, and whether proper controls were in place over the program during Fiscal Year 2022. Our testing included conducting interviews with management and selecting a sample of 60 disbursements made to students during Fiscal Year 2022 to test controls and compliance. We performed testing on the 60 disbursements to determine whether awards and disbursements were made in accordance with the University?s documented plan. How were the results of the audit work measured? In accordance with HEERF III requirements, the University must prioritize student aid distributions to students with exceptional needs. In addition, the University must have a documented plan to distribute funds to students. Federal regulations [2 CFR 200.303] require any non-federal grant award recipient to establish and maintain effective internal control over the federal award that provides reasonable assurance that the grant award recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. Lastly, student aid application best practices discourage employees from awarding aid to family members. What problem did the audit work identify? Based on interviews with University management, the University identified that a University employee inappropriately provided $700 in HEERF Student Aid funding to the employee?s family member who was a student at the University but was not eligible to receive the funds. Specifically, the CARES Team selected students to receive these funds that met the following criteria: 1) Student was enrolled in the Fall of 2021 or Spring 2022, 2) student had past due balances incurred during the 2020-2021 or 2021-2022 academic years, 3) the student was in good academic standing, and 4) they were participating in a payment plan or in the College Completion Advising program. The student was not selected by the CARES Team as eligible to receive these funds. During our testing of additional 60 student disbursement transactions we found no other exceptions. Why did this problem occur? The University has not established proper segregation of duties to prevent University employees from awarding federal funding to a member of their family. Specifically, the employee had access rights within the University?s financial aid system that granted the employee the ability to both award and disburse federal funds without another employee reviewing or approving. In addition, the University did not have a written policy, as recommended by industry best practices, that prohibits employees from applying aid to family members? accounts. Why does this problem matter? Federal funds that are misapplied or used for unallowable purposes could be subject to repayment from the University to the federal granting agency. Without ensuring adequate segregation of duties within the University?s financial aid system for awarding and disbursing federal funds, the University increases the risk that fraud could occur. In the instance identified, the University recovered the funding from the student. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-062 Metropolitan State University of Denver (University) should improve its internal controls over federal Higher Education Emergency Relief Funds by instituting appropriate segregation of duties over the awarding of federal funds to students. This should include requiring that no one employee can both award then disburse aid to students and developing and implementing a formal written policy that prohibits University employees from awarding financial aid to their family members. Response Metropolitan State University Agree Implementation Date: June 2023 In January 2023, the Executive Director of Financial Aid and Scholarships implemented a code of conduct that addresses and prohibits University personnel from awarding financial aid to their family members or other persons considered conflicts of interest. The Office of Financial Aid and Scholarships will draft policy by June 30, 2023, to address the segregation of duties that prohibits awarding and disbursing federal, state, or institutional funding to students by one employee.
Finding 2022-063 Higher Education Emergency Relief Fund Reporting Compliance Finding The CARES Act was signed into law on March 27, 2020, and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the (HEERF Program. CRRSAA was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Since April 2020, the University has been awarded a total of $86.3 million in HEERF funding. From inception through June 30, 2022, the University spent $35.4 million for the HEERF program Student Aid Portion and $48.9 million for the HEERF program Institutional Portion. The University reports that it will spend the remaining amount of funding during Fiscal Year 2023. The University signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate the University?s acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The ED specified that Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The annual report is to be submitted directly to the federal ED. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University had adequate internal controls in place over and complied with HEERF Institutional and Student Aid Portion grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the University?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 5 of the 8 HEERF reports submitted by the University during Fiscal Year 2022 to determine whether the reports were posted on the University?s primary website or submitted directly to the ED by the federal due dates and complied with federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? For the Student Aid Portion, beginning on May 6, 2020, the ED required institutions to publicly post certain information on their website, including the number of awards distributed to students, the total amount awarded, and the methodologies used by the institution to determine which students receive awards, no later than 30 days after the award date, and to update that information every 45 days thereafter (by posting a new report). ? On August 31, 2020, the ED revised the reporting requirement by decreasing the frequency of reporting after the initial 30-day period from every 45 days thereafter to every calendar quarter. This revision from every 45 days to a calendar quarter was effective for the first calendar quarter report due by October 10, 2020, and covering the period from after the institution?s last report through the end of the calendar quarter on September 30, 2020. ? For the Institutional Portion, a federal form filled out by the institution must be posted on the institution?s website covering aggregate expenditure amounts for each calendar quarter (September 30, December 31, March 31, and June 30) and concluding after an institution has spent the institutional portion of their HEERF Funds. The institution must post their first report by October 30, 2020, the first quarter of 2021 report by July 20, 2021, and post all other reports no later than 10 days after the end of each calendar quarter (October 10, January 10, April 10, and July 10). ? Section 18004(e) of the CARES Act and Section 314(e) of the CRRSAA require an institution receiving funds under HEERF to submit a report to the Secretary of the ED at ?such time in such a manner as the Secretary may require?. ? Federal regulation [2 CFR 200.334] states that ?financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.? The instructions for the Quarterly HEERF Reporting Form notes, ?any changes or updates after the initial posting must be conspicuously noted after initial posting and the date of the change must be noted in the `Date of Report? line.? ? Federal regulation [2 CFR 200.303] states that the University, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The University signed a HEERF Certification and Agreement to accept the funding and acknowledge its responsibilities under the grant; therefore, the University was responsible under the Agreement to ensure that it complied with HEERF reporting and other requirements. What problems did the audit work identify? We determined that 2 out of 5 reports tested (40 percent) did not meet the HEERF grant report posting requirements. Specifically: ? The University did not post the HEERF CRRSAA Student quarterly report for the quarter ending September 30, 2021 on the University?s primary website, as required. ? The University published the HEERF ARP Student quarterly report for the quarter ending March 31, 2022 on May 26, 2022?46 days past the due date of April 10, 2022. No issues were noted on the accuracy of the financial information on this report. Why did these problems occur? The University did not implement adequate internal controls to ensure it complied with the HEERF grant reporting requirements. Specifically, the University did not have appropriate policies and procedures in place to ensure that staff submit the required reports within federally required timeframes. Why do these problems matter? Federal oversight agencies, including ED, depend on accurate reports to measure program results and states? compliance with federal requirements. By failing to report the HEERF spending information in accordance with federal regulations, the University failed to comply with the requirements of the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-063 Metropolitan State University of Denver (University) should strengthen its internal controls over reporting and ensure it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by developing and documenting policies and procedures for identifying and researching the specific reporting requirements and ensuring that staff post to the University?s website the required reports within federally required timeframes. In addition, the University should ensure that all the HEERF reports that are currently required to be posted are on the website. Response Metropolitan State University Agree Implementation Date: December 2022 In December 2022, the Office of Financial Aid strengthened its internal control over the reporting requirements for the Higher Education Emergency Relief Fund (HEERF), by adding the report due dates to the internal operational calendar. Additional level reviews were also added to the submission process before the required reports will be sent to the Department of Education and posted on the financial aid website.
Finding 2022-064 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide emergency financial assistance to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the University under the Higher Education Emergency Relief Fund (HEERF I) Program. The federal Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the federal American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Each of the University?s campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (DOE) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements of the HEERF program there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The DOE specified that the Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The University?s campuses are required to submit the annual report directly to the DOE. During Fiscal Year 2022, each University campus was required to complete and post 8 reports (four Student Aid and four Institutional) to their website. During Fiscal Year 2022, the University?s three campuses in total expended approximately $60 million in HEERF grant funds: $27 million was expended by the Boulder campus, $10.5 million was expended by the Colorado Springs campus, and $22.5 million was expended by the Denver campus. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over and complied with the HEERF grant reporting requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls over the HEERF grant reporting requirements. In addition, we tested 11 of the 12 student reports and 3 of the 12 institutional reports posted by the University during Fiscal Year 2022 to determine whether the University campuses posted the required information on each campus? website accurately, and by the federal due dates. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? The DOE issued a notice on May 13, 2021, requiring institutions to publicly post their required HEERF reports on the institution?s website as soon as possible, but no later than 30 days after the publication of the notice, or 30 days after the date the DOE first obligated funds under HEERF I, II, or III to the institution for emergency financial assistance to students; whichever comes later. The institution is required to post the report no later than 10 days after the end of each calendar quarter, after the initial posting. ? Federal regulation [2 CFR 200.303] states that the System?s campuses, as federal grant recipients, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? What problem did the audit work identify? We identified 2 out of the 14 reports tested (14.3 percent) that did not meet the HEERF grant report posting requirements. Specifically, the University of Colorado, Colorado Springs Campus, did not post the required information for the HEERF Student Aid Portion on its website for two of four quarters of Fiscal Year 2022 timely. First, the University posted the quarter-ending September 30, 2021 report to its website on December 23, 2021, or 74 days after the deadline of October 10. Second, the University did not post the quarter-ending March 31, 2022 report, which was due April 10, 2022, until October 2022, after we notified them of the error; this was approximately 6 months late. We did not identify any issues with the accuracy of the reports, and we found that the other two campuses in the University of Colorado System posted the required information on their respective websites as required by federal regulations. Why did this problem occur? The University?s Colorado Springs campus did not have adequate internal controls in place to ensure it complied with the HEERF grant reporting requirements. Specifically, the Colorado Springs Campus did not have appropriate policies and procedures in place for identifying and researching changes in HEERF reporting requirements. The federal government updated and provided a new form for HEERF reporting in September 2021 that included a section for institutional information but inadvertently excluded student information from the form. Because the form no longer required the student information, the Colorado Springs campus staff inaccurately assumed that the student information was no longer required to be reported. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in the DOE Certification and Agreement that is signed and agreed to by the University. By failing to report required information in accordance with federal regulations, the University failed to comply with the requirements of the HEERF program and potentially risks repercussions from the DOE as specified in the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-064 The University of Colorado?s Colorado Springs campus should strengthen its internal controls over and ensure that it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by establishing policies and procedures for identifying and researching changes in HEERF reporting requirements and posting reports to the campus website as required by federal regulations. Response University of Colorado Agree Implementation Date: Implemented Management agrees. After the notification of the missing HEERF report in December 2021, the UCCS Controller proposed a ?cross-check? process to ensure all future reporting is in compliance and reported in a timely manner. This process is used for both the quarterly and annual reporting process. In the quarterly reporting process, the UCCS Controller completes the institutional report and emails the report to the UCCS Financial Aid office Senior Executive Director for verification of the amounts and the data submitted. The Senior Executive Director then enters the student aid portion?s information and provides this to the UCCS Controller for verification of the data. Once verified, the report is uploaded to the UCCS website and a confirmation email is sent to the UCCS Controller as well as the heerfreporting@ed.gov for verification of completion of the website posting. This process has been duplicated with the annual reporting process. Before the annual report is submitted a review will be done to verify the report figures match the CU financials for the calendar year.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Finding 2022-074 Coronavirus Relief Funds?Property Owner Preservation Program The President of the United States issued the Proclamation on Declaring a National Emergency Concerning the Novel Coronavirus Disease (COVID-19) Outbreak on March 13, 2020 and Congress subsequently passed the Coronavirus Aid, Relief, and Economic Security (CARES) Act. The CARES Act provided emergency assistance in response to the COVID-19 pandemic and established the Coronavirus Relief Fund (CRF) program, which provided payments to state, local, and tribal governments navigating the impact of COVID-19. The State of Colorado received approximately $1.67 billion of CRF funds in April 2020, and the Governor issued Executive Order 2020-070 (Executive Order) in May 2020 to disburse the CRF funds to numerous state departments and agencies. In June 2020, the State passed House Bill 20-1410, concerning assistance for individuals facing a housing-related hardship due to the COVID-19 pandemic, and transferred approximately $19.7 million of CRF funds to the Housing Development Grant Fund to provide such assistance. This bill includes a provision for the Property Owners Preservation Program (Program), which was managed by the Department, to allow landlords and property owners to seek rental assistance on behalf of their tenants who experienced a financial need on or after March 1, 2020, due to the effects of the COVID-19 pandemic. In Fiscal Year 2021, the Department expended the $19.7 million of the CRF funds it received in April 2020, for the Property Owners Preservation Program (POPP). What was the purpose of our audit work and what work was performed? The purpose of the audit work was to follow up on our prior year audit recommendation, which recommended that the Department implement internal controls to ensure it complies with federal regulations for any new federal funds it receives, such as the CRF. The Department planned to implement this recommendation by June 2022. During the Fiscal Year 2022 audit, we inquired with the Department on the implementation status of this recommendation. We also obtained and reviewed the Department?s Exhibit K3, Schedule of Prior Year Audit Recommendation Status, which it was required to submit to the State Controller. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Under House Bill 20-1410, the Housing Development Grant Fund was appropriated $19,650,000 of funds from the CRF for the purpose of providing individuals and households who, on or after March 1, 2020, experienced financial need due to the COVID-19 pandemic or effects of the COVID-19 pandemic, with rental assistance. The House Bill also provided guidance on how to access additional housing services. The Department developed and issued a new application for the POPP to address the criteria for experiencing direct or indirect impacts of the COVID-19 pandemic. ? Federal regulations [2 CFR 200.303] require that the Department, as a federal grant recipient, ?establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.? Furthermore, in accordance with 2 CFR part 200, subpart E, the Department must determine that amounts paid with federal grant funds were necessary and reasonable for the performance of the federal award and are adequately documented. Therefore, the Department must maintain appropriate supporting documentation to verify costs were properly charged to the federal grants. ? The Office of the State Controller (OSC) requires each department that had a prior audit recommendation that was reported in the prior fiscal year?s Office of the State Auditor Statewide audit to complete an Exhibit K3 to report the Department?s determination of the status of their recommendation as of June 30. Possible status descriptions include ?Implemented,? ?Partially Implemented,? ?Not Implemented,? and ?No Longer Valid.? The Department must provide an explanation for each recommendation status. What problem did the audit work identify? We determined that the Department did not implement the prior year?s recommendation by its planned implementation date of June 2022. Specifically, during prior year audit work, we found that the Department could not provide appropriate underlying support for 4 of the 60 transactions (7 percent) we tested that were charged as CRF expenditures for the Program; as a result, we recommended that the Department strengthen its internal controls over federal grant spending, including that it develop and implement policies and procedures with a requirement that Department staff review and maintain records supporting its expenditures charged to federal programs. When we inquired of the Department about what steps it had taken to implement the recommendation, Department staff indicated that they did not implement the recommendation during Fiscal Year 2022. Why did this problem occur? The Department reported on its Exhibit K3 that it determined that the original implementation date of June 2022 that the Department provided as its planned implementation date for our Fiscal Year 2021 recommendation was unrealistic, given the Department?s staffing challenges. Specifically, the Department indicated that it was not able to allocate sufficient time to develop and implement the recommended policy and procedure guidance by the end of Fiscal Year 2022. Why does this problem matter? The Department?s lack of sufficient internal controls over the maintenance of complete and accurate records for the federal CRF monies could result in inadequate documentation to support its payments and ultimately, disallowed federal costs and potential sanctions. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-074 The Department of Local Affairs (Department) should implement internal controls to ensure it complies with federal regulations, specifically for activities allowed or unallowed and allowable costs/cost principles, for any new federal funds it receives, such as the Coronavirus Relief Fund. This should include developing and implementing policies and procedures that include a requirement that Department staff review and maintain records supporting the expenditures charged to the federal program. Response Department of Local Affairs Agree Implementation Date: September 2022 The Division of Housing within the Department of Local Affairs has implemented internal controls to ensure compliance with federal regulations for new federal funds, including the development of a standard procedure and the requirement that Department staff review and maintain records supporting the expenditures charged to new federal programs.
Finding 2022-042 Federal Funding Accountability and Transparency Act The Federal Funding Accountability and Transparency Act (Transparency Act or FFATA) was created to empower Americans with the ability to hold the government accountable for each spending decision and, as a result, to reduce wasteful spending by the government. The Transparency Act requires the federal government to make certain information on federal awards available to the public. In order to obtain this information, the federal government requires grant recipients to provide information to it. For example, the federal Department of Education (DOE) requires the Department to report information about subgrants, or subawards, it gives to other governments or to nonprofit organizations (also referred to as subrecipients) from the DOE grants it receives. Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the Department, to an entity to carry out part of a Federal grant award received by the pass-through entity. The Department is specifically required to file FFATA reports through the FFATA Subaward Reporting System (FSRS). Once the Department submits a report to FSRS, the public can view certain information from the report, including the subrecipient?s name, subaward identification number, subaward obligation/action date, subaward amount, federal awarding agency and subagency, the Department?s name, and the Department?s grant award identification number. The Department is required to file a FFATA report in the following circumstances: ? If the initial award is equal to or more than $30,000; ? If subsequent grant modifications result in a total award are equal to or more than $30,000; ? If the initial award is equal to or more than $30,000 but funding is subsequently de-obligated such that the total award amount falls below $30,000. The Department?s required FFATA reports for Fiscal Year 2022 included information on Title I Grants to Local Education Agencies [ALN 84.010] and COVID-19 Education Stabilization Fund (ESF) [84.425], specifically Elementary and Secondary School Emergency Relief (ESSER) Fund [84.425D] and American Rescue Plan - Elementary and Secondary School Emergency Relief (ARP ESSER) [84.425U]. FFATA reporting was required for the Department because the Department passed through funds to one or more subrecipients for both programs in excess of $30,000. The Department is required to report the subaward information in FSRS no later than the end of the month following the month in which the award was made. According to the Department, during Fiscal Year 2022, it was required to submit and revise 180 and 450 FFATA reports for the Title I and ESF programs, respectively. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department had adequate internal controls over FFATA reporting during Fiscal Year 2022 and whether the information in the Department?s submitted FFATA reports was accurate and submitted in a timely manner. We requested a list of all Title I and ESF subawards made by the Department during Fiscal Year 2022. We then selected a sample of 18 Title I and 29 ESF subawards and requested copies of the FFATA reports that were uploaded to the FSRS system by the Department. The full FFATA reports are only accessible by the Department and are not fully viewable on FSRS. Once the Department provided copies of the uploaded reports, we then reviewed the FFATA reports within FSRS for each subaward selected for testing to determine if the FFATA report was made in a timely manner in accordance with federal regulations. How were the results of the audit work measured? In accordance with federal regulations [2 CFR 170], direct recipients of federal grants are required to report subawards of $30,000 or more to FSRS by the end of the month following the month in which the award was made. For example, the Department would have to submit a FFATA report to FSRS in May 2022 if an award or supplemental award equal to or greater than $30,000 was made in April 2022. The FFATA reports are required to include the following key data elements: ? Subrecipient name ? Subrecipient DUNS number ? Amount of subaward ? Subaward obligation/action date ? Date of report submission ? Subaward number ? Subaward project description ? Subrecipient names and compensation of highly compensated officers Transparency Act reporting requirements outlined on the FSRS website prescribe certain information that must be reported for these subawards, including the name of the entity receiving the award, the award amount, funding agency, and unique identifier of the entity. Federal regulations [2 CFR 200.303] require the non-Federal entity, in this instance the Department, to establish and maintain effective internal controls over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. What problems did the audit work identify? Based on our audit testwork, for the sample we tested, we determined that the Department was late in reporting all 18 of 18 Title I subawards in FSRS, by an average of 3 to 4 months, and failed to report 1 of 29 ESF subawards by the time of our audit, which represented a delay of approximately 16 months; and was late in reporting 2 of 29 ESF subawards by approximately 7 and 10 months, respectively. Collectively, these subawards totaled about $30 million for Fiscal Year 2022. The following tables summarize the results of our testing and group each exception within the following categories: Subaward Not Reported and Report Not Timely. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Why did these problems occur? The Department reported that an influx in pandemic funding resulted in the Department experiencing a 233 percent volume increase in funding distributions and to more than 5,000 submissions and resubmissions in its required Fiscal Year 2022 FFATA reporting for all federal programs managed by the Department?s grant fiscal team. The Department indicated that its grant fiscal team also experienced staff turnover and vacancies during the year and the Department did not adequately reassign resources to ensure FFATA reporting requirements were identified and that reports were submitted on time. Initially, only one FTE was dedicated to FFATA reporting. During the year, the Department allocated a portion of the FFATA workload to another existing FTE and added an additional FTE in May 2022 to work on reconciling FFATA submissions; as a result, Department staff identified the two submissions previously missed, but the reallocations and reconciliations were not made in time to ensure the Department met all of its required FFATA report submission timelines. In addition, Department staff indicated that they made a conscious decision to not report the Title I subawards until May 2022?even though the initial subawards were finalized in January 2022?because the Department had historically received multiple funding allocations in addition to the initial allocation that required FFATA reporting for each allocation for up to 178 subawardees. However, the Department did not communicate with the federal awarding agency to determine whether waiting until it received all related allocations to submit its FFATA reports was appropriate. During the majority of Fiscal Year 2022, the Department also did not have a control, such as a reconciliation, to help identify subawards that went unreported during the fiscal year. Why do these problems matter? By failing to properly report FFATA subawards through FSRS, the Department is out of compliance with federal reporting requirements and risks federal sanctions. In addition, the Department fails to meet the federal intent of transparency for federal program spending. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-042 The Department of Education (Department) should strengthen its internal controls over, and ensure it complies with requirements under, the Federal Funding Accountability and Transparency Act (Transparency Act or FFATA) reporting by: A. Improving the Department?s process for determining the timing of reporting within the FFATA Subaward Reporting System. This process should include appropriately allocating staff resources for reporting responsibilities, and considerations such as expected future award allocations and communications with the federal awarding agency when it is determined to not be feasible to report information in a timely manner. B. Continuing to develop and implement reconciliation procedures to identify subawards that went unreported during the fiscal year. Response Department of Education A. Agree Implementation Date: December 31, 2022 We agree with this recommendation. In recent years, the Federal Government had multiple continuing resolutions in their budget process, resulting in CDE?s Title I allocations coming in multiple iterations. For the last several years, CDE has received revised allocations from the US Department of Education for the fiscal year as late as early summer; in one example, we received six revisions. With staffing shortages and the administrative burden to continuously revise, research issues and update FFATA for each allocation change, CDE took the step to report only the final allocation to FFATA, which was reported as of the month the awardee was awarded. However, the report was submitted later in the fiscal year. CDE will take a two-fold approach to rectify the issue related to the required FFATA reporting for Title I. First, we will report to FSRS the initial awards within 30 days following the date the awardee was provided final approval on their award. This is consistent with CDE?s approach to all other federal awards. Second, we will monitor the continuing resolutions and changes in allocations, and report only the net changes to each awardee, in the month those changes occur from the US Department of Education. Thereby, FSRS will represent the total revised award. In addition to this approach, all Title I awards will continue to be a part of our regular FFATA reconciliation process. B. Agree Implementation Date: December 31, 2022 We agree with this recommendation. CDE identified its own failure to report two ESSER subawards to FFATA within 30 days as part of the successful development and implementation of a FFATA-specific reconciliation process in Summer 2022. CDE will continue to refine and improve its FFATA reconciliation process.
Finding 2022-042 Federal Funding Accountability and Transparency Act The Federal Funding Accountability and Transparency Act (Transparency Act or FFATA) was created to empower Americans with the ability to hold the government accountable for each spending decision and, as a result, to reduce wasteful spending by the government. The Transparency Act requires the federal government to make certain information on federal awards available to the public. In order to obtain this information, the federal government requires grant recipients to provide information to it. For example, the federal Department of Education (DOE) requires the Department to report information about subgrants, or subawards, it gives to other governments or to nonprofit organizations (also referred to as subrecipients) from the DOE grants it receives. Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the Department, to an entity to carry out part of a Federal grant award received by the pass-through entity. The Department is specifically required to file FFATA reports through the FFATA Subaward Reporting System (FSRS). Once the Department submits a report to FSRS, the public can view certain information from the report, including the subrecipient?s name, subaward identification number, subaward obligation/action date, subaward amount, federal awarding agency and subagency, the Department?s name, and the Department?s grant award identification number. The Department is required to file a FFATA report in the following circumstances: ? If the initial award is equal to or more than $30,000; ? If subsequent grant modifications result in a total award are equal to or more than $30,000; ? If the initial award is equal to or more than $30,000 but funding is subsequently de-obligated such that the total award amount falls below $30,000. The Department?s required FFATA reports for Fiscal Year 2022 included information on Title I Grants to Local Education Agencies [ALN 84.010] and COVID-19 Education Stabilization Fund (ESF) [84.425], specifically Elementary and Secondary School Emergency Relief (ESSER) Fund [84.425D] and American Rescue Plan - Elementary and Secondary School Emergency Relief (ARP ESSER) [84.425U]. FFATA reporting was required for the Department because the Department passed through funds to one or more subrecipients for both programs in excess of $30,000. The Department is required to report the subaward information in FSRS no later than the end of the month following the month in which the award was made. According to the Department, during Fiscal Year 2022, it was required to submit and revise 180 and 450 FFATA reports for the Title I and ESF programs, respectively. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department had adequate internal controls over FFATA reporting during Fiscal Year 2022 and whether the information in the Department?s submitted FFATA reports was accurate and submitted in a timely manner. We requested a list of all Title I and ESF subawards made by the Department during Fiscal Year 2022. We then selected a sample of 18 Title I and 29 ESF subawards and requested copies of the FFATA reports that were uploaded to the FSRS system by the Department. The full FFATA reports are only accessible by the Department and are not fully viewable on FSRS. Once the Department provided copies of the uploaded reports, we then reviewed the FFATA reports within FSRS for each subaward selected for testing to determine if the FFATA report was made in a timely manner in accordance with federal regulations. How were the results of the audit work measured? In accordance with federal regulations [2 CFR 170], direct recipients of federal grants are required to report subawards of $30,000 or more to FSRS by the end of the month following the month in which the award was made. For example, the Department would have to submit a FFATA report to FSRS in May 2022 if an award or supplemental award equal to or greater than $30,000 was made in April 2022. The FFATA reports are required to include the following key data elements: ? Subrecipient name ? Subrecipient DUNS number ? Amount of subaward ? Subaward obligation/action date ? Date of report submission ? Subaward number ? Subaward project description ? Subrecipient names and compensation of highly compensated officers Transparency Act reporting requirements outlined on the FSRS website prescribe certain information that must be reported for these subawards, including the name of the entity receiving the award, the award amount, funding agency, and unique identifier of the entity. Federal regulations [2 CFR 200.303] require the non-Federal entity, in this instance the Department, to establish and maintain effective internal controls over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. What problems did the audit work identify? Based on our audit testwork, for the sample we tested, we determined that the Department was late in reporting all 18 of 18 Title I subawards in FSRS, by an average of 3 to 4 months, and failed to report 1 of 29 ESF subawards by the time of our audit, which represented a delay of approximately 16 months; and was late in reporting 2 of 29 ESF subawards by approximately 7 and 10 months, respectively. Collectively, these subawards totaled about $30 million for Fiscal Year 2022. The following tables summarize the results of our testing and group each exception within the following categories: Subaward Not Reported and Report Not Timely. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Why did these problems occur? The Department reported that an influx in pandemic funding resulted in the Department experiencing a 233 percent volume increase in funding distributions and to more than 5,000 submissions and resubmissions in its required Fiscal Year 2022 FFATA reporting for all federal programs managed by the Department?s grant fiscal team. The Department indicated that its grant fiscal team also experienced staff turnover and vacancies during the year and the Department did not adequately reassign resources to ensure FFATA reporting requirements were identified and that reports were submitted on time. Initially, only one FTE was dedicated to FFATA reporting. During the year, the Department allocated a portion of the FFATA workload to another existing FTE and added an additional FTE in May 2022 to work on reconciling FFATA submissions; as a result, Department staff identified the two submissions previously missed, but the reallocations and reconciliations were not made in time to ensure the Department met all of its required FFATA report submission timelines. In addition, Department staff indicated that they made a conscious decision to not report the Title I subawards until May 2022?even though the initial subawards were finalized in January 2022?because the Department had historically received multiple funding allocations in addition to the initial allocation that required FFATA reporting for each allocation for up to 178 subawardees. However, the Department did not communicate with the federal awarding agency to determine whether waiting until it received all related allocations to submit its FFATA reports was appropriate. During the majority of Fiscal Year 2022, the Department also did not have a control, such as a reconciliation, to help identify subawards that went unreported during the fiscal year. Why do these problems matter? By failing to properly report FFATA subawards through FSRS, the Department is out of compliance with federal reporting requirements and risks federal sanctions. In addition, the Department fails to meet the federal intent of transparency for federal program spending. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-042 The Department of Education (Department) should strengthen its internal controls over, and ensure it complies with requirements under, the Federal Funding Accountability and Transparency Act (Transparency Act or FFATA) reporting by: A. Improving the Department?s process for determining the timing of reporting within the FFATA Subaward Reporting System. This process should include appropriately allocating staff resources for reporting responsibilities, and considerations such as expected future award allocations and communications with the federal awarding agency when it is determined to not be feasible to report information in a timely manner. B. Continuing to develop and implement reconciliation procedures to identify subawards that went unreported during the fiscal year. Response Department of Education A. Agree Implementation Date: December 31, 2022 We agree with this recommendation. In recent years, the Federal Government had multiple continuing resolutions in their budget process, resulting in CDE?s Title I allocations coming in multiple iterations. For the last several years, CDE has received revised allocations from the US Department of Education for the fiscal year as late as early summer; in one example, we received six revisions. With staffing shortages and the administrative burden to continuously revise, research issues and update FFATA for each allocation change, CDE took the step to report only the final allocation to FFATA, which was reported as of the month the awardee was awarded. However, the report was submitted later in the fiscal year. CDE will take a two-fold approach to rectify the issue related to the required FFATA reporting for Title I. First, we will report to FSRS the initial awards within 30 days following the date the awardee was provided final approval on their award. This is consistent with CDE?s approach to all other federal awards. Second, we will monitor the continuing resolutions and changes in allocations, and report only the net changes to each awardee, in the month those changes occur from the US Department of Education. Thereby, FSRS will represent the total revised award. In addition to this approach, all Title I awards will continue to be a part of our regular FFATA reconciliation process. B. Agree Implementation Date: December 31, 2022 We agree with this recommendation. CDE identified its own failure to report two ESSER subawards to FFATA within 30 days as part of the successful development and implementation of a FFATA-specific reconciliation process in Summer 2022. CDE will continue to refine and improve its FFATA reconciliation process.
Finding 2022-042 Federal Funding Accountability and Transparency Act The Federal Funding Accountability and Transparency Act (Transparency Act or FFATA) was created to empower Americans with the ability to hold the government accountable for each spending decision and, as a result, to reduce wasteful spending by the government. The Transparency Act requires the federal government to make certain information on federal awards available to the public. In order to obtain this information, the federal government requires grant recipients to provide information to it. For example, the federal Department of Education (DOE) requires the Department to report information about subgrants, or subawards, it gives to other governments or to nonprofit organizations (also referred to as subrecipients) from the DOE grants it receives. Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the Department, to an entity to carry out part of a Federal grant award received by the pass-through entity. The Department is specifically required to file FFATA reports through the FFATA Subaward Reporting System (FSRS). Once the Department submits a report to FSRS, the public can view certain information from the report, including the subrecipient?s name, subaward identification number, subaward obligation/action date, subaward amount, federal awarding agency and subagency, the Department?s name, and the Department?s grant award identification number. The Department is required to file a FFATA report in the following circumstances: ? If the initial award is equal to or more than $30,000; ? If subsequent grant modifications result in a total award are equal to or more than $30,000; ? If the initial award is equal to or more than $30,000 but funding is subsequently de-obligated such that the total award amount falls below $30,000. The Department?s required FFATA reports for Fiscal Year 2022 included information on Title I Grants to Local Education Agencies [ALN 84.010] and COVID-19 Education Stabilization Fund (ESF) [84.425], specifically Elementary and Secondary School Emergency Relief (ESSER) Fund [84.425D] and American Rescue Plan - Elementary and Secondary School Emergency Relief (ARP ESSER) [84.425U]. FFATA reporting was required for the Department because the Department passed through funds to one or more subrecipients for both programs in excess of $30,000. The Department is required to report the subaward information in FSRS no later than the end of the month following the month in which the award was made. According to the Department, during Fiscal Year 2022, it was required to submit and revise 180 and 450 FFATA reports for the Title I and ESF programs, respectively. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department had adequate internal controls over FFATA reporting during Fiscal Year 2022 and whether the information in the Department?s submitted FFATA reports was accurate and submitted in a timely manner. We requested a list of all Title I and ESF subawards made by the Department during Fiscal Year 2022. We then selected a sample of 18 Title I and 29 ESF subawards and requested copies of the FFATA reports that were uploaded to the FSRS system by the Department. The full FFATA reports are only accessible by the Department and are not fully viewable on FSRS. Once the Department provided copies of the uploaded reports, we then reviewed the FFATA reports within FSRS for each subaward selected for testing to determine if the FFATA report was made in a timely manner in accordance with federal regulations. How were the results of the audit work measured? In accordance with federal regulations [2 CFR 170], direct recipients of federal grants are required to report subawards of $30,000 or more to FSRS by the end of the month following the month in which the award was made. For example, the Department would have to submit a FFATA report to FSRS in May 2022 if an award or supplemental award equal to or greater than $30,000 was made in April 2022. The FFATA reports are required to include the following key data elements: ? Subrecipient name ? Subrecipient DUNS number ? Amount of subaward ? Subaward obligation/action date ? Date of report submission ? Subaward number ? Subaward project description ? Subrecipient names and compensation of highly compensated officers Transparency Act reporting requirements outlined on the FSRS website prescribe certain information that must be reported for these subawards, including the name of the entity receiving the award, the award amount, funding agency, and unique identifier of the entity. Federal regulations [2 CFR 200.303] require the non-Federal entity, in this instance the Department, to establish and maintain effective internal controls over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. What problems did the audit work identify? Based on our audit testwork, for the sample we tested, we determined that the Department was late in reporting all 18 of 18 Title I subawards in FSRS, by an average of 3 to 4 months, and failed to report 1 of 29 ESF subawards by the time of our audit, which represented a delay of approximately 16 months; and was late in reporting 2 of 29 ESF subawards by approximately 7 and 10 months, respectively. Collectively, these subawards totaled about $30 million for Fiscal Year 2022. The following tables summarize the results of our testing and group each exception within the following categories: Subaward Not Reported and Report Not Timely. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Why did these problems occur? The Department reported that an influx in pandemic funding resulted in the Department experiencing a 233 percent volume increase in funding distributions and to more than 5,000 submissions and resubmissions in its required Fiscal Year 2022 FFATA reporting for all federal programs managed by the Department?s grant fiscal team. The Department indicated that its grant fiscal team also experienced staff turnover and vacancies during the year and the Department did not adequately reassign resources to ensure FFATA reporting requirements were identified and that reports were submitted on time. Initially, only one FTE was dedicated to FFATA reporting. During the year, the Department allocated a portion of the FFATA workload to another existing FTE and added an additional FTE in May 2022 to work on reconciling FFATA submissions; as a result, Department staff identified the two submissions previously missed, but the reallocations and reconciliations were not made in time to ensure the Department met all of its required FFATA report submission timelines. In addition, Department staff indicated that they made a conscious decision to not report the Title I subawards until May 2022?even though the initial subawards were finalized in January 2022?because the Department had historically received multiple funding allocations in addition to the initial allocation that required FFATA reporting for each allocation for up to 178 subawardees. However, the Department did not communicate with the federal awarding agency to determine whether waiting until it received all related allocations to submit its FFATA reports was appropriate. During the majority of Fiscal Year 2022, the Department also did not have a control, such as a reconciliation, to help identify subawards that went unreported during the fiscal year. Why do these problems matter? By failing to properly report FFATA subawards through FSRS, the Department is out of compliance with federal reporting requirements and risks federal sanctions. In addition, the Department fails to meet the federal intent of transparency for federal program spending. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-042 The Department of Education (Department) should strengthen its internal controls over, and ensure it complies with requirements under, the Federal Funding Accountability and Transparency Act (Transparency Act or FFATA) reporting by: A. Improving the Department?s process for determining the timing of reporting within the FFATA Subaward Reporting System. This process should include appropriately allocating staff resources for reporting responsibilities, and considerations such as expected future award allocations and communications with the federal awarding agency when it is determined to not be feasible to report information in a timely manner. B. Continuing to develop and implement reconciliation procedures to identify subawards that went unreported during the fiscal year. Response Department of Education A. Agree Implementation Date: December 31, 2022 We agree with this recommendation. In recent years, the Federal Government had multiple continuing resolutions in their budget process, resulting in CDE?s Title I allocations coming in multiple iterations. For the last several years, CDE has received revised allocations from the US Department of Education for the fiscal year as late as early summer; in one example, we received six revisions. With staffing shortages and the administrative burden to continuously revise, research issues and update FFATA for each allocation change, CDE took the step to report only the final allocation to FFATA, which was reported as of the month the awardee was awarded. However, the report was submitted later in the fiscal year. CDE will take a two-fold approach to rectify the issue related to the required FFATA reporting for Title I. First, we will report to FSRS the initial awards within 30 days following the date the awardee was provided final approval on their award. This is consistent with CDE?s approach to all other federal awards. Second, we will monitor the continuing resolutions and changes in allocations, and report only the net changes to each awardee, in the month those changes occur from the US Department of Education. Thereby, FSRS will represent the total revised award. In addition to this approach, all Title I awards will continue to be a part of our regular FFATA reconciliation process. B. Agree Implementation Date: December 31, 2022 We agree with this recommendation. CDE identified its own failure to report two ESSER subawards to FFATA within 30 days as part of the successful development and implementation of a FFATA-specific reconciliation process in Summer 2022. CDE will continue to refine and improve its FFATA reconciliation process.
Finding 2022-042 Federal Funding Accountability and Transparency Act The Federal Funding Accountability and Transparency Act (Transparency Act or FFATA) was created to empower Americans with the ability to hold the government accountable for each spending decision and, as a result, to reduce wasteful spending by the government. The Transparency Act requires the federal government to make certain information on federal awards available to the public. In order to obtain this information, the federal government requires grant recipients to provide information to it. For example, the federal Department of Education (DOE) requires the Department to report information about subgrants, or subawards, it gives to other governments or to nonprofit organizations (also referred to as subrecipients) from the DOE grants it receives. Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the Department, to an entity to carry out part of a Federal grant award received by the pass-through entity. The Department is specifically required to file FFATA reports through the FFATA Subaward Reporting System (FSRS). Once the Department submits a report to FSRS, the public can view certain information from the report, including the subrecipient?s name, subaward identification number, subaward obligation/action date, subaward amount, federal awarding agency and subagency, the Department?s name, and the Department?s grant award identification number. The Department is required to file a FFATA report in the following circumstances: ? If the initial award is equal to or more than $30,000; ? If subsequent grant modifications result in a total award are equal to or more than $30,000; ? If the initial award is equal to or more than $30,000 but funding is subsequently de-obligated such that the total award amount falls below $30,000. The Department?s required FFATA reports for Fiscal Year 2022 included information on Title I Grants to Local Education Agencies [ALN 84.010] and COVID-19 Education Stabilization Fund (ESF) [84.425], specifically Elementary and Secondary School Emergency Relief (ESSER) Fund [84.425D] and American Rescue Plan - Elementary and Secondary School Emergency Relief (ARP ESSER) [84.425U]. FFATA reporting was required for the Department because the Department passed through funds to one or more subrecipients for both programs in excess of $30,000. The Department is required to report the subaward information in FSRS no later than the end of the month following the month in which the award was made. According to the Department, during Fiscal Year 2022, it was required to submit and revise 180 and 450 FFATA reports for the Title I and ESF programs, respectively. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department had adequate internal controls over FFATA reporting during Fiscal Year 2022 and whether the information in the Department?s submitted FFATA reports was accurate and submitted in a timely manner. We requested a list of all Title I and ESF subawards made by the Department during Fiscal Year 2022. We then selected a sample of 18 Title I and 29 ESF subawards and requested copies of the FFATA reports that were uploaded to the FSRS system by the Department. The full FFATA reports are only accessible by the Department and are not fully viewable on FSRS. Once the Department provided copies of the uploaded reports, we then reviewed the FFATA reports within FSRS for each subaward selected for testing to determine if the FFATA report was made in a timely manner in accordance with federal regulations. How were the results of the audit work measured? In accordance with federal regulations [2 CFR 170], direct recipients of federal grants are required to report subawards of $30,000 or more to FSRS by the end of the month following the month in which the award was made. For example, the Department would have to submit a FFATA report to FSRS in May 2022 if an award or supplemental award equal to or greater than $30,000 was made in April 2022. The FFATA reports are required to include the following key data elements: ? Subrecipient name ? Subrecipient DUNS number ? Amount of subaward ? Subaward obligation/action date ? Date of report submission ? Subaward number ? Subaward project description ? Subrecipient names and compensation of highly compensated officers Transparency Act reporting requirements outlined on the FSRS website prescribe certain information that must be reported for these subawards, including the name of the entity receiving the award, the award amount, funding agency, and unique identifier of the entity. Federal regulations [2 CFR 200.303] require the non-Federal entity, in this instance the Department, to establish and maintain effective internal controls over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. What problems did the audit work identify? Based on our audit testwork, for the sample we tested, we determined that the Department was late in reporting all 18 of 18 Title I subawards in FSRS, by an average of 3 to 4 months, and failed to report 1 of 29 ESF subawards by the time of our audit, which represented a delay of approximately 16 months; and was late in reporting 2 of 29 ESF subawards by approximately 7 and 10 months, respectively. Collectively, these subawards totaled about $30 million for Fiscal Year 2022. The following tables summarize the results of our testing and group each exception within the following categories: Subaward Not Reported and Report Not Timely. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Why did these problems occur? The Department reported that an influx in pandemic funding resulted in the Department experiencing a 233 percent volume increase in funding distributions and to more than 5,000 submissions and resubmissions in its required Fiscal Year 2022 FFATA reporting for all federal programs managed by the Department?s grant fiscal team. The Department indicated that its grant fiscal team also experienced staff turnover and vacancies during the year and the Department did not adequately reassign resources to ensure FFATA reporting requirements were identified and that reports were submitted on time. Initially, only one FTE was dedicated to FFATA reporting. During the year, the Department allocated a portion of the FFATA workload to another existing FTE and added an additional FTE in May 2022 to work on reconciling FFATA submissions; as a result, Department staff identified the two submissions previously missed, but the reallocations and reconciliations were not made in time to ensure the Department met all of its required FFATA report submission timelines. In addition, Department staff indicated that they made a conscious decision to not report the Title I subawards until May 2022?even though the initial subawards were finalized in January 2022?because the Department had historically received multiple funding allocations in addition to the initial allocation that required FFATA reporting for each allocation for up to 178 subawardees. However, the Department did not communicate with the federal awarding agency to determine whether waiting until it received all related allocations to submit its FFATA reports was appropriate. During the majority of Fiscal Year 2022, the Department also did not have a control, such as a reconciliation, to help identify subawards that went unreported during the fiscal year. Why do these problems matter? By failing to properly report FFATA subawards through FSRS, the Department is out of compliance with federal reporting requirements and risks federal sanctions. In addition, the Department fails to meet the federal intent of transparency for federal program spending. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-042 The Department of Education (Department) should strengthen its internal controls over, and ensure it complies with requirements under, the Federal Funding Accountability and Transparency Act (Transparency Act or FFATA) reporting by: A. Improving the Department?s process for determining the timing of reporting within the FFATA Subaward Reporting System. This process should include appropriately allocating staff resources for reporting responsibilities, and considerations such as expected future award allocations and communications with the federal awarding agency when it is determined to not be feasible to report information in a timely manner. B. Continuing to develop and implement reconciliation procedures to identify subawards that went unreported during the fiscal year. Response Department of Education A. Agree Implementation Date: December 31, 2022 We agree with this recommendation. In recent years, the Federal Government had multiple continuing resolutions in their budget process, resulting in CDE?s Title I allocations coming in multiple iterations. For the last several years, CDE has received revised allocations from the US Department of Education for the fiscal year as late as early summer; in one example, we received six revisions. With staffing shortages and the administrative burden to continuously revise, research issues and update FFATA for each allocation change, CDE took the step to report only the final allocation to FFATA, which was reported as of the month the awardee was awarded. However, the report was submitted later in the fiscal year. CDE will take a two-fold approach to rectify the issue related to the required FFATA reporting for Title I. First, we will report to FSRS the initial awards within 30 days following the date the awardee was provided final approval on their award. This is consistent with CDE?s approach to all other federal awards. Second, we will monitor the continuing resolutions and changes in allocations, and report only the net changes to each awardee, in the month those changes occur from the US Department of Education. Thereby, FSRS will represent the total revised award. In addition to this approach, all Title I awards will continue to be a part of our regular FFATA reconciliation process. B. Agree Implementation Date: December 31, 2022 We agree with this recommendation. CDE identified its own failure to report two ESSER subawards to FFATA within 30 days as part of the successful development and implementation of a FFATA-specific reconciliation process in Summer 2022. CDE will continue to refine and improve its FFATA reconciliation process.
Finding 2022-065 Research and Development Cluster Equipment Management Compliance The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D activities conducted under these awards vary greatly. The objective of an individual project is explained in the federal award document. R&D activities at the University are subject to federal equipment management requirements. In accordance with Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), Section 201.1 Definitions, equipment is defined as tangible personal property (including information technology systems) having a useful life of more than one year and a per-unit acquisition cost which equals or exceeds the lesser of the capitalization level established by the non-Federal entity for financial statement purposes, or $5,000. The University uses equipment to meet the objective of its various research projects and this equipment may be common items such as a microscope or very complex scientific equipment, Under federal regulations, the University is required, for any equipment purchased under a federal contract, to maintain and track the equipment as to its location. The University must have an internal control structure in place in order to protect and safeguard the equipment and the University should be able to provide evidence that the equipment is safeguarded and maintained and show the location of all equipment. The Campus Controller?s Property Accounting Office (PAO) within the Boulder campus is responsible for equipment and property management. The PAO sends its full equipment listing quarterly to a portion of its individual departments with equipment, in a frequency to cover all departments within a two-year period. The individual departments are required to review the equipment listing, add any new equipment to the listing, and remove any equipment from the listing that has been disposed of or is no longer in service. Once the departments return the listings to the PAO, the PAO selects a sample to verify the information provided by the departments. The PAO selects the sample and the PAO Property Accountant then verifies the equipment?s existence by performing a site visit to the department and observing the equipment. The PAO selects a new sample each quarter. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million and $6 million from the Boulder, Denver and UCCS campuses, respectively. Of that amount, the University?s three campuses expended a total of approximately $191 million for equipment purchases, with $116 million, $69.6 million, and $5.4 million being spent by the Boulder, Denver, and UCCS campuses, respectively. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D Cluster?s equipment management requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls related to the R&D equipment management requirements. We tested 60 items of equipment with a total value of $1.2 million to determine whether the University appropriately safeguarded and maintained equipment, as required by federal regulations. In addition, we tested 40 of the 60 items of equipment with a total value of $840,000 to determine whether the University?s campuses appropriately placed property tags on the equipment as required by University policy. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.313(b) states that a State must use, manage and dispose of equipment acquired under a federal award to the State in accordance with the state laws and procedures. The University?s Property Control Manual section 1.3 states that the University is responsible and accountable for all property acquired with federal funding in accordance with federal regulations and the provision of a sponsored award. While under the heading of ?non-federal entities other than States,? federal regulation 2 CFR 200.313(c) through (e) also requires that equipment records be maintained, a physical inventory of equipment be taken at least once every two years and reconciled to the equipment record, an appropriate control system be used to safeguard equipment and all equipment shall be adequately maintained. ? The University?s Property Control Manual Section 3.3.1 states that ?only items having an acquisition cost of $5,000 or more are logged and tracked in the university property record.? Furthermore, the University?s Property Control Manual Section 3.3.3, states that equipment records should be updated for any changes discovered during the performance of an inventory over equipment. This would include equipment that should be removed from the listing because it was disposed of or is no longer in service. ? The University?s Property Control Manual section 3.2 states that ?All Government property at $5,000 or above in the custody of the Boulder campus must be tagged.? What problems did the audit work identify? We found that 2 of the 60 equipment items that we tested (3 percent,) with a total value of $39,400, were inappropriately included on the equipment listing even though they had either been disposed of in a prior period or were not in service. Specifically, one equipment item with an approximate value of $28,000 was no longer in service by the University, but still remained on the University?s inventory listing. The second equipment item with an approximate value of $8,400 was disposed of by the University on October 3, 2017, but was still on the list. In addition, we determined that 2 of the 40 equipment items we tested for tagging (5 percent) did not contain the tag as required by the University?s Property Control Manual. One of these items was valued at approximately $28,000. The second item was valued at approximately $31,000. Why did these problems occur? The University?s Boulder campus did not have adequate internal controls in place to ensure it complied with the R&D equipment management requirements. Specifically, although the University does have policies over equipment, Boulder campus staff were not adequately performing the procedures intrinsic in the policy. Specifically, neither the PAO nor the individual University departments adequately reconciled the equipment listing to the physical equipment on hand, which resulted in the list including equipment that had been disposed of or was no longer in use. Additionally, the Boulder Campus did not follow its own policies and procedures requiring that equipment with a value of $5,000 was appropriately tagged. One item?s tag was missing and a replacement tag had been ordered and not received at the time of our procedures. We could not determine whether the University identified that the tag was missing before we requested the information for review. The second item was below ground and the University did not maintain evidence of the original tag. Why do these problems matter? The University is obligated to adhere to specified requirements as outlined by federal regulations and the respective award agreement. By failing to adhere to the requirements for maintenance of equipment, the University potentially risks repercussions from the awarding agency. Furthermore, failing to properly maintain the equipment in accordance with federal and University requirements could increase the risk of theft or loss and decrease the ability of the University to adequately identify theft or loss. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-065 The University of Colorado?s Boulder campus should strengthen its internal controls over equipment management and ensure that it complies with the Research and Development equipment management federal compliance requirements by: A. Ensuring the Campus Controller?s Property Accounting Office and the individual departments adequately reconcile the equipment listing to the physical equipment on hand to ensure that the list is accurate, and remove equipment from the listing that has been disposed of or is no longer in use. B. Enforcing its current policies and procedures for ensuring all equipment is appropriately tagged and maintained. Response University of Colorado A. Agree Implementation Date: March 2023 Management agrees with the recommendation. Procedures have been initiated with cross campus partners and will be fully implemented by March 2023. The proposed corrective action plan is as follows: ? Escalation procedures will be implemented in collaboration with campus partners so that action items identified in inventory reviews are addressed timely. ? The Campus Controller?s Office will work with campus partners to increase physical monitoring procedures to ensure tags are affixed and maintained on equipment. B. Agree Implementation Date: March 2023 Management agrees with the recommendation. Procedures have been initiated with cross campus partners and will be fully implemented by March 2023. The proposed corrective action plan is as follows: ? Escalation procedures will be implemented in collaboration with campus partners so that action items identified in inventory reviews are addressed timely. ? The Campus Controller?s Office will work with campus partners to increase physical monitoring procedures to ensure tags are affixed and maintained on equipment.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-076 Compliance with Federal Subrecipient Monitoring Requirements The Department receives federal grant funds directly from the federal government for the Highway Planning and Construction Program (Program) and then subgrants, or passes through, a portion of the funds to cities and counties and other organizations that are considered to be either a subrecipient or a contractor. A subrecipient is a non-federal entity that expends federal awards received from a pass-through entity to carry out a federal program, but does not include an individual that is a beneficiary receiving direct payments from such a program. A contractor is a dealer, distributor, merchant, or other seller providing goods or services that are required to conduct a federal program; these goods or services may be for an organization?s own use or for the use of beneficiaries of the federal program. The Department executes an Intergovemental Agreement (IGA) between the Department and the subrecipient. Under Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), the Department is responsible for evaluating each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward and for ultimately ensuring the subrecipient is determined eligible. In some instances, in coordination with the Federal Highway Association (FHWA), a Metropolitan Planning Organization (MPO)? rather than the primary recipient, such as the Department?is responsible for performing eligibility determinations. As such, in those instances, the Department does not perform risk-assessments on these contracts and only is responsible for on-going monitoring. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department had effective internal controls in place and complied with subrecipient monitoring activities for the Program during Fiscal Year 2022. As part of our audit work, we reviewed the Department?s internal controls over compliance for subrecipient monitoring requirements for the Program, including the Department?s policies and procedures. We tested a random sample of 25 of the Department?s 92 subrecipients (27 percent) for the Program?for which the Department had an IGA in place during Fiscal Year 2022?to determine whether subrecipient monitoring procedures performed by Department staff during the year were compliant with federal regulations. Our testing included evaluating whether the Department performed risk assessments and determined the appropriate level of subrecipient monitoring for the entities, as required by federal Uniform Guidance. How were the results of the audit work measured? Our audit work was designed to measure the Department?s compliance with the following criteria: ? Federal regulations [2 CFR 200.303] state that the Department, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? ? Federal regulations [2 CFR 200.332(b)] also state that the Department must evaluate each subrecipient?s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward and may include various factors. ? Federal regulations [2 CFR 200.332(d) through (f)] and [2 CFR 200.521] further require the Department to monitor the activities of its subrecipients, as necessary, to ensure that each subaward is used for authorized purposes, the subrecipient complies with the terms and conditions of the subaward, and that the subrecipient achieves performance goals. The Department?s monitoring must include: o Reviewing financial and programmatic reports submitted by the subrecipient o Following-up on and ensuring the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award o Issuing a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity What problems did the audit work identify? We determined that the Department did not comply with subrecipient monitoring requirements for the Highway Planning and Construction Program during Fiscal Year 2022, as noted below: ? The Department did not perform a risk assessment for 6 of the 25 subrecipients (24 percent) we tested, including subrecipients where eligibility was determined by a MPO. ? The Department improperly included one vendor in our population of subrecipients. The nature of services provided by the vendor was personal services, therefore, did not require the execution of an IGA. ? The Department did not provide supporting documentation for reviews of any Fiscal Year 2022 financial and programmatic reports. As a result, we were unable to determine if any reviews were conducted during the fiscal year, as required. Why did these problems occur? While the Department has created a subrecipient monitoring and risk assessment manual, the manual lacks clarity in a variety of areas, including the following: ? For contracts which extend over multiple fiscal years, the policies do not specify the frequency in which subrecipient risk-assessment should be reviewed or updated. ? There are multiple types of subrecipient contracts for which the full risk-assessment process may not be applicable, however, the current policies do not address acceptable exceptions to the policy. ? The Department?s current policies do not include guidance related to the review of financial and programmatic reports, including the extent to which required programmatic and financial reports should be obtained and reviewed. ? The Department?s policies and procedures do not clearly indicate that the Department is not required to complete a risk assessment when an MPO determines eligibility and therefore the nature of monitoring procedures to be performed is not defined. ? Requested audit documentation was not provided timely. Further, the Department did not provide sufficiently-detailed training to staff to ensure they were aware of and conducted required subrecipient monitoring responsibilities. Why do these problems matter? Performing timely and appropriate monitoring of subrecipients provides the Department with a method to ensure its subrecipients are complying with applicable federal grant requirements. By taking appropriate actions based on the results of its subrecipient monitoring activities, the Department can mitigate the risk of providing continuing funding to entities that may not be using funds in accordance with program requirements. Overall, the Department?s failure to comply with federal requirements could result in a loss of funding from the federal government. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-076 The Department of Transportation should strengthen internal controls over and ensure that it complies with federal subrecipient monitoring requirements for the Highway Planning and Construction program by: A. Updating its current subrecipient monitoring and risk assessment policy to clarify the frequency in which a risk assessment is required to be completed or updated, as applicable for contracts that span multiple fiscal years, as well as direction regarding when it is acceptable to forgo performing a risk assessment and updating the policy to address the nature in which subrecipient programmatic and financial reports are reviewed B. Providing training to staff responsible for subrecipient monitoring activities related to the policies updated in Part A of the finding. Response Department of Transportation A. Agree Implementation Date: November 2023 The Department will update the policy to clarify the frequency in which the risk assessment is required to be completed or updated as applicable for contracts that span multiple fiscal years, as well as identifying exceptions, outlining when it is acceptable to forgo risk assessments. The Department will also update the policy to address the nature in which the subrecipient programmatic and financial reports are reviewed. The updates will be completed by November 2023. B. Agree Implementation Date: November 2023 The Department will provide training on the subrecipient monitoring policy manual to outline roles, responsibilities and the frequency of risk assessments that span over multiple fiscal years. The training will also provide guidance on the programmatic and financial information review process.
Finding 2022-077 Cash Management The Department operates on a reimbursement basis with the federal government for a portion of its federal grant programs, expending state dollars for the federal programs prior to requesting reimbursement for the appropriate federal share. The reimbursement process is governed by the Cash Management Improvement Act of 1990 (CMIA) and 31 CFR Part 205 Part B, Rules and Procedures for Efficient Federal-State Funds Transfers (Transfer Rules), which prescribe specific methods and timeframes for drawing down federal funds. The purpose of CMIA and the Transfer Rules is to minimize the time period from when the State makes an expenditure for a federal program and when the federal reimbursement is received, so that neither the State nor the federal government incurs a loss of interest on the funds. This timeframe for requesting reimbursement is referred to as the ?draw pattern.? Under CMIA, the State must enter into a formal agreement, referred to as the ?Treasury-State Agreement,? (Agreement) with the U.S. Department of the Treasury to establish reimbursement schedules for selected federal programs that have been awarded to the State. In Colorado, the Department of Treasury (Treasury), on behalf of all departments in the State, enters into the Agreement with the U.S. Department of the Treasury. For Fiscal Year 2022, Colorado?s CMIA Agreement included 10 programs administered by various state agencies. The Department has one federal program that is included in the Agreement. Specifically, the Department?s Highway Planning and Construction [ALN 20.205] is included in this Agreement. During Fiscal Year 2022, the Department expended $510.0 million in Highway Planning and Construction funds. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to review the Department?s internal controls over its cash draw process and to determine whether the Department was in compliance with CMIA for the Highway Planning and Construction program during Fiscal Year 2022. As part of our audit, we tested the Department?s internal controls and compliance over its cash management process for the Highway Planning and Construction program. We tested a sample of 25 expenditures and the related draws the Department made for the program during Fiscal Year 2022 and calculated the number of days between each sampled expenditure and related federal draw and compared our results to the CMIA requirements in place at the time the draw occurred. Within our sample, draws for nine of the expenditures were performed prior to October 13, when the 4-day draw pattern was in place; draws for 16 expenditures were performed after October 13 on the 5-day pattern. How were the results of the audit work measured? Under CMIA rules, draw patterns should be interest-neutral between the State?s expenditure and receipt of federal funds. We compared the results of our testwork against the regulations within the CMIA for payments clearing the State?s bank that should result in the receipt of the federal reimbursements within specific timeframe as noted below: The Agreement in place at the beginning of Fiscal Year 2022 specified a 4-day draw pattern for Highway Planning and Construction. Therefore, the time between when the Department?s expenditure was made and when federal funds were received should have been 4 days. In October 2021, however, the Department requested the draw pattern be changed from 4 days to 5 days. This request was approved by the U.S. Department of the Treasury on October 13, 2021. What problem did the audit work identify? We determined that the Department did not comply with the approved cash management draw patterns contained in the Agreements for the Highway Planning and Construction program for Fiscal Year 2022. Overall, 8 of the 25 draws (32 percent) were not made in accordance with the applicable Agreement, as follows: ? We noted that 6 of the 16 draws (38 percent) were not performed on the 5-day approved draw pattern in place after October 13, 2021 and instead, were performed on a 4-day draw pattern. ? We also noted that 2 of the 9 draws (22 percent) sampled from the first Agreement were not completed in accordance with the 4-day approved draw pattern in place prior to October 13, 2021 and, instead, were performed on a 5-day draw pattern. Why did this problem occur? The Department did not have appropriate internal controls over its federal grant cash management process during Fiscal Year 2022. Specifically, the Department conducted an analysis on the draw pattern for Highway Planning and Construction in early Fiscal Year 2022 and determined that its draws were occurring within 5 rather than 4 days, so the Department requested and received approval from the U.S. Department of the Treasury to change from a 4 day draw pattern to a 5-day draw pattern; however, the Department did not properly communicate the change in the Agreement for the Highway Planning and Construction?s draw pattern to the primary individuals responsible for preparing and approving the draws. As a result, the billing procedure was not updated to reflect the change in draw pattern, which led to the draws being out of compliance with the approved CMIA draw pattern. Why does this problem matter? The timing of draws for requesting federal funds impacts the interest neutral requirements under the CMIA. By drawing funds early, the Department creates a risk that the State my ultimately owe interest charges to the federal government. Further, the Department?s lack of strong cash management internal controls may result in delays in the identification of expenditures for which reimbursement has not been requested and therefore, funds upon which the State has lost interest. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-077 The Department Transportation (Department) should strengthen its internal controls and processes over and ensure that it complies with federal Cash Management Improvement Act requirements for the federal Highway Planning and Construction Program (Program) by: A. Ensuring that Department personnel responsible for preparing and reviewing the cash draw requests are adequately informed of the draw pattern applicable for the current fiscal year, including any federally-approved changes that occur during the year. B. Establishing procedures that specify draw request dates in relation to Program expenditures that ensure required draw patterns are met. Response Colorado Department of Transportation A. Agree Implementation Date: March 2023 The Department will enhance its internal controls and processes to ensure it complies with the federal Cash Management Improvement Act requirements for the federal Highway Planning and Construction Program (Program) by ensuring personnel responsible for preparing and reviewing the cash draw requests are adequately informed of the draw pattern for the applicable fiscal year in which the draws occur including federally-approved changes during the year. Personnel responsible for the draw will review the approved draw letter from the State Treasury with a secondary verification on the Federal Site, www.fiscal.treasury.gov/cmia/resources-treasury-state-agreements.hmtl for the specified timeframe before conducting the draw. B. Agree Implementation Date: March 2023 The Department will enhance its internal controls and processes to ensure it complies with federal Cash Management Improvement Act requirements for the federal Highway Planning and Construction Program (Program) by establishing and maintaining formal procedures that specify the draw request dates in relation to the program expenditures to ensure required draw patterns are met. The process to implement changes to the cash draw pattern will be added to the draw procedure by March 2023.
Finding 2022-074 Coronavirus Relief Funds?Property Owner Preservation Program The President of the United States issued the Proclamation on Declaring a National Emergency Concerning the Novel Coronavirus Disease (COVID-19) Outbreak on March 13, 2020 and Congress subsequently passed the Coronavirus Aid, Relief, and Economic Security (CARES) Act. The CARES Act provided emergency assistance in response to the COVID-19 pandemic and established the Coronavirus Relief Fund (CRF) program, which provided payments to state, local, and tribal governments navigating the impact of COVID-19. The State of Colorado received approximately $1.67 billion of CRF funds in April 2020, and the Governor issued Executive Order 2020-070 (Executive Order) in May 2020 to disburse the CRF funds to numerous state departments and agencies. In June 2020, the State passed House Bill 20-1410, concerning assistance for individuals facing a housing-related hardship due to the COVID-19 pandemic, and transferred approximately $19.7 million of CRF funds to the Housing Development Grant Fund to provide such assistance. This bill includes a provision for the Property Owners Preservation Program (Program), which was managed by the Department, to allow landlords and property owners to seek rental assistance on behalf of their tenants who experienced a financial need on or after March 1, 2020, due to the effects of the COVID-19 pandemic. In Fiscal Year 2021, the Department expended the $19.7 million of the CRF funds it received in April 2020, for the Property Owners Preservation Program (POPP). What was the purpose of our audit work and what work was performed? The purpose of the audit work was to follow up on our prior year audit recommendation, which recommended that the Department implement internal controls to ensure it complies with federal regulations for any new federal funds it receives, such as the CRF. The Department planned to implement this recommendation by June 2022. During the Fiscal Year 2022 audit, we inquired with the Department on the implementation status of this recommendation. We also obtained and reviewed the Department?s Exhibit K3, Schedule of Prior Year Audit Recommendation Status, which it was required to submit to the State Controller. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Under House Bill 20-1410, the Housing Development Grant Fund was appropriated $19,650,000 of funds from the CRF for the purpose of providing individuals and households who, on or after March 1, 2020, experienced financial need due to the COVID-19 pandemic or effects of the COVID-19 pandemic, with rental assistance. The House Bill also provided guidance on how to access additional housing services. The Department developed and issued a new application for the POPP to address the criteria for experiencing direct or indirect impacts of the COVID-19 pandemic. ? Federal regulations [2 CFR 200.303] require that the Department, as a federal grant recipient, ?establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.? Furthermore, in accordance with 2 CFR part 200, subpart E, the Department must determine that amounts paid with federal grant funds were necessary and reasonable for the performance of the federal award and are adequately documented. Therefore, the Department must maintain appropriate supporting documentation to verify costs were properly charged to the federal grants. ? The Office of the State Controller (OSC) requires each department that had a prior audit recommendation that was reported in the prior fiscal year?s Office of the State Auditor Statewide audit to complete an Exhibit K3 to report the Department?s determination of the status of their recommendation as of June 30. Possible status descriptions include ?Implemented,? ?Partially Implemented,? ?Not Implemented,? and ?No Longer Valid.? The Department must provide an explanation for each recommendation status. What problem did the audit work identify? We determined that the Department did not implement the prior year?s recommendation by its planned implementation date of June 2022. Specifically, during prior year audit work, we found that the Department could not provide appropriate underlying support for 4 of the 60 transactions (7 percent) we tested that were charged as CRF expenditures for the Program; as a result, we recommended that the Department strengthen its internal controls over federal grant spending, including that it develop and implement policies and procedures with a requirement that Department staff review and maintain records supporting its expenditures charged to federal programs. When we inquired of the Department about what steps it had taken to implement the recommendation, Department staff indicated that they did not implement the recommendation during Fiscal Year 2022. Why did this problem occur? The Department reported on its Exhibit K3 that it determined that the original implementation date of June 2022 that the Department provided as its planned implementation date for our Fiscal Year 2021 recommendation was unrealistic, given the Department?s staffing challenges. Specifically, the Department indicated that it was not able to allocate sufficient time to develop and implement the recommended policy and procedure guidance by the end of Fiscal Year 2022. Why does this problem matter? The Department?s lack of sufficient internal controls over the maintenance of complete and accurate records for the federal CRF monies could result in inadequate documentation to support its payments and ultimately, disallowed federal costs and potential sanctions. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-074 The Department of Local Affairs (Department) should implement internal controls to ensure it complies with federal regulations, specifically for activities allowed or unallowed and allowable costs/cost principles, for any new federal funds it receives, such as the Coronavirus Relief Fund. This should include developing and implementing policies and procedures that include a requirement that Department staff review and maintain records supporting the expenditures charged to the federal program. Response Department of Local Affairs Agree Implementation Date: September 2022 The Division of Housing within the Department of Local Affairs has implemented internal controls to ensure compliance with federal regulations for new federal funds, including the development of a standard procedure and the requirement that Department staff review and maintain records supporting the expenditures charged to new federal programs.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-065 Research and Development Cluster Equipment Management Compliance The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D activities conducted under these awards vary greatly. The objective of an individual project is explained in the federal award document. R&D activities at the University are subject to federal equipment management requirements. In accordance with Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), Section 201.1 Definitions, equipment is defined as tangible personal property (including information technology systems) having a useful life of more than one year and a per-unit acquisition cost which equals or exceeds the lesser of the capitalization level established by the non-Federal entity for financial statement purposes, or $5,000. The University uses equipment to meet the objective of its various research projects and this equipment may be common items such as a microscope or very complex scientific equipment, Under federal regulations, the University is required, for any equipment purchased under a federal contract, to maintain and track the equipment as to its location. The University must have an internal control structure in place in order to protect and safeguard the equipment and the University should be able to provide evidence that the equipment is safeguarded and maintained and show the location of all equipment. The Campus Controller?s Property Accounting Office (PAO) within the Boulder campus is responsible for equipment and property management. The PAO sends its full equipment listing quarterly to a portion of its individual departments with equipment, in a frequency to cover all departments within a two-year period. The individual departments are required to review the equipment listing, add any new equipment to the listing, and remove any equipment from the listing that has been disposed of or is no longer in service. Once the departments return the listings to the PAO, the PAO selects a sample to verify the information provided by the departments. The PAO selects the sample and the PAO Property Accountant then verifies the equipment?s existence by performing a site visit to the department and observing the equipment. The PAO selects a new sample each quarter. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million and $6 million from the Boulder, Denver and UCCS campuses, respectively. Of that amount, the University?s three campuses expended a total of approximately $191 million for equipment purchases, with $116 million, $69.6 million, and $5.4 million being spent by the Boulder, Denver, and UCCS campuses, respectively. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D Cluster?s equipment management requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls related to the R&D equipment management requirements. We tested 60 items of equipment with a total value of $1.2 million to determine whether the University appropriately safeguarded and maintained equipment, as required by federal regulations. In addition, we tested 40 of the 60 items of equipment with a total value of $840,000 to determine whether the University?s campuses appropriately placed property tags on the equipment as required by University policy. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.313(b) states that a State must use, manage and dispose of equipment acquired under a federal award to the State in accordance with the state laws and procedures. The University?s Property Control Manual section 1.3 states that the University is responsible and accountable for all property acquired with federal funding in accordance with federal regulations and the provision of a sponsored award. While under the heading of ?non-federal entities other than States,? federal regulation 2 CFR 200.313(c) through (e) also requires that equipment records be maintained, a physical inventory of equipment be taken at least once every two years and reconciled to the equipment record, an appropriate control system be used to safeguard equipment and all equipment shall be adequately maintained. ? The University?s Property Control Manual Section 3.3.1 states that ?only items having an acquisition cost of $5,000 or more are logged and tracked in the university property record.? Furthermore, the University?s Property Control Manual Section 3.3.3, states that equipment records should be updated for any changes discovered during the performance of an inventory over equipment. This would include equipment that should be removed from the listing because it was disposed of or is no longer in service. ? The University?s Property Control Manual section 3.2 states that ?All Government property at $5,000 or above in the custody of the Boulder campus must be tagged.? What problems did the audit work identify? We found that 2 of the 60 equipment items that we tested (3 percent,) with a total value of $39,400, were inappropriately included on the equipment listing even though they had either been disposed of in a prior period or were not in service. Specifically, one equipment item with an approximate value of $28,000 was no longer in service by the University, but still remained on the University?s inventory listing. The second equipment item with an approximate value of $8,400 was disposed of by the University on October 3, 2017, but was still on the list. In addition, we determined that 2 of the 40 equipment items we tested for tagging (5 percent) did not contain the tag as required by the University?s Property Control Manual. One of these items was valued at approximately $28,000. The second item was valued at approximately $31,000. Why did these problems occur? The University?s Boulder campus did not have adequate internal controls in place to ensure it complied with the R&D equipment management requirements. Specifically, although the University does have policies over equipment, Boulder campus staff were not adequately performing the procedures intrinsic in the policy. Specifically, neither the PAO nor the individual University departments adequately reconciled the equipment listing to the physical equipment on hand, which resulted in the list including equipment that had been disposed of or was no longer in use. Additionally, the Boulder Campus did not follow its own policies and procedures requiring that equipment with a value of $5,000 was appropriately tagged. One item?s tag was missing and a replacement tag had been ordered and not received at the time of our procedures. We could not determine whether the University identified that the tag was missing before we requested the information for review. The second item was below ground and the University did not maintain evidence of the original tag. Why do these problems matter? The University is obligated to adhere to specified requirements as outlined by federal regulations and the respective award agreement. By failing to adhere to the requirements for maintenance of equipment, the University potentially risks repercussions from the awarding agency. Furthermore, failing to properly maintain the equipment in accordance with federal and University requirements could increase the risk of theft or loss and decrease the ability of the University to adequately identify theft or loss. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-065 The University of Colorado?s Boulder campus should strengthen its internal controls over equipment management and ensure that it complies with the Research and Development equipment management federal compliance requirements by: A. Ensuring the Campus Controller?s Property Accounting Office and the individual departments adequately reconcile the equipment listing to the physical equipment on hand to ensure that the list is accurate, and remove equipment from the listing that has been disposed of or is no longer in use. B. Enforcing its current policies and procedures for ensuring all equipment is appropriately tagged and maintained. Response University of Colorado A. Agree Implementation Date: March 2023 Management agrees with the recommendation. Procedures have been initiated with cross campus partners and will be fully implemented by March 2023. The proposed corrective action plan is as follows: ? Escalation procedures will be implemented in collaboration with campus partners so that action items identified in inventory reviews are addressed timely. ? The Campus Controller?s Office will work with campus partners to increase physical monitoring procedures to ensure tags are affixed and maintained on equipment. B. Agree Implementation Date: March 2023 Management agrees with the recommendation. Procedures have been initiated with cross campus partners and will be fully implemented by March 2023. The proposed corrective action plan is as follows: ? Escalation procedures will be implemented in collaboration with campus partners so that action items identified in inventory reviews are addressed timely. ? The Campus Controller?s Office will work with campus partners to increase physical monitoring procedures to ensure tags are affixed and maintained on equipment.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-063 Higher Education Emergency Relief Fund Reporting Compliance Finding The CARES Act was signed into law on March 27, 2020, and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the (HEERF Program. CRRSAA was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Since April 2020, the University has been awarded a total of $86.3 million in HEERF funding. From inception through June 30, 2022, the University spent $35.4 million for the HEERF program Student Aid Portion and $48.9 million for the HEERF program Institutional Portion. The University reports that it will spend the remaining amount of funding during Fiscal Year 2023. The University signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate the University?s acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The ED specified that Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The annual report is to be submitted directly to the federal ED. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University had adequate internal controls in place over and complied with HEERF Institutional and Student Aid Portion grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the University?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 5 of the 8 HEERF reports submitted by the University during Fiscal Year 2022 to determine whether the reports were posted on the University?s primary website or submitted directly to the ED by the federal due dates and complied with federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? For the Student Aid Portion, beginning on May 6, 2020, the ED required institutions to publicly post certain information on their website, including the number of awards distributed to students, the total amount awarded, and the methodologies used by the institution to determine which students receive awards, no later than 30 days after the award date, and to update that information every 45 days thereafter (by posting a new report). ? On August 31, 2020, the ED revised the reporting requirement by decreasing the frequency of reporting after the initial 30-day period from every 45 days thereafter to every calendar quarter. This revision from every 45 days to a calendar quarter was effective for the first calendar quarter report due by October 10, 2020, and covering the period from after the institution?s last report through the end of the calendar quarter on September 30, 2020. ? For the Institutional Portion, a federal form filled out by the institution must be posted on the institution?s website covering aggregate expenditure amounts for each calendar quarter (September 30, December 31, March 31, and June 30) and concluding after an institution has spent the institutional portion of their HEERF Funds. The institution must post their first report by October 30, 2020, the first quarter of 2021 report by July 20, 2021, and post all other reports no later than 10 days after the end of each calendar quarter (October 10, January 10, April 10, and July 10). ? Section 18004(e) of the CARES Act and Section 314(e) of the CRRSAA require an institution receiving funds under HEERF to submit a report to the Secretary of the ED at ?such time in such a manner as the Secretary may require?. ? Federal regulation [2 CFR 200.334] states that ?financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.? The instructions for the Quarterly HEERF Reporting Form notes, ?any changes or updates after the initial posting must be conspicuously noted after initial posting and the date of the change must be noted in the `Date of Report? line.? ? Federal regulation [2 CFR 200.303] states that the University, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The University signed a HEERF Certification and Agreement to accept the funding and acknowledge its responsibilities under the grant; therefore, the University was responsible under the Agreement to ensure that it complied with HEERF reporting and other requirements. What problems did the audit work identify? We determined that 2 out of 5 reports tested (40 percent) did not meet the HEERF grant report posting requirements. Specifically: ? The University did not post the HEERF CRRSAA Student quarterly report for the quarter ending September 30, 2021 on the University?s primary website, as required. ? The University published the HEERF ARP Student quarterly report for the quarter ending March 31, 2022 on May 26, 2022?46 days past the due date of April 10, 2022. No issues were noted on the accuracy of the financial information on this report. Why did these problems occur? The University did not implement adequate internal controls to ensure it complied with the HEERF grant reporting requirements. Specifically, the University did not have appropriate policies and procedures in place to ensure that staff submit the required reports within federally required timeframes. Why do these problems matter? Federal oversight agencies, including ED, depend on accurate reports to measure program results and states? compliance with federal requirements. By failing to report the HEERF spending information in accordance with federal regulations, the University failed to comply with the requirements of the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-063 Metropolitan State University of Denver (University) should strengthen its internal controls over reporting and ensure it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by developing and documenting policies and procedures for identifying and researching the specific reporting requirements and ensuring that staff post to the University?s website the required reports within federally required timeframes. In addition, the University should ensure that all the HEERF reports that are currently required to be posted are on the website. Response Metropolitan State University Agree Implementation Date: December 2022 In December 2022, the Office of Financial Aid strengthened its internal control over the reporting requirements for the Higher Education Emergency Relief Fund (HEERF), by adding the report due dates to the internal operational calendar. Additional level reviews were also added to the submission process before the required reports will be sent to the Department of Education and posted on the financial aid website.
Finding 2022-064 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide emergency financial assistance to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the University under the Higher Education Emergency Relief Fund (HEERF I) Program. The federal Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the federal American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Each of the University?s campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (DOE) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements of the HEERF program there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The DOE specified that the Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The University?s campuses are required to submit the annual report directly to the DOE. During Fiscal Year 2022, each University campus was required to complete and post 8 reports (four Student Aid and four Institutional) to their website. During Fiscal Year 2022, the University?s three campuses in total expended approximately $60 million in HEERF grant funds: $27 million was expended by the Boulder campus, $10.5 million was expended by the Colorado Springs campus, and $22.5 million was expended by the Denver campus. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over and complied with the HEERF grant reporting requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls over the HEERF grant reporting requirements. In addition, we tested 11 of the 12 student reports and 3 of the 12 institutional reports posted by the University during Fiscal Year 2022 to determine whether the University campuses posted the required information on each campus? website accurately, and by the federal due dates. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? The DOE issued a notice on May 13, 2021, requiring institutions to publicly post their required HEERF reports on the institution?s website as soon as possible, but no later than 30 days after the publication of the notice, or 30 days after the date the DOE first obligated funds under HEERF I, II, or III to the institution for emergency financial assistance to students; whichever comes later. The institution is required to post the report no later than 10 days after the end of each calendar quarter, after the initial posting. ? Federal regulation [2 CFR 200.303] states that the System?s campuses, as federal grant recipients, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? What problem did the audit work identify? We identified 2 out of the 14 reports tested (14.3 percent) that did not meet the HEERF grant report posting requirements. Specifically, the University of Colorado, Colorado Springs Campus, did not post the required information for the HEERF Student Aid Portion on its website for two of four quarters of Fiscal Year 2022 timely. First, the University posted the quarter-ending September 30, 2021 report to its website on December 23, 2021, or 74 days after the deadline of October 10. Second, the University did not post the quarter-ending March 31, 2022 report, which was due April 10, 2022, until October 2022, after we notified them of the error; this was approximately 6 months late. We did not identify any issues with the accuracy of the reports, and we found that the other two campuses in the University of Colorado System posted the required information on their respective websites as required by federal regulations. Why did this problem occur? The University?s Colorado Springs campus did not have adequate internal controls in place to ensure it complied with the HEERF grant reporting requirements. Specifically, the Colorado Springs Campus did not have appropriate policies and procedures in place for identifying and researching changes in HEERF reporting requirements. The federal government updated and provided a new form for HEERF reporting in September 2021 that included a section for institutional information but inadvertently excluded student information from the form. Because the form no longer required the student information, the Colorado Springs campus staff inaccurately assumed that the student information was no longer required to be reported. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in the DOE Certification and Agreement that is signed and agreed to by the University. By failing to report required information in accordance with federal regulations, the University failed to comply with the requirements of the HEERF program and potentially risks repercussions from the DOE as specified in the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-064 The University of Colorado?s Colorado Springs campus should strengthen its internal controls over and ensure that it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by establishing policies and procedures for identifying and researching changes in HEERF reporting requirements and posting reports to the campus website as required by federal regulations. Response University of Colorado Agree Implementation Date: Implemented Management agrees. After the notification of the missing HEERF report in December 2021, the UCCS Controller proposed a ?cross-check? process to ensure all future reporting is in compliance and reported in a timely manner. This process is used for both the quarterly and annual reporting process. In the quarterly reporting process, the UCCS Controller completes the institutional report and emails the report to the UCCS Financial Aid office Senior Executive Director for verification of the amounts and the data submitted. The Senior Executive Director then enters the student aid portion?s information and provides this to the UCCS Controller for verification of the data. Once verified, the report is uploaded to the UCCS website and a confirmation email is sent to the UCCS Controller as well as the heerfreporting@ed.gov for verification of completion of the website posting. This process has been duplicated with the annual reporting process. Before the annual report is submitted a review will be done to verify the report figures match the CU financials for the calendar year.
Finding 2022-062 Higher Education Emergency Relief Fund Student Aid Finding The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to higher education institutions, including the University, under the HEERF program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA) was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. Since March 11, 2021, the University has been awarded $45.6 million in HEERF grant funds through the American Rescue Plan (ARP), otherwise known as HEERF III. Of this award, the University was provided both 1) Student Aid monies, along with 2) Institutional Aid monies. Student Aid monies must be used to provide financial aid grants to students (including students exclusively enrolled in distance education), which may be used for ?any component of the student?s cost of attendance or for emergency costs that arise due to coronavirus, such as tuition, food, housing, healthcare (including mental health care), or childcare. Institutional Aid monies may be used to defray expenses associated with coronavirus (including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll) and to make additional financial grants to students. During Fiscal Year 2022, the University spent $21.0 million for the Student Aid portion and $20.2 million for the Institutional portion of HEERF III funds. For the Student Aid portion of the HEERF III funding, the University divided the funding into different groups. The University developed a written plan (that applied during Fiscal Year 2022) for each group and a control process for awarding the monies to students. One of the groups of funding was to be awarded to students with unpaid balances in their tuition or auxiliary accounts with past due balances incurred during the 2020-2021 or 2021-2022 academic years. A team of University employees (CARES Team) was tasked with identifying those students, then contacting those students and asking if they would like the University to apply the student?s HEERF award to pay down the student?s account balance or pay it to the student directly. Once the student informed the University of their election, then the University awarded and disbursed the funds. What was the purpose of our audit work and what was performed? The purpose of the audit work was to determine whether the University was in compliance with the HEERF program regulations for awarding and paying the Student Aid portion of the HEERF funding, and whether proper controls were in place over the program during Fiscal Year 2022. Our testing included conducting interviews with management and selecting a sample of 60 disbursements made to students during Fiscal Year 2022 to test controls and compliance. We performed testing on the 60 disbursements to determine whether awards and disbursements were made in accordance with the University?s documented plan. How were the results of the audit work measured? In accordance with HEERF III requirements, the University must prioritize student aid distributions to students with exceptional needs. In addition, the University must have a documented plan to distribute funds to students. Federal regulations [2 CFR 200.303] require any non-federal grant award recipient to establish and maintain effective internal control over the federal award that provides reasonable assurance that the grant award recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. Lastly, student aid application best practices discourage employees from awarding aid to family members. What problem did the audit work identify? Based on interviews with University management, the University identified that a University employee inappropriately provided $700 in HEERF Student Aid funding to the employee?s family member who was a student at the University but was not eligible to receive the funds. Specifically, the CARES Team selected students to receive these funds that met the following criteria: 1) Student was enrolled in the Fall of 2021 or Spring 2022, 2) student had past due balances incurred during the 2020-2021 or 2021-2022 academic years, 3) the student was in good academic standing, and 4) they were participating in a payment plan or in the College Completion Advising program. The student was not selected by the CARES Team as eligible to receive these funds. During our testing of additional 60 student disbursement transactions we found no other exceptions. Why did this problem occur? The University has not established proper segregation of duties to prevent University employees from awarding federal funding to a member of their family. Specifically, the employee had access rights within the University?s financial aid system that granted the employee the ability to both award and disburse federal funds without another employee reviewing or approving. In addition, the University did not have a written policy, as recommended by industry best practices, that prohibits employees from applying aid to family members? accounts. Why does this problem matter? Federal funds that are misapplied or used for unallowable purposes could be subject to repayment from the University to the federal granting agency. Without ensuring adequate segregation of duties within the University?s financial aid system for awarding and disbursing federal funds, the University increases the risk that fraud could occur. In the instance identified, the University recovered the funding from the student. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-062 Metropolitan State University of Denver (University) should improve its internal controls over federal Higher Education Emergency Relief Funds by instituting appropriate segregation of duties over the awarding of federal funds to students. This should include requiring that no one employee can both award then disburse aid to students and developing and implementing a formal written policy that prohibits University employees from awarding financial aid to their family members. Response Metropolitan State University Agree Implementation Date: June 2023 In January 2023, the Executive Director of Financial Aid and Scholarships implemented a code of conduct that addresses and prohibits University personnel from awarding financial aid to their family members or other persons considered conflicts of interest. The Office of Financial Aid and Scholarships will draft policy by June 30, 2023, to address the segregation of duties that prohibits awarding and disbursing federal, state, or institutional funding to students by one employee.
Finding 2022-059 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF I) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund (Assistance Listing No. 84.425). The HEERF program contains two portions: the Student Aid portion (Assistance Listing No. 84.425E) and the Institutional portion, which is made up of the following: HEERF Institutional Aid Portion (Assistance Listing No. 84.425F), HEERF Minority Serving Institutions (Assistance Listing No. 84.425L), HEERF Strengthening Institutions Program (Assistance Listing No. 84.425M), Institutional Resilience and Expanded Postsecondary Opportunity (Assistance Listing No. 84.425P), and HEERF Supplemental Assistance to Institutions of Higher Education program (Assistance Listing No. 84.425S). Amounts provided to students through HEERF are considered to be ?Emergency Financial Aid Grants to Students? under the Program. Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent approximately $97.8 million for the HEERF program Student Aid portion which is used to award Emergency Financial Aid Grants to students and $113.9 million for the HEERF Institutional Portion, which is used to support the colleges. $117.3 of this amount was expended by the System during Fiscal Year 2022. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the ED to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The annual report is to be submitted directly to the ED. The ED has specified certain criteria that must be included in each report. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System had adequate internal controls in place over, and complied with, the HEERF Institutional and Student Aid grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the System?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 25 of the 117 HEERF reports submitted by the System?s campuses during Fiscal Year 2022 to determine whether the reports were posted on each campus? primary website (quarterly reports) or submitted to ED (annual reports) by the federal due dates. Furthermore, for the Student Aid Quarterly Report we requested from each Campus the underlying support for the reports, which consisted of student data detailing how much aid was awarded and the methods the campuses used to determine which students would receive Emergency Financial Aid Grants. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? On May 13, 2021, the ED published in the Federal Register a notice for student aid public reporting under CRRSAA and ARP, which requires that institutions publicly post certain information on their website. The following information must appear in a format and location that is easily accessible to the public: o An acknowledgement that the institution signed and returned to the ED the Certification and Agreement and the assurance that the institution has used the applicable amount of funds designated under the CRRSAA and ARP programs to provide Emergency Financial Aid Grants to Students. o The total amount of funds that the institution will receive or has received from the ED pursuant to the institution's Certification and Agreement for Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total amount of Emergency Financial Aid Grants distributed to students under the CRRSAA and ARP programs as of the date of submission (i.e., as of the initial report and every calendar quarter thereafter). o The estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total number of students who have received an Emergency Financial Aid Grant to students under the CRRSAA and ARP programs. o The method(s) used by the institution to determine which students receive Emergency Financial Aid Grants and how much they would receive under the CRRSAA and ARP programs. o Any instructions, directions, or guidance provided by the institution to students concerning the Emergency Financial Aid Grants. ? Federal Uniform Guidance [2 CFR 200.303] requires that recipients of federal awards have internal controls in place to ensure that federal reports are accurate and report complete information. Appropriate supporting documentation is evidence of such internal controls. What problems did the audit work identify? We identified issues with 5 of the 25 Fiscal Year 2022 reports we tested (20 percent). Specifically, Front Range Community College (FRCC), Pueblo Community College (PCC), and Lamar Community College (LCC) could not provide appropriate supporting documentation for one or more of the following data elements in five of the Student Aid Quarterly Reports: student data detailing (a) the total amount of Emergency Financial Aid Grants distributed to students, (b) the total number of students eligible to receive Emergency Financial Aid Grants and/or (c) the total number of students at the institution who have received an Emergency Financial Aid Grant. The specific issues we found the following: ? FRCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended September 30, 2021 as 20,684; based on our review, we determined the supported number was 20,782. ? FRCC reported the total number of students at the institution who have received an Emergency Financial Aid Grant for the quarter ended June 30, 2022 as 20,385 (student portion) and 3,207 (institutional portion); based on our review, we determined the supported numbers were 20,401 and 3,222, respectively. ? LCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended June 30, 2022 as 1,007; based on our review, we determined the supported number was 1,034. In addition, the amount disbursed directly to student emergency financial aid grants to date was reported as 961 and total for all HEERF funds was 1,124; based on our review, we determined the supported numbers were 988 and 1,151, respectively. ? PCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarters ending September 30, 2021 and December 31, 2021 as 3,191; based on our review, we determined this amount could not be supported and PCC did not provide a revised count. Why did these problems occur? FRCC, PCC, and LCC campuses did not have procedures in place to ensure that supporting documentation was maintained for its Student Aid Quarterly Reporting. Employee turnover in the FRCC Controller position and FRCC, PCC, and LCC Student Financial Aid Director positions further contributed to FRCC, PCC, and LCC?s inability to locate or recreate the supporting documentation. Why do these problems matter? It is important for FRCC, PCC, and LCC to ensure that they obtain and maintain appropriate documentation to support amounts reported to federal awarding agencies, especially when they are the basis for determining FRCC, PCC, and LCC?s compliance with specific federal program requirements. This issue could lead to inaccurate federal reporting and potential noncompliance, which could result in the federal government requiring FRCC, PCC, and LCC to return funds or a negative impact to the System?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-059 Front Range Community College, Lamar Community College, and Pueblo Community College campuses should strengthen their internal controls over federal reporting and ensure they comply with the Higher Education Emergency Relief Fund reporting requirements by reviewing reports for accuracy and developing procedures for ensuring the required maintenance of all related supporting documentation. Response Front Range Community College Agree Implementation Date: September 2022 Moving forward the Director of Financial Aid will engage the Restricted Funds Accountants in a quality assurance review of both dollars spent, type of fund, and student counts before it is submitted for final review and publishing by the Director of Resource Development and Senior Grant Administrator. The most recently submitted information for the quarterly report of September 30, 2022 will be sent to the Restricted Funds Accountants to validate that FRCC has been and will continue to be in compliance for quarterly HEERF reporting. Response Lamar Community College Agree Implementation Date: July 2022 The Financial Aid Director and the Controller will compile their reporting support on the shared drive they utilize for other routine purposes as well, to ensure clear documentation of the numbers reported. The original report containing errors was corrected, validated, and reposted. All past year?s reporting data was made available on the shared drive as of July 2022. Response Pueblo Community College Agree Implementation Date: October 2022 Each quarter Financial aid will obtain and compare Cognos and Banner disbursement reports for accuracy. Once the unduplicated student count is determined it will be sent to the Vice President of Student Success to validate and approve going forward. Financial aid will ensure staff maintain supporting documentation for any institutional expenditures information that was obtained from the fiscal office. Disbursement and expenditure data will be compiled for the Department of Education?s Quarterly Report by the submission deadline and will be submitted as PDF to webmaster for posting on PCC?s website and a copy emailed to a contact at the Department of Education and will archive the submission for future reference.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-072 MyUI+ and Connecting Colorado?Information Security Government Auditing Standards allow for information that is considered sensitive in nature, such as detailed information related to information technology system security, to be issued through a separate ?classified or limited use? report because of the potential damage that could be caused by the misuse of this information. We consider the specific technical details of this finding, along with the response, to be sensitive in nature and not appropriate for public disclosure. Therefore, the details of the following finding and response have been provided to the Department in a separate, confidential memorandum. The Department administers the federal Unemployment Insurance and Employment Service Cluster programs, and the Department relies on IT systems to aid with determining applicants? eligibility for the programs and to provide information necessary to meet federal reporting requirements. For these two programs, the associated systems are MyUI+ and Connecting Colorado. The Department is the business owner and works with the Governor?s Office of Information Technology (OIT) and two different external IT service providers. High level descriptions of the two systems are as follows: ? MyUI+ ? The Department?s system for UI eligibility determinations and calculation of UI payments to eligible recipients. According to Department staff, starting in Fiscal Year 2023, MyUI+ will also provide data necessary for federal reporting to the U.S. Department of Labor for the UI program that was previously generated by the Colorado Labor and Employment Accounting Resource system. ? Connecting Colorado ? The Department?s workforce case management, labor exchange, and federal reporting system that supports the Employment Service Cluster program. The system provides services for job seekers and businesses, as well as provides all required federal reporting to the U.S. Department of Labor, for the Employment Service Cluster programs. In order for the Department to achieve its objectives and respond to risks, including those related to the federal programs it administers, management should establish a strong framework of internal controls that also address information system controls. Specifically, information system controls typically start with management documenting IT policies that address IT general control responsibilities and procedures that document the more granular details on how to implement Department policies. These IT general control policies and procedures should include those policies and procedures that are specific to information security. Once policies and procedures have been formalized and communicated to staff responsible, specific internal control activities can be implemented and operationalized. What was the purpose of our audit work and what work was performed? The purpose of our Fiscal Year 2022 audit work was to determine whether the Department, OIT, and the Department?s two external IT service providers for MyUI+ and Connecting Colorado had policies and procedures related to information security, designed and implemented for MyUI+ and Connecting Colorado. Our audit work was performed through interviews conducted of Department and OIT staff. What problems did the audit work identify and how were the results of the audit work measured? During Fiscal Year 2022, we identified information security problems with the MyUI+ and Connecting Colorado systems. We have grouped these problems first by those common to the two systems and then those unique to each system. MyUI+ and Connecting Colorado Common Problems ? Policies and procedures were lacking. Department management had not established its expectations through the development and implementation of formalized policies and procedures related to information security general controls for MyUI+ and Connecting Colorado. o Standards for Internal Control in the Federal Government (Green Book) published by the U.S. Government Accountability Office (GAO) states in Paragraph 3.09, Documentation of Internal Control System, and 12.02, Documentation of Responsibilities through Policies, that management should develop and maintain documentation of its internal control system and document in policies the internal control responsibilities of the organization. Paragraph 11.06 and 11.07, Design Appropriate Types of Control Activities, states that management should design appropriate types of control activities in the entity?s information system, including information system general controls that facilitate the proper operation of the entity?s systems. o Colorado Information Security Policies (Security Policies or CISP) that are developed, published, and required to be followed by the Department and its external IT service providers state within the Policy and the General Responsibilities sections, specifically 8.3.1 and 8.3.2 for Business Owners or the Department, that all agencies, except for the institutions of higher education and the general assembly, as the business owner, must implement governance principles, which would include IT policies and procedures, for promoting data quality and integrity for its systems, as the business owner, and is responsible for following and adhering to all identified business owner requirements, as stated within the Security Policies. ? Vendor oversight was lacking. The Department had not ensured its IT service providers complied with Security Policies. o Security Policies state that IT service providers?defined as OIT and/or external service providers?must follow the Security Policy requirements, among certain other requirements, as communicated to the Department within the confidential finding. o Section C.iii. (Legal Authority ? Contractor Signatory, Information Technology Specific) of the Department?s contract with the Connecting Colorado IT service provider states: ??the contractor warrants that it will at all times comply with all Security Policies.? o Exhibit C, Section 1.C.vi. (Information Technology Provisions, Protection of System Data) of the Department?s contract with the MyUI+ IT service provider states: ??the contractor shall comply with all rules, policies, procedures, and standards issued by the Governor?s Office of Information Technology.? o The Green Book states in Paragraph OV4.01, Service Organizations, that management retains responsibility for the performance of processes assigned to service organizations. MyUI+ and Connecting Colorado Unique Problems We also found other problems with access management, unique to each MyUI+ and Connecting Colorado, that lacked compliance with Security Policies, OIT Cyber Policies, and the IRS?s, Publication 1075, Tax Information Security Guidelines for Federal, State, and Local Agencies, November 2021 Revision, and were communicated through the confidential finding. Why did these problems occur? Overall, the Department did not have sufficient IT governance and information security internal controls in place, including policies and procedures, to ensure that Department staff and its IT service providers complied with various data security compliance requirements set forth by OIT and the IRS, as well as those internal control principles established within the Green Book?s internal control framework. We discuss other specific causes for the problems we identified below: MyUI+ and Connecting Colorado ? Policies and procedures were lacking (MyUI+). Department staff stated that they followed and complied with the October 2021 dated Security Policies for the entire fiscal year, as these were more stringent than the March 2022 dated Security Policies. However, the Department did not provide documentation of a formal adoption of the October 2021 dated Security Policies. Staff also stated it maintains informal procedures of how to perform certain access management processes, but no standard operating procedures were in place. ? Policies and procedures were lacking (Connecting Colorado). Department staff had released a program guidance letter that addressed data security and access, but staff acknowledged that these program guidance letters are a guide and not official policy statements. In addition, the program guidance letter provided by Department staff was directed to the workforce centers that are located across the state that provide employment services to eligible beneficiaries and, therefore, did not provide any data security or access policies and procedures for state staff. ? Vendor oversight was lacking. We determined the Department did not have a vendor management process in place to hold its IT service providers accountable for contract provisions that required the IT service providers to comply with Security Policies, as demonstrated by the noncompliance issues we identified. In addition, and based on the March 2022 Security Policies, the Department has not determined whether contract amendments may be necessary with its two external IT service providers. ? Other Access Management Non-Compliance: o Department staff indicated that in one instance of non-compliance identified, a more efficient process was to not comply with the requirement. o Department staff stated that the certain access management non-compliance area was set up as it was during the COVID-19 pandemic to help prevent backlogs and issues for users during that time and was not subsequently changed. o Department staff did not update its rules for Connecting Colorado account management non-compliance area to reflect Security Policy changes. Specifically, we noted that OIT introduced the specific account management requirements in its Security Policies in February 2015, and those requirements remained constant through the March 2022 version; however, Department staff did not have a process in place to ensure periodic reviews of OIT?s Security Policies occurred and Department rules for the workforce centers appropriately aligned with any Security Policy changes. In addition, Department staff did not have a process in place to ensure its external IT service providers were complying with contract provisions to comply with Security Policy requirements. o Department staff stated they have not found cause to mandate IT service provider actions that are deemed privately owned business methodologies. However, and as noted above, the Department?s contract states that the external IT service provider must comply with OIT?s Security Policies that require specific security safeguards to be implemented by all IT service providers, including the Connecting Colorado external IT service provider. Why do these problems matter? The lack of established IT policies and procedures make it difficult for Department management to measure and hold staff accountable to management?s expectations, as well as ensuring risks are addressed and overall objectives and missions are fulfilled. In turn, without policies and procedures, staff may not perform processes and controls in a consistent manner. In addition, without holding vendors accountable and ensuring that strong security measures are designed, implemented, and operating effectively, the risk of unauthorized access increases and ultimately impacts data reliability of the data stored and processed within MyUI+ and Connecting Colorado. Lastly, without having a strong internal control framework in place, management cannot ensure that state and federal funds are being used appropriately, which may impact the Department?s compliance with federal grant requirements and/or the accuracy of the Department?s federal and financial reporting. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-072 The Department of Labor and Employment (Department) should improve its overall Information Technology (IT) governance and information security IT general controls, and work with its IT service providers, as applicable, for the MyUI+ and Connecting Colorado information systems by: A. Formalizing and communicating to Department staff and the Department?s IT service providers? IT policies that comply with the Business Owner requirements listed within the Governor?s Office of Information Technology?s (OIT) March 2022 Colorado Information Security Policies (Security Policies). As an option, the Department could formally adopt the October 2021 Security Policies, identify any gaps between the October 2021 and March 2022 versions, and then formalize and communicate policies that address the identified gaps. B. Formalizing and communicating IT procedures to provide guidance to Department staff and the Department?s IT service providers performing IT general control activities that further address the IT policies formalized in recommendation Part A. The formalization and communication should include an organizationally defined, periodic review process of OIT?s Security Policies to ensure the Department?s IT policies, procedures, and rules are updated accordingly to align with the most current version of the Security Policies. C. Formalizing a vendor management process that ensures the Department?s IT service providers are held accountable to contract provisions requiring compliance with Colorado Information Security Policies and IT policies and procedures formalized in recommendation Parts A and B. This should include a review of the Department?s current external IT service providers? contracts and a determination of whether amendments to those contracts are necessary, based on the formalization of recommendation Parts A and B. D. Implementing recommendation Part D as noted in the confidential finding. E. Implementing recommendation Part E as noted in the confidential finding. Response Department of Labor and Employment A. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. B. Agree Implementation Date: July 2023 The Department will formalize IT security policies and procedures to comply with the Business Owner requirements contained within the Governor's Office of Information Technology's (OIT) March 2022, Colorado Information Security Policies. The Department will further formalize a procedure for product owners to annually review the OIT Colorado Information Security Policies and ensure alignment with the formalized Department IT policies and update any affected formalized IT procedures. The Department will communicate the formalized policies and procedures to Department staff and IT Service Providers, and then any future changes, as deemed necessary. C. Agree Implementation Date: December 2023 CDLE agrees with the recommendation and as part of A and B recommendations of this document, the Department will include a requirement from vendors to affirm they have reviewed and will comply with OIT security policies for all new contracts. Furthermore, as the Department becomes aware of changes to OIT Security Policies through its annual review process, these will be communicated to the vendors, and they will be required to reaffirm their compliance with any applicable changes. We will work with our current vendors for MyUI+ and Connecting Colorado to address the compliance issues noted in the audit and ensure they are compliant with OIT Security Policies and IT policies developed in part A and B of this recommendation. If non-compliance is determined to be unavoidable, the Department will file for a security exception with OIT. D. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part D as noted in the confidential finding. E. Agree Implementation Date: June 2023 CDLE agrees with the recommendation and will implement recommendation Part E as noted in the confidential finding.
Finding 2022-071 Federal Funding Accountability and Transparency Act The Department is responsible for administering two programs as part of the Employment Service Cluster: Employment Service/Wagner Peyser Funded Activities (Wagner) [ALN 17.207], and Jobs for Veterans State Grant (JSVG) [ALN 17.801]. The main overall purpose of these programs is to improve the functioning of the nation's labor markets by bringing together individuals who are seeking employment and employers who are seeking workers. The Wagner program provides a variety of services to job seekers, including career services and job search assistances; in addition, employers can access the program to post job orders and obtain qualified applicants. The JSVG provides federal funding through a formula grant to State Workforce Agencies (SWAs), including the Department, to hire dedicated staff to provide individualized career and training-related service to veterans and eligible individuals with significant barriers to employment, and to assist employers in filling their workforce needs with job-seeking veterans. The Department administers the programs and also passes Employment Service Cluster funds through to Colorado counties so they can help provide these services to individuals. The Department is required to comply with the Federal Funding Accountability and Transparency Act of 2006 (Transparency Act or FFATA) for both programs within the Employment Service Cluster. The Transparency Act was created to empower Americans with the ability to hold the government accountable for each spending decision and, as a result, to reduce wasteful spending by the government. The Transparency Act requires the federal government to make certain information on federal awards available to the public. In accordance with the Transparency Act, the Department is required to report information about subgrants, or subawards, given to other governments or to nonprofit organizations, also referred to as subrecipients. Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the Department, to an entity to carry out part of a Federal grant award received by the pass-through entity. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? In Fiscal Year 2022, the Department made 11 subawards to 10 Colorado counties (subrecipients) for the Employment Service Cluster, $11.2 million in subawards to 10 counties for Wagner, and $45,116 in subawards to one county for JVSG, totaling $11.3 million. The Department is required to submit FFATA information through the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Once the Department submits a report to FSRS, the public can view information from the report, including the subrecipient?s name, subaward identification number, subaward obligation/action date, subaward amount, federal awarding agency and subagency, the Department?s name, and the Department?s grant award identification number. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the Department had adequate internal controls over and complied with FFATA reporting requirements for the Employment Service Cluster programs during Fiscal Year 2022. As part of our audit work, we requested the Department?s policies and procedures over FFATA reporting, the FFATA reports submitted by the Department in Fiscal Year 2022, and a list of all subawards made by the Department during Fiscal Year 2022. How were the results of the audit work measured? In accordance with federal regulations [2 CFR 170.330.l(a)], the Department is required to report subawards of $30,000 or more to FSRS by the end of the month following the month in which the award was made. For example, the Department would have to submit a FFATA report to FSRS in May 2022 if an award or supplemental award equal to or greater than $30,000 was made in April 2022. What problem did the audit work identify? Based on our audit work, we determined that the Department did not comply with FFATA reporting requirements for the Employment Cluster and did not report any subawards in FSRS for Fiscal Year 2022. Specifically, we determined that the Department did not report $11.21 million in subawards to 10 subrecipients (the counties) for Wagner, and $45,116 in subawards to one county for JVSG. The following tables summarize the results of our testing and groups each exception within the following categories: subaward not reported, report not timely, subaward amount incorrect, and subaward missing key elements. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Why did this problem occur? The Department was not aware of the FFATA reporting requirement because it did not review the federal grant agreements to determine that the requirement was applicable for the program. Why does this problem matter? By failing to properly report subawards to FSRS, the Department is out of compliance with federal reporting requirements and risks federal sanctions. In addition, it fails to meet the federal intent of transparency for federal program spending. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-071 The Department of Labor and Employment should implement appropriate internal controls and related processes, such as detailed reviews of federal grant agreements, over the Employment Service Cluster to ensure that it is aware of, and in compliance with all federal reporting requirements, including requirements under the Federal Funding Accountability and Transparency Act of 2006. Response Department of Labor and Employment Agree Implementation Date: February 2023 By the implementation date, the Department of Labor and Employment (CDLE) will complete a review of grant agreements for reporting requirements, including the Federal Funding Accountability and Transparency Act of 2006. By the implementation date, the CDLE will develop and implement appropriate controls and processes to come into compliance with the reporting requirements and submit FFATA reports for the 10 entities identified in the audit.
Finding 2022-076 Compliance with Federal Subrecipient Monitoring Requirements The Department receives federal grant funds directly from the federal government for the Highway Planning and Construction Program (Program) and then subgrants, or passes through, a portion of the funds to cities and counties and other organizations that are considered to be either a subrecipient or a contractor. A subrecipient is a non-federal entity that expends federal awards received from a pass-through entity to carry out a federal program, but does not include an individual that is a beneficiary receiving direct payments from such a program. A contractor is a dealer, distributor, merchant, or other seller providing goods or services that are required to conduct a federal program; these goods or services may be for an organization?s own use or for the use of beneficiaries of the federal program. The Department executes an Intergovemental Agreement (IGA) between the Department and the subrecipient. Under Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), the Department is responsible for evaluating each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward and for ultimately ensuring the subrecipient is determined eligible. In some instances, in coordination with the Federal Highway Association (FHWA), a Metropolitan Planning Organization (MPO)? rather than the primary recipient, such as the Department?is responsible for performing eligibility determinations. As such, in those instances, the Department does not perform risk-assessments on these contracts and only is responsible for on-going monitoring. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department had effective internal controls in place and complied with subrecipient monitoring activities for the Program during Fiscal Year 2022. As part of our audit work, we reviewed the Department?s internal controls over compliance for subrecipient monitoring requirements for the Program, including the Department?s policies and procedures. We tested a random sample of 25 of the Department?s 92 subrecipients (27 percent) for the Program?for which the Department had an IGA in place during Fiscal Year 2022?to determine whether subrecipient monitoring procedures performed by Department staff during the year were compliant with federal regulations. Our testing included evaluating whether the Department performed risk assessments and determined the appropriate level of subrecipient monitoring for the entities, as required by federal Uniform Guidance. How were the results of the audit work measured? Our audit work was designed to measure the Department?s compliance with the following criteria: ? Federal regulations [2 CFR 200.303] state that the Department, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? ? Federal regulations [2 CFR 200.332(b)] also state that the Department must evaluate each subrecipient?s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward and may include various factors. ? Federal regulations [2 CFR 200.332(d) through (f)] and [2 CFR 200.521] further require the Department to monitor the activities of its subrecipients, as necessary, to ensure that each subaward is used for authorized purposes, the subrecipient complies with the terms and conditions of the subaward, and that the subrecipient achieves performance goals. The Department?s monitoring must include: o Reviewing financial and programmatic reports submitted by the subrecipient o Following-up on and ensuring the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award o Issuing a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity What problems did the audit work identify? We determined that the Department did not comply with subrecipient monitoring requirements for the Highway Planning and Construction Program during Fiscal Year 2022, as noted below: ? The Department did not perform a risk assessment for 6 of the 25 subrecipients (24 percent) we tested, including subrecipients where eligibility was determined by a MPO. ? The Department improperly included one vendor in our population of subrecipients. The nature of services provided by the vendor was personal services, therefore, did not require the execution of an IGA. ? The Department did not provide supporting documentation for reviews of any Fiscal Year 2022 financial and programmatic reports. As a result, we were unable to determine if any reviews were conducted during the fiscal year, as required. Why did these problems occur? While the Department has created a subrecipient monitoring and risk assessment manual, the manual lacks clarity in a variety of areas, including the following: ? For contracts which extend over multiple fiscal years, the policies do not specify the frequency in which subrecipient risk-assessment should be reviewed or updated. ? There are multiple types of subrecipient contracts for which the full risk-assessment process may not be applicable, however, the current policies do not address acceptable exceptions to the policy. ? The Department?s current policies do not include guidance related to the review of financial and programmatic reports, including the extent to which required programmatic and financial reports should be obtained and reviewed. ? The Department?s policies and procedures do not clearly indicate that the Department is not required to complete a risk assessment when an MPO determines eligibility and therefore the nature of monitoring procedures to be performed is not defined. ? Requested audit documentation was not provided timely. Further, the Department did not provide sufficiently-detailed training to staff to ensure they were aware of and conducted required subrecipient monitoring responsibilities. Why do these problems matter? Performing timely and appropriate monitoring of subrecipients provides the Department with a method to ensure its subrecipients are complying with applicable federal grant requirements. By taking appropriate actions based on the results of its subrecipient monitoring activities, the Department can mitigate the risk of providing continuing funding to entities that may not be using funds in accordance with program requirements. Overall, the Department?s failure to comply with federal requirements could result in a loss of funding from the federal government. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-076 The Department of Transportation should strengthen internal controls over and ensure that it complies with federal subrecipient monitoring requirements for the Highway Planning and Construction program by: A. Updating its current subrecipient monitoring and risk assessment policy to clarify the frequency in which a risk assessment is required to be completed or updated, as applicable for contracts that span multiple fiscal years, as well as direction regarding when it is acceptable to forgo performing a risk assessment and updating the policy to address the nature in which subrecipient programmatic and financial reports are reviewed B. Providing training to staff responsible for subrecipient monitoring activities related to the policies updated in Part A of the finding. Response Department of Transportation A. Agree Implementation Date: November 2023 The Department will update the policy to clarify the frequency in which the risk assessment is required to be completed or updated as applicable for contracts that span multiple fiscal years, as well as identifying exceptions, outlining when it is acceptable to forgo risk assessments. The Department will also update the policy to address the nature in which the subrecipient programmatic and financial reports are reviewed. The updates will be completed by November 2023. B. Agree Implementation Date: November 2023 The Department will provide training on the subrecipient monitoring policy manual to outline roles, responsibilities and the frequency of risk assessments that span over multiple fiscal years. The training will also provide guidance on the programmatic and financial information review process.
Finding 2022-077 Cash Management The Department operates on a reimbursement basis with the federal government for a portion of its federal grant programs, expending state dollars for the federal programs prior to requesting reimbursement for the appropriate federal share. The reimbursement process is governed by the Cash Management Improvement Act of 1990 (CMIA) and 31 CFR Part 205 Part B, Rules and Procedures for Efficient Federal-State Funds Transfers (Transfer Rules), which prescribe specific methods and timeframes for drawing down federal funds. The purpose of CMIA and the Transfer Rules is to minimize the time period from when the State makes an expenditure for a federal program and when the federal reimbursement is received, so that neither the State nor the federal government incurs a loss of interest on the funds. This timeframe for requesting reimbursement is referred to as the ?draw pattern.? Under CMIA, the State must enter into a formal agreement, referred to as the ?Treasury-State Agreement,? (Agreement) with the U.S. Department of the Treasury to establish reimbursement schedules for selected federal programs that have been awarded to the State. In Colorado, the Department of Treasury (Treasury), on behalf of all departments in the State, enters into the Agreement with the U.S. Department of the Treasury. For Fiscal Year 2022, Colorado?s CMIA Agreement included 10 programs administered by various state agencies. The Department has one federal program that is included in the Agreement. Specifically, the Department?s Highway Planning and Construction [ALN 20.205] is included in this Agreement. During Fiscal Year 2022, the Department expended $510.0 million in Highway Planning and Construction funds. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to review the Department?s internal controls over its cash draw process and to determine whether the Department was in compliance with CMIA for the Highway Planning and Construction program during Fiscal Year 2022. As part of our audit, we tested the Department?s internal controls and compliance over its cash management process for the Highway Planning and Construction program. We tested a sample of 25 expenditures and the related draws the Department made for the program during Fiscal Year 2022 and calculated the number of days between each sampled expenditure and related federal draw and compared our results to the CMIA requirements in place at the time the draw occurred. Within our sample, draws for nine of the expenditures were performed prior to October 13, when the 4-day draw pattern was in place; draws for 16 expenditures were performed after October 13 on the 5-day pattern. How were the results of the audit work measured? Under CMIA rules, draw patterns should be interest-neutral between the State?s expenditure and receipt of federal funds. We compared the results of our testwork against the regulations within the CMIA for payments clearing the State?s bank that should result in the receipt of the federal reimbursements within specific timeframe as noted below: The Agreement in place at the beginning of Fiscal Year 2022 specified a 4-day draw pattern for Highway Planning and Construction. Therefore, the time between when the Department?s expenditure was made and when federal funds were received should have been 4 days. In October 2021, however, the Department requested the draw pattern be changed from 4 days to 5 days. This request was approved by the U.S. Department of the Treasury on October 13, 2021. What problem did the audit work identify? We determined that the Department did not comply with the approved cash management draw patterns contained in the Agreements for the Highway Planning and Construction program for Fiscal Year 2022. Overall, 8 of the 25 draws (32 percent) were not made in accordance with the applicable Agreement, as follows: ? We noted that 6 of the 16 draws (38 percent) were not performed on the 5-day approved draw pattern in place after October 13, 2021 and instead, were performed on a 4-day draw pattern. ? We also noted that 2 of the 9 draws (22 percent) sampled from the first Agreement were not completed in accordance with the 4-day approved draw pattern in place prior to October 13, 2021 and, instead, were performed on a 5-day draw pattern. Why did this problem occur? The Department did not have appropriate internal controls over its federal grant cash management process during Fiscal Year 2022. Specifically, the Department conducted an analysis on the draw pattern for Highway Planning and Construction in early Fiscal Year 2022 and determined that its draws were occurring within 5 rather than 4 days, so the Department requested and received approval from the U.S. Department of the Treasury to change from a 4 day draw pattern to a 5-day draw pattern; however, the Department did not properly communicate the change in the Agreement for the Highway Planning and Construction?s draw pattern to the primary individuals responsible for preparing and approving the draws. As a result, the billing procedure was not updated to reflect the change in draw pattern, which led to the draws being out of compliance with the approved CMIA draw pattern. Why does this problem matter? The timing of draws for requesting federal funds impacts the interest neutral requirements under the CMIA. By drawing funds early, the Department creates a risk that the State my ultimately owe interest charges to the federal government. Further, the Department?s lack of strong cash management internal controls may result in delays in the identification of expenditures for which reimbursement has not been requested and therefore, funds upon which the State has lost interest. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-077 The Department Transportation (Department) should strengthen its internal controls and processes over and ensure that it complies with federal Cash Management Improvement Act requirements for the federal Highway Planning and Construction Program (Program) by: A. Ensuring that Department personnel responsible for preparing and reviewing the cash draw requests are adequately informed of the draw pattern applicable for the current fiscal year, including any federally-approved changes that occur during the year. B. Establishing procedures that specify draw request dates in relation to Program expenditures that ensure required draw patterns are met. Response Colorado Department of Transportation A. Agree Implementation Date: March 2023 The Department will enhance its internal controls and processes to ensure it complies with the federal Cash Management Improvement Act requirements for the federal Highway Planning and Construction Program (Program) by ensuring personnel responsible for preparing and reviewing the cash draw requests are adequately informed of the draw pattern for the applicable fiscal year in which the draws occur including federally-approved changes during the year. Personnel responsible for the draw will review the approved draw letter from the State Treasury with a secondary verification on the Federal Site, www.fiscal.treasury.gov/cmia/resources-treasury-state-agreements.hmtl for the specified timeframe before conducting the draw. B. Agree Implementation Date: March 2023 The Department will enhance its internal controls and processes to ensure it complies with federal Cash Management Improvement Act requirements for the federal Highway Planning and Construction Program (Program) by establishing and maintaining formal procedures that specify the draw request dates in relation to the program expenditures to ensure required draw patterns are met. The process to implement changes to the cash draw pattern will be added to the draw procedure by March 2023.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-064 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide emergency financial assistance to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the University under the Higher Education Emergency Relief Fund (HEERF I) Program. The federal Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the federal American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Each of the University?s campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (DOE) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements of the HEERF program there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The DOE specified that the Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The University?s campuses are required to submit the annual report directly to the DOE. During Fiscal Year 2022, each University campus was required to complete and post 8 reports (four Student Aid and four Institutional) to their website. During Fiscal Year 2022, the University?s three campuses in total expended approximately $60 million in HEERF grant funds: $27 million was expended by the Boulder campus, $10.5 million was expended by the Colorado Springs campus, and $22.5 million was expended by the Denver campus. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over and complied with the HEERF grant reporting requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls over the HEERF grant reporting requirements. In addition, we tested 11 of the 12 student reports and 3 of the 12 institutional reports posted by the University during Fiscal Year 2022 to determine whether the University campuses posted the required information on each campus? website accurately, and by the federal due dates. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? The DOE issued a notice on May 13, 2021, requiring institutions to publicly post their required HEERF reports on the institution?s website as soon as possible, but no later than 30 days after the publication of the notice, or 30 days after the date the DOE first obligated funds under HEERF I, II, or III to the institution for emergency financial assistance to students; whichever comes later. The institution is required to post the report no later than 10 days after the end of each calendar quarter, after the initial posting. ? Federal regulation [2 CFR 200.303] states that the System?s campuses, as federal grant recipients, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? What problem did the audit work identify? We identified 2 out of the 14 reports tested (14.3 percent) that did not meet the HEERF grant report posting requirements. Specifically, the University of Colorado, Colorado Springs Campus, did not post the required information for the HEERF Student Aid Portion on its website for two of four quarters of Fiscal Year 2022 timely. First, the University posted the quarter-ending September 30, 2021 report to its website on December 23, 2021, or 74 days after the deadline of October 10. Second, the University did not post the quarter-ending March 31, 2022 report, which was due April 10, 2022, until October 2022, after we notified them of the error; this was approximately 6 months late. We did not identify any issues with the accuracy of the reports, and we found that the other two campuses in the University of Colorado System posted the required information on their respective websites as required by federal regulations. Why did this problem occur? The University?s Colorado Springs campus did not have adequate internal controls in place to ensure it complied with the HEERF grant reporting requirements. Specifically, the Colorado Springs Campus did not have appropriate policies and procedures in place for identifying and researching changes in HEERF reporting requirements. The federal government updated and provided a new form for HEERF reporting in September 2021 that included a section for institutional information but inadvertently excluded student information from the form. Because the form no longer required the student information, the Colorado Springs campus staff inaccurately assumed that the student information was no longer required to be reported. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in the DOE Certification and Agreement that is signed and agreed to by the University. By failing to report required information in accordance with federal regulations, the University failed to comply with the requirements of the HEERF program and potentially risks repercussions from the DOE as specified in the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-064 The University of Colorado?s Colorado Springs campus should strengthen its internal controls over and ensure that it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by establishing policies and procedures for identifying and researching changes in HEERF reporting requirements and posting reports to the campus website as required by federal regulations. Response University of Colorado Agree Implementation Date: Implemented Management agrees. After the notification of the missing HEERF report in December 2021, the UCCS Controller proposed a ?cross-check? process to ensure all future reporting is in compliance and reported in a timely manner. This process is used for both the quarterly and annual reporting process. In the quarterly reporting process, the UCCS Controller completes the institutional report and emails the report to the UCCS Financial Aid office Senior Executive Director for verification of the amounts and the data submitted. The Senior Executive Director then enters the student aid portion?s information and provides this to the UCCS Controller for verification of the data. Once verified, the report is uploaded to the UCCS website and a confirmation email is sent to the UCCS Controller as well as the heerfreporting@ed.gov for verification of completion of the website posting. This process has been duplicated with the annual reporting process. Before the annual report is submitted a review will be done to verify the report figures match the CU financials for the calendar year.
Finding 2022-062 Higher Education Emergency Relief Fund Student Aid Finding The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to higher education institutions, including the University, under the HEERF program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA) was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. Since March 11, 2021, the University has been awarded $45.6 million in HEERF grant funds through the American Rescue Plan (ARP), otherwise known as HEERF III. Of this award, the University was provided both 1) Student Aid monies, along with 2) Institutional Aid monies. Student Aid monies must be used to provide financial aid grants to students (including students exclusively enrolled in distance education), which may be used for ?any component of the student?s cost of attendance or for emergency costs that arise due to coronavirus, such as tuition, food, housing, healthcare (including mental health care), or childcare. Institutional Aid monies may be used to defray expenses associated with coronavirus (including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll) and to make additional financial grants to students. During Fiscal Year 2022, the University spent $21.0 million for the Student Aid portion and $20.2 million for the Institutional portion of HEERF III funds. For the Student Aid portion of the HEERF III funding, the University divided the funding into different groups. The University developed a written plan (that applied during Fiscal Year 2022) for each group and a control process for awarding the monies to students. One of the groups of funding was to be awarded to students with unpaid balances in their tuition or auxiliary accounts with past due balances incurred during the 2020-2021 or 2021-2022 academic years. A team of University employees (CARES Team) was tasked with identifying those students, then contacting those students and asking if they would like the University to apply the student?s HEERF award to pay down the student?s account balance or pay it to the student directly. Once the student informed the University of their election, then the University awarded and disbursed the funds. What was the purpose of our audit work and what was performed? The purpose of the audit work was to determine whether the University was in compliance with the HEERF program regulations for awarding and paying the Student Aid portion of the HEERF funding, and whether proper controls were in place over the program during Fiscal Year 2022. Our testing included conducting interviews with management and selecting a sample of 60 disbursements made to students during Fiscal Year 2022 to test controls and compliance. We performed testing on the 60 disbursements to determine whether awards and disbursements were made in accordance with the University?s documented plan. How were the results of the audit work measured? In accordance with HEERF III requirements, the University must prioritize student aid distributions to students with exceptional needs. In addition, the University must have a documented plan to distribute funds to students. Federal regulations [2 CFR 200.303] require any non-federal grant award recipient to establish and maintain effective internal control over the federal award that provides reasonable assurance that the grant award recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. Lastly, student aid application best practices discourage employees from awarding aid to family members. What problem did the audit work identify? Based on interviews with University management, the University identified that a University employee inappropriately provided $700 in HEERF Student Aid funding to the employee?s family member who was a student at the University but was not eligible to receive the funds. Specifically, the CARES Team selected students to receive these funds that met the following criteria: 1) Student was enrolled in the Fall of 2021 or Spring 2022, 2) student had past due balances incurred during the 2020-2021 or 2021-2022 academic years, 3) the student was in good academic standing, and 4) they were participating in a payment plan or in the College Completion Advising program. The student was not selected by the CARES Team as eligible to receive these funds. During our testing of additional 60 student disbursement transactions we found no other exceptions. Why did this problem occur? The University has not established proper segregation of duties to prevent University employees from awarding federal funding to a member of their family. Specifically, the employee had access rights within the University?s financial aid system that granted the employee the ability to both award and disburse federal funds without another employee reviewing or approving. In addition, the University did not have a written policy, as recommended by industry best practices, that prohibits employees from applying aid to family members? accounts. Why does this problem matter? Federal funds that are misapplied or used for unallowable purposes could be subject to repayment from the University to the federal granting agency. Without ensuring adequate segregation of duties within the University?s financial aid system for awarding and disbursing federal funds, the University increases the risk that fraud could occur. In the instance identified, the University recovered the funding from the student. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-062 Metropolitan State University of Denver (University) should improve its internal controls over federal Higher Education Emergency Relief Funds by instituting appropriate segregation of duties over the awarding of federal funds to students. This should include requiring that no one employee can both award then disburse aid to students and developing and implementing a formal written policy that prohibits University employees from awarding financial aid to their family members. Response Metropolitan State University Agree Implementation Date: June 2023 In January 2023, the Executive Director of Financial Aid and Scholarships implemented a code of conduct that addresses and prohibits University personnel from awarding financial aid to their family members or other persons considered conflicts of interest. The Office of Financial Aid and Scholarships will draft policy by June 30, 2023, to address the segregation of duties that prohibits awarding and disbursing federal, state, or institutional funding to students by one employee.
Finding 2022-063 Higher Education Emergency Relief Fund Reporting Compliance Finding The CARES Act was signed into law on March 27, 2020, and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the (HEERF Program. CRRSAA was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Since April 2020, the University has been awarded a total of $86.3 million in HEERF funding. From inception through June 30, 2022, the University spent $35.4 million for the HEERF program Student Aid Portion and $48.9 million for the HEERF program Institutional Portion. The University reports that it will spend the remaining amount of funding during Fiscal Year 2023. The University signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate the University?s acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The ED specified that Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The annual report is to be submitted directly to the federal ED. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University had adequate internal controls in place over and complied with HEERF Institutional and Student Aid Portion grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the University?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 5 of the 8 HEERF reports submitted by the University during Fiscal Year 2022 to determine whether the reports were posted on the University?s primary website or submitted directly to the ED by the federal due dates and complied with federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? For the Student Aid Portion, beginning on May 6, 2020, the ED required institutions to publicly post certain information on their website, including the number of awards distributed to students, the total amount awarded, and the methodologies used by the institution to determine which students receive awards, no later than 30 days after the award date, and to update that information every 45 days thereafter (by posting a new report). ? On August 31, 2020, the ED revised the reporting requirement by decreasing the frequency of reporting after the initial 30-day period from every 45 days thereafter to every calendar quarter. This revision from every 45 days to a calendar quarter was effective for the first calendar quarter report due by October 10, 2020, and covering the period from after the institution?s last report through the end of the calendar quarter on September 30, 2020. ? For the Institutional Portion, a federal form filled out by the institution must be posted on the institution?s website covering aggregate expenditure amounts for each calendar quarter (September 30, December 31, March 31, and June 30) and concluding after an institution has spent the institutional portion of their HEERF Funds. The institution must post their first report by October 30, 2020, the first quarter of 2021 report by July 20, 2021, and post all other reports no later than 10 days after the end of each calendar quarter (October 10, January 10, April 10, and July 10). ? Section 18004(e) of the CARES Act and Section 314(e) of the CRRSAA require an institution receiving funds under HEERF to submit a report to the Secretary of the ED at ?such time in such a manner as the Secretary may require?. ? Federal regulation [2 CFR 200.334] states that ?financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.? The instructions for the Quarterly HEERF Reporting Form notes, ?any changes or updates after the initial posting must be conspicuously noted after initial posting and the date of the change must be noted in the `Date of Report? line.? ? Federal regulation [2 CFR 200.303] states that the University, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The University signed a HEERF Certification and Agreement to accept the funding and acknowledge its responsibilities under the grant; therefore, the University was responsible under the Agreement to ensure that it complied with HEERF reporting and other requirements. What problems did the audit work identify? We determined that 2 out of 5 reports tested (40 percent) did not meet the HEERF grant report posting requirements. Specifically: ? The University did not post the HEERF CRRSAA Student quarterly report for the quarter ending September 30, 2021 on the University?s primary website, as required. ? The University published the HEERF ARP Student quarterly report for the quarter ending March 31, 2022 on May 26, 2022?46 days past the due date of April 10, 2022. No issues were noted on the accuracy of the financial information on this report. Why did these problems occur? The University did not implement adequate internal controls to ensure it complied with the HEERF grant reporting requirements. Specifically, the University did not have appropriate policies and procedures in place to ensure that staff submit the required reports within federally required timeframes. Why do these problems matter? Federal oversight agencies, including ED, depend on accurate reports to measure program results and states? compliance with federal requirements. By failing to report the HEERF spending information in accordance with federal regulations, the University failed to comply with the requirements of the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-063 Metropolitan State University of Denver (University) should strengthen its internal controls over reporting and ensure it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by developing and documenting policies and procedures for identifying and researching the specific reporting requirements and ensuring that staff post to the University?s website the required reports within federally required timeframes. In addition, the University should ensure that all the HEERF reports that are currently required to be posted are on the website. Response Metropolitan State University Agree Implementation Date: December 2022 In December 2022, the Office of Financial Aid strengthened its internal control over the reporting requirements for the Higher Education Emergency Relief Fund (HEERF), by adding the report due dates to the internal operational calendar. Additional level reviews were also added to the submission process before the required reports will be sent to the Department of Education and posted on the financial aid website.
Finding 2022-059 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF I) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund (Assistance Listing No. 84.425). The HEERF program contains two portions: the Student Aid portion (Assistance Listing No. 84.425E) and the Institutional portion, which is made up of the following: HEERF Institutional Aid Portion (Assistance Listing No. 84.425F), HEERF Minority Serving Institutions (Assistance Listing No. 84.425L), HEERF Strengthening Institutions Program (Assistance Listing No. 84.425M), Institutional Resilience and Expanded Postsecondary Opportunity (Assistance Listing No. 84.425P), and HEERF Supplemental Assistance to Institutions of Higher Education program (Assistance Listing No. 84.425S). Amounts provided to students through HEERF are considered to be ?Emergency Financial Aid Grants to Students? under the Program. Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent approximately $97.8 million for the HEERF program Student Aid portion which is used to award Emergency Financial Aid Grants to students and $113.9 million for the HEERF Institutional Portion, which is used to support the colleges. $117.3 of this amount was expended by the System during Fiscal Year 2022. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the ED to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The annual report is to be submitted directly to the ED. The ED has specified certain criteria that must be included in each report. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System had adequate internal controls in place over, and complied with, the HEERF Institutional and Student Aid grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the System?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 25 of the 117 HEERF reports submitted by the System?s campuses during Fiscal Year 2022 to determine whether the reports were posted on each campus? primary website (quarterly reports) or submitted to ED (annual reports) by the federal due dates. Furthermore, for the Student Aid Quarterly Report we requested from each Campus the underlying support for the reports, which consisted of student data detailing how much aid was awarded and the methods the campuses used to determine which students would receive Emergency Financial Aid Grants. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? On May 13, 2021, the ED published in the Federal Register a notice for student aid public reporting under CRRSAA and ARP, which requires that institutions publicly post certain information on their website. The following information must appear in a format and location that is easily accessible to the public: o An acknowledgement that the institution signed and returned to the ED the Certification and Agreement and the assurance that the institution has used the applicable amount of funds designated under the CRRSAA and ARP programs to provide Emergency Financial Aid Grants to Students. o The total amount of funds that the institution will receive or has received from the ED pursuant to the institution's Certification and Agreement for Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total amount of Emergency Financial Aid Grants distributed to students under the CRRSAA and ARP programs as of the date of submission (i.e., as of the initial report and every calendar quarter thereafter). o The estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total number of students who have received an Emergency Financial Aid Grant to students under the CRRSAA and ARP programs. o The method(s) used by the institution to determine which students receive Emergency Financial Aid Grants and how much they would receive under the CRRSAA and ARP programs. o Any instructions, directions, or guidance provided by the institution to students concerning the Emergency Financial Aid Grants. ? Federal Uniform Guidance [2 CFR 200.303] requires that recipients of federal awards have internal controls in place to ensure that federal reports are accurate and report complete information. Appropriate supporting documentation is evidence of such internal controls. What problems did the audit work identify? We identified issues with 5 of the 25 Fiscal Year 2022 reports we tested (20 percent). Specifically, Front Range Community College (FRCC), Pueblo Community College (PCC), and Lamar Community College (LCC) could not provide appropriate supporting documentation for one or more of the following data elements in five of the Student Aid Quarterly Reports: student data detailing (a) the total amount of Emergency Financial Aid Grants distributed to students, (b) the total number of students eligible to receive Emergency Financial Aid Grants and/or (c) the total number of students at the institution who have received an Emergency Financial Aid Grant. The specific issues we found the following: ? FRCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended September 30, 2021 as 20,684; based on our review, we determined the supported number was 20,782. ? FRCC reported the total number of students at the institution who have received an Emergency Financial Aid Grant for the quarter ended June 30, 2022 as 20,385 (student portion) and 3,207 (institutional portion); based on our review, we determined the supported numbers were 20,401 and 3,222, respectively. ? LCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended June 30, 2022 as 1,007; based on our review, we determined the supported number was 1,034. In addition, the amount disbursed directly to student emergency financial aid grants to date was reported as 961 and total for all HEERF funds was 1,124; based on our review, we determined the supported numbers were 988 and 1,151, respectively. ? PCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarters ending September 30, 2021 and December 31, 2021 as 3,191; based on our review, we determined this amount could not be supported and PCC did not provide a revised count. Why did these problems occur? FRCC, PCC, and LCC campuses did not have procedures in place to ensure that supporting documentation was maintained for its Student Aid Quarterly Reporting. Employee turnover in the FRCC Controller position and FRCC, PCC, and LCC Student Financial Aid Director positions further contributed to FRCC, PCC, and LCC?s inability to locate or recreate the supporting documentation. Why do these problems matter? It is important for FRCC, PCC, and LCC to ensure that they obtain and maintain appropriate documentation to support amounts reported to federal awarding agencies, especially when they are the basis for determining FRCC, PCC, and LCC?s compliance with specific federal program requirements. This issue could lead to inaccurate federal reporting and potential noncompliance, which could result in the federal government requiring FRCC, PCC, and LCC to return funds or a negative impact to the System?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-059 Front Range Community College, Lamar Community College, and Pueblo Community College campuses should strengthen their internal controls over federal reporting and ensure they comply with the Higher Education Emergency Relief Fund reporting requirements by reviewing reports for accuracy and developing procedures for ensuring the required maintenance of all related supporting documentation. Response Front Range Community College Agree Implementation Date: September 2022 Moving forward the Director of Financial Aid will engage the Restricted Funds Accountants in a quality assurance review of both dollars spent, type of fund, and student counts before it is submitted for final review and publishing by the Director of Resource Development and Senior Grant Administrator. The most recently submitted information for the quarterly report of September 30, 2022 will be sent to the Restricted Funds Accountants to validate that FRCC has been and will continue to be in compliance for quarterly HEERF reporting. Response Lamar Community College Agree Implementation Date: July 2022 The Financial Aid Director and the Controller will compile their reporting support on the shared drive they utilize for other routine purposes as well, to ensure clear documentation of the numbers reported. The original report containing errors was corrected, validated, and reposted. All past year?s reporting data was made available on the shared drive as of July 2022. Response Pueblo Community College Agree Implementation Date: October 2022 Each quarter Financial aid will obtain and compare Cognos and Banner disbursement reports for accuracy. Once the unduplicated student count is determined it will be sent to the Vice President of Student Success to validate and approve going forward. Financial aid will ensure staff maintain supporting documentation for any institutional expenditures information that was obtained from the fiscal office. Disbursement and expenditure data will be compiled for the Department of Education?s Quarterly Report by the submission deadline and will be submitted as PDF to webmaster for posting on PCC?s website and a copy emailed to a contact at the Department of Education and will archive the submission for future reference.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-064 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide emergency financial assistance to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the University under the Higher Education Emergency Relief Fund (HEERF I) Program. The federal Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the federal American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Each of the University?s campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (DOE) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements of the HEERF program there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The DOE specified that the Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The University?s campuses are required to submit the annual report directly to the DOE. During Fiscal Year 2022, each University campus was required to complete and post 8 reports (four Student Aid and four Institutional) to their website. During Fiscal Year 2022, the University?s three campuses in total expended approximately $60 million in HEERF grant funds: $27 million was expended by the Boulder campus, $10.5 million was expended by the Colorado Springs campus, and $22.5 million was expended by the Denver campus. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over and complied with the HEERF grant reporting requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls over the HEERF grant reporting requirements. In addition, we tested 11 of the 12 student reports and 3 of the 12 institutional reports posted by the University during Fiscal Year 2022 to determine whether the University campuses posted the required information on each campus? website accurately, and by the federal due dates. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? The DOE issued a notice on May 13, 2021, requiring institutions to publicly post their required HEERF reports on the institution?s website as soon as possible, but no later than 30 days after the publication of the notice, or 30 days after the date the DOE first obligated funds under HEERF I, II, or III to the institution for emergency financial assistance to students; whichever comes later. The institution is required to post the report no later than 10 days after the end of each calendar quarter, after the initial posting. ? Federal regulation [2 CFR 200.303] states that the System?s campuses, as federal grant recipients, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? What problem did the audit work identify? We identified 2 out of the 14 reports tested (14.3 percent) that did not meet the HEERF grant report posting requirements. Specifically, the University of Colorado, Colorado Springs Campus, did not post the required information for the HEERF Student Aid Portion on its website for two of four quarters of Fiscal Year 2022 timely. First, the University posted the quarter-ending September 30, 2021 report to its website on December 23, 2021, or 74 days after the deadline of October 10. Second, the University did not post the quarter-ending March 31, 2022 report, which was due April 10, 2022, until October 2022, after we notified them of the error; this was approximately 6 months late. We did not identify any issues with the accuracy of the reports, and we found that the other two campuses in the University of Colorado System posted the required information on their respective websites as required by federal regulations. Why did this problem occur? The University?s Colorado Springs campus did not have adequate internal controls in place to ensure it complied with the HEERF grant reporting requirements. Specifically, the Colorado Springs Campus did not have appropriate policies and procedures in place for identifying and researching changes in HEERF reporting requirements. The federal government updated and provided a new form for HEERF reporting in September 2021 that included a section for institutional information but inadvertently excluded student information from the form. Because the form no longer required the student information, the Colorado Springs campus staff inaccurately assumed that the student information was no longer required to be reported. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in the DOE Certification and Agreement that is signed and agreed to by the University. By failing to report required information in accordance with federal regulations, the University failed to comply with the requirements of the HEERF program and potentially risks repercussions from the DOE as specified in the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-064 The University of Colorado?s Colorado Springs campus should strengthen its internal controls over and ensure that it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by establishing policies and procedures for identifying and researching changes in HEERF reporting requirements and posting reports to the campus website as required by federal regulations. Response University of Colorado Agree Implementation Date: Implemented Management agrees. After the notification of the missing HEERF report in December 2021, the UCCS Controller proposed a ?cross-check? process to ensure all future reporting is in compliance and reported in a timely manner. This process is used for both the quarterly and annual reporting process. In the quarterly reporting process, the UCCS Controller completes the institutional report and emails the report to the UCCS Financial Aid office Senior Executive Director for verification of the amounts and the data submitted. The Senior Executive Director then enters the student aid portion?s information and provides this to the UCCS Controller for verification of the data. Once verified, the report is uploaded to the UCCS website and a confirmation email is sent to the UCCS Controller as well as the heerfreporting@ed.gov for verification of completion of the website posting. This process has been duplicated with the annual reporting process. Before the annual report is submitted a review will be done to verify the report figures match the CU financials for the calendar year.
Finding 2022-062 Higher Education Emergency Relief Fund Student Aid Finding The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to higher education institutions, including the University, under the HEERF program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA) was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. Since March 11, 2021, the University has been awarded $45.6 million in HEERF grant funds through the American Rescue Plan (ARP), otherwise known as HEERF III. Of this award, the University was provided both 1) Student Aid monies, along with 2) Institutional Aid monies. Student Aid monies must be used to provide financial aid grants to students (including students exclusively enrolled in distance education), which may be used for ?any component of the student?s cost of attendance or for emergency costs that arise due to coronavirus, such as tuition, food, housing, healthcare (including mental health care), or childcare. Institutional Aid monies may be used to defray expenses associated with coronavirus (including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll) and to make additional financial grants to students. During Fiscal Year 2022, the University spent $21.0 million for the Student Aid portion and $20.2 million for the Institutional portion of HEERF III funds. For the Student Aid portion of the HEERF III funding, the University divided the funding into different groups. The University developed a written plan (that applied during Fiscal Year 2022) for each group and a control process for awarding the monies to students. One of the groups of funding was to be awarded to students with unpaid balances in their tuition or auxiliary accounts with past due balances incurred during the 2020-2021 or 2021-2022 academic years. A team of University employees (CARES Team) was tasked with identifying those students, then contacting those students and asking if they would like the University to apply the student?s HEERF award to pay down the student?s account balance or pay it to the student directly. Once the student informed the University of their election, then the University awarded and disbursed the funds. What was the purpose of our audit work and what was performed? The purpose of the audit work was to determine whether the University was in compliance with the HEERF program regulations for awarding and paying the Student Aid portion of the HEERF funding, and whether proper controls were in place over the program during Fiscal Year 2022. Our testing included conducting interviews with management and selecting a sample of 60 disbursements made to students during Fiscal Year 2022 to test controls and compliance. We performed testing on the 60 disbursements to determine whether awards and disbursements were made in accordance with the University?s documented plan. How were the results of the audit work measured? In accordance with HEERF III requirements, the University must prioritize student aid distributions to students with exceptional needs. In addition, the University must have a documented plan to distribute funds to students. Federal regulations [2 CFR 200.303] require any non-federal grant award recipient to establish and maintain effective internal control over the federal award that provides reasonable assurance that the grant award recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. Lastly, student aid application best practices discourage employees from awarding aid to family members. What problem did the audit work identify? Based on interviews with University management, the University identified that a University employee inappropriately provided $700 in HEERF Student Aid funding to the employee?s family member who was a student at the University but was not eligible to receive the funds. Specifically, the CARES Team selected students to receive these funds that met the following criteria: 1) Student was enrolled in the Fall of 2021 or Spring 2022, 2) student had past due balances incurred during the 2020-2021 or 2021-2022 academic years, 3) the student was in good academic standing, and 4) they were participating in a payment plan or in the College Completion Advising program. The student was not selected by the CARES Team as eligible to receive these funds. During our testing of additional 60 student disbursement transactions we found no other exceptions. Why did this problem occur? The University has not established proper segregation of duties to prevent University employees from awarding federal funding to a member of their family. Specifically, the employee had access rights within the University?s financial aid system that granted the employee the ability to both award and disburse federal funds without another employee reviewing or approving. In addition, the University did not have a written policy, as recommended by industry best practices, that prohibits employees from applying aid to family members? accounts. Why does this problem matter? Federal funds that are misapplied or used for unallowable purposes could be subject to repayment from the University to the federal granting agency. Without ensuring adequate segregation of duties within the University?s financial aid system for awarding and disbursing federal funds, the University increases the risk that fraud could occur. In the instance identified, the University recovered the funding from the student. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-062 Metropolitan State University of Denver (University) should improve its internal controls over federal Higher Education Emergency Relief Funds by instituting appropriate segregation of duties over the awarding of federal funds to students. This should include requiring that no one employee can both award then disburse aid to students and developing and implementing a formal written policy that prohibits University employees from awarding financial aid to their family members. Response Metropolitan State University Agree Implementation Date: June 2023 In January 2023, the Executive Director of Financial Aid and Scholarships implemented a code of conduct that addresses and prohibits University personnel from awarding financial aid to their family members or other persons considered conflicts of interest. The Office of Financial Aid and Scholarships will draft policy by June 30, 2023, to address the segregation of duties that prohibits awarding and disbursing federal, state, or institutional funding to students by one employee.
Finding 2022-063 Higher Education Emergency Relief Fund Reporting Compliance Finding The CARES Act was signed into law on March 27, 2020, and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the (HEERF Program. CRRSAA was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Since April 2020, the University has been awarded a total of $86.3 million in HEERF funding. From inception through June 30, 2022, the University spent $35.4 million for the HEERF program Student Aid Portion and $48.9 million for the HEERF program Institutional Portion. The University reports that it will spend the remaining amount of funding during Fiscal Year 2023. The University signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate the University?s acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The ED specified that Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The annual report is to be submitted directly to the federal ED. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University had adequate internal controls in place over and complied with HEERF Institutional and Student Aid Portion grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the University?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 5 of the 8 HEERF reports submitted by the University during Fiscal Year 2022 to determine whether the reports were posted on the University?s primary website or submitted directly to the ED by the federal due dates and complied with federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? For the Student Aid Portion, beginning on May 6, 2020, the ED required institutions to publicly post certain information on their website, including the number of awards distributed to students, the total amount awarded, and the methodologies used by the institution to determine which students receive awards, no later than 30 days after the award date, and to update that information every 45 days thereafter (by posting a new report). ? On August 31, 2020, the ED revised the reporting requirement by decreasing the frequency of reporting after the initial 30-day period from every 45 days thereafter to every calendar quarter. This revision from every 45 days to a calendar quarter was effective for the first calendar quarter report due by October 10, 2020, and covering the period from after the institution?s last report through the end of the calendar quarter on September 30, 2020. ? For the Institutional Portion, a federal form filled out by the institution must be posted on the institution?s website covering aggregate expenditure amounts for each calendar quarter (September 30, December 31, March 31, and June 30) and concluding after an institution has spent the institutional portion of their HEERF Funds. The institution must post their first report by October 30, 2020, the first quarter of 2021 report by July 20, 2021, and post all other reports no later than 10 days after the end of each calendar quarter (October 10, January 10, April 10, and July 10). ? Section 18004(e) of the CARES Act and Section 314(e) of the CRRSAA require an institution receiving funds under HEERF to submit a report to the Secretary of the ED at ?such time in such a manner as the Secretary may require?. ? Federal regulation [2 CFR 200.334] states that ?financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.? The instructions for the Quarterly HEERF Reporting Form notes, ?any changes or updates after the initial posting must be conspicuously noted after initial posting and the date of the change must be noted in the `Date of Report? line.? ? Federal regulation [2 CFR 200.303] states that the University, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The University signed a HEERF Certification and Agreement to accept the funding and acknowledge its responsibilities under the grant; therefore, the University was responsible under the Agreement to ensure that it complied with HEERF reporting and other requirements. What problems did the audit work identify? We determined that 2 out of 5 reports tested (40 percent) did not meet the HEERF grant report posting requirements. Specifically: ? The University did not post the HEERF CRRSAA Student quarterly report for the quarter ending September 30, 2021 on the University?s primary website, as required. ? The University published the HEERF ARP Student quarterly report for the quarter ending March 31, 2022 on May 26, 2022?46 days past the due date of April 10, 2022. No issues were noted on the accuracy of the financial information on this report. Why did these problems occur? The University did not implement adequate internal controls to ensure it complied with the HEERF grant reporting requirements. Specifically, the University did not have appropriate policies and procedures in place to ensure that staff submit the required reports within federally required timeframes. Why do these problems matter? Federal oversight agencies, including ED, depend on accurate reports to measure program results and states? compliance with federal requirements. By failing to report the HEERF spending information in accordance with federal regulations, the University failed to comply with the requirements of the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-063 Metropolitan State University of Denver (University) should strengthen its internal controls over reporting and ensure it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by developing and documenting policies and procedures for identifying and researching the specific reporting requirements and ensuring that staff post to the University?s website the required reports within federally required timeframes. In addition, the University should ensure that all the HEERF reports that are currently required to be posted are on the website. Response Metropolitan State University Agree Implementation Date: December 2022 In December 2022, the Office of Financial Aid strengthened its internal control over the reporting requirements for the Higher Education Emergency Relief Fund (HEERF), by adding the report due dates to the internal operational calendar. Additional level reviews were also added to the submission process before the required reports will be sent to the Department of Education and posted on the financial aid website.
Finding 2022-059 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF I) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund (Assistance Listing No. 84.425). The HEERF program contains two portions: the Student Aid portion (Assistance Listing No. 84.425E) and the Institutional portion, which is made up of the following: HEERF Institutional Aid Portion (Assistance Listing No. 84.425F), HEERF Minority Serving Institutions (Assistance Listing No. 84.425L), HEERF Strengthening Institutions Program (Assistance Listing No. 84.425M), Institutional Resilience and Expanded Postsecondary Opportunity (Assistance Listing No. 84.425P), and HEERF Supplemental Assistance to Institutions of Higher Education program (Assistance Listing No. 84.425S). Amounts provided to students through HEERF are considered to be ?Emergency Financial Aid Grants to Students? under the Program. Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent approximately $97.8 million for the HEERF program Student Aid portion which is used to award Emergency Financial Aid Grants to students and $113.9 million for the HEERF Institutional Portion, which is used to support the colleges. $117.3 of this amount was expended by the System during Fiscal Year 2022. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the ED to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The annual report is to be submitted directly to the ED. The ED has specified certain criteria that must be included in each report. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System had adequate internal controls in place over, and complied with, the HEERF Institutional and Student Aid grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the System?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 25 of the 117 HEERF reports submitted by the System?s campuses during Fiscal Year 2022 to determine whether the reports were posted on each campus? primary website (quarterly reports) or submitted to ED (annual reports) by the federal due dates. Furthermore, for the Student Aid Quarterly Report we requested from each Campus the underlying support for the reports, which consisted of student data detailing how much aid was awarded and the methods the campuses used to determine which students would receive Emergency Financial Aid Grants. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? On May 13, 2021, the ED published in the Federal Register a notice for student aid public reporting under CRRSAA and ARP, which requires that institutions publicly post certain information on their website. The following information must appear in a format and location that is easily accessible to the public: o An acknowledgement that the institution signed and returned to the ED the Certification and Agreement and the assurance that the institution has used the applicable amount of funds designated under the CRRSAA and ARP programs to provide Emergency Financial Aid Grants to Students. o The total amount of funds that the institution will receive or has received from the ED pursuant to the institution's Certification and Agreement for Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total amount of Emergency Financial Aid Grants distributed to students under the CRRSAA and ARP programs as of the date of submission (i.e., as of the initial report and every calendar quarter thereafter). o The estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total number of students who have received an Emergency Financial Aid Grant to students under the CRRSAA and ARP programs. o The method(s) used by the institution to determine which students receive Emergency Financial Aid Grants and how much they would receive under the CRRSAA and ARP programs. o Any instructions, directions, or guidance provided by the institution to students concerning the Emergency Financial Aid Grants. ? Federal Uniform Guidance [2 CFR 200.303] requires that recipients of federal awards have internal controls in place to ensure that federal reports are accurate and report complete information. Appropriate supporting documentation is evidence of such internal controls. What problems did the audit work identify? We identified issues with 5 of the 25 Fiscal Year 2022 reports we tested (20 percent). Specifically, Front Range Community College (FRCC), Pueblo Community College (PCC), and Lamar Community College (LCC) could not provide appropriate supporting documentation for one or more of the following data elements in five of the Student Aid Quarterly Reports: student data detailing (a) the total amount of Emergency Financial Aid Grants distributed to students, (b) the total number of students eligible to receive Emergency Financial Aid Grants and/or (c) the total number of students at the institution who have received an Emergency Financial Aid Grant. The specific issues we found the following: ? FRCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended September 30, 2021 as 20,684; based on our review, we determined the supported number was 20,782. ? FRCC reported the total number of students at the institution who have received an Emergency Financial Aid Grant for the quarter ended June 30, 2022 as 20,385 (student portion) and 3,207 (institutional portion); based on our review, we determined the supported numbers were 20,401 and 3,222, respectively. ? LCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended June 30, 2022 as 1,007; based on our review, we determined the supported number was 1,034. In addition, the amount disbursed directly to student emergency financial aid grants to date was reported as 961 and total for all HEERF funds was 1,124; based on our review, we determined the supported numbers were 988 and 1,151, respectively. ? PCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarters ending September 30, 2021 and December 31, 2021 as 3,191; based on our review, we determined this amount could not be supported and PCC did not provide a revised count. Why did these problems occur? FRCC, PCC, and LCC campuses did not have procedures in place to ensure that supporting documentation was maintained for its Student Aid Quarterly Reporting. Employee turnover in the FRCC Controller position and FRCC, PCC, and LCC Student Financial Aid Director positions further contributed to FRCC, PCC, and LCC?s inability to locate or recreate the supporting documentation. Why do these problems matter? It is important for FRCC, PCC, and LCC to ensure that they obtain and maintain appropriate documentation to support amounts reported to federal awarding agencies, especially when they are the basis for determining FRCC, PCC, and LCC?s compliance with specific federal program requirements. This issue could lead to inaccurate federal reporting and potential noncompliance, which could result in the federal government requiring FRCC, PCC, and LCC to return funds or a negative impact to the System?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-059 Front Range Community College, Lamar Community College, and Pueblo Community College campuses should strengthen their internal controls over federal reporting and ensure they comply with the Higher Education Emergency Relief Fund reporting requirements by reviewing reports for accuracy and developing procedures for ensuring the required maintenance of all related supporting documentation. Response Front Range Community College Agree Implementation Date: September 2022 Moving forward the Director of Financial Aid will engage the Restricted Funds Accountants in a quality assurance review of both dollars spent, type of fund, and student counts before it is submitted for final review and publishing by the Director of Resource Development and Senior Grant Administrator. The most recently submitted information for the quarterly report of September 30, 2022 will be sent to the Restricted Funds Accountants to validate that FRCC has been and will continue to be in compliance for quarterly HEERF reporting. Response Lamar Community College Agree Implementation Date: July 2022 The Financial Aid Director and the Controller will compile their reporting support on the shared drive they utilize for other routine purposes as well, to ensure clear documentation of the numbers reported. The original report containing errors was corrected, validated, and reposted. All past year?s reporting data was made available on the shared drive as of July 2022. Response Pueblo Community College Agree Implementation Date: October 2022 Each quarter Financial aid will obtain and compare Cognos and Banner disbursement reports for accuracy. Once the unduplicated student count is determined it will be sent to the Vice President of Student Success to validate and approve going forward. Financial aid will ensure staff maintain supporting documentation for any institutional expenditures information that was obtained from the fiscal office. Disbursement and expenditure data will be compiled for the Department of Education?s Quarterly Report by the submission deadline and will be submitted as PDF to webmaster for posting on PCC?s website and a copy emailed to a contact at the Department of Education and will archive the submission for future reference.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-064 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide emergency financial assistance to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the University under the Higher Education Emergency Relief Fund (HEERF I) Program. The federal Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the federal American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Each of the University?s campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (DOE) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements of the HEERF program there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The DOE specified that the Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The University?s campuses are required to submit the annual report directly to the DOE. During Fiscal Year 2022, each University campus was required to complete and post 8 reports (four Student Aid and four Institutional) to their website. During Fiscal Year 2022, the University?s three campuses in total expended approximately $60 million in HEERF grant funds: $27 million was expended by the Boulder campus, $10.5 million was expended by the Colorado Springs campus, and $22.5 million was expended by the Denver campus. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over and complied with the HEERF grant reporting requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls over the HEERF grant reporting requirements. In addition, we tested 11 of the 12 student reports and 3 of the 12 institutional reports posted by the University during Fiscal Year 2022 to determine whether the University campuses posted the required information on each campus? website accurately, and by the federal due dates. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? The DOE issued a notice on May 13, 2021, requiring institutions to publicly post their required HEERF reports on the institution?s website as soon as possible, but no later than 30 days after the publication of the notice, or 30 days after the date the DOE first obligated funds under HEERF I, II, or III to the institution for emergency financial assistance to students; whichever comes later. The institution is required to post the report no later than 10 days after the end of each calendar quarter, after the initial posting. ? Federal regulation [2 CFR 200.303] states that the System?s campuses, as federal grant recipients, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? What problem did the audit work identify? We identified 2 out of the 14 reports tested (14.3 percent) that did not meet the HEERF grant report posting requirements. Specifically, the University of Colorado, Colorado Springs Campus, did not post the required information for the HEERF Student Aid Portion on its website for two of four quarters of Fiscal Year 2022 timely. First, the University posted the quarter-ending September 30, 2021 report to its website on December 23, 2021, or 74 days after the deadline of October 10. Second, the University did not post the quarter-ending March 31, 2022 report, which was due April 10, 2022, until October 2022, after we notified them of the error; this was approximately 6 months late. We did not identify any issues with the accuracy of the reports, and we found that the other two campuses in the University of Colorado System posted the required information on their respective websites as required by federal regulations. Why did this problem occur? The University?s Colorado Springs campus did not have adequate internal controls in place to ensure it complied with the HEERF grant reporting requirements. Specifically, the Colorado Springs Campus did not have appropriate policies and procedures in place for identifying and researching changes in HEERF reporting requirements. The federal government updated and provided a new form for HEERF reporting in September 2021 that included a section for institutional information but inadvertently excluded student information from the form. Because the form no longer required the student information, the Colorado Springs campus staff inaccurately assumed that the student information was no longer required to be reported. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in the DOE Certification and Agreement that is signed and agreed to by the University. By failing to report required information in accordance with federal regulations, the University failed to comply with the requirements of the HEERF program and potentially risks repercussions from the DOE as specified in the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-064 The University of Colorado?s Colorado Springs campus should strengthen its internal controls over and ensure that it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by establishing policies and procedures for identifying and researching changes in HEERF reporting requirements and posting reports to the campus website as required by federal regulations. Response University of Colorado Agree Implementation Date: Implemented Management agrees. After the notification of the missing HEERF report in December 2021, the UCCS Controller proposed a ?cross-check? process to ensure all future reporting is in compliance and reported in a timely manner. This process is used for both the quarterly and annual reporting process. In the quarterly reporting process, the UCCS Controller completes the institutional report and emails the report to the UCCS Financial Aid office Senior Executive Director for verification of the amounts and the data submitted. The Senior Executive Director then enters the student aid portion?s information and provides this to the UCCS Controller for verification of the data. Once verified, the report is uploaded to the UCCS website and a confirmation email is sent to the UCCS Controller as well as the heerfreporting@ed.gov for verification of completion of the website posting. This process has been duplicated with the annual reporting process. Before the annual report is submitted a review will be done to verify the report figures match the CU financials for the calendar year.
Finding 2022-062 Higher Education Emergency Relief Fund Student Aid Finding The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to higher education institutions, including the University, under the HEERF program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA) was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. Since March 11, 2021, the University has been awarded $45.6 million in HEERF grant funds through the American Rescue Plan (ARP), otherwise known as HEERF III. Of this award, the University was provided both 1) Student Aid monies, along with 2) Institutional Aid monies. Student Aid monies must be used to provide financial aid grants to students (including students exclusively enrolled in distance education), which may be used for ?any component of the student?s cost of attendance or for emergency costs that arise due to coronavirus, such as tuition, food, housing, healthcare (including mental health care), or childcare. Institutional Aid monies may be used to defray expenses associated with coronavirus (including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll) and to make additional financial grants to students. During Fiscal Year 2022, the University spent $21.0 million for the Student Aid portion and $20.2 million for the Institutional portion of HEERF III funds. For the Student Aid portion of the HEERF III funding, the University divided the funding into different groups. The University developed a written plan (that applied during Fiscal Year 2022) for each group and a control process for awarding the monies to students. One of the groups of funding was to be awarded to students with unpaid balances in their tuition or auxiliary accounts with past due balances incurred during the 2020-2021 or 2021-2022 academic years. A team of University employees (CARES Team) was tasked with identifying those students, then contacting those students and asking if they would like the University to apply the student?s HEERF award to pay down the student?s account balance or pay it to the student directly. Once the student informed the University of their election, then the University awarded and disbursed the funds. What was the purpose of our audit work and what was performed? The purpose of the audit work was to determine whether the University was in compliance with the HEERF program regulations for awarding and paying the Student Aid portion of the HEERF funding, and whether proper controls were in place over the program during Fiscal Year 2022. Our testing included conducting interviews with management and selecting a sample of 60 disbursements made to students during Fiscal Year 2022 to test controls and compliance. We performed testing on the 60 disbursements to determine whether awards and disbursements were made in accordance with the University?s documented plan. How were the results of the audit work measured? In accordance with HEERF III requirements, the University must prioritize student aid distributions to students with exceptional needs. In addition, the University must have a documented plan to distribute funds to students. Federal regulations [2 CFR 200.303] require any non-federal grant award recipient to establish and maintain effective internal control over the federal award that provides reasonable assurance that the grant award recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. Lastly, student aid application best practices discourage employees from awarding aid to family members. What problem did the audit work identify? Based on interviews with University management, the University identified that a University employee inappropriately provided $700 in HEERF Student Aid funding to the employee?s family member who was a student at the University but was not eligible to receive the funds. Specifically, the CARES Team selected students to receive these funds that met the following criteria: 1) Student was enrolled in the Fall of 2021 or Spring 2022, 2) student had past due balances incurred during the 2020-2021 or 2021-2022 academic years, 3) the student was in good academic standing, and 4) they were participating in a payment plan or in the College Completion Advising program. The student was not selected by the CARES Team as eligible to receive these funds. During our testing of additional 60 student disbursement transactions we found no other exceptions. Why did this problem occur? The University has not established proper segregation of duties to prevent University employees from awarding federal funding to a member of their family. Specifically, the employee had access rights within the University?s financial aid system that granted the employee the ability to both award and disburse federal funds without another employee reviewing or approving. In addition, the University did not have a written policy, as recommended by industry best practices, that prohibits employees from applying aid to family members? accounts. Why does this problem matter? Federal funds that are misapplied or used for unallowable purposes could be subject to repayment from the University to the federal granting agency. Without ensuring adequate segregation of duties within the University?s financial aid system for awarding and disbursing federal funds, the University increases the risk that fraud could occur. In the instance identified, the University recovered the funding from the student. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-062 Metropolitan State University of Denver (University) should improve its internal controls over federal Higher Education Emergency Relief Funds by instituting appropriate segregation of duties over the awarding of federal funds to students. This should include requiring that no one employee can both award then disburse aid to students and developing and implementing a formal written policy that prohibits University employees from awarding financial aid to their family members. Response Metropolitan State University Agree Implementation Date: June 2023 In January 2023, the Executive Director of Financial Aid and Scholarships implemented a code of conduct that addresses and prohibits University personnel from awarding financial aid to their family members or other persons considered conflicts of interest. The Office of Financial Aid and Scholarships will draft policy by June 30, 2023, to address the segregation of duties that prohibits awarding and disbursing federal, state, or institutional funding to students by one employee.
Finding 2022-063 Higher Education Emergency Relief Fund Reporting Compliance Finding The CARES Act was signed into law on March 27, 2020, and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the (HEERF Program. CRRSAA was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Since April 2020, the University has been awarded a total of $86.3 million in HEERF funding. From inception through June 30, 2022, the University spent $35.4 million for the HEERF program Student Aid Portion and $48.9 million for the HEERF program Institutional Portion. The University reports that it will spend the remaining amount of funding during Fiscal Year 2023. The University signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate the University?s acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The ED specified that Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The annual report is to be submitted directly to the federal ED. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University had adequate internal controls in place over and complied with HEERF Institutional and Student Aid Portion grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the University?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 5 of the 8 HEERF reports submitted by the University during Fiscal Year 2022 to determine whether the reports were posted on the University?s primary website or submitted directly to the ED by the federal due dates and complied with federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? For the Student Aid Portion, beginning on May 6, 2020, the ED required institutions to publicly post certain information on their website, including the number of awards distributed to students, the total amount awarded, and the methodologies used by the institution to determine which students receive awards, no later than 30 days after the award date, and to update that information every 45 days thereafter (by posting a new report). ? On August 31, 2020, the ED revised the reporting requirement by decreasing the frequency of reporting after the initial 30-day period from every 45 days thereafter to every calendar quarter. This revision from every 45 days to a calendar quarter was effective for the first calendar quarter report due by October 10, 2020, and covering the period from after the institution?s last report through the end of the calendar quarter on September 30, 2020. ? For the Institutional Portion, a federal form filled out by the institution must be posted on the institution?s website covering aggregate expenditure amounts for each calendar quarter (September 30, December 31, March 31, and June 30) and concluding after an institution has spent the institutional portion of their HEERF Funds. The institution must post their first report by October 30, 2020, the first quarter of 2021 report by July 20, 2021, and post all other reports no later than 10 days after the end of each calendar quarter (October 10, January 10, April 10, and July 10). ? Section 18004(e) of the CARES Act and Section 314(e) of the CRRSAA require an institution receiving funds under HEERF to submit a report to the Secretary of the ED at ?such time in such a manner as the Secretary may require?. ? Federal regulation [2 CFR 200.334] states that ?financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.? The instructions for the Quarterly HEERF Reporting Form notes, ?any changes or updates after the initial posting must be conspicuously noted after initial posting and the date of the change must be noted in the `Date of Report? line.? ? Federal regulation [2 CFR 200.303] states that the University, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The University signed a HEERF Certification and Agreement to accept the funding and acknowledge its responsibilities under the grant; therefore, the University was responsible under the Agreement to ensure that it complied with HEERF reporting and other requirements. What problems did the audit work identify? We determined that 2 out of 5 reports tested (40 percent) did not meet the HEERF grant report posting requirements. Specifically: ? The University did not post the HEERF CRRSAA Student quarterly report for the quarter ending September 30, 2021 on the University?s primary website, as required. ? The University published the HEERF ARP Student quarterly report for the quarter ending March 31, 2022 on May 26, 2022?46 days past the due date of April 10, 2022. No issues were noted on the accuracy of the financial information on this report. Why did these problems occur? The University did not implement adequate internal controls to ensure it complied with the HEERF grant reporting requirements. Specifically, the University did not have appropriate policies and procedures in place to ensure that staff submit the required reports within federally required timeframes. Why do these problems matter? Federal oversight agencies, including ED, depend on accurate reports to measure program results and states? compliance with federal requirements. By failing to report the HEERF spending information in accordance with federal regulations, the University failed to comply with the requirements of the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-063 Metropolitan State University of Denver (University) should strengthen its internal controls over reporting and ensure it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by developing and documenting policies and procedures for identifying and researching the specific reporting requirements and ensuring that staff post to the University?s website the required reports within federally required timeframes. In addition, the University should ensure that all the HEERF reports that are currently required to be posted are on the website. Response Metropolitan State University Agree Implementation Date: December 2022 In December 2022, the Office of Financial Aid strengthened its internal control over the reporting requirements for the Higher Education Emergency Relief Fund (HEERF), by adding the report due dates to the internal operational calendar. Additional level reviews were also added to the submission process before the required reports will be sent to the Department of Education and posted on the financial aid website.
Finding 2022-059 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF I) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund (Assistance Listing No. 84.425). The HEERF program contains two portions: the Student Aid portion (Assistance Listing No. 84.425E) and the Institutional portion, which is made up of the following: HEERF Institutional Aid Portion (Assistance Listing No. 84.425F), HEERF Minority Serving Institutions (Assistance Listing No. 84.425L), HEERF Strengthening Institutions Program (Assistance Listing No. 84.425M), Institutional Resilience and Expanded Postsecondary Opportunity (Assistance Listing No. 84.425P), and HEERF Supplemental Assistance to Institutions of Higher Education program (Assistance Listing No. 84.425S). Amounts provided to students through HEERF are considered to be ?Emergency Financial Aid Grants to Students? under the Program. Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent approximately $97.8 million for the HEERF program Student Aid portion which is used to award Emergency Financial Aid Grants to students and $113.9 million for the HEERF Institutional Portion, which is used to support the colleges. $117.3 of this amount was expended by the System during Fiscal Year 2022. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the ED to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The annual report is to be submitted directly to the ED. The ED has specified certain criteria that must be included in each report. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System had adequate internal controls in place over, and complied with, the HEERF Institutional and Student Aid grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the System?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 25 of the 117 HEERF reports submitted by the System?s campuses during Fiscal Year 2022 to determine whether the reports were posted on each campus? primary website (quarterly reports) or submitted to ED (annual reports) by the federal due dates. Furthermore, for the Student Aid Quarterly Report we requested from each Campus the underlying support for the reports, which consisted of student data detailing how much aid was awarded and the methods the campuses used to determine which students would receive Emergency Financial Aid Grants. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? On May 13, 2021, the ED published in the Federal Register a notice for student aid public reporting under CRRSAA and ARP, which requires that institutions publicly post certain information on their website. The following information must appear in a format and location that is easily accessible to the public: o An acknowledgement that the institution signed and returned to the ED the Certification and Agreement and the assurance that the institution has used the applicable amount of funds designated under the CRRSAA and ARP programs to provide Emergency Financial Aid Grants to Students. o The total amount of funds that the institution will receive or has received from the ED pursuant to the institution's Certification and Agreement for Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total amount of Emergency Financial Aid Grants distributed to students under the CRRSAA and ARP programs as of the date of submission (i.e., as of the initial report and every calendar quarter thereafter). o The estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total number of students who have received an Emergency Financial Aid Grant to students under the CRRSAA and ARP programs. o The method(s) used by the institution to determine which students receive Emergency Financial Aid Grants and how much they would receive under the CRRSAA and ARP programs. o Any instructions, directions, or guidance provided by the institution to students concerning the Emergency Financial Aid Grants. ? Federal Uniform Guidance [2 CFR 200.303] requires that recipients of federal awards have internal controls in place to ensure that federal reports are accurate and report complete information. Appropriate supporting documentation is evidence of such internal controls. What problems did the audit work identify? We identified issues with 5 of the 25 Fiscal Year 2022 reports we tested (20 percent). Specifically, Front Range Community College (FRCC), Pueblo Community College (PCC), and Lamar Community College (LCC) could not provide appropriate supporting documentation for one or more of the following data elements in five of the Student Aid Quarterly Reports: student data detailing (a) the total amount of Emergency Financial Aid Grants distributed to students, (b) the total number of students eligible to receive Emergency Financial Aid Grants and/or (c) the total number of students at the institution who have received an Emergency Financial Aid Grant. The specific issues we found the following: ? FRCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended September 30, 2021 as 20,684; based on our review, we determined the supported number was 20,782. ? FRCC reported the total number of students at the institution who have received an Emergency Financial Aid Grant for the quarter ended June 30, 2022 as 20,385 (student portion) and 3,207 (institutional portion); based on our review, we determined the supported numbers were 20,401 and 3,222, respectively. ? LCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended June 30, 2022 as 1,007; based on our review, we determined the supported number was 1,034. In addition, the amount disbursed directly to student emergency financial aid grants to date was reported as 961 and total for all HEERF funds was 1,124; based on our review, we determined the supported numbers were 988 and 1,151, respectively. ? PCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarters ending September 30, 2021 and December 31, 2021 as 3,191; based on our review, we determined this amount could not be supported and PCC did not provide a revised count. Why did these problems occur? FRCC, PCC, and LCC campuses did not have procedures in place to ensure that supporting documentation was maintained for its Student Aid Quarterly Reporting. Employee turnover in the FRCC Controller position and FRCC, PCC, and LCC Student Financial Aid Director positions further contributed to FRCC, PCC, and LCC?s inability to locate or recreate the supporting documentation. Why do these problems matter? It is important for FRCC, PCC, and LCC to ensure that they obtain and maintain appropriate documentation to support amounts reported to federal awarding agencies, especially when they are the basis for determining FRCC, PCC, and LCC?s compliance with specific federal program requirements. This issue could lead to inaccurate federal reporting and potential noncompliance, which could result in the federal government requiring FRCC, PCC, and LCC to return funds or a negative impact to the System?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-059 Front Range Community College, Lamar Community College, and Pueblo Community College campuses should strengthen their internal controls over federal reporting and ensure they comply with the Higher Education Emergency Relief Fund reporting requirements by reviewing reports for accuracy and developing procedures for ensuring the required maintenance of all related supporting documentation. Response Front Range Community College Agree Implementation Date: September 2022 Moving forward the Director of Financial Aid will engage the Restricted Funds Accountants in a quality assurance review of both dollars spent, type of fund, and student counts before it is submitted for final review and publishing by the Director of Resource Development and Senior Grant Administrator. The most recently submitted information for the quarterly report of September 30, 2022 will be sent to the Restricted Funds Accountants to validate that FRCC has been and will continue to be in compliance for quarterly HEERF reporting. Response Lamar Community College Agree Implementation Date: July 2022 The Financial Aid Director and the Controller will compile their reporting support on the shared drive they utilize for other routine purposes as well, to ensure clear documentation of the numbers reported. The original report containing errors was corrected, validated, and reposted. All past year?s reporting data was made available on the shared drive as of July 2022. Response Pueblo Community College Agree Implementation Date: October 2022 Each quarter Financial aid will obtain and compare Cognos and Banner disbursement reports for accuracy. Once the unduplicated student count is determined it will be sent to the Vice President of Student Success to validate and approve going forward. Financial aid will ensure staff maintain supporting documentation for any institutional expenditures information that was obtained from the fiscal office. Disbursement and expenditure data will be compiled for the Department of Education?s Quarterly Report by the submission deadline and will be submitted as PDF to webmaster for posting on PCC?s website and a copy emailed to a contact at the Department of Education and will archive the submission for future reference.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-064 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide emergency financial assistance to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the University under the Higher Education Emergency Relief Fund (HEERF I) Program. The federal Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the federal American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Each of the University?s campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (DOE) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements of the HEERF program there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The DOE specified that the Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The University?s campuses are required to submit the annual report directly to the DOE. During Fiscal Year 2022, each University campus was required to complete and post 8 reports (four Student Aid and four Institutional) to their website. During Fiscal Year 2022, the University?s three campuses in total expended approximately $60 million in HEERF grant funds: $27 million was expended by the Boulder campus, $10.5 million was expended by the Colorado Springs campus, and $22.5 million was expended by the Denver campus. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over and complied with the HEERF grant reporting requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls over the HEERF grant reporting requirements. In addition, we tested 11 of the 12 student reports and 3 of the 12 institutional reports posted by the University during Fiscal Year 2022 to determine whether the University campuses posted the required information on each campus? website accurately, and by the federal due dates. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? The DOE issued a notice on May 13, 2021, requiring institutions to publicly post their required HEERF reports on the institution?s website as soon as possible, but no later than 30 days after the publication of the notice, or 30 days after the date the DOE first obligated funds under HEERF I, II, or III to the institution for emergency financial assistance to students; whichever comes later. The institution is required to post the report no later than 10 days after the end of each calendar quarter, after the initial posting. ? Federal regulation [2 CFR 200.303] states that the System?s campuses, as federal grant recipients, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? What problem did the audit work identify? We identified 2 out of the 14 reports tested (14.3 percent) that did not meet the HEERF grant report posting requirements. Specifically, the University of Colorado, Colorado Springs Campus, did not post the required information for the HEERF Student Aid Portion on its website for two of four quarters of Fiscal Year 2022 timely. First, the University posted the quarter-ending September 30, 2021 report to its website on December 23, 2021, or 74 days after the deadline of October 10. Second, the University did not post the quarter-ending March 31, 2022 report, which was due April 10, 2022, until October 2022, after we notified them of the error; this was approximately 6 months late. We did not identify any issues with the accuracy of the reports, and we found that the other two campuses in the University of Colorado System posted the required information on their respective websites as required by federal regulations. Why did this problem occur? The University?s Colorado Springs campus did not have adequate internal controls in place to ensure it complied with the HEERF grant reporting requirements. Specifically, the Colorado Springs Campus did not have appropriate policies and procedures in place for identifying and researching changes in HEERF reporting requirements. The federal government updated and provided a new form for HEERF reporting in September 2021 that included a section for institutional information but inadvertently excluded student information from the form. Because the form no longer required the student information, the Colorado Springs campus staff inaccurately assumed that the student information was no longer required to be reported. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in the DOE Certification and Agreement that is signed and agreed to by the University. By failing to report required information in accordance with federal regulations, the University failed to comply with the requirements of the HEERF program and potentially risks repercussions from the DOE as specified in the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-064 The University of Colorado?s Colorado Springs campus should strengthen its internal controls over and ensure that it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by establishing policies and procedures for identifying and researching changes in HEERF reporting requirements and posting reports to the campus website as required by federal regulations. Response University of Colorado Agree Implementation Date: Implemented Management agrees. After the notification of the missing HEERF report in December 2021, the UCCS Controller proposed a ?cross-check? process to ensure all future reporting is in compliance and reported in a timely manner. This process is used for both the quarterly and annual reporting process. In the quarterly reporting process, the UCCS Controller completes the institutional report and emails the report to the UCCS Financial Aid office Senior Executive Director for verification of the amounts and the data submitted. The Senior Executive Director then enters the student aid portion?s information and provides this to the UCCS Controller for verification of the data. Once verified, the report is uploaded to the UCCS website and a confirmation email is sent to the UCCS Controller as well as the heerfreporting@ed.gov for verification of completion of the website posting. This process has been duplicated with the annual reporting process. Before the annual report is submitted a review will be done to verify the report figures match the CU financials for the calendar year.
Finding 2022-062 Higher Education Emergency Relief Fund Student Aid Finding The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to higher education institutions, including the University, under the HEERF program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA) was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. Since March 11, 2021, the University has been awarded $45.6 million in HEERF grant funds through the American Rescue Plan (ARP), otherwise known as HEERF III. Of this award, the University was provided both 1) Student Aid monies, along with 2) Institutional Aid monies. Student Aid monies must be used to provide financial aid grants to students (including students exclusively enrolled in distance education), which may be used for ?any component of the student?s cost of attendance or for emergency costs that arise due to coronavirus, such as tuition, food, housing, healthcare (including mental health care), or childcare. Institutional Aid monies may be used to defray expenses associated with coronavirus (including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll) and to make additional financial grants to students. During Fiscal Year 2022, the University spent $21.0 million for the Student Aid portion and $20.2 million for the Institutional portion of HEERF III funds. For the Student Aid portion of the HEERF III funding, the University divided the funding into different groups. The University developed a written plan (that applied during Fiscal Year 2022) for each group and a control process for awarding the monies to students. One of the groups of funding was to be awarded to students with unpaid balances in their tuition or auxiliary accounts with past due balances incurred during the 2020-2021 or 2021-2022 academic years. A team of University employees (CARES Team) was tasked with identifying those students, then contacting those students and asking if they would like the University to apply the student?s HEERF award to pay down the student?s account balance or pay it to the student directly. Once the student informed the University of their election, then the University awarded and disbursed the funds. What was the purpose of our audit work and what was performed? The purpose of the audit work was to determine whether the University was in compliance with the HEERF program regulations for awarding and paying the Student Aid portion of the HEERF funding, and whether proper controls were in place over the program during Fiscal Year 2022. Our testing included conducting interviews with management and selecting a sample of 60 disbursements made to students during Fiscal Year 2022 to test controls and compliance. We performed testing on the 60 disbursements to determine whether awards and disbursements were made in accordance with the University?s documented plan. How were the results of the audit work measured? In accordance with HEERF III requirements, the University must prioritize student aid distributions to students with exceptional needs. In addition, the University must have a documented plan to distribute funds to students. Federal regulations [2 CFR 200.303] require any non-federal grant award recipient to establish and maintain effective internal control over the federal award that provides reasonable assurance that the grant award recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. Lastly, student aid application best practices discourage employees from awarding aid to family members. What problem did the audit work identify? Based on interviews with University management, the University identified that a University employee inappropriately provided $700 in HEERF Student Aid funding to the employee?s family member who was a student at the University but was not eligible to receive the funds. Specifically, the CARES Team selected students to receive these funds that met the following criteria: 1) Student was enrolled in the Fall of 2021 or Spring 2022, 2) student had past due balances incurred during the 2020-2021 or 2021-2022 academic years, 3) the student was in good academic standing, and 4) they were participating in a payment plan or in the College Completion Advising program. The student was not selected by the CARES Team as eligible to receive these funds. During our testing of additional 60 student disbursement transactions we found no other exceptions. Why did this problem occur? The University has not established proper segregation of duties to prevent University employees from awarding federal funding to a member of their family. Specifically, the employee had access rights within the University?s financial aid system that granted the employee the ability to both award and disburse federal funds without another employee reviewing or approving. In addition, the University did not have a written policy, as recommended by industry best practices, that prohibits employees from applying aid to family members? accounts. Why does this problem matter? Federal funds that are misapplied or used for unallowable purposes could be subject to repayment from the University to the federal granting agency. Without ensuring adequate segregation of duties within the University?s financial aid system for awarding and disbursing federal funds, the University increases the risk that fraud could occur. In the instance identified, the University recovered the funding from the student. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-062 Metropolitan State University of Denver (University) should improve its internal controls over federal Higher Education Emergency Relief Funds by instituting appropriate segregation of duties over the awarding of federal funds to students. This should include requiring that no one employee can both award then disburse aid to students and developing and implementing a formal written policy that prohibits University employees from awarding financial aid to their family members. Response Metropolitan State University Agree Implementation Date: June 2023 In January 2023, the Executive Director of Financial Aid and Scholarships implemented a code of conduct that addresses and prohibits University personnel from awarding financial aid to their family members or other persons considered conflicts of interest. The Office of Financial Aid and Scholarships will draft policy by June 30, 2023, to address the segregation of duties that prohibits awarding and disbursing federal, state, or institutional funding to students by one employee.
Finding 2022-063 Higher Education Emergency Relief Fund Reporting Compliance Finding The CARES Act was signed into law on March 27, 2020, and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the (HEERF Program. CRRSAA was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Since April 2020, the University has been awarded a total of $86.3 million in HEERF funding. From inception through June 30, 2022, the University spent $35.4 million for the HEERF program Student Aid Portion and $48.9 million for the HEERF program Institutional Portion. The University reports that it will spend the remaining amount of funding during Fiscal Year 2023. The University signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate the University?s acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The ED specified that Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The annual report is to be submitted directly to the federal ED. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University had adequate internal controls in place over and complied with HEERF Institutional and Student Aid Portion grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the University?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 5 of the 8 HEERF reports submitted by the University during Fiscal Year 2022 to determine whether the reports were posted on the University?s primary website or submitted directly to the ED by the federal due dates and complied with federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? For the Student Aid Portion, beginning on May 6, 2020, the ED required institutions to publicly post certain information on their website, including the number of awards distributed to students, the total amount awarded, and the methodologies used by the institution to determine which students receive awards, no later than 30 days after the award date, and to update that information every 45 days thereafter (by posting a new report). ? On August 31, 2020, the ED revised the reporting requirement by decreasing the frequency of reporting after the initial 30-day period from every 45 days thereafter to every calendar quarter. This revision from every 45 days to a calendar quarter was effective for the first calendar quarter report due by October 10, 2020, and covering the period from after the institution?s last report through the end of the calendar quarter on September 30, 2020. ? For the Institutional Portion, a federal form filled out by the institution must be posted on the institution?s website covering aggregate expenditure amounts for each calendar quarter (September 30, December 31, March 31, and June 30) and concluding after an institution has spent the institutional portion of their HEERF Funds. The institution must post their first report by October 30, 2020, the first quarter of 2021 report by July 20, 2021, and post all other reports no later than 10 days after the end of each calendar quarter (October 10, January 10, April 10, and July 10). ? Section 18004(e) of the CARES Act and Section 314(e) of the CRRSAA require an institution receiving funds under HEERF to submit a report to the Secretary of the ED at ?such time in such a manner as the Secretary may require?. ? Federal regulation [2 CFR 200.334] states that ?financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.? The instructions for the Quarterly HEERF Reporting Form notes, ?any changes or updates after the initial posting must be conspicuously noted after initial posting and the date of the change must be noted in the `Date of Report? line.? ? Federal regulation [2 CFR 200.303] states that the University, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The University signed a HEERF Certification and Agreement to accept the funding and acknowledge its responsibilities under the grant; therefore, the University was responsible under the Agreement to ensure that it complied with HEERF reporting and other requirements. What problems did the audit work identify? We determined that 2 out of 5 reports tested (40 percent) did not meet the HEERF grant report posting requirements. Specifically: ? The University did not post the HEERF CRRSAA Student quarterly report for the quarter ending September 30, 2021 on the University?s primary website, as required. ? The University published the HEERF ARP Student quarterly report for the quarter ending March 31, 2022 on May 26, 2022?46 days past the due date of April 10, 2022. No issues were noted on the accuracy of the financial information on this report. Why did these problems occur? The University did not implement adequate internal controls to ensure it complied with the HEERF grant reporting requirements. Specifically, the University did not have appropriate policies and procedures in place to ensure that staff submit the required reports within federally required timeframes. Why do these problems matter? Federal oversight agencies, including ED, depend on accurate reports to measure program results and states? compliance with federal requirements. By failing to report the HEERF spending information in accordance with federal regulations, the University failed to comply with the requirements of the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-063 Metropolitan State University of Denver (University) should strengthen its internal controls over reporting and ensure it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by developing and documenting policies and procedures for identifying and researching the specific reporting requirements and ensuring that staff post to the University?s website the required reports within federally required timeframes. In addition, the University should ensure that all the HEERF reports that are currently required to be posted are on the website. Response Metropolitan State University Agree Implementation Date: December 2022 In December 2022, the Office of Financial Aid strengthened its internal control over the reporting requirements for the Higher Education Emergency Relief Fund (HEERF), by adding the report due dates to the internal operational calendar. Additional level reviews were also added to the submission process before the required reports will be sent to the Department of Education and posted on the financial aid website.
Finding 2022-059 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF I) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund (Assistance Listing No. 84.425). The HEERF program contains two portions: the Student Aid portion (Assistance Listing No. 84.425E) and the Institutional portion, which is made up of the following: HEERF Institutional Aid Portion (Assistance Listing No. 84.425F), HEERF Minority Serving Institutions (Assistance Listing No. 84.425L), HEERF Strengthening Institutions Program (Assistance Listing No. 84.425M), Institutional Resilience and Expanded Postsecondary Opportunity (Assistance Listing No. 84.425P), and HEERF Supplemental Assistance to Institutions of Higher Education program (Assistance Listing No. 84.425S). Amounts provided to students through HEERF are considered to be ?Emergency Financial Aid Grants to Students? under the Program. Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent approximately $97.8 million for the HEERF program Student Aid portion which is used to award Emergency Financial Aid Grants to students and $113.9 million for the HEERF Institutional Portion, which is used to support the colleges. $117.3 of this amount was expended by the System during Fiscal Year 2022. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the ED to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The annual report is to be submitted directly to the ED. The ED has specified certain criteria that must be included in each report. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System had adequate internal controls in place over, and complied with, the HEERF Institutional and Student Aid grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the System?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 25 of the 117 HEERF reports submitted by the System?s campuses during Fiscal Year 2022 to determine whether the reports were posted on each campus? primary website (quarterly reports) or submitted to ED (annual reports) by the federal due dates. Furthermore, for the Student Aid Quarterly Report we requested from each Campus the underlying support for the reports, which consisted of student data detailing how much aid was awarded and the methods the campuses used to determine which students would receive Emergency Financial Aid Grants. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? On May 13, 2021, the ED published in the Federal Register a notice for student aid public reporting under CRRSAA and ARP, which requires that institutions publicly post certain information on their website. The following information must appear in a format and location that is easily accessible to the public: o An acknowledgement that the institution signed and returned to the ED the Certification and Agreement and the assurance that the institution has used the applicable amount of funds designated under the CRRSAA and ARP programs to provide Emergency Financial Aid Grants to Students. o The total amount of funds that the institution will receive or has received from the ED pursuant to the institution's Certification and Agreement for Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total amount of Emergency Financial Aid Grants distributed to students under the CRRSAA and ARP programs as of the date of submission (i.e., as of the initial report and every calendar quarter thereafter). o The estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total number of students who have received an Emergency Financial Aid Grant to students under the CRRSAA and ARP programs. o The method(s) used by the institution to determine which students receive Emergency Financial Aid Grants and how much they would receive under the CRRSAA and ARP programs. o Any instructions, directions, or guidance provided by the institution to students concerning the Emergency Financial Aid Grants. ? Federal Uniform Guidance [2 CFR 200.303] requires that recipients of federal awards have internal controls in place to ensure that federal reports are accurate and report complete information. Appropriate supporting documentation is evidence of such internal controls. What problems did the audit work identify? We identified issues with 5 of the 25 Fiscal Year 2022 reports we tested (20 percent). Specifically, Front Range Community College (FRCC), Pueblo Community College (PCC), and Lamar Community College (LCC) could not provide appropriate supporting documentation for one or more of the following data elements in five of the Student Aid Quarterly Reports: student data detailing (a) the total amount of Emergency Financial Aid Grants distributed to students, (b) the total number of students eligible to receive Emergency Financial Aid Grants and/or (c) the total number of students at the institution who have received an Emergency Financial Aid Grant. The specific issues we found the following: ? FRCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended September 30, 2021 as 20,684; based on our review, we determined the supported number was 20,782. ? FRCC reported the total number of students at the institution who have received an Emergency Financial Aid Grant for the quarter ended June 30, 2022 as 20,385 (student portion) and 3,207 (institutional portion); based on our review, we determined the supported numbers were 20,401 and 3,222, respectively. ? LCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended June 30, 2022 as 1,007; based on our review, we determined the supported number was 1,034. In addition, the amount disbursed directly to student emergency financial aid grants to date was reported as 961 and total for all HEERF funds was 1,124; based on our review, we determined the supported numbers were 988 and 1,151, respectively. ? PCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarters ending September 30, 2021 and December 31, 2021 as 3,191; based on our review, we determined this amount could not be supported and PCC did not provide a revised count. Why did these problems occur? FRCC, PCC, and LCC campuses did not have procedures in place to ensure that supporting documentation was maintained for its Student Aid Quarterly Reporting. Employee turnover in the FRCC Controller position and FRCC, PCC, and LCC Student Financial Aid Director positions further contributed to FRCC, PCC, and LCC?s inability to locate or recreate the supporting documentation. Why do these problems matter? It is important for FRCC, PCC, and LCC to ensure that they obtain and maintain appropriate documentation to support amounts reported to federal awarding agencies, especially when they are the basis for determining FRCC, PCC, and LCC?s compliance with specific federal program requirements. This issue could lead to inaccurate federal reporting and potential noncompliance, which could result in the federal government requiring FRCC, PCC, and LCC to return funds or a negative impact to the System?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-059 Front Range Community College, Lamar Community College, and Pueblo Community College campuses should strengthen their internal controls over federal reporting and ensure they comply with the Higher Education Emergency Relief Fund reporting requirements by reviewing reports for accuracy and developing procedures for ensuring the required maintenance of all related supporting documentation. Response Front Range Community College Agree Implementation Date: September 2022 Moving forward the Director of Financial Aid will engage the Restricted Funds Accountants in a quality assurance review of both dollars spent, type of fund, and student counts before it is submitted for final review and publishing by the Director of Resource Development and Senior Grant Administrator. The most recently submitted information for the quarterly report of September 30, 2022 will be sent to the Restricted Funds Accountants to validate that FRCC has been and will continue to be in compliance for quarterly HEERF reporting. Response Lamar Community College Agree Implementation Date: July 2022 The Financial Aid Director and the Controller will compile their reporting support on the shared drive they utilize for other routine purposes as well, to ensure clear documentation of the numbers reported. The original report containing errors was corrected, validated, and reposted. All past year?s reporting data was made available on the shared drive as of July 2022. Response Pueblo Community College Agree Implementation Date: October 2022 Each quarter Financial aid will obtain and compare Cognos and Banner disbursement reports for accuracy. Once the unduplicated student count is determined it will be sent to the Vice President of Student Success to validate and approve going forward. Financial aid will ensure staff maintain supporting documentation for any institutional expenditures information that was obtained from the fiscal office. Disbursement and expenditure data will be compiled for the Department of Education?s Quarterly Report by the submission deadline and will be submitted as PDF to webmaster for posting on PCC?s website and a copy emailed to a contact at the Department of Education and will archive the submission for future reference.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-064 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide emergency financial assistance to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the University under the Higher Education Emergency Relief Fund (HEERF I) Program. The federal Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the federal American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Each of the University?s campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (DOE) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements of the HEERF program there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The DOE specified that the Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The University?s campuses are required to submit the annual report directly to the DOE. During Fiscal Year 2022, each University campus was required to complete and post 8 reports (four Student Aid and four Institutional) to their website. During Fiscal Year 2022, the University?s three campuses in total expended approximately $60 million in HEERF grant funds: $27 million was expended by the Boulder campus, $10.5 million was expended by the Colorado Springs campus, and $22.5 million was expended by the Denver campus. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over and complied with the HEERF grant reporting requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls over the HEERF grant reporting requirements. In addition, we tested 11 of the 12 student reports and 3 of the 12 institutional reports posted by the University during Fiscal Year 2022 to determine whether the University campuses posted the required information on each campus? website accurately, and by the federal due dates. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? The DOE issued a notice on May 13, 2021, requiring institutions to publicly post their required HEERF reports on the institution?s website as soon as possible, but no later than 30 days after the publication of the notice, or 30 days after the date the DOE first obligated funds under HEERF I, II, or III to the institution for emergency financial assistance to students; whichever comes later. The institution is required to post the report no later than 10 days after the end of each calendar quarter, after the initial posting. ? Federal regulation [2 CFR 200.303] states that the System?s campuses, as federal grant recipients, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? What problem did the audit work identify? We identified 2 out of the 14 reports tested (14.3 percent) that did not meet the HEERF grant report posting requirements. Specifically, the University of Colorado, Colorado Springs Campus, did not post the required information for the HEERF Student Aid Portion on its website for two of four quarters of Fiscal Year 2022 timely. First, the University posted the quarter-ending September 30, 2021 report to its website on December 23, 2021, or 74 days after the deadline of October 10. Second, the University did not post the quarter-ending March 31, 2022 report, which was due April 10, 2022, until October 2022, after we notified them of the error; this was approximately 6 months late. We did not identify any issues with the accuracy of the reports, and we found that the other two campuses in the University of Colorado System posted the required information on their respective websites as required by federal regulations. Why did this problem occur? The University?s Colorado Springs campus did not have adequate internal controls in place to ensure it complied with the HEERF grant reporting requirements. Specifically, the Colorado Springs Campus did not have appropriate policies and procedures in place for identifying and researching changes in HEERF reporting requirements. The federal government updated and provided a new form for HEERF reporting in September 2021 that included a section for institutional information but inadvertently excluded student information from the form. Because the form no longer required the student information, the Colorado Springs campus staff inaccurately assumed that the student information was no longer required to be reported. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in the DOE Certification and Agreement that is signed and agreed to by the University. By failing to report required information in accordance with federal regulations, the University failed to comply with the requirements of the HEERF program and potentially risks repercussions from the DOE as specified in the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-064 The University of Colorado?s Colorado Springs campus should strengthen its internal controls over and ensure that it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by establishing policies and procedures for identifying and researching changes in HEERF reporting requirements and posting reports to the campus website as required by federal regulations. Response University of Colorado Agree Implementation Date: Implemented Management agrees. After the notification of the missing HEERF report in December 2021, the UCCS Controller proposed a ?cross-check? process to ensure all future reporting is in compliance and reported in a timely manner. This process is used for both the quarterly and annual reporting process. In the quarterly reporting process, the UCCS Controller completes the institutional report and emails the report to the UCCS Financial Aid office Senior Executive Director for verification of the amounts and the data submitted. The Senior Executive Director then enters the student aid portion?s information and provides this to the UCCS Controller for verification of the data. Once verified, the report is uploaded to the UCCS website and a confirmation email is sent to the UCCS Controller as well as the heerfreporting@ed.gov for verification of completion of the website posting. This process has been duplicated with the annual reporting process. Before the annual report is submitted a review will be done to verify the report figures match the CU financials for the calendar year.
Finding 2022-062 Higher Education Emergency Relief Fund Student Aid Finding The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to higher education institutions, including the University, under the HEERF program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA) was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. Since March 11, 2021, the University has been awarded $45.6 million in HEERF grant funds through the American Rescue Plan (ARP), otherwise known as HEERF III. Of this award, the University was provided both 1) Student Aid monies, along with 2) Institutional Aid monies. Student Aid monies must be used to provide financial aid grants to students (including students exclusively enrolled in distance education), which may be used for ?any component of the student?s cost of attendance or for emergency costs that arise due to coronavirus, such as tuition, food, housing, healthcare (including mental health care), or childcare. Institutional Aid monies may be used to defray expenses associated with coronavirus (including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll) and to make additional financial grants to students. During Fiscal Year 2022, the University spent $21.0 million for the Student Aid portion and $20.2 million for the Institutional portion of HEERF III funds. For the Student Aid portion of the HEERF III funding, the University divided the funding into different groups. The University developed a written plan (that applied during Fiscal Year 2022) for each group and a control process for awarding the monies to students. One of the groups of funding was to be awarded to students with unpaid balances in their tuition or auxiliary accounts with past due balances incurred during the 2020-2021 or 2021-2022 academic years. A team of University employees (CARES Team) was tasked with identifying those students, then contacting those students and asking if they would like the University to apply the student?s HEERF award to pay down the student?s account balance or pay it to the student directly. Once the student informed the University of their election, then the University awarded and disbursed the funds. What was the purpose of our audit work and what was performed? The purpose of the audit work was to determine whether the University was in compliance with the HEERF program regulations for awarding and paying the Student Aid portion of the HEERF funding, and whether proper controls were in place over the program during Fiscal Year 2022. Our testing included conducting interviews with management and selecting a sample of 60 disbursements made to students during Fiscal Year 2022 to test controls and compliance. We performed testing on the 60 disbursements to determine whether awards and disbursements were made in accordance with the University?s documented plan. How were the results of the audit work measured? In accordance with HEERF III requirements, the University must prioritize student aid distributions to students with exceptional needs. In addition, the University must have a documented plan to distribute funds to students. Federal regulations [2 CFR 200.303] require any non-federal grant award recipient to establish and maintain effective internal control over the federal award that provides reasonable assurance that the grant award recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. Lastly, student aid application best practices discourage employees from awarding aid to family members. What problem did the audit work identify? Based on interviews with University management, the University identified that a University employee inappropriately provided $700 in HEERF Student Aid funding to the employee?s family member who was a student at the University but was not eligible to receive the funds. Specifically, the CARES Team selected students to receive these funds that met the following criteria: 1) Student was enrolled in the Fall of 2021 or Spring 2022, 2) student had past due balances incurred during the 2020-2021 or 2021-2022 academic years, 3) the student was in good academic standing, and 4) they were participating in a payment plan or in the College Completion Advising program. The student was not selected by the CARES Team as eligible to receive these funds. During our testing of additional 60 student disbursement transactions we found no other exceptions. Why did this problem occur? The University has not established proper segregation of duties to prevent University employees from awarding federal funding to a member of their family. Specifically, the employee had access rights within the University?s financial aid system that granted the employee the ability to both award and disburse federal funds without another employee reviewing or approving. In addition, the University did not have a written policy, as recommended by industry best practices, that prohibits employees from applying aid to family members? accounts. Why does this problem matter? Federal funds that are misapplied or used for unallowable purposes could be subject to repayment from the University to the federal granting agency. Without ensuring adequate segregation of duties within the University?s financial aid system for awarding and disbursing federal funds, the University increases the risk that fraud could occur. In the instance identified, the University recovered the funding from the student. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-062 Metropolitan State University of Denver (University) should improve its internal controls over federal Higher Education Emergency Relief Funds by instituting appropriate segregation of duties over the awarding of federal funds to students. This should include requiring that no one employee can both award then disburse aid to students and developing and implementing a formal written policy that prohibits University employees from awarding financial aid to their family members. Response Metropolitan State University Agree Implementation Date: June 2023 In January 2023, the Executive Director of Financial Aid and Scholarships implemented a code of conduct that addresses and prohibits University personnel from awarding financial aid to their family members or other persons considered conflicts of interest. The Office of Financial Aid and Scholarships will draft policy by June 30, 2023, to address the segregation of duties that prohibits awarding and disbursing federal, state, or institutional funding to students by one employee.
Finding 2022-063 Higher Education Emergency Relief Fund Reporting Compliance Finding The CARES Act was signed into law on March 27, 2020, and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the (HEERF Program. CRRSAA was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Since April 2020, the University has been awarded a total of $86.3 million in HEERF funding. From inception through June 30, 2022, the University spent $35.4 million for the HEERF program Student Aid Portion and $48.9 million for the HEERF program Institutional Portion. The University reports that it will spend the remaining amount of funding during Fiscal Year 2023. The University signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate the University?s acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The ED specified that Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The annual report is to be submitted directly to the federal ED. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University had adequate internal controls in place over and complied with HEERF Institutional and Student Aid Portion grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the University?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 5 of the 8 HEERF reports submitted by the University during Fiscal Year 2022 to determine whether the reports were posted on the University?s primary website or submitted directly to the ED by the federal due dates and complied with federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? For the Student Aid Portion, beginning on May 6, 2020, the ED required institutions to publicly post certain information on their website, including the number of awards distributed to students, the total amount awarded, and the methodologies used by the institution to determine which students receive awards, no later than 30 days after the award date, and to update that information every 45 days thereafter (by posting a new report). ? On August 31, 2020, the ED revised the reporting requirement by decreasing the frequency of reporting after the initial 30-day period from every 45 days thereafter to every calendar quarter. This revision from every 45 days to a calendar quarter was effective for the first calendar quarter report due by October 10, 2020, and covering the period from after the institution?s last report through the end of the calendar quarter on September 30, 2020. ? For the Institutional Portion, a federal form filled out by the institution must be posted on the institution?s website covering aggregate expenditure amounts for each calendar quarter (September 30, December 31, March 31, and June 30) and concluding after an institution has spent the institutional portion of their HEERF Funds. The institution must post their first report by October 30, 2020, the first quarter of 2021 report by July 20, 2021, and post all other reports no later than 10 days after the end of each calendar quarter (October 10, January 10, April 10, and July 10). ? Section 18004(e) of the CARES Act and Section 314(e) of the CRRSAA require an institution receiving funds under HEERF to submit a report to the Secretary of the ED at ?such time in such a manner as the Secretary may require?. ? Federal regulation [2 CFR 200.334] states that ?financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.? The instructions for the Quarterly HEERF Reporting Form notes, ?any changes or updates after the initial posting must be conspicuously noted after initial posting and the date of the change must be noted in the `Date of Report? line.? ? Federal regulation [2 CFR 200.303] states that the University, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The University signed a HEERF Certification and Agreement to accept the funding and acknowledge its responsibilities under the grant; therefore, the University was responsible under the Agreement to ensure that it complied with HEERF reporting and other requirements. What problems did the audit work identify? We determined that 2 out of 5 reports tested (40 percent) did not meet the HEERF grant report posting requirements. Specifically: ? The University did not post the HEERF CRRSAA Student quarterly report for the quarter ending September 30, 2021 on the University?s primary website, as required. ? The University published the HEERF ARP Student quarterly report for the quarter ending March 31, 2022 on May 26, 2022?46 days past the due date of April 10, 2022. No issues were noted on the accuracy of the financial information on this report. Why did these problems occur? The University did not implement adequate internal controls to ensure it complied with the HEERF grant reporting requirements. Specifically, the University did not have appropriate policies and procedures in place to ensure that staff submit the required reports within federally required timeframes. Why do these problems matter? Federal oversight agencies, including ED, depend on accurate reports to measure program results and states? compliance with federal requirements. By failing to report the HEERF spending information in accordance with federal regulations, the University failed to comply with the requirements of the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-063 Metropolitan State University of Denver (University) should strengthen its internal controls over reporting and ensure it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by developing and documenting policies and procedures for identifying and researching the specific reporting requirements and ensuring that staff post to the University?s website the required reports within federally required timeframes. In addition, the University should ensure that all the HEERF reports that are currently required to be posted are on the website. Response Metropolitan State University Agree Implementation Date: December 2022 In December 2022, the Office of Financial Aid strengthened its internal control over the reporting requirements for the Higher Education Emergency Relief Fund (HEERF), by adding the report due dates to the internal operational calendar. Additional level reviews were also added to the submission process before the required reports will be sent to the Department of Education and posted on the financial aid website.
Finding 2022-059 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF I) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund (Assistance Listing No. 84.425). The HEERF program contains two portions: the Student Aid portion (Assistance Listing No. 84.425E) and the Institutional portion, which is made up of the following: HEERF Institutional Aid Portion (Assistance Listing No. 84.425F), HEERF Minority Serving Institutions (Assistance Listing No. 84.425L), HEERF Strengthening Institutions Program (Assistance Listing No. 84.425M), Institutional Resilience and Expanded Postsecondary Opportunity (Assistance Listing No. 84.425P), and HEERF Supplemental Assistance to Institutions of Higher Education program (Assistance Listing No. 84.425S). Amounts provided to students through HEERF are considered to be ?Emergency Financial Aid Grants to Students? under the Program. Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent approximately $97.8 million for the HEERF program Student Aid portion which is used to award Emergency Financial Aid Grants to students and $113.9 million for the HEERF Institutional Portion, which is used to support the colleges. $117.3 of this amount was expended by the System during Fiscal Year 2022. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the ED to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The annual report is to be submitted directly to the ED. The ED has specified certain criteria that must be included in each report. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System had adequate internal controls in place over, and complied with, the HEERF Institutional and Student Aid grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the System?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 25 of the 117 HEERF reports submitted by the System?s campuses during Fiscal Year 2022 to determine whether the reports were posted on each campus? primary website (quarterly reports) or submitted to ED (annual reports) by the federal due dates. Furthermore, for the Student Aid Quarterly Report we requested from each Campus the underlying support for the reports, which consisted of student data detailing how much aid was awarded and the methods the campuses used to determine which students would receive Emergency Financial Aid Grants. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? On May 13, 2021, the ED published in the Federal Register a notice for student aid public reporting under CRRSAA and ARP, which requires that institutions publicly post certain information on their website. The following information must appear in a format and location that is easily accessible to the public: o An acknowledgement that the institution signed and returned to the ED the Certification and Agreement and the assurance that the institution has used the applicable amount of funds designated under the CRRSAA and ARP programs to provide Emergency Financial Aid Grants to Students. o The total amount of funds that the institution will receive or has received from the ED pursuant to the institution's Certification and Agreement for Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total amount of Emergency Financial Aid Grants distributed to students under the CRRSAA and ARP programs as of the date of submission (i.e., as of the initial report and every calendar quarter thereafter). o The estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total number of students who have received an Emergency Financial Aid Grant to students under the CRRSAA and ARP programs. o The method(s) used by the institution to determine which students receive Emergency Financial Aid Grants and how much they would receive under the CRRSAA and ARP programs. o Any instructions, directions, or guidance provided by the institution to students concerning the Emergency Financial Aid Grants. ? Federal Uniform Guidance [2 CFR 200.303] requires that recipients of federal awards have internal controls in place to ensure that federal reports are accurate and report complete information. Appropriate supporting documentation is evidence of such internal controls. What problems did the audit work identify? We identified issues with 5 of the 25 Fiscal Year 2022 reports we tested (20 percent). Specifically, Front Range Community College (FRCC), Pueblo Community College (PCC), and Lamar Community College (LCC) could not provide appropriate supporting documentation for one or more of the following data elements in five of the Student Aid Quarterly Reports: student data detailing (a) the total amount of Emergency Financial Aid Grants distributed to students, (b) the total number of students eligible to receive Emergency Financial Aid Grants and/or (c) the total number of students at the institution who have received an Emergency Financial Aid Grant. The specific issues we found the following: ? FRCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended September 30, 2021 as 20,684; based on our review, we determined the supported number was 20,782. ? FRCC reported the total number of students at the institution who have received an Emergency Financial Aid Grant for the quarter ended June 30, 2022 as 20,385 (student portion) and 3,207 (institutional portion); based on our review, we determined the supported numbers were 20,401 and 3,222, respectively. ? LCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended June 30, 2022 as 1,007; based on our review, we determined the supported number was 1,034. In addition, the amount disbursed directly to student emergency financial aid grants to date was reported as 961 and total for all HEERF funds was 1,124; based on our review, we determined the supported numbers were 988 and 1,151, respectively. ? PCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarters ending September 30, 2021 and December 31, 2021 as 3,191; based on our review, we determined this amount could not be supported and PCC did not provide a revised count. Why did these problems occur? FRCC, PCC, and LCC campuses did not have procedures in place to ensure that supporting documentation was maintained for its Student Aid Quarterly Reporting. Employee turnover in the FRCC Controller position and FRCC, PCC, and LCC Student Financial Aid Director positions further contributed to FRCC, PCC, and LCC?s inability to locate or recreate the supporting documentation. Why do these problems matter? It is important for FRCC, PCC, and LCC to ensure that they obtain and maintain appropriate documentation to support amounts reported to federal awarding agencies, especially when they are the basis for determining FRCC, PCC, and LCC?s compliance with specific federal program requirements. This issue could lead to inaccurate federal reporting and potential noncompliance, which could result in the federal government requiring FRCC, PCC, and LCC to return funds or a negative impact to the System?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-059 Front Range Community College, Lamar Community College, and Pueblo Community College campuses should strengthen their internal controls over federal reporting and ensure they comply with the Higher Education Emergency Relief Fund reporting requirements by reviewing reports for accuracy and developing procedures for ensuring the required maintenance of all related supporting documentation. Response Front Range Community College Agree Implementation Date: September 2022 Moving forward the Director of Financial Aid will engage the Restricted Funds Accountants in a quality assurance review of both dollars spent, type of fund, and student counts before it is submitted for final review and publishing by the Director of Resource Development and Senior Grant Administrator. The most recently submitted information for the quarterly report of September 30, 2022 will be sent to the Restricted Funds Accountants to validate that FRCC has been and will continue to be in compliance for quarterly HEERF reporting. Response Lamar Community College Agree Implementation Date: July 2022 The Financial Aid Director and the Controller will compile their reporting support on the shared drive they utilize for other routine purposes as well, to ensure clear documentation of the numbers reported. The original report containing errors was corrected, validated, and reposted. All past year?s reporting data was made available on the shared drive as of July 2022. Response Pueblo Community College Agree Implementation Date: October 2022 Each quarter Financial aid will obtain and compare Cognos and Banner disbursement reports for accuracy. Once the unduplicated student count is determined it will be sent to the Vice President of Student Success to validate and approve going forward. Financial aid will ensure staff maintain supporting documentation for any institutional expenditures information that was obtained from the fiscal office. Disbursement and expenditure data will be compiled for the Department of Education?s Quarterly Report by the submission deadline and will be submitted as PDF to webmaster for posting on PCC?s website and a copy emailed to a contact at the Department of Education and will archive the submission for future reference.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-065 Research and Development Cluster Equipment Management Compliance The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D activities conducted under these awards vary greatly. The objective of an individual project is explained in the federal award document. R&D activities at the University are subject to federal equipment management requirements. In accordance with Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), Section 201.1 Definitions, equipment is defined as tangible personal property (including information technology systems) having a useful life of more than one year and a per-unit acquisition cost which equals or exceeds the lesser of the capitalization level established by the non-Federal entity for financial statement purposes, or $5,000. The University uses equipment to meet the objective of its various research projects and this equipment may be common items such as a microscope or very complex scientific equipment, Under federal regulations, the University is required, for any equipment purchased under a federal contract, to maintain and track the equipment as to its location. The University must have an internal control structure in place in order to protect and safeguard the equipment and the University should be able to provide evidence that the equipment is safeguarded and maintained and show the location of all equipment. The Campus Controller?s Property Accounting Office (PAO) within the Boulder campus is responsible for equipment and property management. The PAO sends its full equipment listing quarterly to a portion of its individual departments with equipment, in a frequency to cover all departments within a two-year period. The individual departments are required to review the equipment listing, add any new equipment to the listing, and remove any equipment from the listing that has been disposed of or is no longer in service. Once the departments return the listings to the PAO, the PAO selects a sample to verify the information provided by the departments. The PAO selects the sample and the PAO Property Accountant then verifies the equipment?s existence by performing a site visit to the department and observing the equipment. The PAO selects a new sample each quarter. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million and $6 million from the Boulder, Denver and UCCS campuses, respectively. Of that amount, the University?s three campuses expended a total of approximately $191 million for equipment purchases, with $116 million, $69.6 million, and $5.4 million being spent by the Boulder, Denver, and UCCS campuses, respectively. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D Cluster?s equipment management requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls related to the R&D equipment management requirements. We tested 60 items of equipment with a total value of $1.2 million to determine whether the University appropriately safeguarded and maintained equipment, as required by federal regulations. In addition, we tested 40 of the 60 items of equipment with a total value of $840,000 to determine whether the University?s campuses appropriately placed property tags on the equipment as required by University policy. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.313(b) states that a State must use, manage and dispose of equipment acquired under a federal award to the State in accordance with the state laws and procedures. The University?s Property Control Manual section 1.3 states that the University is responsible and accountable for all property acquired with federal funding in accordance with federal regulations and the provision of a sponsored award. While under the heading of ?non-federal entities other than States,? federal regulation 2 CFR 200.313(c) through (e) also requires that equipment records be maintained, a physical inventory of equipment be taken at least once every two years and reconciled to the equipment record, an appropriate control system be used to safeguard equipment and all equipment shall be adequately maintained. ? The University?s Property Control Manual Section 3.3.1 states that ?only items having an acquisition cost of $5,000 or more are logged and tracked in the university property record.? Furthermore, the University?s Property Control Manual Section 3.3.3, states that equipment records should be updated for any changes discovered during the performance of an inventory over equipment. This would include equipment that should be removed from the listing because it was disposed of or is no longer in service. ? The University?s Property Control Manual section 3.2 states that ?All Government property at $5,000 or above in the custody of the Boulder campus must be tagged.? What problems did the audit work identify? We found that 2 of the 60 equipment items that we tested (3 percent,) with a total value of $39,400, were inappropriately included on the equipment listing even though they had either been disposed of in a prior period or were not in service. Specifically, one equipment item with an approximate value of $28,000 was no longer in service by the University, but still remained on the University?s inventory listing. The second equipment item with an approximate value of $8,400 was disposed of by the University on October 3, 2017, but was still on the list. In addition, we determined that 2 of the 40 equipment items we tested for tagging (5 percent) did not contain the tag as required by the University?s Property Control Manual. One of these items was valued at approximately $28,000. The second item was valued at approximately $31,000. Why did these problems occur? The University?s Boulder campus did not have adequate internal controls in place to ensure it complied with the R&D equipment management requirements. Specifically, although the University does have policies over equipment, Boulder campus staff were not adequately performing the procedures intrinsic in the policy. Specifically, neither the PAO nor the individual University departments adequately reconciled the equipment listing to the physical equipment on hand, which resulted in the list including equipment that had been disposed of or was no longer in use. Additionally, the Boulder Campus did not follow its own policies and procedures requiring that equipment with a value of $5,000 was appropriately tagged. One item?s tag was missing and a replacement tag had been ordered and not received at the time of our procedures. We could not determine whether the University identified that the tag was missing before we requested the information for review. The second item was below ground and the University did not maintain evidence of the original tag. Why do these problems matter? The University is obligated to adhere to specified requirements as outlined by federal regulations and the respective award agreement. By failing to adhere to the requirements for maintenance of equipment, the University potentially risks repercussions from the awarding agency. Furthermore, failing to properly maintain the equipment in accordance with federal and University requirements could increase the risk of theft or loss and decrease the ability of the University to adequately identify theft or loss. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-065 The University of Colorado?s Boulder campus should strengthen its internal controls over equipment management and ensure that it complies with the Research and Development equipment management federal compliance requirements by: A. Ensuring the Campus Controller?s Property Accounting Office and the individual departments adequately reconcile the equipment listing to the physical equipment on hand to ensure that the list is accurate, and remove equipment from the listing that has been disposed of or is no longer in use. B. Enforcing its current policies and procedures for ensuring all equipment is appropriately tagged and maintained. Response University of Colorado A. Agree Implementation Date: March 2023 Management agrees with the recommendation. Procedures have been initiated with cross campus partners and will be fully implemented by March 2023. The proposed corrective action plan is as follows: ? Escalation procedures will be implemented in collaboration with campus partners so that action items identified in inventory reviews are addressed timely. ? The Campus Controller?s Office will work with campus partners to increase physical monitoring procedures to ensure tags are affixed and maintained on equipment. B. Agree Implementation Date: March 2023 Management agrees with the recommendation. Procedures have been initiated with cross campus partners and will be fully implemented by March 2023. The proposed corrective action plan is as follows: ? Escalation procedures will be implemented in collaboration with campus partners so that action items identified in inventory reviews are addressed timely. ? The Campus Controller?s Office will work with campus partners to increase physical monitoring procedures to ensure tags are affixed and maintained on equipment.
Finding 2022-065 Research and Development Cluster Equipment Management Compliance The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D activities conducted under these awards vary greatly. The objective of an individual project is explained in the federal award document. R&D activities at the University are subject to federal equipment management requirements. In accordance with Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), Section 201.1 Definitions, equipment is defined as tangible personal property (including information technology systems) having a useful life of more than one year and a per-unit acquisition cost which equals or exceeds the lesser of the capitalization level established by the non-Federal entity for financial statement purposes, or $5,000. The University uses equipment to meet the objective of its various research projects and this equipment may be common items such as a microscope or very complex scientific equipment, Under federal regulations, the University is required, for any equipment purchased under a federal contract, to maintain and track the equipment as to its location. The University must have an internal control structure in place in order to protect and safeguard the equipment and the University should be able to provide evidence that the equipment is safeguarded and maintained and show the location of all equipment. The Campus Controller?s Property Accounting Office (PAO) within the Boulder campus is responsible for equipment and property management. The PAO sends its full equipment listing quarterly to a portion of its individual departments with equipment, in a frequency to cover all departments within a two-year period. The individual departments are required to review the equipment listing, add any new equipment to the listing, and remove any equipment from the listing that has been disposed of or is no longer in service. Once the departments return the listings to the PAO, the PAO selects a sample to verify the information provided by the departments. The PAO selects the sample and the PAO Property Accountant then verifies the equipment?s existence by performing a site visit to the department and observing the equipment. The PAO selects a new sample each quarter. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million and $6 million from the Boulder, Denver and UCCS campuses, respectively. Of that amount, the University?s three campuses expended a total of approximately $191 million for equipment purchases, with $116 million, $69.6 million, and $5.4 million being spent by the Boulder, Denver, and UCCS campuses, respectively. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D Cluster?s equipment management requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls related to the R&D equipment management requirements. We tested 60 items of equipment with a total value of $1.2 million to determine whether the University appropriately safeguarded and maintained equipment, as required by federal regulations. In addition, we tested 40 of the 60 items of equipment with a total value of $840,000 to determine whether the University?s campuses appropriately placed property tags on the equipment as required by University policy. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.313(b) states that a State must use, manage and dispose of equipment acquired under a federal award to the State in accordance with the state laws and procedures. The University?s Property Control Manual section 1.3 states that the University is responsible and accountable for all property acquired with federal funding in accordance with federal regulations and the provision of a sponsored award. While under the heading of ?non-federal entities other than States,? federal regulation 2 CFR 200.313(c) through (e) also requires that equipment records be maintained, a physical inventory of equipment be taken at least once every two years and reconciled to the equipment record, an appropriate control system be used to safeguard equipment and all equipment shall be adequately maintained. ? The University?s Property Control Manual Section 3.3.1 states that ?only items having an acquisition cost of $5,000 or more are logged and tracked in the university property record.? Furthermore, the University?s Property Control Manual Section 3.3.3, states that equipment records should be updated for any changes discovered during the performance of an inventory over equipment. This would include equipment that should be removed from the listing because it was disposed of or is no longer in service. ? The University?s Property Control Manual section 3.2 states that ?All Government property at $5,000 or above in the custody of the Boulder campus must be tagged.? What problems did the audit work identify? We found that 2 of the 60 equipment items that we tested (3 percent,) with a total value of $39,400, were inappropriately included on the equipment listing even though they had either been disposed of in a prior period or were not in service. Specifically, one equipment item with an approximate value of $28,000 was no longer in service by the University, but still remained on the University?s inventory listing. The second equipment item with an approximate value of $8,400 was disposed of by the University on October 3, 2017, but was still on the list. In addition, we determined that 2 of the 40 equipment items we tested for tagging (5 percent) did not contain the tag as required by the University?s Property Control Manual. One of these items was valued at approximately $28,000. The second item was valued at approximately $31,000. Why did these problems occur? The University?s Boulder campus did not have adequate internal controls in place to ensure it complied with the R&D equipment management requirements. Specifically, although the University does have policies over equipment, Boulder campus staff were not adequately performing the procedures intrinsic in the policy. Specifically, neither the PAO nor the individual University departments adequately reconciled the equipment listing to the physical equipment on hand, which resulted in the list including equipment that had been disposed of or was no longer in use. Additionally, the Boulder Campus did not follow its own policies and procedures requiring that equipment with a value of $5,000 was appropriately tagged. One item?s tag was missing and a replacement tag had been ordered and not received at the time of our procedures. We could not determine whether the University identified that the tag was missing before we requested the information for review. The second item was below ground and the University did not maintain evidence of the original tag. Why do these problems matter? The University is obligated to adhere to specified requirements as outlined by federal regulations and the respective award agreement. By failing to adhere to the requirements for maintenance of equipment, the University potentially risks repercussions from the awarding agency. Furthermore, failing to properly maintain the equipment in accordance with federal and University requirements could increase the risk of theft or loss and decrease the ability of the University to adequately identify theft or loss. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-065 The University of Colorado?s Boulder campus should strengthen its internal controls over equipment management and ensure that it complies with the Research and Development equipment management federal compliance requirements by: A. Ensuring the Campus Controller?s Property Accounting Office and the individual departments adequately reconcile the equipment listing to the physical equipment on hand to ensure that the list is accurate, and remove equipment from the listing that has been disposed of or is no longer in use. B. Enforcing its current policies and procedures for ensuring all equipment is appropriately tagged and maintained. Response University of Colorado A. Agree Implementation Date: March 2023 Management agrees with the recommendation. Procedures have been initiated with cross campus partners and will be fully implemented by March 2023. The proposed corrective action plan is as follows: ? Escalation procedures will be implemented in collaboration with campus partners so that action items identified in inventory reviews are addressed timely. ? The Campus Controller?s Office will work with campus partners to increase physical monitoring procedures to ensure tags are affixed and maintained on equipment. B. Agree Implementation Date: March 2023 Management agrees with the recommendation. Procedures have been initiated with cross campus partners and will be fully implemented by March 2023. The proposed corrective action plan is as follows: ? Escalation procedures will be implemented in collaboration with campus partners so that action items identified in inventory reviews are addressed timely. ? The Campus Controller?s Office will work with campus partners to increase physical monitoring procedures to ensure tags are affixed and maintained on equipment.
Finding 2022-065 Research and Development Cluster Equipment Management Compliance The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D activities conducted under these awards vary greatly. The objective of an individual project is explained in the federal award document. R&D activities at the University are subject to federal equipment management requirements. In accordance with Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), Section 201.1 Definitions, equipment is defined as tangible personal property (including information technology systems) having a useful life of more than one year and a per-unit acquisition cost which equals or exceeds the lesser of the capitalization level established by the non-Federal entity for financial statement purposes, or $5,000. The University uses equipment to meet the objective of its various research projects and this equipment may be common items such as a microscope or very complex scientific equipment, Under federal regulations, the University is required, for any equipment purchased under a federal contract, to maintain and track the equipment as to its location. The University must have an internal control structure in place in order to protect and safeguard the equipment and the University should be able to provide evidence that the equipment is safeguarded and maintained and show the location of all equipment. The Campus Controller?s Property Accounting Office (PAO) within the Boulder campus is responsible for equipment and property management. The PAO sends its full equipment listing quarterly to a portion of its individual departments with equipment, in a frequency to cover all departments within a two-year period. The individual departments are required to review the equipment listing, add any new equipment to the listing, and remove any equipment from the listing that has been disposed of or is no longer in service. Once the departments return the listings to the PAO, the PAO selects a sample to verify the information provided by the departments. The PAO selects the sample and the PAO Property Accountant then verifies the equipment?s existence by performing a site visit to the department and observing the equipment. The PAO selects a new sample each quarter. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million and $6 million from the Boulder, Denver and UCCS campuses, respectively. Of that amount, the University?s three campuses expended a total of approximately $191 million for equipment purchases, with $116 million, $69.6 million, and $5.4 million being spent by the Boulder, Denver, and UCCS campuses, respectively. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D Cluster?s equipment management requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls related to the R&D equipment management requirements. We tested 60 items of equipment with a total value of $1.2 million to determine whether the University appropriately safeguarded and maintained equipment, as required by federal regulations. In addition, we tested 40 of the 60 items of equipment with a total value of $840,000 to determine whether the University?s campuses appropriately placed property tags on the equipment as required by University policy. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.313(b) states that a State must use, manage and dispose of equipment acquired under a federal award to the State in accordance with the state laws and procedures. The University?s Property Control Manual section 1.3 states that the University is responsible and accountable for all property acquired with federal funding in accordance with federal regulations and the provision of a sponsored award. While under the heading of ?non-federal entities other than States,? federal regulation 2 CFR 200.313(c) through (e) also requires that equipment records be maintained, a physical inventory of equipment be taken at least once every two years and reconciled to the equipment record, an appropriate control system be used to safeguard equipment and all equipment shall be adequately maintained. ? The University?s Property Control Manual Section 3.3.1 states that ?only items having an acquisition cost of $5,000 or more are logged and tracked in the university property record.? Furthermore, the University?s Property Control Manual Section 3.3.3, states that equipment records should be updated for any changes discovered during the performance of an inventory over equipment. This would include equipment that should be removed from the listing because it was disposed of or is no longer in service. ? The University?s Property Control Manual section 3.2 states that ?All Government property at $5,000 or above in the custody of the Boulder campus must be tagged.? What problems did the audit work identify? We found that 2 of the 60 equipment items that we tested (3 percent,) with a total value of $39,400, were inappropriately included on the equipment listing even though they had either been disposed of in a prior period or were not in service. Specifically, one equipment item with an approximate value of $28,000 was no longer in service by the University, but still remained on the University?s inventory listing. The second equipment item with an approximate value of $8,400 was disposed of by the University on October 3, 2017, but was still on the list. In addition, we determined that 2 of the 40 equipment items we tested for tagging (5 percent) did not contain the tag as required by the University?s Property Control Manual. One of these items was valued at approximately $28,000. The second item was valued at approximately $31,000. Why did these problems occur? The University?s Boulder campus did not have adequate internal controls in place to ensure it complied with the R&D equipment management requirements. Specifically, although the University does have policies over equipment, Boulder campus staff were not adequately performing the procedures intrinsic in the policy. Specifically, neither the PAO nor the individual University departments adequately reconciled the equipment listing to the physical equipment on hand, which resulted in the list including equipment that had been disposed of or was no longer in use. Additionally, the Boulder Campus did not follow its own policies and procedures requiring that equipment with a value of $5,000 was appropriately tagged. One item?s tag was missing and a replacement tag had been ordered and not received at the time of our procedures. We could not determine whether the University identified that the tag was missing before we requested the information for review. The second item was below ground and the University did not maintain evidence of the original tag. Why do these problems matter? The University is obligated to adhere to specified requirements as outlined by federal regulations and the respective award agreement. By failing to adhere to the requirements for maintenance of equipment, the University potentially risks repercussions from the awarding agency. Furthermore, failing to properly maintain the equipment in accordance with federal and University requirements could increase the risk of theft or loss and decrease the ability of the University to adequately identify theft or loss. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-065 The University of Colorado?s Boulder campus should strengthen its internal controls over equipment management and ensure that it complies with the Research and Development equipment management federal compliance requirements by: A. Ensuring the Campus Controller?s Property Accounting Office and the individual departments adequately reconcile the equipment listing to the physical equipment on hand to ensure that the list is accurate, and remove equipment from the listing that has been disposed of or is no longer in use. B. Enforcing its current policies and procedures for ensuring all equipment is appropriately tagged and maintained. Response University of Colorado A. Agree Implementation Date: March 2023 Management agrees with the recommendation. Procedures have been initiated with cross campus partners and will be fully implemented by March 2023. The proposed corrective action plan is as follows: ? Escalation procedures will be implemented in collaboration with campus partners so that action items identified in inventory reviews are addressed timely. ? The Campus Controller?s Office will work with campus partners to increase physical monitoring procedures to ensure tags are affixed and maintained on equipment. B. Agree Implementation Date: March 2023 Management agrees with the recommendation. Procedures have been initiated with cross campus partners and will be fully implemented by March 2023. The proposed corrective action plan is as follows: ? Escalation procedures will be implemented in collaboration with campus partners so that action items identified in inventory reviews are addressed timely. ? The Campus Controller?s Office will work with campus partners to increase physical monitoring procedures to ensure tags are affixed and maintained on equipment.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-065 Research and Development Cluster Equipment Management Compliance The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D activities conducted under these awards vary greatly. The objective of an individual project is explained in the federal award document. R&D activities at the University are subject to federal equipment management requirements. In accordance with Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), Section 201.1 Definitions, equipment is defined as tangible personal property (including information technology systems) having a useful life of more than one year and a per-unit acquisition cost which equals or exceeds the lesser of the capitalization level established by the non-Federal entity for financial statement purposes, or $5,000. The University uses equipment to meet the objective of its various research projects and this equipment may be common items such as a microscope or very complex scientific equipment, Under federal regulations, the University is required, for any equipment purchased under a federal contract, to maintain and track the equipment as to its location. The University must have an internal control structure in place in order to protect and safeguard the equipment and the University should be able to provide evidence that the equipment is safeguarded and maintained and show the location of all equipment. The Campus Controller?s Property Accounting Office (PAO) within the Boulder campus is responsible for equipment and property management. The PAO sends its full equipment listing quarterly to a portion of its individual departments with equipment, in a frequency to cover all departments within a two-year period. The individual departments are required to review the equipment listing, add any new equipment to the listing, and remove any equipment from the listing that has been disposed of or is no longer in service. Once the departments return the listings to the PAO, the PAO selects a sample to verify the information provided by the departments. The PAO selects the sample and the PAO Property Accountant then verifies the equipment?s existence by performing a site visit to the department and observing the equipment. The PAO selects a new sample each quarter. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million and $6 million from the Boulder, Denver and UCCS campuses, respectively. Of that amount, the University?s three campuses expended a total of approximately $191 million for equipment purchases, with $116 million, $69.6 million, and $5.4 million being spent by the Boulder, Denver, and UCCS campuses, respectively. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D Cluster?s equipment management requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls related to the R&D equipment management requirements. We tested 60 items of equipment with a total value of $1.2 million to determine whether the University appropriately safeguarded and maintained equipment, as required by federal regulations. In addition, we tested 40 of the 60 items of equipment with a total value of $840,000 to determine whether the University?s campuses appropriately placed property tags on the equipment as required by University policy. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.313(b) states that a State must use, manage and dispose of equipment acquired under a federal award to the State in accordance with the state laws and procedures. The University?s Property Control Manual section 1.3 states that the University is responsible and accountable for all property acquired with federal funding in accordance with federal regulations and the provision of a sponsored award. While under the heading of ?non-federal entities other than States,? federal regulation 2 CFR 200.313(c) through (e) also requires that equipment records be maintained, a physical inventory of equipment be taken at least once every two years and reconciled to the equipment record, an appropriate control system be used to safeguard equipment and all equipment shall be adequately maintained. ? The University?s Property Control Manual Section 3.3.1 states that ?only items having an acquisition cost of $5,000 or more are logged and tracked in the university property record.? Furthermore, the University?s Property Control Manual Section 3.3.3, states that equipment records should be updated for any changes discovered during the performance of an inventory over equipment. This would include equipment that should be removed from the listing because it was disposed of or is no longer in service. ? The University?s Property Control Manual section 3.2 states that ?All Government property at $5,000 or above in the custody of the Boulder campus must be tagged.? What problems did the audit work identify? We found that 2 of the 60 equipment items that we tested (3 percent,) with a total value of $39,400, were inappropriately included on the equipment listing even though they had either been disposed of in a prior period or were not in service. Specifically, one equipment item with an approximate value of $28,000 was no longer in service by the University, but still remained on the University?s inventory listing. The second equipment item with an approximate value of $8,400 was disposed of by the University on October 3, 2017, but was still on the list. In addition, we determined that 2 of the 40 equipment items we tested for tagging (5 percent) did not contain the tag as required by the University?s Property Control Manual. One of these items was valued at approximately $28,000. The second item was valued at approximately $31,000. Why did these problems occur? The University?s Boulder campus did not have adequate internal controls in place to ensure it complied with the R&D equipment management requirements. Specifically, although the University does have policies over equipment, Boulder campus staff were not adequately performing the procedures intrinsic in the policy. Specifically, neither the PAO nor the individual University departments adequately reconciled the equipment listing to the physical equipment on hand, which resulted in the list including equipment that had been disposed of or was no longer in use. Additionally, the Boulder Campus did not follow its own policies and procedures requiring that equipment with a value of $5,000 was appropriately tagged. One item?s tag was missing and a replacement tag had been ordered and not received at the time of our procedures. We could not determine whether the University identified that the tag was missing before we requested the information for review. The second item was below ground and the University did not maintain evidence of the original tag. Why do these problems matter? The University is obligated to adhere to specified requirements as outlined by federal regulations and the respective award agreement. By failing to adhere to the requirements for maintenance of equipment, the University potentially risks repercussions from the awarding agency. Furthermore, failing to properly maintain the equipment in accordance with federal and University requirements could increase the risk of theft or loss and decrease the ability of the University to adequately identify theft or loss. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-065 The University of Colorado?s Boulder campus should strengthen its internal controls over equipment management and ensure that it complies with the Research and Development equipment management federal compliance requirements by: A. Ensuring the Campus Controller?s Property Accounting Office and the individual departments adequately reconcile the equipment listing to the physical equipment on hand to ensure that the list is accurate, and remove equipment from the listing that has been disposed of or is no longer in use. B. Enforcing its current policies and procedures for ensuring all equipment is appropriately tagged and maintained. Response University of Colorado A. Agree Implementation Date: March 2023 Management agrees with the recommendation. Procedures have been initiated with cross campus partners and will be fully implemented by March 2023. The proposed corrective action plan is as follows: ? Escalation procedures will be implemented in collaboration with campus partners so that action items identified in inventory reviews are addressed timely. ? The Campus Controller?s Office will work with campus partners to increase physical monitoring procedures to ensure tags are affixed and maintained on equipment. B. Agree Implementation Date: March 2023 Management agrees with the recommendation. Procedures have been initiated with cross campus partners and will be fully implemented by March 2023. The proposed corrective action plan is as follows: ? Escalation procedures will be implemented in collaboration with campus partners so that action items identified in inventory reviews are addressed timely. ? The Campus Controller?s Office will work with campus partners to increase physical monitoring procedures to ensure tags are affixed and maintained on equipment.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-061 Internal Controls and Compliance Over Research and Development Cluster Period of Performance and Procurement The federal government sponsors Research and Development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal grantee entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award. R&D activities at the Colorado School of Mines are subject to federal period of performance and procurement requirements. Period of performance is the time in which the School may incur new obligations to carry out the work authorized by the federal award. Procurement is the process that the School follows to purchase goods and services. The School has established a process to review expenditures charged to federal awards during the federal award?s period of performance period to ensure that any costs incurred outside of the allowable timeframe are reversed out and not charged to the federal award. Per the Colorado School of Mines policies and procedures, the School pre-audits travel, equipment, personal disbursements, and participant support expenses prior to recording the transaction to ensure allowability of the expense. The School also post-audits salary, fringe benefits, tuition, and credit card expenses to ensure allowability. The School?s procurement process includes a policy that establishes levels of approval for purchase orders (PO) based on the dollar amount of the PO. Based on the dollar amount of the PO, the School will also attach the vendor contract to the PO. The School?s Controller?s Office sends the contracts with the attached PO to the assigned individual for signature and approval. During Fiscal Year 2022, the School expended approximately $65 million in federal R&D grant funds. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls in place over, and complied with, the Procurement and Period of Performance requirements within the R&D Cluster during Fiscal Year 2022. Period of Performance. We reviewed a random sample of 40 costs that were incurred prior to or within the first month of the grant start date to determine whether the School only charged the allowable cost to a federal award during the period of performance. Procurement. We reviewed a random sample of 16 procurement transactions that were over the micro-purchase threshold of $10,000 to determine whether School staff complied with the School?s internal procurement policy. All transactions over the micro-purchase threshold are subject to the procurement policy approval thresholds. We also compared the original PO issued against the School?s procurement policy to determine if the appropriate approval was obtained. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulations [2 CFR 200.303(a)] states that a non-federal entity should establish and maintain effective internal control over Federal awards that provide reasonable assurance that non-federal entities are managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As a part of maintaining internal controls, the School should maintain evidence of such controls occurring to show that the School Mines has internal controls in place as required by the Uniform Guidance and that it is evaluating and monitoring its compliance with Federal statutes, regulations, and the terms and conditions of Federal awards. ? Federal regulations [2 CFR 200.77 and 2 CFR 200.458] state that a non-Federal entity may only charge allowable costs to a federal award during the period of performance. According to the grant agreement, pre-award costs may be charged up to 90 days prior to the start date. Therefore, the pre-award cost period for the School?s R&D grant for Federal Fiscal Year 2022 began on October 19, 2021. ? Federal regulation [2 CFR 200.318] states that the School must document procurement procedures. The Schools procurement policy provides approval limits for purchase orders. According to this policy, certain individuals can approve POs up to $500,000, and others can approve POs up to $5 million. What problems did the audit work identify? During our Fiscal Year 2022 audit, we identified exceptions with period of performance and procurement requirements for the R&D grant. Specifically, we identified the following issues: Period of Performance. We found that the School incurred expenses prior to the period of performance start date related to 2 of the 40 disbursements (5 percent) tested. Specifically, School spent $2,593 between October 1, 2021 and October 16, 2021, or 3 to 18 days before the allowable period. Procurement. We found that the School did not obtain the appropriate approval for 1 of the 16 (6 percent) transactions tested. Specifically, the individual who signed the PO for $706,660 only had authority to sign PO?s up to a threshold of $ $500,000, which was $206,660 less than the amount of the PO. Why did these problems occur? The School did not have adequate internal controls over period of performance and procurement requirements for its R&D grant during Fiscal Year 2022. Specifically: Period of Performance. The School?s reviewer misunderstood the period of performance requirements related to the transaction and related federal award. Specifically, according to the School, the reviewer confused the period of performance start date of October 19, 2021 with the payroll period of October 1, 2021 through October 15, 2021, which was prior to the period of performance start date and resulted in the expenditures erroneously being charged to the grant. Procurement. We found that there was inconsistency with the Schools internal process and its published procurement policy regarding the approval process for POs. Specifically, the verbally approved internal process allowed the individual we noted as an exception to approve POs up to $2.5 million; however, this had not been updated in the published procurement policy. Why do these problems matter? By charging expenditures to federal awards outside of the period of performance, the School is not complying with the requirements of the federal awards. In addition, by not obtaining documented evidence of approval from the appropriate individuals, the School is not complying with its internal procurement procedures. This could result in procuring a service or product for an unreasonable amount and there is an increased risk of fictitious or fraudulent POs if the charge does not align with the Schools mission. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-061 The Colorado School of Mines should strengthen its internal controls over and ensure it complies with period of performance and procurement requirements for its Research and Development (R&D) grants by: A. Instituting an appropriate review of expenditures to ensure they are within the period of performance for the federal award, and ensuring that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Updating its published procurement policy to ensure it contains the current approval process and thresholds. Response Colorado School of Mines A. Agree Implementation Date: July 1, 2022 Colorado School of Mines will ensure appropriate reviews of expenditures occur to ensure they are within the period of performance for the federal award, and ensure that staff have an appropriate understanding of the related period of performance requirements or obtain clarification from the federal grantor, as appropriate. B. Agree Implementation Date: June 30, 2023 Mines did not update published Procurement Policies specific to approval limits by position to accurately reflect the delegated approval authority. Mines will update the published policies to accurately reflect delegated approval limits and review the procurement approval process.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-074 Coronavirus Relief Funds?Property Owner Preservation Program The President of the United States issued the Proclamation on Declaring a National Emergency Concerning the Novel Coronavirus Disease (COVID-19) Outbreak on March 13, 2020 and Congress subsequently passed the Coronavirus Aid, Relief, and Economic Security (CARES) Act. The CARES Act provided emergency assistance in response to the COVID-19 pandemic and established the Coronavirus Relief Fund (CRF) program, which provided payments to state, local, and tribal governments navigating the impact of COVID-19. The State of Colorado received approximately $1.67 billion of CRF funds in April 2020, and the Governor issued Executive Order 2020-070 (Executive Order) in May 2020 to disburse the CRF funds to numerous state departments and agencies. In June 2020, the State passed House Bill 20-1410, concerning assistance for individuals facing a housing-related hardship due to the COVID-19 pandemic, and transferred approximately $19.7 million of CRF funds to the Housing Development Grant Fund to provide such assistance. This bill includes a provision for the Property Owners Preservation Program (Program), which was managed by the Department, to allow landlords and property owners to seek rental assistance on behalf of their tenants who experienced a financial need on or after March 1, 2020, due to the effects of the COVID-19 pandemic. In Fiscal Year 2021, the Department expended the $19.7 million of the CRF funds it received in April 2020, for the Property Owners Preservation Program (POPP). What was the purpose of our audit work and what work was performed? The purpose of the audit work was to follow up on our prior year audit recommendation, which recommended that the Department implement internal controls to ensure it complies with federal regulations for any new federal funds it receives, such as the CRF. The Department planned to implement this recommendation by June 2022. During the Fiscal Year 2022 audit, we inquired with the Department on the implementation status of this recommendation. We also obtained and reviewed the Department?s Exhibit K3, Schedule of Prior Year Audit Recommendation Status, which it was required to submit to the State Controller. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Under House Bill 20-1410, the Housing Development Grant Fund was appropriated $19,650,000 of funds from the CRF for the purpose of providing individuals and households who, on or after March 1, 2020, experienced financial need due to the COVID-19 pandemic or effects of the COVID-19 pandemic, with rental assistance. The House Bill also provided guidance on how to access additional housing services. The Department developed and issued a new application for the POPP to address the criteria for experiencing direct or indirect impacts of the COVID-19 pandemic. ? Federal regulations [2 CFR 200.303] require that the Department, as a federal grant recipient, ?establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.? Furthermore, in accordance with 2 CFR part 200, subpart E, the Department must determine that amounts paid with federal grant funds were necessary and reasonable for the performance of the federal award and are adequately documented. Therefore, the Department must maintain appropriate supporting documentation to verify costs were properly charged to the federal grants. ? The Office of the State Controller (OSC) requires each department that had a prior audit recommendation that was reported in the prior fiscal year?s Office of the State Auditor Statewide audit to complete an Exhibit K3 to report the Department?s determination of the status of their recommendation as of June 30. Possible status descriptions include ?Implemented,? ?Partially Implemented,? ?Not Implemented,? and ?No Longer Valid.? The Department must provide an explanation for each recommendation status. What problem did the audit work identify? We determined that the Department did not implement the prior year?s recommendation by its planned implementation date of June 2022. Specifically, during prior year audit work, we found that the Department could not provide appropriate underlying support for 4 of the 60 transactions (7 percent) we tested that were charged as CRF expenditures for the Program; as a result, we recommended that the Department strengthen its internal controls over federal grant spending, including that it develop and implement policies and procedures with a requirement that Department staff review and maintain records supporting its expenditures charged to federal programs. When we inquired of the Department about what steps it had taken to implement the recommendation, Department staff indicated that they did not implement the recommendation during Fiscal Year 2022. Why did this problem occur? The Department reported on its Exhibit K3 that it determined that the original implementation date of June 2022 that the Department provided as its planned implementation date for our Fiscal Year 2021 recommendation was unrealistic, given the Department?s staffing challenges. Specifically, the Department indicated that it was not able to allocate sufficient time to develop and implement the recommended policy and procedure guidance by the end of Fiscal Year 2022. Why does this problem matter? The Department?s lack of sufficient internal controls over the maintenance of complete and accurate records for the federal CRF monies could result in inadequate documentation to support its payments and ultimately, disallowed federal costs and potential sanctions. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-074 The Department of Local Affairs (Department) should implement internal controls to ensure it complies with federal regulations, specifically for activities allowed or unallowed and allowable costs/cost principles, for any new federal funds it receives, such as the Coronavirus Relief Fund. This should include developing and implementing policies and procedures that include a requirement that Department staff review and maintain records supporting the expenditures charged to the federal program. Response Department of Local Affairs Agree Implementation Date: September 2022 The Division of Housing within the Department of Local Affairs has implemented internal controls to ensure compliance with federal regulations for new federal funds, including the development of a standard procedure and the requirement that Department staff review and maintain records supporting the expenditures charged to new federal programs.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-059 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF I) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund (Assistance Listing No. 84.425). The HEERF program contains two portions: the Student Aid portion (Assistance Listing No. 84.425E) and the Institutional portion, which is made up of the following: HEERF Institutional Aid Portion (Assistance Listing No. 84.425F), HEERF Minority Serving Institutions (Assistance Listing No. 84.425L), HEERF Strengthening Institutions Program (Assistance Listing No. 84.425M), Institutional Resilience and Expanded Postsecondary Opportunity (Assistance Listing No. 84.425P), and HEERF Supplemental Assistance to Institutions of Higher Education program (Assistance Listing No. 84.425S). Amounts provided to students through HEERF are considered to be ?Emergency Financial Aid Grants to Students? under the Program. Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent approximately $97.8 million for the HEERF program Student Aid portion which is used to award Emergency Financial Aid Grants to students and $113.9 million for the HEERF Institutional Portion, which is used to support the colleges. $117.3 of this amount was expended by the System during Fiscal Year 2022. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the ED to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The annual report is to be submitted directly to the ED. The ED has specified certain criteria that must be included in each report. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System had adequate internal controls in place over, and complied with, the HEERF Institutional and Student Aid grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the System?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 25 of the 117 HEERF reports submitted by the System?s campuses during Fiscal Year 2022 to determine whether the reports were posted on each campus? primary website (quarterly reports) or submitted to ED (annual reports) by the federal due dates. Furthermore, for the Student Aid Quarterly Report we requested from each Campus the underlying support for the reports, which consisted of student data detailing how much aid was awarded and the methods the campuses used to determine which students would receive Emergency Financial Aid Grants. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? On May 13, 2021, the ED published in the Federal Register a notice for student aid public reporting under CRRSAA and ARP, which requires that institutions publicly post certain information on their website. The following information must appear in a format and location that is easily accessible to the public: o An acknowledgement that the institution signed and returned to the ED the Certification and Agreement and the assurance that the institution has used the applicable amount of funds designated under the CRRSAA and ARP programs to provide Emergency Financial Aid Grants to Students. o The total amount of funds that the institution will receive or has received from the ED pursuant to the institution's Certification and Agreement for Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total amount of Emergency Financial Aid Grants distributed to students under the CRRSAA and ARP programs as of the date of submission (i.e., as of the initial report and every calendar quarter thereafter). o The estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total number of students who have received an Emergency Financial Aid Grant to students under the CRRSAA and ARP programs. o The method(s) used by the institution to determine which students receive Emergency Financial Aid Grants and how much they would receive under the CRRSAA and ARP programs. o Any instructions, directions, or guidance provided by the institution to students concerning the Emergency Financial Aid Grants. ? Federal Uniform Guidance [2 CFR 200.303] requires that recipients of federal awards have internal controls in place to ensure that federal reports are accurate and report complete information. Appropriate supporting documentation is evidence of such internal controls. What problems did the audit work identify? We identified issues with 5 of the 25 Fiscal Year 2022 reports we tested (20 percent). Specifically, Front Range Community College (FRCC), Pueblo Community College (PCC), and Lamar Community College (LCC) could not provide appropriate supporting documentation for one or more of the following data elements in five of the Student Aid Quarterly Reports: student data detailing (a) the total amount of Emergency Financial Aid Grants distributed to students, (b) the total number of students eligible to receive Emergency Financial Aid Grants and/or (c) the total number of students at the institution who have received an Emergency Financial Aid Grant. The specific issues we found the following: ? FRCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended September 30, 2021 as 20,684; based on our review, we determined the supported number was 20,782. ? FRCC reported the total number of students at the institution who have received an Emergency Financial Aid Grant for the quarter ended June 30, 2022 as 20,385 (student portion) and 3,207 (institutional portion); based on our review, we determined the supported numbers were 20,401 and 3,222, respectively. ? LCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended June 30, 2022 as 1,007; based on our review, we determined the supported number was 1,034. In addition, the amount disbursed directly to student emergency financial aid grants to date was reported as 961 and total for all HEERF funds was 1,124; based on our review, we determined the supported numbers were 988 and 1,151, respectively. ? PCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarters ending September 30, 2021 and December 31, 2021 as 3,191; based on our review, we determined this amount could not be supported and PCC did not provide a revised count. Why did these problems occur? FRCC, PCC, and LCC campuses did not have procedures in place to ensure that supporting documentation was maintained for its Student Aid Quarterly Reporting. Employee turnover in the FRCC Controller position and FRCC, PCC, and LCC Student Financial Aid Director positions further contributed to FRCC, PCC, and LCC?s inability to locate or recreate the supporting documentation. Why do these problems matter? It is important for FRCC, PCC, and LCC to ensure that they obtain and maintain appropriate documentation to support amounts reported to federal awarding agencies, especially when they are the basis for determining FRCC, PCC, and LCC?s compliance with specific federal program requirements. This issue could lead to inaccurate federal reporting and potential noncompliance, which could result in the federal government requiring FRCC, PCC, and LCC to return funds or a negative impact to the System?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-059 Front Range Community College, Lamar Community College, and Pueblo Community College campuses should strengthen their internal controls over federal reporting and ensure they comply with the Higher Education Emergency Relief Fund reporting requirements by reviewing reports for accuracy and developing procedures for ensuring the required maintenance of all related supporting documentation. Response Front Range Community College Agree Implementation Date: September 2022 Moving forward the Director of Financial Aid will engage the Restricted Funds Accountants in a quality assurance review of both dollars spent, type of fund, and student counts before it is submitted for final review and publishing by the Director of Resource Development and Senior Grant Administrator. The most recently submitted information for the quarterly report of September 30, 2022 will be sent to the Restricted Funds Accountants to validate that FRCC has been and will continue to be in compliance for quarterly HEERF reporting. Response Lamar Community College Agree Implementation Date: July 2022 The Financial Aid Director and the Controller will compile their reporting support on the shared drive they utilize for other routine purposes as well, to ensure clear documentation of the numbers reported. The original report containing errors was corrected, validated, and reposted. All past year?s reporting data was made available on the shared drive as of July 2022. Response Pueblo Community College Agree Implementation Date: October 2022 Each quarter Financial aid will obtain and compare Cognos and Banner disbursement reports for accuracy. Once the unduplicated student count is determined it will be sent to the Vice President of Student Success to validate and approve going forward. Financial aid will ensure staff maintain supporting documentation for any institutional expenditures information that was obtained from the fiscal office. Disbursement and expenditure data will be compiled for the Department of Education?s Quarterly Report by the submission deadline and will be submitted as PDF to webmaster for posting on PCC?s website and a copy emailed to a contact at the Department of Education and will archive the submission for future reference.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Finding 2022-062 Higher Education Emergency Relief Fund Student Aid Finding The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to higher education institutions, including the University, under the HEERF program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA) was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. Since March 11, 2021, the University has been awarded $45.6 million in HEERF grant funds through the American Rescue Plan (ARP), otherwise known as HEERF III. Of this award, the University was provided both 1) Student Aid monies, along with 2) Institutional Aid monies. Student Aid monies must be used to provide financial aid grants to students (including students exclusively enrolled in distance education), which may be used for ?any component of the student?s cost of attendance or for emergency costs that arise due to coronavirus, such as tuition, food, housing, healthcare (including mental health care), or childcare. Institutional Aid monies may be used to defray expenses associated with coronavirus (including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll) and to make additional financial grants to students. During Fiscal Year 2022, the University spent $21.0 million for the Student Aid portion and $20.2 million for the Institutional portion of HEERF III funds. For the Student Aid portion of the HEERF III funding, the University divided the funding into different groups. The University developed a written plan (that applied during Fiscal Year 2022) for each group and a control process for awarding the monies to students. One of the groups of funding was to be awarded to students with unpaid balances in their tuition or auxiliary accounts with past due balances incurred during the 2020-2021 or 2021-2022 academic years. A team of University employees (CARES Team) was tasked with identifying those students, then contacting those students and asking if they would like the University to apply the student?s HEERF award to pay down the student?s account balance or pay it to the student directly. Once the student informed the University of their election, then the University awarded and disbursed the funds. What was the purpose of our audit work and what was performed? The purpose of the audit work was to determine whether the University was in compliance with the HEERF program regulations for awarding and paying the Student Aid portion of the HEERF funding, and whether proper controls were in place over the program during Fiscal Year 2022. Our testing included conducting interviews with management and selecting a sample of 60 disbursements made to students during Fiscal Year 2022 to test controls and compliance. We performed testing on the 60 disbursements to determine whether awards and disbursements were made in accordance with the University?s documented plan. How were the results of the audit work measured? In accordance with HEERF III requirements, the University must prioritize student aid distributions to students with exceptional needs. In addition, the University must have a documented plan to distribute funds to students. Federal regulations [2 CFR 200.303] require any non-federal grant award recipient to establish and maintain effective internal control over the federal award that provides reasonable assurance that the grant award recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. Lastly, student aid application best practices discourage employees from awarding aid to family members. What problem did the audit work identify? Based on interviews with University management, the University identified that a University employee inappropriately provided $700 in HEERF Student Aid funding to the employee?s family member who was a student at the University but was not eligible to receive the funds. Specifically, the CARES Team selected students to receive these funds that met the following criteria: 1) Student was enrolled in the Fall of 2021 or Spring 2022, 2) student had past due balances incurred during the 2020-2021 or 2021-2022 academic years, 3) the student was in good academic standing, and 4) they were participating in a payment plan or in the College Completion Advising program. The student was not selected by the CARES Team as eligible to receive these funds. During our testing of additional 60 student disbursement transactions we found no other exceptions. Why did this problem occur? The University has not established proper segregation of duties to prevent University employees from awarding federal funding to a member of their family. Specifically, the employee had access rights within the University?s financial aid system that granted the employee the ability to both award and disburse federal funds without another employee reviewing or approving. In addition, the University did not have a written policy, as recommended by industry best practices, that prohibits employees from applying aid to family members? accounts. Why does this problem matter? Federal funds that are misapplied or used for unallowable purposes could be subject to repayment from the University to the federal granting agency. Without ensuring adequate segregation of duties within the University?s financial aid system for awarding and disbursing federal funds, the University increases the risk that fraud could occur. In the instance identified, the University recovered the funding from the student. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-062 Metropolitan State University of Denver (University) should improve its internal controls over federal Higher Education Emergency Relief Funds by instituting appropriate segregation of duties over the awarding of federal funds to students. This should include requiring that no one employee can both award then disburse aid to students and developing and implementing a formal written policy that prohibits University employees from awarding financial aid to their family members. Response Metropolitan State University Agree Implementation Date: June 2023 In January 2023, the Executive Director of Financial Aid and Scholarships implemented a code of conduct that addresses and prohibits University personnel from awarding financial aid to their family members or other persons considered conflicts of interest. The Office of Financial Aid and Scholarships will draft policy by June 30, 2023, to address the segregation of duties that prohibits awarding and disbursing federal, state, or institutional funding to students by one employee.
Finding 2022-064 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide emergency financial assistance to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the University under the Higher Education Emergency Relief Fund (HEERF I) Program. The federal Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the federal American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Each of the University?s campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (DOE) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements of the HEERF program there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The DOE specified that the Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The University?s campuses are required to submit the annual report directly to the DOE. During Fiscal Year 2022, each University campus was required to complete and post 8 reports (four Student Aid and four Institutional) to their website. During Fiscal Year 2022, the University?s three campuses in total expended approximately $60 million in HEERF grant funds: $27 million was expended by the Boulder campus, $10.5 million was expended by the Colorado Springs campus, and $22.5 million was expended by the Denver campus. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over and complied with the HEERF grant reporting requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls over the HEERF grant reporting requirements. In addition, we tested 11 of the 12 student reports and 3 of the 12 institutional reports posted by the University during Fiscal Year 2022 to determine whether the University campuses posted the required information on each campus? website accurately, and by the federal due dates. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? The DOE issued a notice on May 13, 2021, requiring institutions to publicly post their required HEERF reports on the institution?s website as soon as possible, but no later than 30 days after the publication of the notice, or 30 days after the date the DOE first obligated funds under HEERF I, II, or III to the institution for emergency financial assistance to students; whichever comes later. The institution is required to post the report no later than 10 days after the end of each calendar quarter, after the initial posting. ? Federal regulation [2 CFR 200.303] states that the System?s campuses, as federal grant recipients, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? What problem did the audit work identify? We identified 2 out of the 14 reports tested (14.3 percent) that did not meet the HEERF grant report posting requirements. Specifically, the University of Colorado, Colorado Springs Campus, did not post the required information for the HEERF Student Aid Portion on its website for two of four quarters of Fiscal Year 2022 timely. First, the University posted the quarter-ending September 30, 2021 report to its website on December 23, 2021, or 74 days after the deadline of October 10. Second, the University did not post the quarter-ending March 31, 2022 report, which was due April 10, 2022, until October 2022, after we notified them of the error; this was approximately 6 months late. We did not identify any issues with the accuracy of the reports, and we found that the other two campuses in the University of Colorado System posted the required information on their respective websites as required by federal regulations. Why did this problem occur? The University?s Colorado Springs campus did not have adequate internal controls in place to ensure it complied with the HEERF grant reporting requirements. Specifically, the Colorado Springs Campus did not have appropriate policies and procedures in place for identifying and researching changes in HEERF reporting requirements. The federal government updated and provided a new form for HEERF reporting in September 2021 that included a section for institutional information but inadvertently excluded student information from the form. Because the form no longer required the student information, the Colorado Springs campus staff inaccurately assumed that the student information was no longer required to be reported. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in the DOE Certification and Agreement that is signed and agreed to by the University. By failing to report required information in accordance with federal regulations, the University failed to comply with the requirements of the HEERF program and potentially risks repercussions from the DOE as specified in the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-064 The University of Colorado?s Colorado Springs campus should strengthen its internal controls over and ensure that it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by establishing policies and procedures for identifying and researching changes in HEERF reporting requirements and posting reports to the campus website as required by federal regulations. Response University of Colorado Agree Implementation Date: Implemented Management agrees. After the notification of the missing HEERF report in December 2021, the UCCS Controller proposed a ?cross-check? process to ensure all future reporting is in compliance and reported in a timely manner. This process is used for both the quarterly and annual reporting process. In the quarterly reporting process, the UCCS Controller completes the institutional report and emails the report to the UCCS Financial Aid office Senior Executive Director for verification of the amounts and the data submitted. The Senior Executive Director then enters the student aid portion?s information and provides this to the UCCS Controller for verification of the data. Once verified, the report is uploaded to the UCCS website and a confirmation email is sent to the UCCS Controller as well as the heerfreporting@ed.gov for verification of completion of the website posting. This process has been duplicated with the annual reporting process. Before the annual report is submitted a review will be done to verify the report figures match the CU financials for the calendar year.
Finding 2022-063 Higher Education Emergency Relief Fund Reporting Compliance Finding The CARES Act was signed into law on March 27, 2020, and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the (HEERF Program. CRRSAA was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Since April 2020, the University has been awarded a total of $86.3 million in HEERF funding. From inception through June 30, 2022, the University spent $35.4 million for the HEERF program Student Aid Portion and $48.9 million for the HEERF program Institutional Portion. The University reports that it will spend the remaining amount of funding during Fiscal Year 2023. The University signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate the University?s acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The ED specified that Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The annual report is to be submitted directly to the federal ED. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University had adequate internal controls in place over and complied with HEERF Institutional and Student Aid Portion grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the University?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 5 of the 8 HEERF reports submitted by the University during Fiscal Year 2022 to determine whether the reports were posted on the University?s primary website or submitted directly to the ED by the federal due dates and complied with federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? For the Student Aid Portion, beginning on May 6, 2020, the ED required institutions to publicly post certain information on their website, including the number of awards distributed to students, the total amount awarded, and the methodologies used by the institution to determine which students receive awards, no later than 30 days after the award date, and to update that information every 45 days thereafter (by posting a new report). ? On August 31, 2020, the ED revised the reporting requirement by decreasing the frequency of reporting after the initial 30-day period from every 45 days thereafter to every calendar quarter. This revision from every 45 days to a calendar quarter was effective for the first calendar quarter report due by October 10, 2020, and covering the period from after the institution?s last report through the end of the calendar quarter on September 30, 2020. ? For the Institutional Portion, a federal form filled out by the institution must be posted on the institution?s website covering aggregate expenditure amounts for each calendar quarter (September 30, December 31, March 31, and June 30) and concluding after an institution has spent the institutional portion of their HEERF Funds. The institution must post their first report by October 30, 2020, the first quarter of 2021 report by July 20, 2021, and post all other reports no later than 10 days after the end of each calendar quarter (October 10, January 10, April 10, and July 10). ? Section 18004(e) of the CARES Act and Section 314(e) of the CRRSAA require an institution receiving funds under HEERF to submit a report to the Secretary of the ED at ?such time in such a manner as the Secretary may require?. ? Federal regulation [2 CFR 200.334] states that ?financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.? The instructions for the Quarterly HEERF Reporting Form notes, ?any changes or updates after the initial posting must be conspicuously noted after initial posting and the date of the change must be noted in the `Date of Report? line.? ? Federal regulation [2 CFR 200.303] states that the University, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The University signed a HEERF Certification and Agreement to accept the funding and acknowledge its responsibilities under the grant; therefore, the University was responsible under the Agreement to ensure that it complied with HEERF reporting and other requirements. What problems did the audit work identify? We determined that 2 out of 5 reports tested (40 percent) did not meet the HEERF grant report posting requirements. Specifically: ? The University did not post the HEERF CRRSAA Student quarterly report for the quarter ending September 30, 2021 on the University?s primary website, as required. ? The University published the HEERF ARP Student quarterly report for the quarter ending March 31, 2022 on May 26, 2022?46 days past the due date of April 10, 2022. No issues were noted on the accuracy of the financial information on this report. Why did these problems occur? The University did not implement adequate internal controls to ensure it complied with the HEERF grant reporting requirements. Specifically, the University did not have appropriate policies and procedures in place to ensure that staff submit the required reports within federally required timeframes. Why do these problems matter? Federal oversight agencies, including ED, depend on accurate reports to measure program results and states? compliance with federal requirements. By failing to report the HEERF spending information in accordance with federal regulations, the University failed to comply with the requirements of the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-063 Metropolitan State University of Denver (University) should strengthen its internal controls over reporting and ensure it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by developing and documenting policies and procedures for identifying and researching the specific reporting requirements and ensuring that staff post to the University?s website the required reports within federally required timeframes. In addition, the University should ensure that all the HEERF reports that are currently required to be posted are on the website. Response Metropolitan State University Agree Implementation Date: December 2022 In December 2022, the Office of Financial Aid strengthened its internal control over the reporting requirements for the Higher Education Emergency Relief Fund (HEERF), by adding the report due dates to the internal operational calendar. Additional level reviews were also added to the submission process before the required reports will be sent to the Department of Education and posted on the financial aid website.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-064 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide emergency financial assistance to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the University under the Higher Education Emergency Relief Fund (HEERF I) Program. The federal Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the federal American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Each of the University?s campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (DOE) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements of the HEERF program there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The DOE specified that the Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The University?s campuses are required to submit the annual report directly to the DOE. During Fiscal Year 2022, each University campus was required to complete and post 8 reports (four Student Aid and four Institutional) to their website. During Fiscal Year 2022, the University?s three campuses in total expended approximately $60 million in HEERF grant funds: $27 million was expended by the Boulder campus, $10.5 million was expended by the Colorado Springs campus, and $22.5 million was expended by the Denver campus. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over and complied with the HEERF grant reporting requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls over the HEERF grant reporting requirements. In addition, we tested 11 of the 12 student reports and 3 of the 12 institutional reports posted by the University during Fiscal Year 2022 to determine whether the University campuses posted the required information on each campus? website accurately, and by the federal due dates. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? The DOE issued a notice on May 13, 2021, requiring institutions to publicly post their required HEERF reports on the institution?s website as soon as possible, but no later than 30 days after the publication of the notice, or 30 days after the date the DOE first obligated funds under HEERF I, II, or III to the institution for emergency financial assistance to students; whichever comes later. The institution is required to post the report no later than 10 days after the end of each calendar quarter, after the initial posting. ? Federal regulation [2 CFR 200.303] states that the System?s campuses, as federal grant recipients, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? What problem did the audit work identify? We identified 2 out of the 14 reports tested (14.3 percent) that did not meet the HEERF grant report posting requirements. Specifically, the University of Colorado, Colorado Springs Campus, did not post the required information for the HEERF Student Aid Portion on its website for two of four quarters of Fiscal Year 2022 timely. First, the University posted the quarter-ending September 30, 2021 report to its website on December 23, 2021, or 74 days after the deadline of October 10. Second, the University did not post the quarter-ending March 31, 2022 report, which was due April 10, 2022, until October 2022, after we notified them of the error; this was approximately 6 months late. We did not identify any issues with the accuracy of the reports, and we found that the other two campuses in the University of Colorado System posted the required information on their respective websites as required by federal regulations. Why did this problem occur? The University?s Colorado Springs campus did not have adequate internal controls in place to ensure it complied with the HEERF grant reporting requirements. Specifically, the Colorado Springs Campus did not have appropriate policies and procedures in place for identifying and researching changes in HEERF reporting requirements. The federal government updated and provided a new form for HEERF reporting in September 2021 that included a section for institutional information but inadvertently excluded student information from the form. Because the form no longer required the student information, the Colorado Springs campus staff inaccurately assumed that the student information was no longer required to be reported. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in the DOE Certification and Agreement that is signed and agreed to by the University. By failing to report required information in accordance with federal regulations, the University failed to comply with the requirements of the HEERF program and potentially risks repercussions from the DOE as specified in the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-064 The University of Colorado?s Colorado Springs campus should strengthen its internal controls over and ensure that it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by establishing policies and procedures for identifying and researching changes in HEERF reporting requirements and posting reports to the campus website as required by federal regulations. Response University of Colorado Agree Implementation Date: Implemented Management agrees. After the notification of the missing HEERF report in December 2021, the UCCS Controller proposed a ?cross-check? process to ensure all future reporting is in compliance and reported in a timely manner. This process is used for both the quarterly and annual reporting process. In the quarterly reporting process, the UCCS Controller completes the institutional report and emails the report to the UCCS Financial Aid office Senior Executive Director for verification of the amounts and the data submitted. The Senior Executive Director then enters the student aid portion?s information and provides this to the UCCS Controller for verification of the data. Once verified, the report is uploaded to the UCCS website and a confirmation email is sent to the UCCS Controller as well as the heerfreporting@ed.gov for verification of completion of the website posting. This process has been duplicated with the annual reporting process. Before the annual report is submitted a review will be done to verify the report figures match the CU financials for the calendar year.
Finding 2022-062 Higher Education Emergency Relief Fund Student Aid Finding The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to higher education institutions, including the University, under the HEERF program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA) was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. Since March 11, 2021, the University has been awarded $45.6 million in HEERF grant funds through the American Rescue Plan (ARP), otherwise known as HEERF III. Of this award, the University was provided both 1) Student Aid monies, along with 2) Institutional Aid monies. Student Aid monies must be used to provide financial aid grants to students (including students exclusively enrolled in distance education), which may be used for ?any component of the student?s cost of attendance or for emergency costs that arise due to coronavirus, such as tuition, food, housing, healthcare (including mental health care), or childcare. Institutional Aid monies may be used to defray expenses associated with coronavirus (including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll) and to make additional financial grants to students. During Fiscal Year 2022, the University spent $21.0 million for the Student Aid portion and $20.2 million for the Institutional portion of HEERF III funds. For the Student Aid portion of the HEERF III funding, the University divided the funding into different groups. The University developed a written plan (that applied during Fiscal Year 2022) for each group and a control process for awarding the monies to students. One of the groups of funding was to be awarded to students with unpaid balances in their tuition or auxiliary accounts with past due balances incurred during the 2020-2021 or 2021-2022 academic years. A team of University employees (CARES Team) was tasked with identifying those students, then contacting those students and asking if they would like the University to apply the student?s HEERF award to pay down the student?s account balance or pay it to the student directly. Once the student informed the University of their election, then the University awarded and disbursed the funds. What was the purpose of our audit work and what was performed? The purpose of the audit work was to determine whether the University was in compliance with the HEERF program regulations for awarding and paying the Student Aid portion of the HEERF funding, and whether proper controls were in place over the program during Fiscal Year 2022. Our testing included conducting interviews with management and selecting a sample of 60 disbursements made to students during Fiscal Year 2022 to test controls and compliance. We performed testing on the 60 disbursements to determine whether awards and disbursements were made in accordance with the University?s documented plan. How were the results of the audit work measured? In accordance with HEERF III requirements, the University must prioritize student aid distributions to students with exceptional needs. In addition, the University must have a documented plan to distribute funds to students. Federal regulations [2 CFR 200.303] require any non-federal grant award recipient to establish and maintain effective internal control over the federal award that provides reasonable assurance that the grant award recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. Lastly, student aid application best practices discourage employees from awarding aid to family members. What problem did the audit work identify? Based on interviews with University management, the University identified that a University employee inappropriately provided $700 in HEERF Student Aid funding to the employee?s family member who was a student at the University but was not eligible to receive the funds. Specifically, the CARES Team selected students to receive these funds that met the following criteria: 1) Student was enrolled in the Fall of 2021 or Spring 2022, 2) student had past due balances incurred during the 2020-2021 or 2021-2022 academic years, 3) the student was in good academic standing, and 4) they were participating in a payment plan or in the College Completion Advising program. The student was not selected by the CARES Team as eligible to receive these funds. During our testing of additional 60 student disbursement transactions we found no other exceptions. Why did this problem occur? The University has not established proper segregation of duties to prevent University employees from awarding federal funding to a member of their family. Specifically, the employee had access rights within the University?s financial aid system that granted the employee the ability to both award and disburse federal funds without another employee reviewing or approving. In addition, the University did not have a written policy, as recommended by industry best practices, that prohibits employees from applying aid to family members? accounts. Why does this problem matter? Federal funds that are misapplied or used for unallowable purposes could be subject to repayment from the University to the federal granting agency. Without ensuring adequate segregation of duties within the University?s financial aid system for awarding and disbursing federal funds, the University increases the risk that fraud could occur. In the instance identified, the University recovered the funding from the student. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-062 Metropolitan State University of Denver (University) should improve its internal controls over federal Higher Education Emergency Relief Funds by instituting appropriate segregation of duties over the awarding of federal funds to students. This should include requiring that no one employee can both award then disburse aid to students and developing and implementing a formal written policy that prohibits University employees from awarding financial aid to their family members. Response Metropolitan State University Agree Implementation Date: June 2023 In January 2023, the Executive Director of Financial Aid and Scholarships implemented a code of conduct that addresses and prohibits University personnel from awarding financial aid to their family members or other persons considered conflicts of interest. The Office of Financial Aid and Scholarships will draft policy by June 30, 2023, to address the segregation of duties that prohibits awarding and disbursing federal, state, or institutional funding to students by one employee.
Finding 2022-063 Higher Education Emergency Relief Fund Reporting Compliance Finding The CARES Act was signed into law on March 27, 2020, and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the (HEERF Program. CRRSAA was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Since April 2020, the University has been awarded a total of $86.3 million in HEERF funding. From inception through June 30, 2022, the University spent $35.4 million for the HEERF program Student Aid Portion and $48.9 million for the HEERF program Institutional Portion. The University reports that it will spend the remaining amount of funding during Fiscal Year 2023. The University signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate the University?s acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The ED specified that Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The annual report is to be submitted directly to the federal ED. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University had adequate internal controls in place over and complied with HEERF Institutional and Student Aid Portion grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the University?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 5 of the 8 HEERF reports submitted by the University during Fiscal Year 2022 to determine whether the reports were posted on the University?s primary website or submitted directly to the ED by the federal due dates and complied with federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? For the Student Aid Portion, beginning on May 6, 2020, the ED required institutions to publicly post certain information on their website, including the number of awards distributed to students, the total amount awarded, and the methodologies used by the institution to determine which students receive awards, no later than 30 days after the award date, and to update that information every 45 days thereafter (by posting a new report). ? On August 31, 2020, the ED revised the reporting requirement by decreasing the frequency of reporting after the initial 30-day period from every 45 days thereafter to every calendar quarter. This revision from every 45 days to a calendar quarter was effective for the first calendar quarter report due by October 10, 2020, and covering the period from after the institution?s last report through the end of the calendar quarter on September 30, 2020. ? For the Institutional Portion, a federal form filled out by the institution must be posted on the institution?s website covering aggregate expenditure amounts for each calendar quarter (September 30, December 31, March 31, and June 30) and concluding after an institution has spent the institutional portion of their HEERF Funds. The institution must post their first report by October 30, 2020, the first quarter of 2021 report by July 20, 2021, and post all other reports no later than 10 days after the end of each calendar quarter (October 10, January 10, April 10, and July 10). ? Section 18004(e) of the CARES Act and Section 314(e) of the CRRSAA require an institution receiving funds under HEERF to submit a report to the Secretary of the ED at ?such time in such a manner as the Secretary may require?. ? Federal regulation [2 CFR 200.334] states that ?financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.? The instructions for the Quarterly HEERF Reporting Form notes, ?any changes or updates after the initial posting must be conspicuously noted after initial posting and the date of the change must be noted in the `Date of Report? line.? ? Federal regulation [2 CFR 200.303] states that the University, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The University signed a HEERF Certification and Agreement to accept the funding and acknowledge its responsibilities under the grant; therefore, the University was responsible under the Agreement to ensure that it complied with HEERF reporting and other requirements. What problems did the audit work identify? We determined that 2 out of 5 reports tested (40 percent) did not meet the HEERF grant report posting requirements. Specifically: ? The University did not post the HEERF CRRSAA Student quarterly report for the quarter ending September 30, 2021 on the University?s primary website, as required. ? The University published the HEERF ARP Student quarterly report for the quarter ending March 31, 2022 on May 26, 2022?46 days past the due date of April 10, 2022. No issues were noted on the accuracy of the financial information on this report. Why did these problems occur? The University did not implement adequate internal controls to ensure it complied with the HEERF grant reporting requirements. Specifically, the University did not have appropriate policies and procedures in place to ensure that staff submit the required reports within federally required timeframes. Why do these problems matter? Federal oversight agencies, including ED, depend on accurate reports to measure program results and states? compliance with federal requirements. By failing to report the HEERF spending information in accordance with federal regulations, the University failed to comply with the requirements of the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-063 Metropolitan State University of Denver (University) should strengthen its internal controls over reporting and ensure it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by developing and documenting policies and procedures for identifying and researching the specific reporting requirements and ensuring that staff post to the University?s website the required reports within federally required timeframes. In addition, the University should ensure that all the HEERF reports that are currently required to be posted are on the website. Response Metropolitan State University Agree Implementation Date: December 2022 In December 2022, the Office of Financial Aid strengthened its internal control over the reporting requirements for the Higher Education Emergency Relief Fund (HEERF), by adding the report due dates to the internal operational calendar. Additional level reviews were also added to the submission process before the required reports will be sent to the Department of Education and posted on the financial aid website.
Finding 2022-059 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF I) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund (Assistance Listing No. 84.425). The HEERF program contains two portions: the Student Aid portion (Assistance Listing No. 84.425E) and the Institutional portion, which is made up of the following: HEERF Institutional Aid Portion (Assistance Listing No. 84.425F), HEERF Minority Serving Institutions (Assistance Listing No. 84.425L), HEERF Strengthening Institutions Program (Assistance Listing No. 84.425M), Institutional Resilience and Expanded Postsecondary Opportunity (Assistance Listing No. 84.425P), and HEERF Supplemental Assistance to Institutions of Higher Education program (Assistance Listing No. 84.425S). Amounts provided to students through HEERF are considered to be ?Emergency Financial Aid Grants to Students? under the Program. Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent approximately $97.8 million for the HEERF program Student Aid portion which is used to award Emergency Financial Aid Grants to students and $113.9 million for the HEERF Institutional Portion, which is used to support the colleges. $117.3 of this amount was expended by the System during Fiscal Year 2022. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the ED to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The annual report is to be submitted directly to the ED. The ED has specified certain criteria that must be included in each report. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System had adequate internal controls in place over, and complied with, the HEERF Institutional and Student Aid grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the System?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 25 of the 117 HEERF reports submitted by the System?s campuses during Fiscal Year 2022 to determine whether the reports were posted on each campus? primary website (quarterly reports) or submitted to ED (annual reports) by the federal due dates. Furthermore, for the Student Aid Quarterly Report we requested from each Campus the underlying support for the reports, which consisted of student data detailing how much aid was awarded and the methods the campuses used to determine which students would receive Emergency Financial Aid Grants. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? On May 13, 2021, the ED published in the Federal Register a notice for student aid public reporting under CRRSAA and ARP, which requires that institutions publicly post certain information on their website. The following information must appear in a format and location that is easily accessible to the public: o An acknowledgement that the institution signed and returned to the ED the Certification and Agreement and the assurance that the institution has used the applicable amount of funds designated under the CRRSAA and ARP programs to provide Emergency Financial Aid Grants to Students. o The total amount of funds that the institution will receive or has received from the ED pursuant to the institution's Certification and Agreement for Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total amount of Emergency Financial Aid Grants distributed to students under the CRRSAA and ARP programs as of the date of submission (i.e., as of the initial report and every calendar quarter thereafter). o The estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total number of students who have received an Emergency Financial Aid Grant to students under the CRRSAA and ARP programs. o The method(s) used by the institution to determine which students receive Emergency Financial Aid Grants and how much they would receive under the CRRSAA and ARP programs. o Any instructions, directions, or guidance provided by the institution to students concerning the Emergency Financial Aid Grants. ? Federal Uniform Guidance [2 CFR 200.303] requires that recipients of federal awards have internal controls in place to ensure that federal reports are accurate and report complete information. Appropriate supporting documentation is evidence of such internal controls. What problems did the audit work identify? We identified issues with 5 of the 25 Fiscal Year 2022 reports we tested (20 percent). Specifically, Front Range Community College (FRCC), Pueblo Community College (PCC), and Lamar Community College (LCC) could not provide appropriate supporting documentation for one or more of the following data elements in five of the Student Aid Quarterly Reports: student data detailing (a) the total amount of Emergency Financial Aid Grants distributed to students, (b) the total number of students eligible to receive Emergency Financial Aid Grants and/or (c) the total number of students at the institution who have received an Emergency Financial Aid Grant. The specific issues we found the following: ? FRCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended September 30, 2021 as 20,684; based on our review, we determined the supported number was 20,782. ? FRCC reported the total number of students at the institution who have received an Emergency Financial Aid Grant for the quarter ended June 30, 2022 as 20,385 (student portion) and 3,207 (institutional portion); based on our review, we determined the supported numbers were 20,401 and 3,222, respectively. ? LCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended June 30, 2022 as 1,007; based on our review, we determined the supported number was 1,034. In addition, the amount disbursed directly to student emergency financial aid grants to date was reported as 961 and total for all HEERF funds was 1,124; based on our review, we determined the supported numbers were 988 and 1,151, respectively. ? PCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarters ending September 30, 2021 and December 31, 2021 as 3,191; based on our review, we determined this amount could not be supported and PCC did not provide a revised count. Why did these problems occur? FRCC, PCC, and LCC campuses did not have procedures in place to ensure that supporting documentation was maintained for its Student Aid Quarterly Reporting. Employee turnover in the FRCC Controller position and FRCC, PCC, and LCC Student Financial Aid Director positions further contributed to FRCC, PCC, and LCC?s inability to locate or recreate the supporting documentation. Why do these problems matter? It is important for FRCC, PCC, and LCC to ensure that they obtain and maintain appropriate documentation to support amounts reported to federal awarding agencies, especially when they are the basis for determining FRCC, PCC, and LCC?s compliance with specific federal program requirements. This issue could lead to inaccurate federal reporting and potential noncompliance, which could result in the federal government requiring FRCC, PCC, and LCC to return funds or a negative impact to the System?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-059 Front Range Community College, Lamar Community College, and Pueblo Community College campuses should strengthen their internal controls over federal reporting and ensure they comply with the Higher Education Emergency Relief Fund reporting requirements by reviewing reports for accuracy and developing procedures for ensuring the required maintenance of all related supporting documentation. Response Front Range Community College Agree Implementation Date: September 2022 Moving forward the Director of Financial Aid will engage the Restricted Funds Accountants in a quality assurance review of both dollars spent, type of fund, and student counts before it is submitted for final review and publishing by the Director of Resource Development and Senior Grant Administrator. The most recently submitted information for the quarterly report of September 30, 2022 will be sent to the Restricted Funds Accountants to validate that FRCC has been and will continue to be in compliance for quarterly HEERF reporting. Response Lamar Community College Agree Implementation Date: July 2022 The Financial Aid Director and the Controller will compile their reporting support on the shared drive they utilize for other routine purposes as well, to ensure clear documentation of the numbers reported. The original report containing errors was corrected, validated, and reposted. All past year?s reporting data was made available on the shared drive as of July 2022. Response Pueblo Community College Agree Implementation Date: October 2022 Each quarter Financial aid will obtain and compare Cognos and Banner disbursement reports for accuracy. Once the unduplicated student count is determined it will be sent to the Vice President of Student Success to validate and approve going forward. Financial aid will ensure staff maintain supporting documentation for any institutional expenditures information that was obtained from the fiscal office. Disbursement and expenditure data will be compiled for the Department of Education?s Quarterly Report by the submission deadline and will be submitted as PDF to webmaster for posting on PCC?s website and a copy emailed to a contact at the Department of Education and will archive the submission for future reference.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses were communicated to the Department in the previous year and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-060 Misreporting of Federal Expenditures for the COVID-19 ?Pandemic EBT Food Benefits and Child Care and Development Block Grant on the Exhibit K1 Each year, the Department is required to prepare an exhibit containing the Department?s federal expenditures and related reimbursements to aid the Colorado Office of the State Controller (OSC) in the preparation of the State?s Schedule of Expenditures of Federal Awards (SEFA); this exhibit is referred to as the Exhibit K1, Schedule of Federal Assistance. The Exhibit K1 should include expenditures for grants received directly from the federal government and expended by the Department (direct expenditures), as well as expenditures for federal grants passed through by the Department to other State and/or non-State agencies (subrecipient expenditures). The SEFA is to be presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance) to show the State?s expenditures of federal awards during the fiscal year. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Annually, the Department prepares its Exhibit K1 by following a process documented in its program accounting manual. First, program accountants review and analyze information from CORE for the federal Assistance Listing Number (ALN)?s related to the programs they support. The program accountants complete this review using a CORE report that the Department created, pulling transaction detail level data by ALN. Once the reviews and analysis are complete, the program accountants enter the information on the Department?s Exhibit K1 template for the correlating ALN. After the exhibit is prepared, the Department?s program accounting manual requires that it goes through two levels of review for accuracy. Once these reviews are completed, the Department submits the final Exhibit K1 to the OSC. The Department is also separately required within its approved State Plan for the COVID-19 ? Pandemic EBT Food Benefits program [ALN 10.542] (P-EBT) to report its P-EBT federal expenditures to the U.S. Department of Agriculture (USDA) via the Report of Disaster Food Stamp Benefit Issuance (FNS-292-B). The Department is also required to support the financial expenditures reported on the FNS-292-B report with source data and files, which includes a P-EBT Summary report that is exported from the Colorado Benefits Management System (CBMS) and includes the number of eligible children, number of eligible households, and total amount paid in P-EBT benefits. The P-EBT summary report is then reconciled by the Department to the County Financial Management System (CFMS), where the counties? issuance of P-EBT program benefits is accumulated and reported. For Fiscal Year 2021, the Department administered more than 70 federal programs and expended approximately $2.4 billion in federal funds. The P-EBT program and Child Care and Development Block Grant (Grant) [ALN 93.575] were two of these federal programs administered by the Department during Fiscal Year 2021. The Department reported more than $292 million in federal expenditures for the P-EBT program and approximately $74 million in federal expenditures for the Grant in Fiscal Year 2021. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to evaluate the Department?s internal controls over the preparation of its Exhibit K1 during Fiscal Year 2021 and to determine whether the Department correctly reported its Fiscal Year 2021 federal grant expenditures to the OSC on its Exhibit K1. The purpose of our audit work was also to evaluate the Department?s internal controls over the financial reporting to the USDA regarding the P-EBT program. As part of our audit testwork, we compared amounts reported by the Department for direct and subrecipient federal expenditures on its Fiscal Year 2021 Exhibit K1 to the underlying financial records in CORE for the Grant and P-EBT federal programs and inquired about any differences. In addition, we made inquiries of Department staff regarding its internal control processes over the Exhibit K1 preparation, including supervisory reviews. We also reviewed 4 out of 12 Fiscal Year 2021 monthly submissions to the USDA for the FNS-292-B reports and compared federal expenditure amounts reported by the Department to the underlying financial records in CORE. How were the results of the audit work measured? The OSC is required to present the State?s SEFA in accordance with the federal requirements of the Uniform Guidance to show the State?s expenditures of federal awards during the fiscal year. Federal regulations [2 CFR 200.38(b)] define a federal award as, ?The instrument setting forth the terms and conditions. The instrument is the grant agreement, cooperative agreement, other agreement for assistance?? Federal regulations [2 CFR 200.510(b)(3) and (4)] require that the SEFA must show both total federal awards expended for each individual federal program, the Assistance Listing Number, and the total amount passed through to subrecipients for each federal program. In order to prepare the SEFA, the OSC requires state departments to submit an Exhibit K1 to report expenditures, receipts, and receivables for each federal grant program administered by the Department during the fiscal year. The OSC?s exhibit instructions include guidelines for completing the Exhibit K1, including defining ?direct and indirect expenditures? as ?all monetary and non-monetary direct and indirect Federal award expenditures,? and ?pass-through expenditures? as ?the amount of all monetary and non-monetary Federal award amounts passed through to a subrecipient.? For the Department?s Grant federal program, subrecipients consist of counties, school districts, and health centers. State Fiscal Rule 1-2, Internal Controls, requires that state departments ?implement internal accounting and administrative controls that reasonably ensure that financial transactions are accurate, reliable, conform to state fiscal rules, and reflect the underlying realities of the accounting transaction (substance rather than form).? Federal regulations [7 CFR 274.4] require the Department to submit an FNS-292-B report in the format prescribed by the USDA with information detailing the P-EBT federal benefit payments. The Department is required to support the information in the report with its underlying records. The FNS-292-B report is identified as a required report within the Department?s State Plan that is approved by the USDA. What problems did the audit work identify? The Department overstated $63.5 million in P-EBT expenditures on its June 2021 FNS-292-B report to USDA that was submitted on August 30, 2021, as well as on the Department?s Exhibit K1 for Fiscal Year 2021. The Department subsequently identified that the FNS-292-B report was misstated and updated and resubmitted the report on September 28, 2021, approximately one month later. The Department, however, did not update its Exhibit K1 for Fiscal Year 2021 to correct the error, because the program staff did not notify the accounting team of the misstatement and need for Exhibit K1 correction. Based on our audit testwork, we also determined that the Department misreported $8.7 million in the Grant?s expenditures as subrecipient, rather than direct, expenditures on its Exhibit K1. Why did these problems occur? The P-EBT program staff did not notify the Department?s accounting team, who prepares the Exhibit K1, of a revision to the FNS-292-B report. The P-EBT program staff prepared the reconciliation of the CBMS summary report to the CFMS P-EBT benefits issued report and identified a variance. The variance was eventually resolved and the P-EBT program staff resubmitted the FNS-292-B report to the USDA; however P-EBT program staff did not communicate this error to the Department?s accounting team. As a result, the accounting team was unaware of the revision and, therefore, did not update the Exhibit K1 to reflect the reduction in federal expenditures. Overall, the Department did not have adequate internal controls, such as an appropriate supervisory review process or adequate communication plan, in place for Fiscal Year 2021 to ensure that the FNS-292-B report was prepared accurately, that the Exhibit K1 was completed in accordance with the instructions provided by the OSC, and that the FNS-292-B and Exhibit K1 were reviewed for accuracy and compared to the underlying data. For the Grant program error, Department staff indicated that these funds were incorrectly identified and coded as subrecipient expenditures in CORE, which caused them to be incorrectly reported as such on the Exhibit K1. When the expenditures were initially posted in CORE, they were not adequately reviewed to determine if they were subrecipient or direct expenditures. Why do these problems matter? By failing to properly report grant expenditures to the federal government and the OSC, who ultimately then fails to properly report expenditures to the federal government on the State?s SEFA, the Department is out of compliance with federal and state reporting requirements and risks federal sanctions. In addition, because the error resulted in the Department misstating its federal expenditure results for the fiscal year, federal staff and taxpayers have an incorrect or unreliable picture of the P-EBT grant?s overall status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-060 The Department of Human Services (Department) should strengthen its internal controls over the preparation of federal reports and the Exhibit K1, Schedule of Federal Assistance, by: A. Strengthening its internal controls over its monthly Pandemic Electronic Benefit Transfer Food Benefits (P-EBT) reporting to ensure its reporting is accurate and goes through supervisory review. B. Improving communication between program and accounting staff to ensure the Exhibit K1 is accurately updated when errors in federal reporting are identified and resolved. C. Improving the supervisory review process over the Exhibit K1 and the federal expenditures entered in the Colorado Operations Resource Engine (CORE), the state?s accounting system, to ensure expenditures are coded correctly as direct or subrecipient expenditures and that, ultimately, the Exhibit K1 is accurate and complete. Response Department of Human Services A. Agree Implementation Date: July 2022 CDHS agrees to enhance internal controls over monthly P-EBT reporting to better ensure accuracy. P-EBT is a new program derived from pandemic funding. Being a new program with a lack of federal guidance at implementation, and urgency to get the funds disbursed program staff had to learn about the nuances of the program and the reporting requirements as it was being implemented. During implementation we recognized that there are some inherent differences with P-EBT from other benefit programs which caused processes to have to be adjusted slightly. Additionally, timing of federal report filing for the P-EBT program is not in synch with our other processes and associated federal reporting requirements and deadlines. This makes it impossible to ensure reconciliation procedures are performed before filing occurs, which is one of our typical internal controls. As a compensating internal control CDHS will ensure that supervisory review processes are performed over P-EBT reporting, and that P-EBT reporting is reconciled to other sources (CBMS and CFMS) as soon as possible after reporting is available. If changes are discovered CDHS will make adjustments to filed P-EBT reports as needed based on reconciliation findings, and communicate changes to necessary parties. B. Agree Implementation Date: July 2022 CDHS will work to ensure better coordination between program activities and the accounting section relating to federal reporting changes. Accounting will iterate the importance of timely informing the accounting staff when changes are made to program filed federal reports. This message will be delivered in periodic fiscal meetings and identified on the closing calendar. The P-EBT program will ensure that corrections are communicated to accounting on any updates completed on the FNS-292-B report upon discovery, and no later than 30 days after the reporting period. C. Agree Implementation Date: July 2022 CDHS will ensure that review and approval processes are occurring as designed at various points in the process leading up to entry into CORE. As part of the Requisition (RQS) approval process program and accounting staff independently approve that the correct direct or subrecipient object code is used. These approved RQS transactions are then transitioned into encumbrance documents that drive which object code future expenditures will be booked to. For CCDF transactions related to this finding, both the OEC and Accounting teams inadvertently approved an incorrect object code in 4 RQS's. Staffing shortages coupled with a large increase in workload related to pandemic funding contributed to this oversight. To correct OEC and Accounting will train new staff, periodically familiarize themselves with the appropriate object codes, and perform quality assurance review over object codes before applying approval in CORE. The K1 is compiled from balances derived from expenditure data recorded in CORE. The compilation of the K1 relies on the fact that expenditure balances are accurate, and that prior reviews and approvals of individual transactions have occurred as designed. The K1 currently goes through various levels of review focusing on balance level validation coupled with analytical procedures. To enhance the review process, CDHS will ensure analytical procedures include line level expenditure comparison at the direct and subrecipient levels.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses were communicated to the Department in the previous year and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-061 The following findings and recommendations relating to internal control deficiencies classified as a Material Weakness and Significant Deficiency were communicated to the Department of Human Services (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-054 INTERNAL CONTROLS OVER FOOD DISTRIBUTION CLUSTER INVENTORY The Food Distribution Cluster (Cluster) is a group of federal grant programs designed to strengthen the nutrition safety net through the provision of donated foods from the U.S. Department of Agriculture (USDA) to low-income persons. The Department, as the state agency responsible for the administration of the Cluster programs, works with emergency feeding organizations throughout Colorado to provide households in need with food commodities through specific federal programs within the Cluster, including the Emergency Food Assistance Program (Emergency Food), and the Commodity Supplemental Food Program (Supplemental Food). Emergency Food (CFDA 10.568) is a federally funded program that provides USDA foods to low-income households for home consumption or for use in prepared meals at emergency feeding sites for low-income persons. The Department enters into contracts with three Regional Food Banks to serve Colorado?s 64 counties. The Department determines an allocation of the emergency foods to each Regional Food Bank. The Regional Food Banks place orders in the Web Supply Chain Management (Web Chain) system, a web-based software managed by the USDA, against their allocation and the USDA then ships the food to the Regional Food Bank?s warehouse. Emergency assistance bonus foods, which are foods the USDA purchases each year to support agricultural markets that entities can receive in addition to their allocation, are offered to each state based on each state?s fair share of the federal application, or on an open-order basis. The Regional Food Banks determine and provide household allocations of emergency food based on need, and provide congregate meals served at local food pantries and soup kitchens. The Regional Food Banks are required to submit physical inventory forms (Form 152) on a monthly basis to the Department and to provide a physical inventory verification on an annual basis. The Form 152 includes information regarding the receipt, disposal, and inventory of USDA Foods. Supplemental Food [CFDA No. 10.565] is a federally funded program that provides USDA foods to low-income seniors who are a minimum of 60 years of age. The Department works with six recipient agencies, including various counties, to ensure distribution in all 64 counties. The recipient agencies enter into contracts with the Department to administer the Supplemental Food program. The recipient agencies order USDA food through Web Chain. Each month, the recipient agencies are required to complete a Supplemental Food Monthly Inventory Form (Form 153) and submit it to the Department. Form 153 includes sections for reporting USDA food receipts, ending inventory, and number of recipients, along with other information. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to determine if the Department had sufficient internal controls over, and complied with, federal requirements for the Supplemental Food and Emergency Food programs, including whether the Department maintained accurate and complete records with respect to the receipt and inventory of USDA food commodities provided through the Supplemental Food and Emergency Food programs. During our audit, we requested to review any Supplemental Food and Emergency Food inventory reconciliations performed by the Department for Fiscal Year 2020, and requested and obtained the Department?s prepared fiscal year-end inventory summary reports. We also performed the following specific testing for each program: ? For Supplemental Food, we compared total shipment information reported by one food bank on its 12 monthly Form 153s to a Fiscal Year 2020 Web Chain report. ? For Emergency Food, we recalculated 12 monthly Form 152s submitted by one Regional Food Bank during Fiscal Year 2020 for accuracy. We also compared the Regional Food Bank?s fiscal year-end reported inventory from its Form 152 to the Department-prepared fiscal year-end inventory summary report and the Regional Food Bank?s reported Fiscal Year 2020 USDA Emergency Food receipts to a Fiscal Year 2020 Web Chain report. Lastly, we compared bonus food orders contained on a Department-prepared tracking sheet to a Web Chain report on a sample basis. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? Federal regulations applicable to the Food Distribution Cluster programs [7 CFR 250.19(a)] require the Department, as a distributing agency, to keep complete records of donated foods. Failure to maintain these records shall be considered ?prima facie evidence of improper distribution or loss of donated foods.? The Department must ensure that ?restitution is made for the loss of donated foods, or for the loss or improper use of funds provided for, or obtained as an incident of, the distribution of donated foods? [7 CFR 250.16(a)]. The Department?s Emergency Assistance Policy and Procedure Manual states that the Regional Food Banks are required to maintain records documenting the receipt, disposal, and inventory of USDA-provided food, including records documenting distributions. The Department?s Supplemental Food Policy and Procedure Manual states that the recipient agencies must maintain complete and accurate records of USDA foods received and distributed. Federal regulations [2 CFR 200.303] require the Department, as a recipient of federal funds, to establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in the Green Book. Under Paragraph 16.01 of the Green Book, the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports and performing reconciliations. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? Overall, the Department had not identified any of the errors or discrepancies we identified through our testing of both programs? inventory records or otherwise ensured they were investigated and corrected. Specifically: EMERGENCY FOOD PROGRAM ? For seven of the 12 Form 152s we tested, the forms contained calculation errors, resulting in miscalculations of the beginning balance of the inventory, quantity received or distributed, and ending balance of the inventory. ? The Regional Food Bank?s year-end Form 152 reported physical inventory of 50,306 cases, but the Department-prepared year-end inventory summary reported physical inventory of 27,000 cases, representing a discrepancy of 23,306 cases. We calculated an estimated dollar value for the discrepancy of approximately $578,000 by dividing the total value of orders received by the Food Bank during the fiscal year by the total number of cases ordered. ? The Regional Food Bank?s year-end Form 152 reported that it received 446,420 cases of USDA foods in Fiscal Year 2020, but the Web Chain report indicated that the Food Bank received 533,597 cases during Fiscal Year 2020; this represented a discrepancy and possible under-reporting of inventory by the Food Bank of 87,177 cases, totaling an estimated amount of approximately $2.2 million. ? Three of the nine (33 percent) sampled USDA foods listed on the Department?s bonus allocation report did not agree to bonus allocation orders listed on the Web Chain report. SUPPLEMENTAL FOOD PROGRAM ? The recipient agency?s Fiscal Year 2020 Form 153s reported that the recipient agency received a total of 1,618,498 Supplemental Food units, but the Web Chain Report indicated that the recipient agency received 1,705,160 units, which represented a discrepancy and possible underreporting of inventory by the recipient agency of 86,662 units, totaling an estimated amount of $127,000. WHY DID THESE PROBLEMS OCCUR? The Department lacks strong internal controls over its administration of the programs? inventories, including review and reconciliation policies and procedures. First, the Department does not have policies and related procedures requiring Department staff to review monthly inventory reports provided by recipient agencies and Regional Food Banks to ensure the information provided is accurate. Second, the Department does not have policies and related procedures requiring Department staff to perform reconciliations of physical inventory to the USDA Web Chain report to ensure inventory records are complete and accurate. Third, the Department does not have a tracking system to track recipient agencies and Regional Food Banks activities in the Web Chain system or supporting documentation. WHY DO THESE PROBLEMS MATTER? Lack of review and monitoring processes could result in the Department not maintaining complete and accurate inventory records and failing to comply with federal regulations. Ultimately, the Department risks the improper distribution or loss of USDA foods and could owe USDA for inventory shortages. By not having a proper tracking of inventory, this could also result in the Department not having sufficient food to provide to individuals in need of food assistance. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-054 The Department of Human Services (Department) should strengthen its internal controls over the Food Distribution Cluster?s U.S. Department of Agriculture foods inventory by: A Developing and implementing policies and procedures requiring Department staff to review monthly inventory reports received from recipient agencies and Regional Food Banks to ensure they are accurate. B Developing and implementing policies and procedures requiring Department staff to perform reconciliations of recipient agencies? and Regional Food Banks? physical inventories to the Web Supply Chain Management system to ensure inventory records are complete and accurate. C Developing and implementing a tracking system to track recipient agencies and Regional Food Banks activities in the Web Supply Chain Management system and maintaining supporting documents. RESPONSE DEPARTMENT OF HUMAN SERVICES A AGREE. IMPLEMENTATION DATE: DECEMBER 2022. The Department is undertaking an inventory overhaul which includes implementing a new inventory database and creating and hiring an Inventory Specialist. The Department recognized the need for inventory software and started the process of obtaining it in June 2020. In May 2021, the Department received a signed licensing agreement for a new database which is expected to be implemented in six months per an OIT timeline. In addition to the database, the Department recently hired a new Inventory Specialist position. This position will lead the development of policies, procedures, inventory reconciliations, and monthly report management. Once the Inventory Specialist has a comprehensive understanding of federal and state policy and the new database software, the Department will develop policies and procedures, training for partner agencies, and roll out new requirements for the tracking and reconciliation of program inventories. B AGREE. IMPLEMENTATION DATE: DECEMBER 2022. The Department agrees to develop and implement policies and procedures requiring Department staff to perform reconciliations of recipient agencies? and Regional Food Banks? physical inventories to the Web-based Supply Chain Management system to ensure inventory records are complete and accurate. Starting in January 2021 the Department began developing a position description for an Inventory Specialist with the focus of ensuring accurate and thorough accounting of all year-end inventory and reconciliations. The position was hired in April 2021. Due to the implementation of the inventory database and the timing of beginning and ending inventories, the Department anticipates being able to do a full reconciliation of inventories by December 2022. C AGREE. IMPLEMENTATION DATE: DECEMBER 2022. The Department agrees to develop and implement a tracking system for food inventory at recipient agencies and Regional Food Banks using the Web Supply Chain Management system receipts as the basis of food received, including the maintenance of supporting documents. The Department is undertaking an inventory overhaul which includes implementing a new inventory database and creating and hiring an Inventory Specialist. The Department recognized the need for inventory software and started the process of obtaining it in June 2020. In May 2021, the Department received a signed licensing agreement for a new database which is expected to be implemented in six months per an OIT timeline. In addition to the database, the Department recently hired a new Inventory Specialist position. This position will lead the development of policies, procedures, inventory reconciliations, and monthly report management. Once the Inventory Specialist has a comprehensive understanding of federal and state policy and the new database software, the Department will develop policies and procedures, training for partner agencies, and roll out new requirements for the tracking and reconciliation of program inventories.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses were communicated to the Department in the previous year and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-061 The following findings and recommendations relating to internal control deficiencies classified as a Material Weakness and Significant Deficiency were communicated to the Department of Human Services (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-054 INTERNAL CONTROLS OVER FOOD DISTRIBUTION CLUSTER INVENTORY The Food Distribution Cluster (Cluster) is a group of federal grant programs designed to strengthen the nutrition safety net through the provision of donated foods from the U.S. Department of Agriculture (USDA) to low-income persons. The Department, as the state agency responsible for the administration of the Cluster programs, works with emergency feeding organizations throughout Colorado to provide households in need with food commodities through specific federal programs within the Cluster, including the Emergency Food Assistance Program (Emergency Food), and the Commodity Supplemental Food Program (Supplemental Food). Emergency Food (CFDA 10.568) is a federally funded program that provides USDA foods to low-income households for home consumption or for use in prepared meals at emergency feeding sites for low-income persons. The Department enters into contracts with three Regional Food Banks to serve Colorado?s 64 counties. The Department determines an allocation of the emergency foods to each Regional Food Bank. The Regional Food Banks place orders in the Web Supply Chain Management (Web Chain) system, a web-based software managed by the USDA, against their allocation and the USDA then ships the food to the Regional Food Bank?s warehouse. Emergency assistance bonus foods, which are foods the USDA purchases each year to support agricultural markets that entities can receive in addition to their allocation, are offered to each state based on each state?s fair share of the federal application, or on an open-order basis. The Regional Food Banks determine and provide household allocations of emergency food based on need, and provide congregate meals served at local food pantries and soup kitchens. The Regional Food Banks are required to submit physical inventory forms (Form 152) on a monthly basis to the Department and to provide a physical inventory verification on an annual basis. The Form 152 includes information regarding the receipt, disposal, and inventory of USDA Foods. Supplemental Food [CFDA No. 10.565] is a federally funded program that provides USDA foods to low-income seniors who are a minimum of 60 years of age. The Department works with six recipient agencies, including various counties, to ensure distribution in all 64 counties. The recipient agencies enter into contracts with the Department to administer the Supplemental Food program. The recipient agencies order USDA food through Web Chain. Each month, the recipient agencies are required to complete a Supplemental Food Monthly Inventory Form (Form 153) and submit it to the Department. Form 153 includes sections for reporting USDA food receipts, ending inventory, and number of recipients, along with other information. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to determine if the Department had sufficient internal controls over, and complied with, federal requirements for the Supplemental Food and Emergency Food programs, including whether the Department maintained accurate and complete records with respect to the receipt and inventory of USDA food commodities provided through the Supplemental Food and Emergency Food programs. During our audit, we requested to review any Supplemental Food and Emergency Food inventory reconciliations performed by the Department for Fiscal Year 2020, and requested and obtained the Department?s prepared fiscal year-end inventory summary reports. We also performed the following specific testing for each program: ? For Supplemental Food, we compared total shipment information reported by one food bank on its 12 monthly Form 153s to a Fiscal Year 2020 Web Chain report. ? For Emergency Food, we recalculated 12 monthly Form 152s submitted by one Regional Food Bank during Fiscal Year 2020 for accuracy. We also compared the Regional Food Bank?s fiscal year-end reported inventory from its Form 152 to the Department-prepared fiscal year-end inventory summary report and the Regional Food Bank?s reported Fiscal Year 2020 USDA Emergency Food receipts to a Fiscal Year 2020 Web Chain report. Lastly, we compared bonus food orders contained on a Department-prepared tracking sheet to a Web Chain report on a sample basis. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? Federal regulations applicable to the Food Distribution Cluster programs [7 CFR 250.19(a)] require the Department, as a distributing agency, to keep complete records of donated foods. Failure to maintain these records shall be considered ?prima facie evidence of improper distribution or loss of donated foods.? The Department must ensure that ?restitution is made for the loss of donated foods, or for the loss or improper use of funds provided for, or obtained as an incident of, the distribution of donated foods? [7 CFR 250.16(a)]. The Department?s Emergency Assistance Policy and Procedure Manual states that the Regional Food Banks are required to maintain records documenting the receipt, disposal, and inventory of USDA-provided food, including records documenting distributions. The Department?s Supplemental Food Policy and Procedure Manual states that the recipient agencies must maintain complete and accurate records of USDA foods received and distributed. Federal regulations [2 CFR 200.303] require the Department, as a recipient of federal funds, to establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in the Green Book. Under Paragraph 16.01 of the Green Book, the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports and performing reconciliations. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? Overall, the Department had not identified any of the errors or discrepancies we identified through our testing of both programs? inventory records or otherwise ensured they were investigated and corrected. Specifically: EMERGENCY FOOD PROGRAM ? For seven of the 12 Form 152s we tested, the forms contained calculation errors, resulting in miscalculations of the beginning balance of the inventory, quantity received or distributed, and ending balance of the inventory. ? The Regional Food Bank?s year-end Form 152 reported physical inventory of 50,306 cases, but the Department-prepared year-end inventory summary reported physical inventory of 27,000 cases, representing a discrepancy of 23,306 cases. We calculated an estimated dollar value for the discrepancy of approximately $578,000 by dividing the total value of orders received by the Food Bank during the fiscal year by the total number of cases ordered. ? The Regional Food Bank?s year-end Form 152 reported that it received 446,420 cases of USDA foods in Fiscal Year 2020, but the Web Chain report indicated that the Food Bank received 533,597 cases during Fiscal Year 2020; this represented a discrepancy and possible under-reporting of inventory by the Food Bank of 87,177 cases, totaling an estimated amount of approximately $2.2 million. ? Three of the nine (33 percent) sampled USDA foods listed on the Department?s bonus allocation report did not agree to bonus allocation orders listed on the Web Chain report. SUPPLEMENTAL FOOD PROGRAM ? The recipient agency?s Fiscal Year 2020 Form 153s reported that the recipient agency received a total of 1,618,498 Supplemental Food units, but the Web Chain Report indicated that the recipient agency received 1,705,160 units, which represented a discrepancy and possible underreporting of inventory by the recipient agency of 86,662 units, totaling an estimated amount of $127,000. WHY DID THESE PROBLEMS OCCUR? The Department lacks strong internal controls over its administration of the programs? inventories, including review and reconciliation policies and procedures. First, the Department does not have policies and related procedures requiring Department staff to review monthly inventory reports provided by recipient agencies and Regional Food Banks to ensure the information provided is accurate. Second, the Department does not have policies and related procedures requiring Department staff to perform reconciliations of physical inventory to the USDA Web Chain report to ensure inventory records are complete and accurate. Third, the Department does not have a tracking system to track recipient agencies and Regional Food Banks activities in the Web Chain system or supporting documentation. WHY DO THESE PROBLEMS MATTER? Lack of review and monitoring processes could result in the Department not maintaining complete and accurate inventory records and failing to comply with federal regulations. Ultimately, the Department risks the improper distribution or loss of USDA foods and could owe USDA for inventory shortages. By not having a proper tracking of inventory, this could also result in the Department not having sufficient food to provide to individuals in need of food assistance. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-054 The Department of Human Services (Department) should strengthen its internal controls over the Food Distribution Cluster?s U.S. Department of Agriculture foods inventory by: A Developing and implementing policies and procedures requiring Department staff to review monthly inventory reports received from recipient agencies and Regional Food Banks to ensure they are accurate. B Developing and implementing policies and procedures requiring Department staff to perform reconciliations of recipient agencies? and Regional Food Banks? physical inventories to the Web Supply Chain Management system to ensure inventory records are complete and accurate. C Developing and implementing a tracking system to track recipient agencies and Regional Food Banks activities in the Web Supply Chain Management system and maintaining supporting documents. RESPONSE DEPARTMENT OF HUMAN SERVICES A AGREE. IMPLEMENTATION DATE: DECEMBER 2022. The Department is undertaking an inventory overhaul which includes implementing a new inventory database and creating and hiring an Inventory Specialist. The Department recognized the need for inventory software and started the process of obtaining it in June 2020. In May 2021, the Department received a signed licensing agreement for a new database which is expected to be implemented in six months per an OIT timeline. In addition to the database, the Department recently hired a new Inventory Specialist position. This position will lead the development of policies, procedures, inventory reconciliations, and monthly report management. Once the Inventory Specialist has a comprehensive understanding of federal and state policy and the new database software, the Department will develop policies and procedures, training for partner agencies, and roll out new requirements for the tracking and reconciliation of program inventories. B AGREE. IMPLEMENTATION DATE: DECEMBER 2022. The Department agrees to develop and implement policies and procedures requiring Department staff to perform reconciliations of recipient agencies? and Regional Food Banks? physical inventories to the Web-based Supply Chain Management system to ensure inventory records are complete and accurate. Starting in January 2021 the Department began developing a position description for an Inventory Specialist with the focus of ensuring accurate and thorough accounting of all year-end inventory and reconciliations. The position was hired in April 2021. Due to the implementation of the inventory database and the timing of beginning and ending inventories, the Department anticipates being able to do a full reconciliation of inventories by December 2022. C AGREE. IMPLEMENTATION DATE: DECEMBER 2022. The Department agrees to develop and implement a tracking system for food inventory at recipient agencies and Regional Food Banks using the Web Supply Chain Management system receipts as the basis of food received, including the maintenance of supporting documents. The Department is undertaking an inventory overhaul which includes implementing a new inventory database and creating and hiring an Inventory Specialist. The Department recognized the need for inventory software and started the process of obtaining it in June 2020. In May 2021, the Department received a signed licensing agreement for a new database which is expected to be implemented in six months per an OIT timeline. In addition to the database, the Department recently hired a new Inventory Specialist position. This position will lead the development of policies, procedures, inventory reconciliations, and monthly report management. Once the Inventory Specialist has a comprehensive understanding of federal and state policy and the new database software, the Department will develop policies and procedures, training for partner agencies, and roll out new requirements for the tracking and reconciliation of program inventories.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses were communicated to the Department in the previous year and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-061 The following findings and recommendations relating to internal control deficiencies classified as a Material Weakness and Significant Deficiency were communicated to the Department of Human Services (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-054 INTERNAL CONTROLS OVER FOOD DISTRIBUTION CLUSTER INVENTORY The Food Distribution Cluster (Cluster) is a group of federal grant programs designed to strengthen the nutrition safety net through the provision of donated foods from the U.S. Department of Agriculture (USDA) to low-income persons. The Department, as the state agency responsible for the administration of the Cluster programs, works with emergency feeding organizations throughout Colorado to provide households in need with food commodities through specific federal programs within the Cluster, including the Emergency Food Assistance Program (Emergency Food), and the Commodity Supplemental Food Program (Supplemental Food). Emergency Food (CFDA 10.568) is a federally funded program that provides USDA foods to low-income households for home consumption or for use in prepared meals at emergency feeding sites for low-income persons. The Department enters into contracts with three Regional Food Banks to serve Colorado?s 64 counties. The Department determines an allocation of the emergency foods to each Regional Food Bank. The Regional Food Banks place orders in the Web Supply Chain Management (Web Chain) system, a web-based software managed by the USDA, against their allocation and the USDA then ships the food to the Regional Food Bank?s warehouse. Emergency assistance bonus foods, which are foods the USDA purchases each year to support agricultural markets that entities can receive in addition to their allocation, are offered to each state based on each state?s fair share of the federal application, or on an open-order basis. The Regional Food Banks determine and provide household allocations of emergency food based on need, and provide congregate meals served at local food pantries and soup kitchens. The Regional Food Banks are required to submit physical inventory forms (Form 152) on a monthly basis to the Department and to provide a physical inventory verification on an annual basis. The Form 152 includes information regarding the receipt, disposal, and inventory of USDA Foods. Supplemental Food [CFDA No. 10.565] is a federally funded program that provides USDA foods to low-income seniors who are a minimum of 60 years of age. The Department works with six recipient agencies, including various counties, to ensure distribution in all 64 counties. The recipient agencies enter into contracts with the Department to administer the Supplemental Food program. The recipient agencies order USDA food through Web Chain. Each month, the recipient agencies are required to complete a Supplemental Food Monthly Inventory Form (Form 153) and submit it to the Department. Form 153 includes sections for reporting USDA food receipts, ending inventory, and number of recipients, along with other information. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to determine if the Department had sufficient internal controls over, and complied with, federal requirements for the Supplemental Food and Emergency Food programs, including whether the Department maintained accurate and complete records with respect to the receipt and inventory of USDA food commodities provided through the Supplemental Food and Emergency Food programs. During our audit, we requested to review any Supplemental Food and Emergency Food inventory reconciliations performed by the Department for Fiscal Year 2020, and requested and obtained the Department?s prepared fiscal year-end inventory summary reports. We also performed the following specific testing for each program: ? For Supplemental Food, we compared total shipment information reported by one food bank on its 12 monthly Form 153s to a Fiscal Year 2020 Web Chain report. ? For Emergency Food, we recalculated 12 monthly Form 152s submitted by one Regional Food Bank during Fiscal Year 2020 for accuracy. We also compared the Regional Food Bank?s fiscal year-end reported inventory from its Form 152 to the Department-prepared fiscal year-end inventory summary report and the Regional Food Bank?s reported Fiscal Year 2020 USDA Emergency Food receipts to a Fiscal Year 2020 Web Chain report. Lastly, we compared bonus food orders contained on a Department-prepared tracking sheet to a Web Chain report on a sample basis. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? Federal regulations applicable to the Food Distribution Cluster programs [7 CFR 250.19(a)] require the Department, as a distributing agency, to keep complete records of donated foods. Failure to maintain these records shall be considered ?prima facie evidence of improper distribution or loss of donated foods.? The Department must ensure that ?restitution is made for the loss of donated foods, or for the loss or improper use of funds provided for, or obtained as an incident of, the distribution of donated foods? [7 CFR 250.16(a)]. The Department?s Emergency Assistance Policy and Procedure Manual states that the Regional Food Banks are required to maintain records documenting the receipt, disposal, and inventory of USDA-provided food, including records documenting distributions. The Department?s Supplemental Food Policy and Procedure Manual states that the recipient agencies must maintain complete and accurate records of USDA foods received and distributed. Federal regulations [2 CFR 200.303] require the Department, as a recipient of federal funds, to establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in the Green Book. Under Paragraph 16.01 of the Green Book, the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports and performing reconciliations. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? Overall, the Department had not identified any of the errors or discrepancies we identified through our testing of both programs? inventory records or otherwise ensured they were investigated and corrected. Specifically: EMERGENCY FOOD PROGRAM ? For seven of the 12 Form 152s we tested, the forms contained calculation errors, resulting in miscalculations of the beginning balance of the inventory, quantity received or distributed, and ending balance of the inventory. ? The Regional Food Bank?s year-end Form 152 reported physical inventory of 50,306 cases, but the Department-prepared year-end inventory summary reported physical inventory of 27,000 cases, representing a discrepancy of 23,306 cases. We calculated an estimated dollar value for the discrepancy of approximately $578,000 by dividing the total value of orders received by the Food Bank during the fiscal year by the total number of cases ordered. ? The Regional Food Bank?s year-end Form 152 reported that it received 446,420 cases of USDA foods in Fiscal Year 2020, but the Web Chain report indicated that the Food Bank received 533,597 cases during Fiscal Year 2020; this represented a discrepancy and possible under-reporting of inventory by the Food Bank of 87,177 cases, totaling an estimated amount of approximately $2.2 million. ? Three of the nine (33 percent) sampled USDA foods listed on the Department?s bonus allocation report did not agree to bonus allocation orders listed on the Web Chain report. SUPPLEMENTAL FOOD PROGRAM ? The recipient agency?s Fiscal Year 2020 Form 153s reported that the recipient agency received a total of 1,618,498 Supplemental Food units, but the Web Chain Report indicated that the recipient agency received 1,705,160 units, which represented a discrepancy and possible underreporting of inventory by the recipient agency of 86,662 units, totaling an estimated amount of $127,000. WHY DID THESE PROBLEMS OCCUR? The Department lacks strong internal controls over its administration of the programs? inventories, including review and reconciliation policies and procedures. First, the Department does not have policies and related procedures requiring Department staff to review monthly inventory reports provided by recipient agencies and Regional Food Banks to ensure the information provided is accurate. Second, the Department does not have policies and related procedures requiring Department staff to perform reconciliations of physical inventory to the USDA Web Chain report to ensure inventory records are complete and accurate. Third, the Department does not have a tracking system to track recipient agencies and Regional Food Banks activities in the Web Chain system or supporting documentation. WHY DO THESE PROBLEMS MATTER? Lack of review and monitoring processes could result in the Department not maintaining complete and accurate inventory records and failing to comply with federal regulations. Ultimately, the Department risks the improper distribution or loss of USDA foods and could owe USDA for inventory shortages. By not having a proper tracking of inventory, this could also result in the Department not having sufficient food to provide to individuals in need of food assistance. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-054 The Department of Human Services (Department) should strengthen its internal controls over the Food Distribution Cluster?s U.S. Department of Agriculture foods inventory by: A Developing and implementing policies and procedures requiring Department staff to review monthly inventory reports received from recipient agencies and Regional Food Banks to ensure they are accurate. B Developing and implementing policies and procedures requiring Department staff to perform reconciliations of recipient agencies? and Regional Food Banks? physical inventories to the Web Supply Chain Management system to ensure inventory records are complete and accurate. C Developing and implementing a tracking system to track recipient agencies and Regional Food Banks activities in the Web Supply Chain Management system and maintaining supporting documents. RESPONSE DEPARTMENT OF HUMAN SERVICES A AGREE. IMPLEMENTATION DATE: DECEMBER 2022. The Department is undertaking an inventory overhaul which includes implementing a new inventory database and creating and hiring an Inventory Specialist. The Department recognized the need for inventory software and started the process of obtaining it in June 2020. In May 2021, the Department received a signed licensing agreement for a new database which is expected to be implemented in six months per an OIT timeline. In addition to the database, the Department recently hired a new Inventory Specialist position. This position will lead the development of policies, procedures, inventory reconciliations, and monthly report management. Once the Inventory Specialist has a comprehensive understanding of federal and state policy and the new database software, the Department will develop policies and procedures, training for partner agencies, and roll out new requirements for the tracking and reconciliation of program inventories. B AGREE. IMPLEMENTATION DATE: DECEMBER 2022. The Department agrees to develop and implement policies and procedures requiring Department staff to perform reconciliations of recipient agencies? and Regional Food Banks? physical inventories to the Web-based Supply Chain Management system to ensure inventory records are complete and accurate. Starting in January 2021 the Department began developing a position description for an Inventory Specialist with the focus of ensuring accurate and thorough accounting of all year-end inventory and reconciliations. The position was hired in April 2021. Due to the implementation of the inventory database and the timing of beginning and ending inventories, the Department anticipates being able to do a full reconciliation of inventories by December 2022. C AGREE. IMPLEMENTATION DATE: DECEMBER 2022. The Department agrees to develop and implement a tracking system for food inventory at recipient agencies and Regional Food Banks using the Web Supply Chain Management system receipts as the basis of food received, including the maintenance of supporting documents. The Department is undertaking an inventory overhaul which includes implementing a new inventory database and creating and hiring an Inventory Specialist. The Department recognized the need for inventory software and started the process of obtaining it in June 2020. In May 2021, the Department received a signed licensing agreement for a new database which is expected to be implemented in six months per an OIT timeline. In addition to the database, the Department recently hired a new Inventory Specialist position. This position will lead the development of policies, procedures, inventory reconciliations, and monthly report management. Once the Inventory Specialist has a comprehensive understanding of federal and state policy and the new database software, the Department will develop policies and procedures, training for partner agencies, and roll out new requirements for the tracking and reconciliation of program inventories.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses were communicated to the Department in the previous year and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-061 The following findings and recommendations relating to internal control deficiencies classified as a Material Weakness and Significant Deficiency were communicated to the Department of Human Services (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-054 INTERNAL CONTROLS OVER FOOD DISTRIBUTION CLUSTER INVENTORY The Food Distribution Cluster (Cluster) is a group of federal grant programs designed to strengthen the nutrition safety net through the provision of donated foods from the U.S. Department of Agriculture (USDA) to low-income persons. The Department, as the state agency responsible for the administration of the Cluster programs, works with emergency feeding organizations throughout Colorado to provide households in need with food commodities through specific federal programs within the Cluster, including the Emergency Food Assistance Program (Emergency Food), and the Commodity Supplemental Food Program (Supplemental Food). Emergency Food (CFDA 10.568) is a federally funded program that provides USDA foods to low-income households for home consumption or for use in prepared meals at emergency feeding sites for low-income persons. The Department enters into contracts with three Regional Food Banks to serve Colorado?s 64 counties. The Department determines an allocation of the emergency foods to each Regional Food Bank. The Regional Food Banks place orders in the Web Supply Chain Management (Web Chain) system, a web-based software managed by the USDA, against their allocation and the USDA then ships the food to the Regional Food Bank?s warehouse. Emergency assistance bonus foods, which are foods the USDA purchases each year to support agricultural markets that entities can receive in addition to their allocation, are offered to each state based on each state?s fair share of the federal application, or on an open-order basis. The Regional Food Banks determine and provide household allocations of emergency food based on need, and provide congregate meals served at local food pantries and soup kitchens. The Regional Food Banks are required to submit physical inventory forms (Form 152) on a monthly basis to the Department and to provide a physical inventory verification on an annual basis. The Form 152 includes information regarding the receipt, disposal, and inventory of USDA Foods. Supplemental Food [CFDA No. 10.565] is a federally funded program that provides USDA foods to low-income seniors who are a minimum of 60 years of age. The Department works with six recipient agencies, including various counties, to ensure distribution in all 64 counties. The recipient agencies enter into contracts with the Department to administer the Supplemental Food program. The recipient agencies order USDA food through Web Chain. Each month, the recipient agencies are required to complete a Supplemental Food Monthly Inventory Form (Form 153) and submit it to the Department. Form 153 includes sections for reporting USDA food receipts, ending inventory, and number of recipients, along with other information. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to determine if the Department had sufficient internal controls over, and complied with, federal requirements for the Supplemental Food and Emergency Food programs, including whether the Department maintained accurate and complete records with respect to the receipt and inventory of USDA food commodities provided through the Supplemental Food and Emergency Food programs. During our audit, we requested to review any Supplemental Food and Emergency Food inventory reconciliations performed by the Department for Fiscal Year 2020, and requested and obtained the Department?s prepared fiscal year-end inventory summary reports. We also performed the following specific testing for each program: ? For Supplemental Food, we compared total shipment information reported by one food bank on its 12 monthly Form 153s to a Fiscal Year 2020 Web Chain report. ? For Emergency Food, we recalculated 12 monthly Form 152s submitted by one Regional Food Bank during Fiscal Year 2020 for accuracy. We also compared the Regional Food Bank?s fiscal year-end reported inventory from its Form 152 to the Department-prepared fiscal year-end inventory summary report and the Regional Food Bank?s reported Fiscal Year 2020 USDA Emergency Food receipts to a Fiscal Year 2020 Web Chain report. Lastly, we compared bonus food orders contained on a Department-prepared tracking sheet to a Web Chain report on a sample basis. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? Federal regulations applicable to the Food Distribution Cluster programs [7 CFR 250.19(a)] require the Department, as a distributing agency, to keep complete records of donated foods. Failure to maintain these records shall be considered ?prima facie evidence of improper distribution or loss of donated foods.? The Department must ensure that ?restitution is made for the loss of donated foods, or for the loss or improper use of funds provided for, or obtained as an incident of, the distribution of donated foods? [7 CFR 250.16(a)]. The Department?s Emergency Assistance Policy and Procedure Manual states that the Regional Food Banks are required to maintain records documenting the receipt, disposal, and inventory of USDA-provided food, including records documenting distributions. The Department?s Supplemental Food Policy and Procedure Manual states that the recipient agencies must maintain complete and accurate records of USDA foods received and distributed. Federal regulations [2 CFR 200.303] require the Department, as a recipient of federal funds, to establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in the Green Book. Under Paragraph 16.01 of the Green Book, the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports and performing reconciliations. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? Overall, the Department had not identified any of the errors or discrepancies we identified through our testing of both programs? inventory records or otherwise ensured they were investigated and corrected. Specifically: EMERGENCY FOOD PROGRAM ? For seven of the 12 Form 152s we tested, the forms contained calculation errors, resulting in miscalculations of the beginning balance of the inventory, quantity received or distributed, and ending balance of the inventory. ? The Regional Food Bank?s year-end Form 152 reported physical inventory of 50,306 cases, but the Department-prepared year-end inventory summary reported physical inventory of 27,000 cases, representing a discrepancy of 23,306 cases. We calculated an estimated dollar value for the discrepancy of approximately $578,000 by dividing the total value of orders received by the Food Bank during the fiscal year by the total number of cases ordered. ? The Regional Food Bank?s year-end Form 152 reported that it received 446,420 cases of USDA foods in Fiscal Year 2020, but the Web Chain report indicated that the Food Bank received 533,597 cases during Fiscal Year 2020; this represented a discrepancy and possible under-reporting of inventory by the Food Bank of 87,177 cases, totaling an estimated amount of approximately $2.2 million. ? Three of the nine (33 percent) sampled USDA foods listed on the Department?s bonus allocation report did not agree to bonus allocation orders listed on the Web Chain report. SUPPLEMENTAL FOOD PROGRAM ? The recipient agency?s Fiscal Year 2020 Form 153s reported that the recipient agency received a total of 1,618,498 Supplemental Food units, but the Web Chain Report indicated that the recipient agency received 1,705,160 units, which represented a discrepancy and possible underreporting of inventory by the recipient agency of 86,662 units, totaling an estimated amount of $127,000. WHY DID THESE PROBLEMS OCCUR? The Department lacks strong internal controls over its administration of the programs? inventories, including review and reconciliation policies and procedures. First, the Department does not have policies and related procedures requiring Department staff to review monthly inventory reports provided by recipient agencies and Regional Food Banks to ensure the information provided is accurate. Second, the Department does not have policies and related procedures requiring Department staff to perform reconciliations of physical inventory to the USDA Web Chain report to ensure inventory records are complete and accurate. Third, the Department does not have a tracking system to track recipient agencies and Regional Food Banks activities in the Web Chain system or supporting documentation. WHY DO THESE PROBLEMS MATTER? Lack of review and monitoring processes could result in the Department not maintaining complete and accurate inventory records and failing to comply with federal regulations. Ultimately, the Department risks the improper distribution or loss of USDA foods and could owe USDA for inventory shortages. By not having a proper tracking of inventory, this could also result in the Department not having sufficient food to provide to individuals in need of food assistance. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-054 The Department of Human Services (Department) should strengthen its internal controls over the Food Distribution Cluster?s U.S. Department of Agriculture foods inventory by: A Developing and implementing policies and procedures requiring Department staff to review monthly inventory reports received from recipient agencies and Regional Food Banks to ensure they are accurate. B Developing and implementing policies and procedures requiring Department staff to perform reconciliations of recipient agencies? and Regional Food Banks? physical inventories to the Web Supply Chain Management system to ensure inventory records are complete and accurate. C Developing and implementing a tracking system to track recipient agencies and Regional Food Banks activities in the Web Supply Chain Management system and maintaining supporting documents. RESPONSE DEPARTMENT OF HUMAN SERVICES A AGREE. IMPLEMENTATION DATE: DECEMBER 2022. The Department is undertaking an inventory overhaul which includes implementing a new inventory database and creating and hiring an Inventory Specialist. The Department recognized the need for inventory software and started the process of obtaining it in June 2020. In May 2021, the Department received a signed licensing agreement for a new database which is expected to be implemented in six months per an OIT timeline. In addition to the database, the Department recently hired a new Inventory Specialist position. This position will lead the development of policies, procedures, inventory reconciliations, and monthly report management. Once the Inventory Specialist has a comprehensive understanding of federal and state policy and the new database software, the Department will develop policies and procedures, training for partner agencies, and roll out new requirements for the tracking and reconciliation of program inventories. B AGREE. IMPLEMENTATION DATE: DECEMBER 2022. The Department agrees to develop and implement policies and procedures requiring Department staff to perform reconciliations of recipient agencies? and Regional Food Banks? physical inventories to the Web-based Supply Chain Management system to ensure inventory records are complete and accurate. Starting in January 2021 the Department began developing a position description for an Inventory Specialist with the focus of ensuring accurate and thorough accounting of all year-end inventory and reconciliations. The position was hired in April 2021. Due to the implementation of the inventory database and the timing of beginning and ending inventories, the Department anticipates being able to do a full reconciliation of inventories by December 2022. C AGREE. IMPLEMENTATION DATE: DECEMBER 2022. The Department agrees to develop and implement a tracking system for food inventory at recipient agencies and Regional Food Banks using the Web Supply Chain Management system receipts as the basis of food received, including the maintenance of supporting documents. The Department is undertaking an inventory overhaul which includes implementing a new inventory database and creating and hiring an Inventory Specialist. The Department recognized the need for inventory software and started the process of obtaining it in June 2020. In May 2021, the Department received a signed licensing agreement for a new database which is expected to be implemented in six months per an OIT timeline. In addition to the database, the Department recently hired a new Inventory Specialist position. This position will lead the development of policies, procedures, inventory reconciliations, and monthly report management. Once the Inventory Specialist has a comprehensive understanding of federal and state policy and the new database software, the Department will develop policies and procedures, training for partner agencies, and roll out new requirements for the tracking and reconciliation of program inventories.
Finding 2022-074 Coronavirus Relief Funds?Property Owner Preservation Program The President of the United States issued the Proclamation on Declaring a National Emergency Concerning the Novel Coronavirus Disease (COVID-19) Outbreak on March 13, 2020 and Congress subsequently passed the Coronavirus Aid, Relief, and Economic Security (CARES) Act. The CARES Act provided emergency assistance in response to the COVID-19 pandemic and established the Coronavirus Relief Fund (CRF) program, which provided payments to state, local, and tribal governments navigating the impact of COVID-19. The State of Colorado received approximately $1.67 billion of CRF funds in April 2020, and the Governor issued Executive Order 2020-070 (Executive Order) in May 2020 to disburse the CRF funds to numerous state departments and agencies. In June 2020, the State passed House Bill 20-1410, concerning assistance for individuals facing a housing-related hardship due to the COVID-19 pandemic, and transferred approximately $19.7 million of CRF funds to the Housing Development Grant Fund to provide such assistance. This bill includes a provision for the Property Owners Preservation Program (Program), which was managed by the Department, to allow landlords and property owners to seek rental assistance on behalf of their tenants who experienced a financial need on or after March 1, 2020, due to the effects of the COVID-19 pandemic. In Fiscal Year 2021, the Department expended the $19.7 million of the CRF funds it received in April 2020, for the Property Owners Preservation Program (POPP). What was the purpose of our audit work and what work was performed? The purpose of the audit work was to follow up on our prior year audit recommendation, which recommended that the Department implement internal controls to ensure it complies with federal regulations for any new federal funds it receives, such as the CRF. The Department planned to implement this recommendation by June 2022. During the Fiscal Year 2022 audit, we inquired with the Department on the implementation status of this recommendation. We also obtained and reviewed the Department?s Exhibit K3, Schedule of Prior Year Audit Recommendation Status, which it was required to submit to the State Controller. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Under House Bill 20-1410, the Housing Development Grant Fund was appropriated $19,650,000 of funds from the CRF for the purpose of providing individuals and households who, on or after March 1, 2020, experienced financial need due to the COVID-19 pandemic or effects of the COVID-19 pandemic, with rental assistance. The House Bill also provided guidance on how to access additional housing services. The Department developed and issued a new application for the POPP to address the criteria for experiencing direct or indirect impacts of the COVID-19 pandemic. ? Federal regulations [2 CFR 200.303] require that the Department, as a federal grant recipient, ?establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.? Furthermore, in accordance with 2 CFR part 200, subpart E, the Department must determine that amounts paid with federal grant funds were necessary and reasonable for the performance of the federal award and are adequately documented. Therefore, the Department must maintain appropriate supporting documentation to verify costs were properly charged to the federal grants. ? The Office of the State Controller (OSC) requires each department that had a prior audit recommendation that was reported in the prior fiscal year?s Office of the State Auditor Statewide audit to complete an Exhibit K3 to report the Department?s determination of the status of their recommendation as of June 30. Possible status descriptions include ?Implemented,? ?Partially Implemented,? ?Not Implemented,? and ?No Longer Valid.? The Department must provide an explanation for each recommendation status. What problem did the audit work identify? We determined that the Department did not implement the prior year?s recommendation by its planned implementation date of June 2022. Specifically, during prior year audit work, we found that the Department could not provide appropriate underlying support for 4 of the 60 transactions (7 percent) we tested that were charged as CRF expenditures for the Program; as a result, we recommended that the Department strengthen its internal controls over federal grant spending, including that it develop and implement policies and procedures with a requirement that Department staff review and maintain records supporting its expenditures charged to federal programs. When we inquired of the Department about what steps it had taken to implement the recommendation, Department staff indicated that they did not implement the recommendation during Fiscal Year 2022. Why did this problem occur? The Department reported on its Exhibit K3 that it determined that the original implementation date of June 2022 that the Department provided as its planned implementation date for our Fiscal Year 2021 recommendation was unrealistic, given the Department?s staffing challenges. Specifically, the Department indicated that it was not able to allocate sufficient time to develop and implement the recommended policy and procedure guidance by the end of Fiscal Year 2022. Why does this problem matter? The Department?s lack of sufficient internal controls over the maintenance of complete and accurate records for the federal CRF monies could result in inadequate documentation to support its payments and ultimately, disallowed federal costs and potential sanctions. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-074 The Department of Local Affairs (Department) should implement internal controls to ensure it complies with federal regulations, specifically for activities allowed or unallowed and allowable costs/cost principles, for any new federal funds it receives, such as the Coronavirus Relief Fund. This should include developing and implementing policies and procedures that include a requirement that Department staff review and maintain records supporting the expenditures charged to the federal program. Response Department of Local Affairs Agree Implementation Date: September 2022 The Division of Housing within the Department of Local Affairs has implemented internal controls to ensure compliance with federal regulations for new federal funds, including the development of a standard procedure and the requirement that Department staff review and maintain records supporting the expenditures charged to new federal programs.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses were communicated to the Department in the previous year and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-059 Federal Funding Accountability and Transparency Act The Federal Funding Accountability and Transparency Act (Transparency Act or FFATA) was created to empower Americans with the ability to hold the government accountable for each spending decision and, as a result, to reduce wasteful spending by the government. The Transparency Act requires the federal government to make certain information on federal awards available to the public. The Department is required to report information about subgrants, or subawards, given to other governments or to nonprofit organizations, also referred to as subrecipients. Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the Department, to an entity to carry out part of a Federal grant award received by the pass-through entity. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? The Department is required to file FFATA reports through the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Once the Department submits a report to FSRS, the public can view certain information from the report, including the subrecipient?s name, subaward identification number, subaward obligation/action date, subaward amount, federal awarding agency and subagency, the Department?s name, and the Department?s grant award identification number. The Department?s required FFATA reports for Fiscal Year 2021 included information on the Low-Income Home Energy Assistance (LIHEAP), COVID-19 ? Low-Income Home Energy Assistance [ALN 93.568]; the Child Care and Development Fund (CCDF) Cluster, consisting of the Child Care and Development Block Grant [ALN 93.575], and Child Care Mandatory and Matching Funds of the Child Care and Development Fund [ALN 93.596]; and the Block Grant for Prevention and Treatment of Substance Abuse (Substance Abuse), COVID-19 ? Block Grant for Prevention and Treatment of Substance Abuse [ALN 93.959]. FFATA reporting was required for the Department because the Department passed through funds to one or more subrecipients for each of the three programs in excess of $30,000, as follows: LIHEAP funds to one subrecipient, CCDF funds to nine subrecipients, and Substance Abuse funds to seven subrecipients for Fiscal Year 2021. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to evaluate the Department?s internal controls over the FFATA reporting and to determine whether the Department correctly reported its subawards to the FSRS during Fiscal Year 2021. Based on our audit testwork, we reviewed the Department?s subawards and related federal expenditures in Fiscal Year 2021 to determine if there was FFATA reporting that was completed within the month following the month the subaward was made, as required. We compared amounts reported by the Department for subawards in FSRS to the underlying financial records reported in the Colorado Operations Resource Engine (CORE), the state?s accounting system, for the LIHEAP, CCDF, and Substance Abuse programs and inquired about any differences. In addition, we made inquiries of Department staff regarding its internal control processes over the FFATA reporting, including supervisory reviews. We reviewed the following number of subrecipient samples within each program for their internal control over compliance and compliance with FFATA reporting standards: LIHEAP had one sample, CCDF had five samples, and Substance Abuse had five samples. We reviewed the FFATA reports within FSRS for each subrecipient selected for testing to determine if the FFATA report was made in a timely manner in accordance with federal regulations and contained all of the required key data elements. How were the results of the audit work measured? In accordance with federal regulations [2 CFR 170], direct recipients of grants are required to report subawards of $30,000 or more to FSRS by the end of the month following the month in which the award was made. If the Department makes additional subawards greater than or equal to $30,000 under that same subaward at a later date or makes a supplemental award that increases an existing award to greater than or equal to $30,000, it must file additional FFATA reports to reflect the new or amended subaward. If the subaward does not change, no additional reporting is required. The FFATA reports are required to include the following key data elements: subrecipient name, subrecipient DUNS number, amount of subaward, subaward obligation/action date, date of report submission, subaward number, subaward project description, and subrecipient names and compensation of highly compensated officers. The Department?s program staff are responsible for understanding FFATA reporting requirements related to their programs, and providing key data elements for subrecipients at the point that funds are obligated. When program staff determine that the Department is making a subaward that requires FFATA reporting, program staff are required to report these key data elements in eClearance, an approval workflow and document depository system utilized by the Department in their purchasing process. Guidance for the FFATA reporting is included within the Department?s FFATA Quick Reference Guide that is made available to the program staff. Program staff enter the subaward information into eClearance via an online form called a Requisition eForm (eForm), which goes through an approval process and is then routed to the Department?s Purchasing and Contracts unit to process the purchase request that translates into an obligation of an award for subrecipients. Once the eForm is completed processing in eClearance, it is archived in the system and an automated query is run by the Department?s Business Technology Unit to export this data and it is automatically emailed to the Compliance Accounting team on a daily basis. Each day, the Department?s compliance accountant compiles the subaward data emailed to them that originated from eClearance into a daily report. At the end of the month, the compliance accountant combines the daily reports into a monthly summary and compares the monthly summary report to the daily reports to verify the summary report?s accuracy. The compliance accountant uses the information summarized within the monthly report to input the required FFATA information into FSRS, which ultimately is submitted as the required monthly FFATA report. What problems did the audit work identify? Based on our audit testwork, we determined that the Department did not report its subawards in FSRS for any of the three federal grant programs we tested for Fiscal Year 2021: the LIHEAP, CCDF, and Substance Abuse programs. In total, for the three programs, the Department failed to report subawards totaling $5.77 million (approximately $3.04 million for LIHEAP, approximately $861 thousand for CCDF, and approximately $1.87 million for Substance Abuse). The following tables summarize the results of our testing and groups each exception within the following categories: subaward not reported, report not timely, subaward amount incorrect, and subaward missing key elements. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Why did these problems occur? The Department does not have adequate internal controls over the FFATA reporting. Specifically, the Department has not validated the automated process to compile the data needed for the FFATA reports. In addition, the Department has not implemented a supervisory review process of the final FFATA report data that is used to submit the FFATA report via FSRS. We determined that automated reports generated did not include the full population of data needed to compile the FFATA reports. Based on test work, we found that program staff entered key data elements needed for FFATA reporting correctly into the eForm during the purchasing process, and that accounting staff used the data provided in the reports received to complete the FFATA reporting in FSRS. However, the data exported from eClearance and sent to accounting to compile the FFATA reports did not contain all of the population needed for reporting. Thus, accounting was using data that was not complete in the FFATA reporting to FSRS, but was unaware that the data was not complete. Further, when there was incomplete information in the data received, the compliance accountant failed to follow up with the various program staff to obtain the necessary information and input it into and submit it through FSRS. Why do these problems matter? By failing to properly report subawards to FSRS, the Department is out of compliance with federal reporting requirements and risks federal sanctions. In addition, information submitted via the FSRS is made publicly available at https://www.usaspending.gov/search; excluding the information could be misleading to the public and fails to meet the federal intent of transparency for federal program spending. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-059 The Department of Human Service (Department) should strengthen its internal controls over the Federal Funding Accountability and Transparency Act (Transparency Act or FFATA) reporting by: A. Correcting the automated reporting process from eClearance to ensure that data compiled for Transparency Act reporting contains all relevant data. B. Developing and implementing procedures to validate that data derived from eClearance reports and ultimately used to compile Transparency Act reporting is complete and accurate by reviewing the population from an alternate source, such as the Colorado Operations Resource Engine. C. Improving the Department?s supervisory review process to provide for a complete and thorough review of the final FFATA report data that the Department will report within the Federal Funding Accountability and Transparency Act Subaward Reporting System. This process should include taking steps to ensure the compliance accountant follows up with the program staff if the necessary information is not input into eClearance, so that it can be obtained and reported accurately and timely. Response Department of Human Services A. Agree Implementation Date: July 2022 CDHS agrees that it needs to it needs to correct the automated reporting process from the eClearance system used to gather data needed for our FFATA reporting. The department thought that the reports obtained from eClearance were complete and relied on them as the basis of our reporting. Upon investigation we found that an internal process change enacted during the implementation of another system at the start of the pandemic was the cause of the data discrepancy. This occurred because the new system made the routing in eClearance after a certain point unnecessary for internal processing so this stopped. It was unkown that this further routing to archive files in eClearance was the trigger for eClearance to push out FFATA report data. Since the department has been able to identify the cause we are able to immediately remedy the problem and ensure that all processes are in sync to ensure accurate and complete FFATA data is contained in automated reporting processes. The department will catch up on FFATA reporting that was missed during this time frame. B. Agree Implementation Date: July 2022 The department agrees that it needs to implement procedures to validate that data derived from automated processes used as a basis for FFATA reporting should be periodically validated against another data source. To do this the department will create and implement procedures to use CORE reports of encumbrance data referencing subrecipient object codes and tie this to information received from the automated eClearance report. Doing this will validate that the data provided from eClearance is a complete listing of all FFATA reportable subrecipient awards, and thus is a valid source to base FFATA reporting on. This will also help us monitor the process in case any future inadvertent changes are made to processes that could cause data validity issues. C. Agree Implementation Date: July 2022 CDHS agrees that a supervisory review is needed over the FFATA reporting process in order to ensure more consistency, accuracy and timeliness in reporting processes and standards. The department is currently developing procedures that will allow for more oversight of the FFATA reporting through supervisory reviews and cross training staff on FFATA reporting duties. Supervisory reviews will help ensure that reporting is completed in line with reporting procedures and timeframes and can be a second set of eyes to ensure that information appears accurate and adds analytical judgement value (example - a supervisor might see that July typically has high volume, but this July volume is low, why). In addition, the department is taking this opportunity to cross train other staff on the process so that more individuals can be involved which leads to more transparency over processes allowing various individuals to notice if something isn't working as designed. These new procedures are being developed and implemented as the department catches up on reporting subrecipient awards that were missed since the automated process stopped working.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses were communicated to the Department in the previous year and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-059 Federal Funding Accountability and Transparency Act The Federal Funding Accountability and Transparency Act (Transparency Act or FFATA) was created to empower Americans with the ability to hold the government accountable for each spending decision and, as a result, to reduce wasteful spending by the government. The Transparency Act requires the federal government to make certain information on federal awards available to the public. The Department is required to report information about subgrants, or subawards, given to other governments or to nonprofit organizations, also referred to as subrecipients. Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the Department, to an entity to carry out part of a Federal grant award received by the pass-through entity. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? The Department is required to file FFATA reports through the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Once the Department submits a report to FSRS, the public can view certain information from the report, including the subrecipient?s name, subaward identification number, subaward obligation/action date, subaward amount, federal awarding agency and subagency, the Department?s name, and the Department?s grant award identification number. The Department?s required FFATA reports for Fiscal Year 2021 included information on the Low-Income Home Energy Assistance (LIHEAP), COVID-19 ? Low-Income Home Energy Assistance [ALN 93.568]; the Child Care and Development Fund (CCDF) Cluster, consisting of the Child Care and Development Block Grant [ALN 93.575], and Child Care Mandatory and Matching Funds of the Child Care and Development Fund [ALN 93.596]; and the Block Grant for Prevention and Treatment of Substance Abuse (Substance Abuse), COVID-19 ? Block Grant for Prevention and Treatment of Substance Abuse [ALN 93.959]. FFATA reporting was required for the Department because the Department passed through funds to one or more subrecipients for each of the three programs in excess of $30,000, as follows: LIHEAP funds to one subrecipient, CCDF funds to nine subrecipients, and Substance Abuse funds to seven subrecipients for Fiscal Year 2021. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to evaluate the Department?s internal controls over the FFATA reporting and to determine whether the Department correctly reported its subawards to the FSRS during Fiscal Year 2021. Based on our audit testwork, we reviewed the Department?s subawards and related federal expenditures in Fiscal Year 2021 to determine if there was FFATA reporting that was completed within the month following the month the subaward was made, as required. We compared amounts reported by the Department for subawards in FSRS to the underlying financial records reported in the Colorado Operations Resource Engine (CORE), the state?s accounting system, for the LIHEAP, CCDF, and Substance Abuse programs and inquired about any differences. In addition, we made inquiries of Department staff regarding its internal control processes over the FFATA reporting, including supervisory reviews. We reviewed the following number of subrecipient samples within each program for their internal control over compliance and compliance with FFATA reporting standards: LIHEAP had one sample, CCDF had five samples, and Substance Abuse had five samples. We reviewed the FFATA reports within FSRS for each subrecipient selected for testing to determine if the FFATA report was made in a timely manner in accordance with federal regulations and contained all of the required key data elements. How were the results of the audit work measured? In accordance with federal regulations [2 CFR 170], direct recipients of grants are required to report subawards of $30,000 or more to FSRS by the end of the month following the month in which the award was made. If the Department makes additional subawards greater than or equal to $30,000 under that same subaward at a later date or makes a supplemental award that increases an existing award to greater than or equal to $30,000, it must file additional FFATA reports to reflect the new or amended subaward. If the subaward does not change, no additional reporting is required. The FFATA reports are required to include the following key data elements: subrecipient name, subrecipient DUNS number, amount of subaward, subaward obligation/action date, date of report submission, subaward number, subaward project description, and subrecipient names and compensation of highly compensated officers. The Department?s program staff are responsible for understanding FFATA reporting requirements related to their programs, and providing key data elements for subrecipients at the point that funds are obligated. When program staff determine that the Department is making a subaward that requires FFATA reporting, program staff are required to report these key data elements in eClearance, an approval workflow and document depository system utilized by the Department in their purchasing process. Guidance for the FFATA reporting is included within the Department?s FFATA Quick Reference Guide that is made available to the program staff. Program staff enter the subaward information into eClearance via an online form called a Requisition eForm (eForm), which goes through an approval process and is then routed to the Department?s Purchasing and Contracts unit to process the purchase request that translates into an obligation of an award for subrecipients. Once the eForm is completed processing in eClearance, it is archived in the system and an automated query is run by the Department?s Business Technology Unit to export this data and it is automatically emailed to the Compliance Accounting team on a daily basis. Each day, the Department?s compliance accountant compiles the subaward data emailed to them that originated from eClearance into a daily report. At the end of the month, the compliance accountant combines the daily reports into a monthly summary and compares the monthly summary report to the daily reports to verify the summary report?s accuracy. The compliance accountant uses the information summarized within the monthly report to input the required FFATA information into FSRS, which ultimately is submitted as the required monthly FFATA report. What problems did the audit work identify? Based on our audit testwork, we determined that the Department did not report its subawards in FSRS for any of the three federal grant programs we tested for Fiscal Year 2021: the LIHEAP, CCDF, and Substance Abuse programs. In total, for the three programs, the Department failed to report subawards totaling $5.77 million (approximately $3.04 million for LIHEAP, approximately $861 thousand for CCDF, and approximately $1.87 million for Substance Abuse). The following tables summarize the results of our testing and groups each exception within the following categories: subaward not reported, report not timely, subaward amount incorrect, and subaward missing key elements. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Why did these problems occur? The Department does not have adequate internal controls over the FFATA reporting. Specifically, the Department has not validated the automated process to compile the data needed for the FFATA reports. In addition, the Department has not implemented a supervisory review process of the final FFATA report data that is used to submit the FFATA report via FSRS. We determined that automated reports generated did not include the full population of data needed to compile the FFATA reports. Based on test work, we found that program staff entered key data elements needed for FFATA reporting correctly into the eForm during the purchasing process, and that accounting staff used the data provided in the reports received to complete the FFATA reporting in FSRS. However, the data exported from eClearance and sent to accounting to compile the FFATA reports did not contain all of the population needed for reporting. Thus, accounting was using data that was not complete in the FFATA reporting to FSRS, but was unaware that the data was not complete. Further, when there was incomplete information in the data received, the compliance accountant failed to follow up with the various program staff to obtain the necessary information and input it into and submit it through FSRS. Why do these problems matter? By failing to properly report subawards to FSRS, the Department is out of compliance with federal reporting requirements and risks federal sanctions. In addition, information submitted via the FSRS is made publicly available at https://www.usaspending.gov/search; excluding the information could be misleading to the public and fails to meet the federal intent of transparency for federal program spending. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-059 The Department of Human Service (Department) should strengthen its internal controls over the Federal Funding Accountability and Transparency Act (Transparency Act or FFATA) reporting by: A. Correcting the automated reporting process from eClearance to ensure that data compiled for Transparency Act reporting contains all relevant data. B. Developing and implementing procedures to validate that data derived from eClearance reports and ultimately used to compile Transparency Act reporting is complete and accurate by reviewing the population from an alternate source, such as the Colorado Operations Resource Engine. C. Improving the Department?s supervisory review process to provide for a complete and thorough review of the final FFATA report data that the Department will report within the Federal Funding Accountability and Transparency Act Subaward Reporting System. This process should include taking steps to ensure the compliance accountant follows up with the program staff if the necessary information is not input into eClearance, so that it can be obtained and reported accurately and timely. Response Department of Human Services A. Agree Implementation Date: July 2022 CDHS agrees that it needs to it needs to correct the automated reporting process from the eClearance system used to gather data needed for our FFATA reporting. The department thought that the reports obtained from eClearance were complete and relied on them as the basis of our reporting. Upon investigation we found that an internal process change enacted during the implementation of another system at the start of the pandemic was the cause of the data discrepancy. This occurred because the new system made the routing in eClearance after a certain point unnecessary for internal processing so this stopped. It was unkown that this further routing to archive files in eClearance was the trigger for eClearance to push out FFATA report data. Since the department has been able to identify the cause we are able to immediately remedy the problem and ensure that all processes are in sync to ensure accurate and complete FFATA data is contained in automated reporting processes. The department will catch up on FFATA reporting that was missed during this time frame. B. Agree Implementation Date: July 2022 The department agrees that it needs to implement procedures to validate that data derived from automated processes used as a basis for FFATA reporting should be periodically validated against another data source. To do this the department will create and implement procedures to use CORE reports of encumbrance data referencing subrecipient object codes and tie this to information received from the automated eClearance report. Doing this will validate that the data provided from eClearance is a complete listing of all FFATA reportable subrecipient awards, and thus is a valid source to base FFATA reporting on. This will also help us monitor the process in case any future inadvertent changes are made to processes that could cause data validity issues. C. Agree Implementation Date: July 2022 CDHS agrees that a supervisory review is needed over the FFATA reporting process in order to ensure more consistency, accuracy and timeliness in reporting processes and standards. The department is currently developing procedures that will allow for more oversight of the FFATA reporting through supervisory reviews and cross training staff on FFATA reporting duties. Supervisory reviews will help ensure that reporting is completed in line with reporting procedures and timeframes and can be a second set of eyes to ensure that information appears accurate and adds analytical judgement value (example - a supervisor might see that July typically has high volume, but this July volume is low, why). In addition, the department is taking this opportunity to cross train other staff on the process so that more individuals can be involved which leads to more transparency over processes allowing various individuals to notice if something isn't working as designed. These new procedures are being developed and implemented as the department catches up on reporting subrecipient awards that were missed since the automated process stopped working.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses were communicated to the Department in the previous year and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-059 Federal Funding Accountability and Transparency Act The Federal Funding Accountability and Transparency Act (Transparency Act or FFATA) was created to empower Americans with the ability to hold the government accountable for each spending decision and, as a result, to reduce wasteful spending by the government. The Transparency Act requires the federal government to make certain information on federal awards available to the public. The Department is required to report information about subgrants, or subawards, given to other governments or to nonprofit organizations, also referred to as subrecipients. Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the Department, to an entity to carry out part of a Federal grant award received by the pass-through entity. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? The Department is required to file FFATA reports through the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Once the Department submits a report to FSRS, the public can view certain information from the report, including the subrecipient?s name, subaward identification number, subaward obligation/action date, subaward amount, federal awarding agency and subagency, the Department?s name, and the Department?s grant award identification number. The Department?s required FFATA reports for Fiscal Year 2021 included information on the Low-Income Home Energy Assistance (LIHEAP), COVID-19 ? Low-Income Home Energy Assistance [ALN 93.568]; the Child Care and Development Fund (CCDF) Cluster, consisting of the Child Care and Development Block Grant [ALN 93.575], and Child Care Mandatory and Matching Funds of the Child Care and Development Fund [ALN 93.596]; and the Block Grant for Prevention and Treatment of Substance Abuse (Substance Abuse), COVID-19 ? Block Grant for Prevention and Treatment of Substance Abuse [ALN 93.959]. FFATA reporting was required for the Department because the Department passed through funds to one or more subrecipients for each of the three programs in excess of $30,000, as follows: LIHEAP funds to one subrecipient, CCDF funds to nine subrecipients, and Substance Abuse funds to seven subrecipients for Fiscal Year 2021. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to evaluate the Department?s internal controls over the FFATA reporting and to determine whether the Department correctly reported its subawards to the FSRS during Fiscal Year 2021. Based on our audit testwork, we reviewed the Department?s subawards and related federal expenditures in Fiscal Year 2021 to determine if there was FFATA reporting that was completed within the month following the month the subaward was made, as required. We compared amounts reported by the Department for subawards in FSRS to the underlying financial records reported in the Colorado Operations Resource Engine (CORE), the state?s accounting system, for the LIHEAP, CCDF, and Substance Abuse programs and inquired about any differences. In addition, we made inquiries of Department staff regarding its internal control processes over the FFATA reporting, including supervisory reviews. We reviewed the following number of subrecipient samples within each program for their internal control over compliance and compliance with FFATA reporting standards: LIHEAP had one sample, CCDF had five samples, and Substance Abuse had five samples. We reviewed the FFATA reports within FSRS for each subrecipient selected for testing to determine if the FFATA report was made in a timely manner in accordance with federal regulations and contained all of the required key data elements. How were the results of the audit work measured? In accordance with federal regulations [2 CFR 170], direct recipients of grants are required to report subawards of $30,000 or more to FSRS by the end of the month following the month in which the award was made. If the Department makes additional subawards greater than or equal to $30,000 under that same subaward at a later date or makes a supplemental award that increases an existing award to greater than or equal to $30,000, it must file additional FFATA reports to reflect the new or amended subaward. If the subaward does not change, no additional reporting is required. The FFATA reports are required to include the following key data elements: subrecipient name, subrecipient DUNS number, amount of subaward, subaward obligation/action date, date of report submission, subaward number, subaward project description, and subrecipient names and compensation of highly compensated officers. The Department?s program staff are responsible for understanding FFATA reporting requirements related to their programs, and providing key data elements for subrecipients at the point that funds are obligated. When program staff determine that the Department is making a subaward that requires FFATA reporting, program staff are required to report these key data elements in eClearance, an approval workflow and document depository system utilized by the Department in their purchasing process. Guidance for the FFATA reporting is included within the Department?s FFATA Quick Reference Guide that is made available to the program staff. Program staff enter the subaward information into eClearance via an online form called a Requisition eForm (eForm), which goes through an approval process and is then routed to the Department?s Purchasing and Contracts unit to process the purchase request that translates into an obligation of an award for subrecipients. Once the eForm is completed processing in eClearance, it is archived in the system and an automated query is run by the Department?s Business Technology Unit to export this data and it is automatically emailed to the Compliance Accounting team on a daily basis. Each day, the Department?s compliance accountant compiles the subaward data emailed to them that originated from eClearance into a daily report. At the end of the month, the compliance accountant combines the daily reports into a monthly summary and compares the monthly summary report to the daily reports to verify the summary report?s accuracy. The compliance accountant uses the information summarized within the monthly report to input the required FFATA information into FSRS, which ultimately is submitted as the required monthly FFATA report. What problems did the audit work identify? Based on our audit testwork, we determined that the Department did not report its subawards in FSRS for any of the three federal grant programs we tested for Fiscal Year 2021: the LIHEAP, CCDF, and Substance Abuse programs. In total, for the three programs, the Department failed to report subawards totaling $5.77 million (approximately $3.04 million for LIHEAP, approximately $861 thousand for CCDF, and approximately $1.87 million for Substance Abuse). The following tables summarize the results of our testing and groups each exception within the following categories: subaward not reported, report not timely, subaward amount incorrect, and subaward missing key elements. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Why did these problems occur? The Department does not have adequate internal controls over the FFATA reporting. Specifically, the Department has not validated the automated process to compile the data needed for the FFATA reports. In addition, the Department has not implemented a supervisory review process of the final FFATA report data that is used to submit the FFATA report via FSRS. We determined that automated reports generated did not include the full population of data needed to compile the FFATA reports. Based on test work, we found that program staff entered key data elements needed for FFATA reporting correctly into the eForm during the purchasing process, and that accounting staff used the data provided in the reports received to complete the FFATA reporting in FSRS. However, the data exported from eClearance and sent to accounting to compile the FFATA reports did not contain all of the population needed for reporting. Thus, accounting was using data that was not complete in the FFATA reporting to FSRS, but was unaware that the data was not complete. Further, when there was incomplete information in the data received, the compliance accountant failed to follow up with the various program staff to obtain the necessary information and input it into and submit it through FSRS. Why do these problems matter? By failing to properly report subawards to FSRS, the Department is out of compliance with federal reporting requirements and risks federal sanctions. In addition, information submitted via the FSRS is made publicly available at https://www.usaspending.gov/search; excluding the information could be misleading to the public and fails to meet the federal intent of transparency for federal program spending. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-059 The Department of Human Service (Department) should strengthen its internal controls over the Federal Funding Accountability and Transparency Act (Transparency Act or FFATA) reporting by: A. Correcting the automated reporting process from eClearance to ensure that data compiled for Transparency Act reporting contains all relevant data. B. Developing and implementing procedures to validate that data derived from eClearance reports and ultimately used to compile Transparency Act reporting is complete and accurate by reviewing the population from an alternate source, such as the Colorado Operations Resource Engine. C. Improving the Department?s supervisory review process to provide for a complete and thorough review of the final FFATA report data that the Department will report within the Federal Funding Accountability and Transparency Act Subaward Reporting System. This process should include taking steps to ensure the compliance accountant follows up with the program staff if the necessary information is not input into eClearance, so that it can be obtained and reported accurately and timely. Response Department of Human Services A. Agree Implementation Date: July 2022 CDHS agrees that it needs to it needs to correct the automated reporting process from the eClearance system used to gather data needed for our FFATA reporting. The department thought that the reports obtained from eClearance were complete and relied on them as the basis of our reporting. Upon investigation we found that an internal process change enacted during the implementation of another system at the start of the pandemic was the cause of the data discrepancy. This occurred because the new system made the routing in eClearance after a certain point unnecessary for internal processing so this stopped. It was unkown that this further routing to archive files in eClearance was the trigger for eClearance to push out FFATA report data. Since the department has been able to identify the cause we are able to immediately remedy the problem and ensure that all processes are in sync to ensure accurate and complete FFATA data is contained in automated reporting processes. The department will catch up on FFATA reporting that was missed during this time frame. B. Agree Implementation Date: July 2022 The department agrees that it needs to implement procedures to validate that data derived from automated processes used as a basis for FFATA reporting should be periodically validated against another data source. To do this the department will create and implement procedures to use CORE reports of encumbrance data referencing subrecipient object codes and tie this to information received from the automated eClearance report. Doing this will validate that the data provided from eClearance is a complete listing of all FFATA reportable subrecipient awards, and thus is a valid source to base FFATA reporting on. This will also help us monitor the process in case any future inadvertent changes are made to processes that could cause data validity issues. C. Agree Implementation Date: July 2022 CDHS agrees that a supervisory review is needed over the FFATA reporting process in order to ensure more consistency, accuracy and timeliness in reporting processes and standards. The department is currently developing procedures that will allow for more oversight of the FFATA reporting through supervisory reviews and cross training staff on FFATA reporting duties. Supervisory reviews will help ensure that reporting is completed in line with reporting procedures and timeframes and can be a second set of eyes to ensure that information appears accurate and adds analytical judgement value (example - a supervisor might see that July typically has high volume, but this July volume is low, why). In addition, the department is taking this opportunity to cross train other staff on the process so that more individuals can be involved which leads to more transparency over processes allowing various individuals to notice if something isn't working as designed. These new procedures are being developed and implemented as the department catches up on reporting subrecipient awards that were missed since the automated process stopped working.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses were communicated to the Department in the previous year and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-060 Misreporting of Federal Expenditures for the COVID-19 ?Pandemic EBT Food Benefits and Child Care and Development Block Grant on the Exhibit K1 Each year, the Department is required to prepare an exhibit containing the Department?s federal expenditures and related reimbursements to aid the Colorado Office of the State Controller (OSC) in the preparation of the State?s Schedule of Expenditures of Federal Awards (SEFA); this exhibit is referred to as the Exhibit K1, Schedule of Federal Assistance. The Exhibit K1 should include expenditures for grants received directly from the federal government and expended by the Department (direct expenditures), as well as expenditures for federal grants passed through by the Department to other State and/or non-State agencies (subrecipient expenditures). The SEFA is to be presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance) to show the State?s expenditures of federal awards during the fiscal year. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Annually, the Department prepares its Exhibit K1 by following a process documented in its program accounting manual. First, program accountants review and analyze information from CORE for the federal Assistance Listing Number (ALN)?s related to the programs they support. The program accountants complete this review using a CORE report that the Department created, pulling transaction detail level data by ALN. Once the reviews and analysis are complete, the program accountants enter the information on the Department?s Exhibit K1 template for the correlating ALN. After the exhibit is prepared, the Department?s program accounting manual requires that it goes through two levels of review for accuracy. Once these reviews are completed, the Department submits the final Exhibit K1 to the OSC. The Department is also separately required within its approved State Plan for the COVID-19 ? Pandemic EBT Food Benefits program [ALN 10.542] (P-EBT) to report its P-EBT federal expenditures to the U.S. Department of Agriculture (USDA) via the Report of Disaster Food Stamp Benefit Issuance (FNS-292-B). The Department is also required to support the financial expenditures reported on the FNS-292-B report with source data and files, which includes a P-EBT Summary report that is exported from the Colorado Benefits Management System (CBMS) and includes the number of eligible children, number of eligible households, and total amount paid in P-EBT benefits. The P-EBT summary report is then reconciled by the Department to the County Financial Management System (CFMS), where the counties? issuance of P-EBT program benefits is accumulated and reported. For Fiscal Year 2021, the Department administered more than 70 federal programs and expended approximately $2.4 billion in federal funds. The P-EBT program and Child Care and Development Block Grant (Grant) [ALN 93.575] were two of these federal programs administered by the Department during Fiscal Year 2021. The Department reported more than $292 million in federal expenditures for the P-EBT program and approximately $74 million in federal expenditures for the Grant in Fiscal Year 2021. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to evaluate the Department?s internal controls over the preparation of its Exhibit K1 during Fiscal Year 2021 and to determine whether the Department correctly reported its Fiscal Year 2021 federal grant expenditures to the OSC on its Exhibit K1. The purpose of our audit work was also to evaluate the Department?s internal controls over the financial reporting to the USDA regarding the P-EBT program. As part of our audit testwork, we compared amounts reported by the Department for direct and subrecipient federal expenditures on its Fiscal Year 2021 Exhibit K1 to the underlying financial records in CORE for the Grant and P-EBT federal programs and inquired about any differences. In addition, we made inquiries of Department staff regarding its internal control processes over the Exhibit K1 preparation, including supervisory reviews. We also reviewed 4 out of 12 Fiscal Year 2021 monthly submissions to the USDA for the FNS-292-B reports and compared federal expenditure amounts reported by the Department to the underlying financial records in CORE. How were the results of the audit work measured? The OSC is required to present the State?s SEFA in accordance with the federal requirements of the Uniform Guidance to show the State?s expenditures of federal awards during the fiscal year. Federal regulations [2 CFR 200.38(b)] define a federal award as, ?The instrument setting forth the terms and conditions. The instrument is the grant agreement, cooperative agreement, other agreement for assistance?? Federal regulations [2 CFR 200.510(b)(3) and (4)] require that the SEFA must show both total federal awards expended for each individual federal program, the Assistance Listing Number, and the total amount passed through to subrecipients for each federal program. In order to prepare the SEFA, the OSC requires state departments to submit an Exhibit K1 to report expenditures, receipts, and receivables for each federal grant program administered by the Department during the fiscal year. The OSC?s exhibit instructions include guidelines for completing the Exhibit K1, including defining ?direct and indirect expenditures? as ?all monetary and non-monetary direct and indirect Federal award expenditures,? and ?pass-through expenditures? as ?the amount of all monetary and non-monetary Federal award amounts passed through to a subrecipient.? For the Department?s Grant federal program, subrecipients consist of counties, school districts, and health centers. State Fiscal Rule 1-2, Internal Controls, requires that state departments ?implement internal accounting and administrative controls that reasonably ensure that financial transactions are accurate, reliable, conform to state fiscal rules, and reflect the underlying realities of the accounting transaction (substance rather than form).? Federal regulations [7 CFR 274.4] require the Department to submit an FNS-292-B report in the format prescribed by the USDA with information detailing the P-EBT federal benefit payments. The Department is required to support the information in the report with its underlying records. The FNS-292-B report is identified as a required report within the Department?s State Plan that is approved by the USDA. What problems did the audit work identify? The Department overstated $63.5 million in P-EBT expenditures on its June 2021 FNS-292-B report to USDA that was submitted on August 30, 2021, as well as on the Department?s Exhibit K1 for Fiscal Year 2021. The Department subsequently identified that the FNS-292-B report was misstated and updated and resubmitted the report on September 28, 2021, approximately one month later. The Department, however, did not update its Exhibit K1 for Fiscal Year 2021 to correct the error, because the program staff did not notify the accounting team of the misstatement and need for Exhibit K1 correction. Based on our audit testwork, we also determined that the Department misreported $8.7 million in the Grant?s expenditures as subrecipient, rather than direct, expenditures on its Exhibit K1. Why did these problems occur? The P-EBT program staff did not notify the Department?s accounting team, who prepares the Exhibit K1, of a revision to the FNS-292-B report. The P-EBT program staff prepared the reconciliation of the CBMS summary report to the CFMS P-EBT benefits issued report and identified a variance. The variance was eventually resolved and the P-EBT program staff resubmitted the FNS-292-B report to the USDA; however P-EBT program staff did not communicate this error to the Department?s accounting team. As a result, the accounting team was unaware of the revision and, therefore, did not update the Exhibit K1 to reflect the reduction in federal expenditures. Overall, the Department did not have adequate internal controls, such as an appropriate supervisory review process or adequate communication plan, in place for Fiscal Year 2021 to ensure that the FNS-292-B report was prepared accurately, that the Exhibit K1 was completed in accordance with the instructions provided by the OSC, and that the FNS-292-B and Exhibit K1 were reviewed for accuracy and compared to the underlying data. For the Grant program error, Department staff indicated that these funds were incorrectly identified and coded as subrecipient expenditures in CORE, which caused them to be incorrectly reported as such on the Exhibit K1. When the expenditures were initially posted in CORE, they were not adequately reviewed to determine if they were subrecipient or direct expenditures. Why do these problems matter? By failing to properly report grant expenditures to the federal government and the OSC, who ultimately then fails to properly report expenditures to the federal government on the State?s SEFA, the Department is out of compliance with federal and state reporting requirements and risks federal sanctions. In addition, because the error resulted in the Department misstating its federal expenditure results for the fiscal year, federal staff and taxpayers have an incorrect or unreliable picture of the P-EBT grant?s overall status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-060 The Department of Human Services (Department) should strengthen its internal controls over the preparation of federal reports and the Exhibit K1, Schedule of Federal Assistance, by: A. Strengthening its internal controls over its monthly Pandemic Electronic Benefit Transfer Food Benefits (P-EBT) reporting to ensure its reporting is accurate and goes through supervisory review. B. Improving communication between program and accounting staff to ensure the Exhibit K1 is accurately updated when errors in federal reporting are identified and resolved. C. Improving the supervisory review process over the Exhibit K1 and the federal expenditures entered in the Colorado Operations Resource Engine (CORE), the state?s accounting system, to ensure expenditures are coded correctly as direct or subrecipient expenditures and that, ultimately, the Exhibit K1 is accurate and complete. Response Department of Human Services A. Agree Implementation Date: July 2022 CDHS agrees to enhance internal controls over monthly P-EBT reporting to better ensure accuracy. P-EBT is a new program derived from pandemic funding. Being a new program with a lack of federal guidance at implementation, and urgency to get the funds disbursed program staff had to learn about the nuances of the program and the reporting requirements as it was being implemented. During implementation we recognized that there are some inherent differences with P-EBT from other benefit programs which caused processes to have to be adjusted slightly. Additionally, timing of federal report filing for the P-EBT program is not in synch with our other processes and associated federal reporting requirements and deadlines. This makes it impossible to ensure reconciliation procedures are performed before filing occurs, which is one of our typical internal controls. As a compensating internal control CDHS will ensure that supervisory review processes are performed over P-EBT reporting, and that P-EBT reporting is reconciled to other sources (CBMS and CFMS) as soon as possible after reporting is available. If changes are discovered CDHS will make adjustments to filed P-EBT reports as needed based on reconciliation findings, and communicate changes to necessary parties. B. Agree Implementation Date: July 2022 CDHS will work to ensure better coordination between program activities and the accounting section relating to federal reporting changes. Accounting will iterate the importance of timely informing the accounting staff when changes are made to program filed federal reports. This message will be delivered in periodic fiscal meetings and identified on the closing calendar. The P-EBT program will ensure that corrections are communicated to accounting on any updates completed on the FNS-292-B report upon discovery, and no later than 30 days after the reporting period. C. Agree Implementation Date: July 2022 CDHS will ensure that review and approval processes are occurring as designed at various points in the process leading up to entry into CORE. As part of the Requisition (RQS) approval process program and accounting staff independently approve that the correct direct or subrecipient object code is used. These approved RQS transactions are then transitioned into encumbrance documents that drive which object code future expenditures will be booked to. For CCDF transactions related to this finding, both the OEC and Accounting teams inadvertently approved an incorrect object code in 4 RQS's. Staffing shortages coupled with a large increase in workload related to pandemic funding contributed to this oversight. To correct OEC and Accounting will train new staff, periodically familiarize themselves with the appropriate object codes, and perform quality assurance review over object codes before applying approval in CORE. The K1 is compiled from balances derived from expenditure data recorded in CORE. The compilation of the K1 relies on the fact that expenditure balances are accurate, and that prior reviews and approvals of individual transactions have occurred as designed. The K1 currently goes through various levels of review focusing on balance level validation coupled with analytical procedures. To enhance the review process, CDHS will ensure analytical procedures include line level expenditure comparison at the direct and subrecipient levels.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses were communicated to the Department in the previous year and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-059 Federal Funding Accountability and Transparency Act The Federal Funding Accountability and Transparency Act (Transparency Act or FFATA) was created to empower Americans with the ability to hold the government accountable for each spending decision and, as a result, to reduce wasteful spending by the government. The Transparency Act requires the federal government to make certain information on federal awards available to the public. The Department is required to report information about subgrants, or subawards, given to other governments or to nonprofit organizations, also referred to as subrecipients. Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the Department, to an entity to carry out part of a Federal grant award received by the pass-through entity. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? The Department is required to file FFATA reports through the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Once the Department submits a report to FSRS, the public can view certain information from the report, including the subrecipient?s name, subaward identification number, subaward obligation/action date, subaward amount, federal awarding agency and subagency, the Department?s name, and the Department?s grant award identification number. The Department?s required FFATA reports for Fiscal Year 2021 included information on the Low-Income Home Energy Assistance (LIHEAP), COVID-19 ? Low-Income Home Energy Assistance [ALN 93.568]; the Child Care and Development Fund (CCDF) Cluster, consisting of the Child Care and Development Block Grant [ALN 93.575], and Child Care Mandatory and Matching Funds of the Child Care and Development Fund [ALN 93.596]; and the Block Grant for Prevention and Treatment of Substance Abuse (Substance Abuse), COVID-19 ? Block Grant for Prevention and Treatment of Substance Abuse [ALN 93.959]. FFATA reporting was required for the Department because the Department passed through funds to one or more subrecipients for each of the three programs in excess of $30,000, as follows: LIHEAP funds to one subrecipient, CCDF funds to nine subrecipients, and Substance Abuse funds to seven subrecipients for Fiscal Year 2021. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to evaluate the Department?s internal controls over the FFATA reporting and to determine whether the Department correctly reported its subawards to the FSRS during Fiscal Year 2021. Based on our audit testwork, we reviewed the Department?s subawards and related federal expenditures in Fiscal Year 2021 to determine if there was FFATA reporting that was completed within the month following the month the subaward was made, as required. We compared amounts reported by the Department for subawards in FSRS to the underlying financial records reported in the Colorado Operations Resource Engine (CORE), the state?s accounting system, for the LIHEAP, CCDF, and Substance Abuse programs and inquired about any differences. In addition, we made inquiries of Department staff regarding its internal control processes over the FFATA reporting, including supervisory reviews. We reviewed the following number of subrecipient samples within each program for their internal control over compliance and compliance with FFATA reporting standards: LIHEAP had one sample, CCDF had five samples, and Substance Abuse had five samples. We reviewed the FFATA reports within FSRS for each subrecipient selected for testing to determine if the FFATA report was made in a timely manner in accordance with federal regulations and contained all of the required key data elements. How were the results of the audit work measured? In accordance with federal regulations [2 CFR 170], direct recipients of grants are required to report subawards of $30,000 or more to FSRS by the end of the month following the month in which the award was made. If the Department makes additional subawards greater than or equal to $30,000 under that same subaward at a later date or makes a supplemental award that increases an existing award to greater than or equal to $30,000, it must file additional FFATA reports to reflect the new or amended subaward. If the subaward does not change, no additional reporting is required. The FFATA reports are required to include the following key data elements: subrecipient name, subrecipient DUNS number, amount of subaward, subaward obligation/action date, date of report submission, subaward number, subaward project description, and subrecipient names and compensation of highly compensated officers. The Department?s program staff are responsible for understanding FFATA reporting requirements related to their programs, and providing key data elements for subrecipients at the point that funds are obligated. When program staff determine that the Department is making a subaward that requires FFATA reporting, program staff are required to report these key data elements in eClearance, an approval workflow and document depository system utilized by the Department in their purchasing process. Guidance for the FFATA reporting is included within the Department?s FFATA Quick Reference Guide that is made available to the program staff. Program staff enter the subaward information into eClearance via an online form called a Requisition eForm (eForm), which goes through an approval process and is then routed to the Department?s Purchasing and Contracts unit to process the purchase request that translates into an obligation of an award for subrecipients. Once the eForm is completed processing in eClearance, it is archived in the system and an automated query is run by the Department?s Business Technology Unit to export this data and it is automatically emailed to the Compliance Accounting team on a daily basis. Each day, the Department?s compliance accountant compiles the subaward data emailed to them that originated from eClearance into a daily report. At the end of the month, the compliance accountant combines the daily reports into a monthly summary and compares the monthly summary report to the daily reports to verify the summary report?s accuracy. The compliance accountant uses the information summarized within the monthly report to input the required FFATA information into FSRS, which ultimately is submitted as the required monthly FFATA report. What problems did the audit work identify? Based on our audit testwork, we determined that the Department did not report its subawards in FSRS for any of the three federal grant programs we tested for Fiscal Year 2021: the LIHEAP, CCDF, and Substance Abuse programs. In total, for the three programs, the Department failed to report subawards totaling $5.77 million (approximately $3.04 million for LIHEAP, approximately $861 thousand for CCDF, and approximately $1.87 million for Substance Abuse). The following tables summarize the results of our testing and groups each exception within the following categories: subaward not reported, report not timely, subaward amount incorrect, and subaward missing key elements. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Why did these problems occur? The Department does not have adequate internal controls over the FFATA reporting. Specifically, the Department has not validated the automated process to compile the data needed for the FFATA reports. In addition, the Department has not implemented a supervisory review process of the final FFATA report data that is used to submit the FFATA report via FSRS. We determined that automated reports generated did not include the full population of data needed to compile the FFATA reports. Based on test work, we found that program staff entered key data elements needed for FFATA reporting correctly into the eForm during the purchasing process, and that accounting staff used the data provided in the reports received to complete the FFATA reporting in FSRS. However, the data exported from eClearance and sent to accounting to compile the FFATA reports did not contain all of the population needed for reporting. Thus, accounting was using data that was not complete in the FFATA reporting to FSRS, but was unaware that the data was not complete. Further, when there was incomplete information in the data received, the compliance accountant failed to follow up with the various program staff to obtain the necessary information and input it into and submit it through FSRS. Why do these problems matter? By failing to properly report subawards to FSRS, the Department is out of compliance with federal reporting requirements and risks federal sanctions. In addition, information submitted via the FSRS is made publicly available at https://www.usaspending.gov/search; excluding the information could be misleading to the public and fails to meet the federal intent of transparency for federal program spending. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-059 The Department of Human Service (Department) should strengthen its internal controls over the Federal Funding Accountability and Transparency Act (Transparency Act or FFATA) reporting by: A. Correcting the automated reporting process from eClearance to ensure that data compiled for Transparency Act reporting contains all relevant data. B. Developing and implementing procedures to validate that data derived from eClearance reports and ultimately used to compile Transparency Act reporting is complete and accurate by reviewing the population from an alternate source, such as the Colorado Operations Resource Engine. C. Improving the Department?s supervisory review process to provide for a complete and thorough review of the final FFATA report data that the Department will report within the Federal Funding Accountability and Transparency Act Subaward Reporting System. This process should include taking steps to ensure the compliance accountant follows up with the program staff if the necessary information is not input into eClearance, so that it can be obtained and reported accurately and timely. Response Department of Human Services A. Agree Implementation Date: July 2022 CDHS agrees that it needs to it needs to correct the automated reporting process from the eClearance system used to gather data needed for our FFATA reporting. The department thought that the reports obtained from eClearance were complete and relied on them as the basis of our reporting. Upon investigation we found that an internal process change enacted during the implementation of another system at the start of the pandemic was the cause of the data discrepancy. This occurred because the new system made the routing in eClearance after a certain point unnecessary for internal processing so this stopped. It was unkown that this further routing to archive files in eClearance was the trigger for eClearance to push out FFATA report data. Since the department has been able to identify the cause we are able to immediately remedy the problem and ensure that all processes are in sync to ensure accurate and complete FFATA data is contained in automated reporting processes. The department will catch up on FFATA reporting that was missed during this time frame. B. Agree Implementation Date: July 2022 The department agrees that it needs to implement procedures to validate that data derived from automated processes used as a basis for FFATA reporting should be periodically validated against another data source. To do this the department will create and implement procedures to use CORE reports of encumbrance data referencing subrecipient object codes and tie this to information received from the automated eClearance report. Doing this will validate that the data provided from eClearance is a complete listing of all FFATA reportable subrecipient awards, and thus is a valid source to base FFATA reporting on. This will also help us monitor the process in case any future inadvertent changes are made to processes that could cause data validity issues. C. Agree Implementation Date: July 2022 CDHS agrees that a supervisory review is needed over the FFATA reporting process in order to ensure more consistency, accuracy and timeliness in reporting processes and standards. The department is currently developing procedures that will allow for more oversight of the FFATA reporting through supervisory reviews and cross training staff on FFATA reporting duties. Supervisory reviews will help ensure that reporting is completed in line with reporting procedures and timeframes and can be a second set of eyes to ensure that information appears accurate and adds analytical judgement value (example - a supervisor might see that July typically has high volume, but this July volume is low, why). In addition, the department is taking this opportunity to cross train other staff on the process so that more individuals can be involved which leads to more transparency over processes allowing various individuals to notice if something isn't working as designed. These new procedures are being developed and implemented as the department catches up on reporting subrecipient awards that were missed since the automated process stopped working.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses were communicated to the Department in the previous year and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-060 Misreporting of Federal Expenditures for the COVID-19 ?Pandemic EBT Food Benefits and Child Care and Development Block Grant on the Exhibit K1 Each year, the Department is required to prepare an exhibit containing the Department?s federal expenditures and related reimbursements to aid the Colorado Office of the State Controller (OSC) in the preparation of the State?s Schedule of Expenditures of Federal Awards (SEFA); this exhibit is referred to as the Exhibit K1, Schedule of Federal Assistance. The Exhibit K1 should include expenditures for grants received directly from the federal government and expended by the Department (direct expenditures), as well as expenditures for federal grants passed through by the Department to other State and/or non-State agencies (subrecipient expenditures). The SEFA is to be presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance) to show the State?s expenditures of federal awards during the fiscal year. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Annually, the Department prepares its Exhibit K1 by following a process documented in its program accounting manual. First, program accountants review and analyze information from CORE for the federal Assistance Listing Number (ALN)?s related to the programs they support. The program accountants complete this review using a CORE report that the Department created, pulling transaction detail level data by ALN. Once the reviews and analysis are complete, the program accountants enter the information on the Department?s Exhibit K1 template for the correlating ALN. After the exhibit is prepared, the Department?s program accounting manual requires that it goes through two levels of review for accuracy. Once these reviews are completed, the Department submits the final Exhibit K1 to the OSC. The Department is also separately required within its approved State Plan for the COVID-19 ? Pandemic EBT Food Benefits program [ALN 10.542] (P-EBT) to report its P-EBT federal expenditures to the U.S. Department of Agriculture (USDA) via the Report of Disaster Food Stamp Benefit Issuance (FNS-292-B). The Department is also required to support the financial expenditures reported on the FNS-292-B report with source data and files, which includes a P-EBT Summary report that is exported from the Colorado Benefits Management System (CBMS) and includes the number of eligible children, number of eligible households, and total amount paid in P-EBT benefits. The P-EBT summary report is then reconciled by the Department to the County Financial Management System (CFMS), where the counties? issuance of P-EBT program benefits is accumulated and reported. For Fiscal Year 2021, the Department administered more than 70 federal programs and expended approximately $2.4 billion in federal funds. The P-EBT program and Child Care and Development Block Grant (Grant) [ALN 93.575] were two of these federal programs administered by the Department during Fiscal Year 2021. The Department reported more than $292 million in federal expenditures for the P-EBT program and approximately $74 million in federal expenditures for the Grant in Fiscal Year 2021. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to evaluate the Department?s internal controls over the preparation of its Exhibit K1 during Fiscal Year 2021 and to determine whether the Department correctly reported its Fiscal Year 2021 federal grant expenditures to the OSC on its Exhibit K1. The purpose of our audit work was also to evaluate the Department?s internal controls over the financial reporting to the USDA regarding the P-EBT program. As part of our audit testwork, we compared amounts reported by the Department for direct and subrecipient federal expenditures on its Fiscal Year 2021 Exhibit K1 to the underlying financial records in CORE for the Grant and P-EBT federal programs and inquired about any differences. In addition, we made inquiries of Department staff regarding its internal control processes over the Exhibit K1 preparation, including supervisory reviews. We also reviewed 4 out of 12 Fiscal Year 2021 monthly submissions to the USDA for the FNS-292-B reports and compared federal expenditure amounts reported by the Department to the underlying financial records in CORE. How were the results of the audit work measured? The OSC is required to present the State?s SEFA in accordance with the federal requirements of the Uniform Guidance to show the State?s expenditures of federal awards during the fiscal year. Federal regulations [2 CFR 200.38(b)] define a federal award as, ?The instrument setting forth the terms and conditions. The instrument is the grant agreement, cooperative agreement, other agreement for assistance?? Federal regulations [2 CFR 200.510(b)(3) and (4)] require that the SEFA must show both total federal awards expended for each individual federal program, the Assistance Listing Number, and the total amount passed through to subrecipients for each federal program. In order to prepare the SEFA, the OSC requires state departments to submit an Exhibit K1 to report expenditures, receipts, and receivables for each federal grant program administered by the Department during the fiscal year. The OSC?s exhibit instructions include guidelines for completing the Exhibit K1, including defining ?direct and indirect expenditures? as ?all monetary and non-monetary direct and indirect Federal award expenditures,? and ?pass-through expenditures? as ?the amount of all monetary and non-monetary Federal award amounts passed through to a subrecipient.? For the Department?s Grant federal program, subrecipients consist of counties, school districts, and health centers. State Fiscal Rule 1-2, Internal Controls, requires that state departments ?implement internal accounting and administrative controls that reasonably ensure that financial transactions are accurate, reliable, conform to state fiscal rules, and reflect the underlying realities of the accounting transaction (substance rather than form).? Federal regulations [7 CFR 274.4] require the Department to submit an FNS-292-B report in the format prescribed by the USDA with information detailing the P-EBT federal benefit payments. The Department is required to support the information in the report with its underlying records. The FNS-292-B report is identified as a required report within the Department?s State Plan that is approved by the USDA. What problems did the audit work identify? The Department overstated $63.5 million in P-EBT expenditures on its June 2021 FNS-292-B report to USDA that was submitted on August 30, 2021, as well as on the Department?s Exhibit K1 for Fiscal Year 2021. The Department subsequently identified that the FNS-292-B report was misstated and updated and resubmitted the report on September 28, 2021, approximately one month later. The Department, however, did not update its Exhibit K1 for Fiscal Year 2021 to correct the error, because the program staff did not notify the accounting team of the misstatement and need for Exhibit K1 correction. Based on our audit testwork, we also determined that the Department misreported $8.7 million in the Grant?s expenditures as subrecipient, rather than direct, expenditures on its Exhibit K1. Why did these problems occur? The P-EBT program staff did not notify the Department?s accounting team, who prepares the Exhibit K1, of a revision to the FNS-292-B report. The P-EBT program staff prepared the reconciliation of the CBMS summary report to the CFMS P-EBT benefits issued report and identified a variance. The variance was eventually resolved and the P-EBT program staff resubmitted the FNS-292-B report to the USDA; however P-EBT program staff did not communicate this error to the Department?s accounting team. As a result, the accounting team was unaware of the revision and, therefore, did not update the Exhibit K1 to reflect the reduction in federal expenditures. Overall, the Department did not have adequate internal controls, such as an appropriate supervisory review process or adequate communication plan, in place for Fiscal Year 2021 to ensure that the FNS-292-B report was prepared accurately, that the Exhibit K1 was completed in accordance with the instructions provided by the OSC, and that the FNS-292-B and Exhibit K1 were reviewed for accuracy and compared to the underlying data. For the Grant program error, Department staff indicated that these funds were incorrectly identified and coded as subrecipient expenditures in CORE, which caused them to be incorrectly reported as such on the Exhibit K1. When the expenditures were initially posted in CORE, they were not adequately reviewed to determine if they were subrecipient or direct expenditures. Why do these problems matter? By failing to properly report grant expenditures to the federal government and the OSC, who ultimately then fails to properly report expenditures to the federal government on the State?s SEFA, the Department is out of compliance with federal and state reporting requirements and risks federal sanctions. In addition, because the error resulted in the Department misstating its federal expenditure results for the fiscal year, federal staff and taxpayers have an incorrect or unreliable picture of the P-EBT grant?s overall status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-060 The Department of Human Services (Department) should strengthen its internal controls over the preparation of federal reports and the Exhibit K1, Schedule of Federal Assistance, by: A. Strengthening its internal controls over its monthly Pandemic Electronic Benefit Transfer Food Benefits (P-EBT) reporting to ensure its reporting is accurate and goes through supervisory review. B. Improving communication between program and accounting staff to ensure the Exhibit K1 is accurately updated when errors in federal reporting are identified and resolved. C. Improving the supervisory review process over the Exhibit K1 and the federal expenditures entered in the Colorado Operations Resource Engine (CORE), the state?s accounting system, to ensure expenditures are coded correctly as direct or subrecipient expenditures and that, ultimately, the Exhibit K1 is accurate and complete. Response Department of Human Services A. Agree Implementation Date: July 2022 CDHS agrees to enhance internal controls over monthly P-EBT reporting to better ensure accuracy. P-EBT is a new program derived from pandemic funding. Being a new program with a lack of federal guidance at implementation, and urgency to get the funds disbursed program staff had to learn about the nuances of the program and the reporting requirements as it was being implemented. During implementation we recognized that there are some inherent differences with P-EBT from other benefit programs which caused processes to have to be adjusted slightly. Additionally, timing of federal report filing for the P-EBT program is not in synch with our other processes and associated federal reporting requirements and deadlines. This makes it impossible to ensure reconciliation procedures are performed before filing occurs, which is one of our typical internal controls. As a compensating internal control CDHS will ensure that supervisory review processes are performed over P-EBT reporting, and that P-EBT reporting is reconciled to other sources (CBMS and CFMS) as soon as possible after reporting is available. If changes are discovered CDHS will make adjustments to filed P-EBT reports as needed based on reconciliation findings, and communicate changes to necessary parties. B. Agree Implementation Date: July 2022 CDHS will work to ensure better coordination between program activities and the accounting section relating to federal reporting changes. Accounting will iterate the importance of timely informing the accounting staff when changes are made to program filed federal reports. This message will be delivered in periodic fiscal meetings and identified on the closing calendar. The P-EBT program will ensure that corrections are communicated to accounting on any updates completed on the FNS-292-B report upon discovery, and no later than 30 days after the reporting period. C. Agree Implementation Date: July 2022 CDHS will ensure that review and approval processes are occurring as designed at various points in the process leading up to entry into CORE. As part of the Requisition (RQS) approval process program and accounting staff independently approve that the correct direct or subrecipient object code is used. These approved RQS transactions are then transitioned into encumbrance documents that drive which object code future expenditures will be booked to. For CCDF transactions related to this finding, both the OEC and Accounting teams inadvertently approved an incorrect object code in 4 RQS's. Staffing shortages coupled with a large increase in workload related to pandemic funding contributed to this oversight. To correct OEC and Accounting will train new staff, periodically familiarize themselves with the appropriate object codes, and perform quality assurance review over object codes before applying approval in CORE. The K1 is compiled from balances derived from expenditure data recorded in CORE. The compilation of the K1 relies on the fact that expenditure balances are accurate, and that prior reviews and approvals of individual transactions have occurred as designed. The K1 currently goes through various levels of review focusing on balance level validation coupled with analytical procedures. To enhance the review process, CDHS will ensure analytical procedures include line level expenditure comparison at the direct and subrecipient levels.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses were communicated to the Department in the previous year and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-059 Federal Funding Accountability and Transparency Act The Federal Funding Accountability and Transparency Act (Transparency Act or FFATA) was created to empower Americans with the ability to hold the government accountable for each spending decision and, as a result, to reduce wasteful spending by the government. The Transparency Act requires the federal government to make certain information on federal awards available to the public. The Department is required to report information about subgrants, or subawards, given to other governments or to nonprofit organizations, also referred to as subrecipients. Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the Department, to an entity to carry out part of a Federal grant award received by the pass-through entity. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? The Department is required to file FFATA reports through the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Once the Department submits a report to FSRS, the public can view certain information from the report, including the subrecipient?s name, subaward identification number, subaward obligation/action date, subaward amount, federal awarding agency and subagency, the Department?s name, and the Department?s grant award identification number. The Department?s required FFATA reports for Fiscal Year 2021 included information on the Low-Income Home Energy Assistance (LIHEAP), COVID-19 ? Low-Income Home Energy Assistance [ALN 93.568]; the Child Care and Development Fund (CCDF) Cluster, consisting of the Child Care and Development Block Grant [ALN 93.575], and Child Care Mandatory and Matching Funds of the Child Care and Development Fund [ALN 93.596]; and the Block Grant for Prevention and Treatment of Substance Abuse (Substance Abuse), COVID-19 ? Block Grant for Prevention and Treatment of Substance Abuse [ALN 93.959]. FFATA reporting was required for the Department because the Department passed through funds to one or more subrecipients for each of the three programs in excess of $30,000, as follows: LIHEAP funds to one subrecipient, CCDF funds to nine subrecipients, and Substance Abuse funds to seven subrecipients for Fiscal Year 2021. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to evaluate the Department?s internal controls over the FFATA reporting and to determine whether the Department correctly reported its subawards to the FSRS during Fiscal Year 2021. Based on our audit testwork, we reviewed the Department?s subawards and related federal expenditures in Fiscal Year 2021 to determine if there was FFATA reporting that was completed within the month following the month the subaward was made, as required. We compared amounts reported by the Department for subawards in FSRS to the underlying financial records reported in the Colorado Operations Resource Engine (CORE), the state?s accounting system, for the LIHEAP, CCDF, and Substance Abuse programs and inquired about any differences. In addition, we made inquiries of Department staff regarding its internal control processes over the FFATA reporting, including supervisory reviews. We reviewed the following number of subrecipient samples within each program for their internal control over compliance and compliance with FFATA reporting standards: LIHEAP had one sample, CCDF had five samples, and Substance Abuse had five samples. We reviewed the FFATA reports within FSRS for each subrecipient selected for testing to determine if the FFATA report was made in a timely manner in accordance with federal regulations and contained all of the required key data elements. How were the results of the audit work measured? In accordance with federal regulations [2 CFR 170], direct recipients of grants are required to report subawards of $30,000 or more to FSRS by the end of the month following the month in which the award was made. If the Department makes additional subawards greater than or equal to $30,000 under that same subaward at a later date or makes a supplemental award that increases an existing award to greater than or equal to $30,000, it must file additional FFATA reports to reflect the new or amended subaward. If the subaward does not change, no additional reporting is required. The FFATA reports are required to include the following key data elements: subrecipient name, subrecipient DUNS number, amount of subaward, subaward obligation/action date, date of report submission, subaward number, subaward project description, and subrecipient names and compensation of highly compensated officers. The Department?s program staff are responsible for understanding FFATA reporting requirements related to their programs, and providing key data elements for subrecipients at the point that funds are obligated. When program staff determine that the Department is making a subaward that requires FFATA reporting, program staff are required to report these key data elements in eClearance, an approval workflow and document depository system utilized by the Department in their purchasing process. Guidance for the FFATA reporting is included within the Department?s FFATA Quick Reference Guide that is made available to the program staff. Program staff enter the subaward information into eClearance via an online form called a Requisition eForm (eForm), which goes through an approval process and is then routed to the Department?s Purchasing and Contracts unit to process the purchase request that translates into an obligation of an award for subrecipients. Once the eForm is completed processing in eClearance, it is archived in the system and an automated query is run by the Department?s Business Technology Unit to export this data and it is automatically emailed to the Compliance Accounting team on a daily basis. Each day, the Department?s compliance accountant compiles the subaward data emailed to them that originated from eClearance into a daily report. At the end of the month, the compliance accountant combines the daily reports into a monthly summary and compares the monthly summary report to the daily reports to verify the summary report?s accuracy. The compliance accountant uses the information summarized within the monthly report to input the required FFATA information into FSRS, which ultimately is submitted as the required monthly FFATA report. What problems did the audit work identify? Based on our audit testwork, we determined that the Department did not report its subawards in FSRS for any of the three federal grant programs we tested for Fiscal Year 2021: the LIHEAP, CCDF, and Substance Abuse programs. In total, for the three programs, the Department failed to report subawards totaling $5.77 million (approximately $3.04 million for LIHEAP, approximately $861 thousand for CCDF, and approximately $1.87 million for Substance Abuse). The following tables summarize the results of our testing and groups each exception within the following categories: subaward not reported, report not timely, subaward amount incorrect, and subaward missing key elements. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Why did these problems occur? The Department does not have adequate internal controls over the FFATA reporting. Specifically, the Department has not validated the automated process to compile the data needed for the FFATA reports. In addition, the Department has not implemented a supervisory review process of the final FFATA report data that is used to submit the FFATA report via FSRS. We determined that automated reports generated did not include the full population of data needed to compile the FFATA reports. Based on test work, we found that program staff entered key data elements needed for FFATA reporting correctly into the eForm during the purchasing process, and that accounting staff used the data provided in the reports received to complete the FFATA reporting in FSRS. However, the data exported from eClearance and sent to accounting to compile the FFATA reports did not contain all of the population needed for reporting. Thus, accounting was using data that was not complete in the FFATA reporting to FSRS, but was unaware that the data was not complete. Further, when there was incomplete information in the data received, the compliance accountant failed to follow up with the various program staff to obtain the necessary information and input it into and submit it through FSRS. Why do these problems matter? By failing to properly report subawards to FSRS, the Department is out of compliance with federal reporting requirements and risks federal sanctions. In addition, information submitted via the FSRS is made publicly available at https://www.usaspending.gov/search; excluding the information could be misleading to the public and fails to meet the federal intent of transparency for federal program spending. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-059 The Department of Human Service (Department) should strengthen its internal controls over the Federal Funding Accountability and Transparency Act (Transparency Act or FFATA) reporting by: A. Correcting the automated reporting process from eClearance to ensure that data compiled for Transparency Act reporting contains all relevant data. B. Developing and implementing procedures to validate that data derived from eClearance reports and ultimately used to compile Transparency Act reporting is complete and accurate by reviewing the population from an alternate source, such as the Colorado Operations Resource Engine. C. Improving the Department?s supervisory review process to provide for a complete and thorough review of the final FFATA report data that the Department will report within the Federal Funding Accountability and Transparency Act Subaward Reporting System. This process should include taking steps to ensure the compliance accountant follows up with the program staff if the necessary information is not input into eClearance, so that it can be obtained and reported accurately and timely. Response Department of Human Services A. Agree Implementation Date: July 2022 CDHS agrees that it needs to it needs to correct the automated reporting process from the eClearance system used to gather data needed for our FFATA reporting. The department thought that the reports obtained from eClearance were complete and relied on them as the basis of our reporting. Upon investigation we found that an internal process change enacted during the implementation of another system at the start of the pandemic was the cause of the data discrepancy. This occurred because the new system made the routing in eClearance after a certain point unnecessary for internal processing so this stopped. It was unkown that this further routing to archive files in eClearance was the trigger for eClearance to push out FFATA report data. Since the department has been able to identify the cause we are able to immediately remedy the problem and ensure that all processes are in sync to ensure accurate and complete FFATA data is contained in automated reporting processes. The department will catch up on FFATA reporting that was missed during this time frame. B. Agree Implementation Date: July 2022 The department agrees that it needs to implement procedures to validate that data derived from automated processes used as a basis for FFATA reporting should be periodically validated against another data source. To do this the department will create and implement procedures to use CORE reports of encumbrance data referencing subrecipient object codes and tie this to information received from the automated eClearance report. Doing this will validate that the data provided from eClearance is a complete listing of all FFATA reportable subrecipient awards, and thus is a valid source to base FFATA reporting on. This will also help us monitor the process in case any future inadvertent changes are made to processes that could cause data validity issues. C. Agree Implementation Date: July 2022 CDHS agrees that a supervisory review is needed over the FFATA reporting process in order to ensure more consistency, accuracy and timeliness in reporting processes and standards. The department is currently developing procedures that will allow for more oversight of the FFATA reporting through supervisory reviews and cross training staff on FFATA reporting duties. Supervisory reviews will help ensure that reporting is completed in line with reporting procedures and timeframes and can be a second set of eyes to ensure that information appears accurate and adds analytical judgement value (example - a supervisor might see that July typically has high volume, but this July volume is low, why). In addition, the department is taking this opportunity to cross train other staff on the process so that more individuals can be involved which leads to more transparency over processes allowing various individuals to notice if something isn't working as designed. These new procedures are being developed and implemented as the department catches up on reporting subrecipient awards that were missed since the automated process stopped working.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses were communicated to the Department in the previous year and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-059 Federal Funding Accountability and Transparency Act The Federal Funding Accountability and Transparency Act (Transparency Act or FFATA) was created to empower Americans with the ability to hold the government accountable for each spending decision and, as a result, to reduce wasteful spending by the government. The Transparency Act requires the federal government to make certain information on federal awards available to the public. The Department is required to report information about subgrants, or subawards, given to other governments or to nonprofit organizations, also referred to as subrecipients. Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the Department, to an entity to carry out part of a Federal grant award received by the pass-through entity. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? The Department is required to file FFATA reports through the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Once the Department submits a report to FSRS, the public can view certain information from the report, including the subrecipient?s name, subaward identification number, subaward obligation/action date, subaward amount, federal awarding agency and subagency, the Department?s name, and the Department?s grant award identification number. The Department?s required FFATA reports for Fiscal Year 2021 included information on the Low-Income Home Energy Assistance (LIHEAP), COVID-19 ? Low-Income Home Energy Assistance [ALN 93.568]; the Child Care and Development Fund (CCDF) Cluster, consisting of the Child Care and Development Block Grant [ALN 93.575], and Child Care Mandatory and Matching Funds of the Child Care and Development Fund [ALN 93.596]; and the Block Grant for Prevention and Treatment of Substance Abuse (Substance Abuse), COVID-19 ? Block Grant for Prevention and Treatment of Substance Abuse [ALN 93.959]. FFATA reporting was required for the Department because the Department passed through funds to one or more subrecipients for each of the three programs in excess of $30,000, as follows: LIHEAP funds to one subrecipient, CCDF funds to nine subrecipients, and Substance Abuse funds to seven subrecipients for Fiscal Year 2021. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to evaluate the Department?s internal controls over the FFATA reporting and to determine whether the Department correctly reported its subawards to the FSRS during Fiscal Year 2021. Based on our audit testwork, we reviewed the Department?s subawards and related federal expenditures in Fiscal Year 2021 to determine if there was FFATA reporting that was completed within the month following the month the subaward was made, as required. We compared amounts reported by the Department for subawards in FSRS to the underlying financial records reported in the Colorado Operations Resource Engine (CORE), the state?s accounting system, for the LIHEAP, CCDF, and Substance Abuse programs and inquired about any differences. In addition, we made inquiries of Department staff regarding its internal control processes over the FFATA reporting, including supervisory reviews. We reviewed the following number of subrecipient samples within each program for their internal control over compliance and compliance with FFATA reporting standards: LIHEAP had one sample, CCDF had five samples, and Substance Abuse had five samples. We reviewed the FFATA reports within FSRS for each subrecipient selected for testing to determine if the FFATA report was made in a timely manner in accordance with federal regulations and contained all of the required key data elements. How were the results of the audit work measured? In accordance with federal regulations [2 CFR 170], direct recipients of grants are required to report subawards of $30,000 or more to FSRS by the end of the month following the month in which the award was made. If the Department makes additional subawards greater than or equal to $30,000 under that same subaward at a later date or makes a supplemental award that increases an existing award to greater than or equal to $30,000, it must file additional FFATA reports to reflect the new or amended subaward. If the subaward does not change, no additional reporting is required. The FFATA reports are required to include the following key data elements: subrecipient name, subrecipient DUNS number, amount of subaward, subaward obligation/action date, date of report submission, subaward number, subaward project description, and subrecipient names and compensation of highly compensated officers. The Department?s program staff are responsible for understanding FFATA reporting requirements related to their programs, and providing key data elements for subrecipients at the point that funds are obligated. When program staff determine that the Department is making a subaward that requires FFATA reporting, program staff are required to report these key data elements in eClearance, an approval workflow and document depository system utilized by the Department in their purchasing process. Guidance for the FFATA reporting is included within the Department?s FFATA Quick Reference Guide that is made available to the program staff. Program staff enter the subaward information into eClearance via an online form called a Requisition eForm (eForm), which goes through an approval process and is then routed to the Department?s Purchasing and Contracts unit to process the purchase request that translates into an obligation of an award for subrecipients. Once the eForm is completed processing in eClearance, it is archived in the system and an automated query is run by the Department?s Business Technology Unit to export this data and it is automatically emailed to the Compliance Accounting team on a daily basis. Each day, the Department?s compliance accountant compiles the subaward data emailed to them that originated from eClearance into a daily report. At the end of the month, the compliance accountant combines the daily reports into a monthly summary and compares the monthly summary report to the daily reports to verify the summary report?s accuracy. The compliance accountant uses the information summarized within the monthly report to input the required FFATA information into FSRS, which ultimately is submitted as the required monthly FFATA report. What problems did the audit work identify? Based on our audit testwork, we determined that the Department did not report its subawards in FSRS for any of the three federal grant programs we tested for Fiscal Year 2021: the LIHEAP, CCDF, and Substance Abuse programs. In total, for the three programs, the Department failed to report subawards totaling $5.77 million (approximately $3.04 million for LIHEAP, approximately $861 thousand for CCDF, and approximately $1.87 million for Substance Abuse). The following tables summarize the results of our testing and groups each exception within the following categories: subaward not reported, report not timely, subaward amount incorrect, and subaward missing key elements. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Why did these problems occur? The Department does not have adequate internal controls over the FFATA reporting. Specifically, the Department has not validated the automated process to compile the data needed for the FFATA reports. In addition, the Department has not implemented a supervisory review process of the final FFATA report data that is used to submit the FFATA report via FSRS. We determined that automated reports generated did not include the full population of data needed to compile the FFATA reports. Based on test work, we found that program staff entered key data elements needed for FFATA reporting correctly into the eForm during the purchasing process, and that accounting staff used the data provided in the reports received to complete the FFATA reporting in FSRS. However, the data exported from eClearance and sent to accounting to compile the FFATA reports did not contain all of the population needed for reporting. Thus, accounting was using data that was not complete in the FFATA reporting to FSRS, but was unaware that the data was not complete. Further, when there was incomplete information in the data received, the compliance accountant failed to follow up with the various program staff to obtain the necessary information and input it into and submit it through FSRS. Why do these problems matter? By failing to properly report subawards to FSRS, the Department is out of compliance with federal reporting requirements and risks federal sanctions. In addition, information submitted via the FSRS is made publicly available at https://www.usaspending.gov/search; excluding the information could be misleading to the public and fails to meet the federal intent of transparency for federal program spending. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-059 The Department of Human Service (Department) should strengthen its internal controls over the Federal Funding Accountability and Transparency Act (Transparency Act or FFATA) reporting by: A. Correcting the automated reporting process from eClearance to ensure that data compiled for Transparency Act reporting contains all relevant data. B. Developing and implementing procedures to validate that data derived from eClearance reports and ultimately used to compile Transparency Act reporting is complete and accurate by reviewing the population from an alternate source, such as the Colorado Operations Resource Engine. C. Improving the Department?s supervisory review process to provide for a complete and thorough review of the final FFATA report data that the Department will report within the Federal Funding Accountability and Transparency Act Subaward Reporting System. This process should include taking steps to ensure the compliance accountant follows up with the program staff if the necessary information is not input into eClearance, so that it can be obtained and reported accurately and timely. Response Department of Human Services A. Agree Implementation Date: July 2022 CDHS agrees that it needs to it needs to correct the automated reporting process from the eClearance system used to gather data needed for our FFATA reporting. The department thought that the reports obtained from eClearance were complete and relied on them as the basis of our reporting. Upon investigation we found that an internal process change enacted during the implementation of another system at the start of the pandemic was the cause of the data discrepancy. This occurred because the new system made the routing in eClearance after a certain point unnecessary for internal processing so this stopped. It was unkown that this further routing to archive files in eClearance was the trigger for eClearance to push out FFATA report data. Since the department has been able to identify the cause we are able to immediately remedy the problem and ensure that all processes are in sync to ensure accurate and complete FFATA data is contained in automated reporting processes. The department will catch up on FFATA reporting that was missed during this time frame. B. Agree Implementation Date: July 2022 The department agrees that it needs to implement procedures to validate that data derived from automated processes used as a basis for FFATA reporting should be periodically validated against another data source. To do this the department will create and implement procedures to use CORE reports of encumbrance data referencing subrecipient object codes and tie this to information received from the automated eClearance report. Doing this will validate that the data provided from eClearance is a complete listing of all FFATA reportable subrecipient awards, and thus is a valid source to base FFATA reporting on. This will also help us monitor the process in case any future inadvertent changes are made to processes that could cause data validity issues. C. Agree Implementation Date: July 2022 CDHS agrees that a supervisory review is needed over the FFATA reporting process in order to ensure more consistency, accuracy and timeliness in reporting processes and standards. The department is currently developing procedures that will allow for more oversight of the FFATA reporting through supervisory reviews and cross training staff on FFATA reporting duties. Supervisory reviews will help ensure that reporting is completed in line with reporting procedures and timeframes and can be a second set of eyes to ensure that information appears accurate and adds analytical judgement value (example - a supervisor might see that July typically has high volume, but this July volume is low, why). In addition, the department is taking this opportunity to cross train other staff on the process so that more individuals can be involved which leads to more transparency over processes allowing various individuals to notice if something isn't working as designed. These new procedures are being developed and implemented as the department catches up on reporting subrecipient awards that were missed since the automated process stopped working.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses were communicated to the Department in the previous year and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-059 Federal Funding Accountability and Transparency Act The Federal Funding Accountability and Transparency Act (Transparency Act or FFATA) was created to empower Americans with the ability to hold the government accountable for each spending decision and, as a result, to reduce wasteful spending by the government. The Transparency Act requires the federal government to make certain information on federal awards available to the public. The Department is required to report information about subgrants, or subawards, given to other governments or to nonprofit organizations, also referred to as subrecipients. Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the Department, to an entity to carry out part of a Federal grant award received by the pass-through entity. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? The Department is required to file FFATA reports through the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Once the Department submits a report to FSRS, the public can view certain information from the report, including the subrecipient?s name, subaward identification number, subaward obligation/action date, subaward amount, federal awarding agency and subagency, the Department?s name, and the Department?s grant award identification number. The Department?s required FFATA reports for Fiscal Year 2021 included information on the Low-Income Home Energy Assistance (LIHEAP), COVID-19 ? Low-Income Home Energy Assistance [ALN 93.568]; the Child Care and Development Fund (CCDF) Cluster, consisting of the Child Care and Development Block Grant [ALN 93.575], and Child Care Mandatory and Matching Funds of the Child Care and Development Fund [ALN 93.596]; and the Block Grant for Prevention and Treatment of Substance Abuse (Substance Abuse), COVID-19 ? Block Grant for Prevention and Treatment of Substance Abuse [ALN 93.959]. FFATA reporting was required for the Department because the Department passed through funds to one or more subrecipients for each of the three programs in excess of $30,000, as follows: LIHEAP funds to one subrecipient, CCDF funds to nine subrecipients, and Substance Abuse funds to seven subrecipients for Fiscal Year 2021. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to evaluate the Department?s internal controls over the FFATA reporting and to determine whether the Department correctly reported its subawards to the FSRS during Fiscal Year 2021. Based on our audit testwork, we reviewed the Department?s subawards and related federal expenditures in Fiscal Year 2021 to determine if there was FFATA reporting that was completed within the month following the month the subaward was made, as required. We compared amounts reported by the Department for subawards in FSRS to the underlying financial records reported in the Colorado Operations Resource Engine (CORE), the state?s accounting system, for the LIHEAP, CCDF, and Substance Abuse programs and inquired about any differences. In addition, we made inquiries of Department staff regarding its internal control processes over the FFATA reporting, including supervisory reviews. We reviewed the following number of subrecipient samples within each program for their internal control over compliance and compliance with FFATA reporting standards: LIHEAP had one sample, CCDF had five samples, and Substance Abuse had five samples. We reviewed the FFATA reports within FSRS for each subrecipient selected for testing to determine if the FFATA report was made in a timely manner in accordance with federal regulations and contained all of the required key data elements. How were the results of the audit work measured? In accordance with federal regulations [2 CFR 170], direct recipients of grants are required to report subawards of $30,000 or more to FSRS by the end of the month following the month in which the award was made. If the Department makes additional subawards greater than or equal to $30,000 under that same subaward at a later date or makes a supplemental award that increases an existing award to greater than or equal to $30,000, it must file additional FFATA reports to reflect the new or amended subaward. If the subaward does not change, no additional reporting is required. The FFATA reports are required to include the following key data elements: subrecipient name, subrecipient DUNS number, amount of subaward, subaward obligation/action date, date of report submission, subaward number, subaward project description, and subrecipient names and compensation of highly compensated officers. The Department?s program staff are responsible for understanding FFATA reporting requirements related to their programs, and providing key data elements for subrecipients at the point that funds are obligated. When program staff determine that the Department is making a subaward that requires FFATA reporting, program staff are required to report these key data elements in eClearance, an approval workflow and document depository system utilized by the Department in their purchasing process. Guidance for the FFATA reporting is included within the Department?s FFATA Quick Reference Guide that is made available to the program staff. Program staff enter the subaward information into eClearance via an online form called a Requisition eForm (eForm), which goes through an approval process and is then routed to the Department?s Purchasing and Contracts unit to process the purchase request that translates into an obligation of an award for subrecipients. Once the eForm is completed processing in eClearance, it is archived in the system and an automated query is run by the Department?s Business Technology Unit to export this data and it is automatically emailed to the Compliance Accounting team on a daily basis. Each day, the Department?s compliance accountant compiles the subaward data emailed to them that originated from eClearance into a daily report. At the end of the month, the compliance accountant combines the daily reports into a monthly summary and compares the monthly summary report to the daily reports to verify the summary report?s accuracy. The compliance accountant uses the information summarized within the monthly report to input the required FFATA information into FSRS, which ultimately is submitted as the required monthly FFATA report. What problems did the audit work identify? Based on our audit testwork, we determined that the Department did not report its subawards in FSRS for any of the three federal grant programs we tested for Fiscal Year 2021: the LIHEAP, CCDF, and Substance Abuse programs. In total, for the three programs, the Department failed to report subawards totaling $5.77 million (approximately $3.04 million for LIHEAP, approximately $861 thousand for CCDF, and approximately $1.87 million for Substance Abuse). The following tables summarize the results of our testing and groups each exception within the following categories: subaward not reported, report not timely, subaward amount incorrect, and subaward missing key elements. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Why did these problems occur? The Department does not have adequate internal controls over the FFATA reporting. Specifically, the Department has not validated the automated process to compile the data needed for the FFATA reports. In addition, the Department has not implemented a supervisory review process of the final FFATA report data that is used to submit the FFATA report via FSRS. We determined that automated reports generated did not include the full population of data needed to compile the FFATA reports. Based on test work, we found that program staff entered key data elements needed for FFATA reporting correctly into the eForm during the purchasing process, and that accounting staff used the data provided in the reports received to complete the FFATA reporting in FSRS. However, the data exported from eClearance and sent to accounting to compile the FFATA reports did not contain all of the population needed for reporting. Thus, accounting was using data that was not complete in the FFATA reporting to FSRS, but was unaware that the data was not complete. Further, when there was incomplete information in the data received, the compliance accountant failed to follow up with the various program staff to obtain the necessary information and input it into and submit it through FSRS. Why do these problems matter? By failing to properly report subawards to FSRS, the Department is out of compliance with federal reporting requirements and risks federal sanctions. In addition, information submitted via the FSRS is made publicly available at https://www.usaspending.gov/search; excluding the information could be misleading to the public and fails to meet the federal intent of transparency for federal program spending. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-059 The Department of Human Service (Department) should strengthen its internal controls over the Federal Funding Accountability and Transparency Act (Transparency Act or FFATA) reporting by: A. Correcting the automated reporting process from eClearance to ensure that data compiled for Transparency Act reporting contains all relevant data. B. Developing and implementing procedures to validate that data derived from eClearance reports and ultimately used to compile Transparency Act reporting is complete and accurate by reviewing the population from an alternate source, such as the Colorado Operations Resource Engine. C. Improving the Department?s supervisory review process to provide for a complete and thorough review of the final FFATA report data that the Department will report within the Federal Funding Accountability and Transparency Act Subaward Reporting System. This process should include taking steps to ensure the compliance accountant follows up with the program staff if the necessary information is not input into eClearance, so that it can be obtained and reported accurately and timely. Response Department of Human Services A. Agree Implementation Date: July 2022 CDHS agrees that it needs to it needs to correct the automated reporting process from the eClearance system used to gather data needed for our FFATA reporting. The department thought that the reports obtained from eClearance were complete and relied on them as the basis of our reporting. Upon investigation we found that an internal process change enacted during the implementation of another system at the start of the pandemic was the cause of the data discrepancy. This occurred because the new system made the routing in eClearance after a certain point unnecessary for internal processing so this stopped. It was unkown that this further routing to archive files in eClearance was the trigger for eClearance to push out FFATA report data. Since the department has been able to identify the cause we are able to immediately remedy the problem and ensure that all processes are in sync to ensure accurate and complete FFATA data is contained in automated reporting processes. The department will catch up on FFATA reporting that was missed during this time frame. B. Agree Implementation Date: July 2022 The department agrees that it needs to implement procedures to validate that data derived from automated processes used as a basis for FFATA reporting should be periodically validated against another data source. To do this the department will create and implement procedures to use CORE reports of encumbrance data referencing subrecipient object codes and tie this to information received from the automated eClearance report. Doing this will validate that the data provided from eClearance is a complete listing of all FFATA reportable subrecipient awards, and thus is a valid source to base FFATA reporting on. This will also help us monitor the process in case any future inadvertent changes are made to processes that could cause data validity issues. C. Agree Implementation Date: July 2022 CDHS agrees that a supervisory review is needed over the FFATA reporting process in order to ensure more consistency, accuracy and timeliness in reporting processes and standards. The department is currently developing procedures that will allow for more oversight of the FFATA reporting through supervisory reviews and cross training staff on FFATA reporting duties. Supervisory reviews will help ensure that reporting is completed in line with reporting procedures and timeframes and can be a second set of eyes to ensure that information appears accurate and adds analytical judgement value (example - a supervisor might see that July typically has high volume, but this July volume is low, why). In addition, the department is taking this opportunity to cross train other staff on the process so that more individuals can be involved which leads to more transparency over processes allowing various individuals to notice if something isn't working as designed. These new procedures are being developed and implemented as the department catches up on reporting subrecipient awards that were missed since the automated process stopped working.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-063 Higher Education Emergency Relief Fund Reporting Compliance Finding The CARES Act was signed into law on March 27, 2020, and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the (HEERF Program. CRRSAA was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Since April 2020, the University has been awarded a total of $86.3 million in HEERF funding. From inception through June 30, 2022, the University spent $35.4 million for the HEERF program Student Aid Portion and $48.9 million for the HEERF program Institutional Portion. The University reports that it will spend the remaining amount of funding during Fiscal Year 2023. The University signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate the University?s acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The ED specified that Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The annual report is to be submitted directly to the federal ED. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University had adequate internal controls in place over and complied with HEERF Institutional and Student Aid Portion grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the University?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 5 of the 8 HEERF reports submitted by the University during Fiscal Year 2022 to determine whether the reports were posted on the University?s primary website or submitted directly to the ED by the federal due dates and complied with federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? For the Student Aid Portion, beginning on May 6, 2020, the ED required institutions to publicly post certain information on their website, including the number of awards distributed to students, the total amount awarded, and the methodologies used by the institution to determine which students receive awards, no later than 30 days after the award date, and to update that information every 45 days thereafter (by posting a new report). ? On August 31, 2020, the ED revised the reporting requirement by decreasing the frequency of reporting after the initial 30-day period from every 45 days thereafter to every calendar quarter. This revision from every 45 days to a calendar quarter was effective for the first calendar quarter report due by October 10, 2020, and covering the period from after the institution?s last report through the end of the calendar quarter on September 30, 2020. ? For the Institutional Portion, a federal form filled out by the institution must be posted on the institution?s website covering aggregate expenditure amounts for each calendar quarter (September 30, December 31, March 31, and June 30) and concluding after an institution has spent the institutional portion of their HEERF Funds. The institution must post their first report by October 30, 2020, the first quarter of 2021 report by July 20, 2021, and post all other reports no later than 10 days after the end of each calendar quarter (October 10, January 10, April 10, and July 10). ? Section 18004(e) of the CARES Act and Section 314(e) of the CRRSAA require an institution receiving funds under HEERF to submit a report to the Secretary of the ED at ?such time in such a manner as the Secretary may require?. ? Federal regulation [2 CFR 200.334] states that ?financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.? The instructions for the Quarterly HEERF Reporting Form notes, ?any changes or updates after the initial posting must be conspicuously noted after initial posting and the date of the change must be noted in the `Date of Report? line.? ? Federal regulation [2 CFR 200.303] states that the University, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The University signed a HEERF Certification and Agreement to accept the funding and acknowledge its responsibilities under the grant; therefore, the University was responsible under the Agreement to ensure that it complied with HEERF reporting and other requirements. What problems did the audit work identify? We determined that 2 out of 5 reports tested (40 percent) did not meet the HEERF grant report posting requirements. Specifically: ? The University did not post the HEERF CRRSAA Student quarterly report for the quarter ending September 30, 2021 on the University?s primary website, as required. ? The University published the HEERF ARP Student quarterly report for the quarter ending March 31, 2022 on May 26, 2022?46 days past the due date of April 10, 2022. No issues were noted on the accuracy of the financial information on this report. Why did these problems occur? The University did not implement adequate internal controls to ensure it complied with the HEERF grant reporting requirements. Specifically, the University did not have appropriate policies and procedures in place to ensure that staff submit the required reports within federally required timeframes. Why do these problems matter? Federal oversight agencies, including ED, depend on accurate reports to measure program results and states? compliance with federal requirements. By failing to report the HEERF spending information in accordance with federal regulations, the University failed to comply with the requirements of the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-063 Metropolitan State University of Denver (University) should strengthen its internal controls over reporting and ensure it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by developing and documenting policies and procedures for identifying and researching the specific reporting requirements and ensuring that staff post to the University?s website the required reports within federally required timeframes. In addition, the University should ensure that all the HEERF reports that are currently required to be posted are on the website. Response Metropolitan State University Agree Implementation Date: December 2022 In December 2022, the Office of Financial Aid strengthened its internal control over the reporting requirements for the Higher Education Emergency Relief Fund (HEERF), by adding the report due dates to the internal operational calendar. Additional level reviews were also added to the submission process before the required reports will be sent to the Department of Education and posted on the financial aid website.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-059 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF I) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund (Assistance Listing No. 84.425). The HEERF program contains two portions: the Student Aid portion (Assistance Listing No. 84.425E) and the Institutional portion, which is made up of the following: HEERF Institutional Aid Portion (Assistance Listing No. 84.425F), HEERF Minority Serving Institutions (Assistance Listing No. 84.425L), HEERF Strengthening Institutions Program (Assistance Listing No. 84.425M), Institutional Resilience and Expanded Postsecondary Opportunity (Assistance Listing No. 84.425P), and HEERF Supplemental Assistance to Institutions of Higher Education program (Assistance Listing No. 84.425S). Amounts provided to students through HEERF are considered to be ?Emergency Financial Aid Grants to Students? under the Program. Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent approximately $97.8 million for the HEERF program Student Aid portion which is used to award Emergency Financial Aid Grants to students and $113.9 million for the HEERF Institutional Portion, which is used to support the colleges. $117.3 of this amount was expended by the System during Fiscal Year 2022. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the ED to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The annual report is to be submitted directly to the ED. The ED has specified certain criteria that must be included in each report. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System had adequate internal controls in place over, and complied with, the HEERF Institutional and Student Aid grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the System?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 25 of the 117 HEERF reports submitted by the System?s campuses during Fiscal Year 2022 to determine whether the reports were posted on each campus? primary website (quarterly reports) or submitted to ED (annual reports) by the federal due dates. Furthermore, for the Student Aid Quarterly Report we requested from each Campus the underlying support for the reports, which consisted of student data detailing how much aid was awarded and the methods the campuses used to determine which students would receive Emergency Financial Aid Grants. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? On May 13, 2021, the ED published in the Federal Register a notice for student aid public reporting under CRRSAA and ARP, which requires that institutions publicly post certain information on their website. The following information must appear in a format and location that is easily accessible to the public: o An acknowledgement that the institution signed and returned to the ED the Certification and Agreement and the assurance that the institution has used the applicable amount of funds designated under the CRRSAA and ARP programs to provide Emergency Financial Aid Grants to Students. o The total amount of funds that the institution will receive or has received from the ED pursuant to the institution's Certification and Agreement for Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total amount of Emergency Financial Aid Grants distributed to students under the CRRSAA and ARP programs as of the date of submission (i.e., as of the initial report and every calendar quarter thereafter). o The estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total number of students who have received an Emergency Financial Aid Grant to students under the CRRSAA and ARP programs. o The method(s) used by the institution to determine which students receive Emergency Financial Aid Grants and how much they would receive under the CRRSAA and ARP programs. o Any instructions, directions, or guidance provided by the institution to students concerning the Emergency Financial Aid Grants. ? Federal Uniform Guidance [2 CFR 200.303] requires that recipients of federal awards have internal controls in place to ensure that federal reports are accurate and report complete information. Appropriate supporting documentation is evidence of such internal controls. What problems did the audit work identify? We identified issues with 5 of the 25 Fiscal Year 2022 reports we tested (20 percent). Specifically, Front Range Community College (FRCC), Pueblo Community College (PCC), and Lamar Community College (LCC) could not provide appropriate supporting documentation for one or more of the following data elements in five of the Student Aid Quarterly Reports: student data detailing (a) the total amount of Emergency Financial Aid Grants distributed to students, (b) the total number of students eligible to receive Emergency Financial Aid Grants and/or (c) the total number of students at the institution who have received an Emergency Financial Aid Grant. The specific issues we found the following: ? FRCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended September 30, 2021 as 20,684; based on our review, we determined the supported number was 20,782. ? FRCC reported the total number of students at the institution who have received an Emergency Financial Aid Grant for the quarter ended June 30, 2022 as 20,385 (student portion) and 3,207 (institutional portion); based on our review, we determined the supported numbers were 20,401 and 3,222, respectively. ? LCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended June 30, 2022 as 1,007; based on our review, we determined the supported number was 1,034. In addition, the amount disbursed directly to student emergency financial aid grants to date was reported as 961 and total for all HEERF funds was 1,124; based on our review, we determined the supported numbers were 988 and 1,151, respectively. ? PCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarters ending September 30, 2021 and December 31, 2021 as 3,191; based on our review, we determined this amount could not be supported and PCC did not provide a revised count. Why did these problems occur? FRCC, PCC, and LCC campuses did not have procedures in place to ensure that supporting documentation was maintained for its Student Aid Quarterly Reporting. Employee turnover in the FRCC Controller position and FRCC, PCC, and LCC Student Financial Aid Director positions further contributed to FRCC, PCC, and LCC?s inability to locate or recreate the supporting documentation. Why do these problems matter? It is important for FRCC, PCC, and LCC to ensure that they obtain and maintain appropriate documentation to support amounts reported to federal awarding agencies, especially when they are the basis for determining FRCC, PCC, and LCC?s compliance with specific federal program requirements. This issue could lead to inaccurate federal reporting and potential noncompliance, which could result in the federal government requiring FRCC, PCC, and LCC to return funds or a negative impact to the System?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-059 Front Range Community College, Lamar Community College, and Pueblo Community College campuses should strengthen their internal controls over federal reporting and ensure they comply with the Higher Education Emergency Relief Fund reporting requirements by reviewing reports for accuracy and developing procedures for ensuring the required maintenance of all related supporting documentation. Response Front Range Community College Agree Implementation Date: September 2022 Moving forward the Director of Financial Aid will engage the Restricted Funds Accountants in a quality assurance review of both dollars spent, type of fund, and student counts before it is submitted for final review and publishing by the Director of Resource Development and Senior Grant Administrator. The most recently submitted information for the quarterly report of September 30, 2022 will be sent to the Restricted Funds Accountants to validate that FRCC has been and will continue to be in compliance for quarterly HEERF reporting. Response Lamar Community College Agree Implementation Date: July 2022 The Financial Aid Director and the Controller will compile their reporting support on the shared drive they utilize for other routine purposes as well, to ensure clear documentation of the numbers reported. The original report containing errors was corrected, validated, and reposted. All past year?s reporting data was made available on the shared drive as of July 2022. Response Pueblo Community College Agree Implementation Date: October 2022 Each quarter Financial aid will obtain and compare Cognos and Banner disbursement reports for accuracy. Once the unduplicated student count is determined it will be sent to the Vice President of Student Success to validate and approve going forward. Financial aid will ensure staff maintain supporting documentation for any institutional expenditures information that was obtained from the fiscal office. Disbursement and expenditure data will be compiled for the Department of Education?s Quarterly Report by the submission deadline and will be submitted as PDF to webmaster for posting on PCC?s website and a copy emailed to a contact at the Department of Education and will archive the submission for future reference.
Finding 2022-062 Higher Education Emergency Relief Fund Student Aid Finding The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to higher education institutions, including the University, under the HEERF program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA) was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. Since March 11, 2021, the University has been awarded $45.6 million in HEERF grant funds through the American Rescue Plan (ARP), otherwise known as HEERF III. Of this award, the University was provided both 1) Student Aid monies, along with 2) Institutional Aid monies. Student Aid monies must be used to provide financial aid grants to students (including students exclusively enrolled in distance education), which may be used for ?any component of the student?s cost of attendance or for emergency costs that arise due to coronavirus, such as tuition, food, housing, healthcare (including mental health care), or childcare. Institutional Aid monies may be used to defray expenses associated with coronavirus (including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll) and to make additional financial grants to students. During Fiscal Year 2022, the University spent $21.0 million for the Student Aid portion and $20.2 million for the Institutional portion of HEERF III funds. For the Student Aid portion of the HEERF III funding, the University divided the funding into different groups. The University developed a written plan (that applied during Fiscal Year 2022) for each group and a control process for awarding the monies to students. One of the groups of funding was to be awarded to students with unpaid balances in their tuition or auxiliary accounts with past due balances incurred during the 2020-2021 or 2021-2022 academic years. A team of University employees (CARES Team) was tasked with identifying those students, then contacting those students and asking if they would like the University to apply the student?s HEERF award to pay down the student?s account balance or pay it to the student directly. Once the student informed the University of their election, then the University awarded and disbursed the funds. What was the purpose of our audit work and what was performed? The purpose of the audit work was to determine whether the University was in compliance with the HEERF program regulations for awarding and paying the Student Aid portion of the HEERF funding, and whether proper controls were in place over the program during Fiscal Year 2022. Our testing included conducting interviews with management and selecting a sample of 60 disbursements made to students during Fiscal Year 2022 to test controls and compliance. We performed testing on the 60 disbursements to determine whether awards and disbursements were made in accordance with the University?s documented plan. How were the results of the audit work measured? In accordance with HEERF III requirements, the University must prioritize student aid distributions to students with exceptional needs. In addition, the University must have a documented plan to distribute funds to students. Federal regulations [2 CFR 200.303] require any non-federal grant award recipient to establish and maintain effective internal control over the federal award that provides reasonable assurance that the grant award recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. Lastly, student aid application best practices discourage employees from awarding aid to family members. What problem did the audit work identify? Based on interviews with University management, the University identified that a University employee inappropriately provided $700 in HEERF Student Aid funding to the employee?s family member who was a student at the University but was not eligible to receive the funds. Specifically, the CARES Team selected students to receive these funds that met the following criteria: 1) Student was enrolled in the Fall of 2021 or Spring 2022, 2) student had past due balances incurred during the 2020-2021 or 2021-2022 academic years, 3) the student was in good academic standing, and 4) they were participating in a payment plan or in the College Completion Advising program. The student was not selected by the CARES Team as eligible to receive these funds. During our testing of additional 60 student disbursement transactions we found no other exceptions. Why did this problem occur? The University has not established proper segregation of duties to prevent University employees from awarding federal funding to a member of their family. Specifically, the employee had access rights within the University?s financial aid system that granted the employee the ability to both award and disburse federal funds without another employee reviewing or approving. In addition, the University did not have a written policy, as recommended by industry best practices, that prohibits employees from applying aid to family members? accounts. Why does this problem matter? Federal funds that are misapplied or used for unallowable purposes could be subject to repayment from the University to the federal granting agency. Without ensuring adequate segregation of duties within the University?s financial aid system for awarding and disbursing federal funds, the University increases the risk that fraud could occur. In the instance identified, the University recovered the funding from the student. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-062 Metropolitan State University of Denver (University) should improve its internal controls over federal Higher Education Emergency Relief Funds by instituting appropriate segregation of duties over the awarding of federal funds to students. This should include requiring that no one employee can both award then disburse aid to students and developing and implementing a formal written policy that prohibits University employees from awarding financial aid to their family members. Response Metropolitan State University Agree Implementation Date: June 2023 In January 2023, the Executive Director of Financial Aid and Scholarships implemented a code of conduct that addresses and prohibits University personnel from awarding financial aid to their family members or other persons considered conflicts of interest. The Office of Financial Aid and Scholarships will draft policy by June 30, 2023, to address the segregation of duties that prohibits awarding and disbursing federal, state, or institutional funding to students by one employee.
Finding 2022-064 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide emergency financial assistance to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the University under the Higher Education Emergency Relief Fund (HEERF I) Program. The federal Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the federal American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Each of the University?s campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (DOE) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements of the HEERF program there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The DOE specified that the Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The University?s campuses are required to submit the annual report directly to the DOE. During Fiscal Year 2022, each University campus was required to complete and post 8 reports (four Student Aid and four Institutional) to their website. During Fiscal Year 2022, the University?s three campuses in total expended approximately $60 million in HEERF grant funds: $27 million was expended by the Boulder campus, $10.5 million was expended by the Colorado Springs campus, and $22.5 million was expended by the Denver campus. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over and complied with the HEERF grant reporting requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls over the HEERF grant reporting requirements. In addition, we tested 11 of the 12 student reports and 3 of the 12 institutional reports posted by the University during Fiscal Year 2022 to determine whether the University campuses posted the required information on each campus? website accurately, and by the federal due dates. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? The DOE issued a notice on May 13, 2021, requiring institutions to publicly post their required HEERF reports on the institution?s website as soon as possible, but no later than 30 days after the publication of the notice, or 30 days after the date the DOE first obligated funds under HEERF I, II, or III to the institution for emergency financial assistance to students; whichever comes later. The institution is required to post the report no later than 10 days after the end of each calendar quarter, after the initial posting. ? Federal regulation [2 CFR 200.303] states that the System?s campuses, as federal grant recipients, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? What problem did the audit work identify? We identified 2 out of the 14 reports tested (14.3 percent) that did not meet the HEERF grant report posting requirements. Specifically, the University of Colorado, Colorado Springs Campus, did not post the required information for the HEERF Student Aid Portion on its website for two of four quarters of Fiscal Year 2022 timely. First, the University posted the quarter-ending September 30, 2021 report to its website on December 23, 2021, or 74 days after the deadline of October 10. Second, the University did not post the quarter-ending March 31, 2022 report, which was due April 10, 2022, until October 2022, after we notified them of the error; this was approximately 6 months late. We did not identify any issues with the accuracy of the reports, and we found that the other two campuses in the University of Colorado System posted the required information on their respective websites as required by federal regulations. Why did this problem occur? The University?s Colorado Springs campus did not have adequate internal controls in place to ensure it complied with the HEERF grant reporting requirements. Specifically, the Colorado Springs Campus did not have appropriate policies and procedures in place for identifying and researching changes in HEERF reporting requirements. The federal government updated and provided a new form for HEERF reporting in September 2021 that included a section for institutional information but inadvertently excluded student information from the form. Because the form no longer required the student information, the Colorado Springs campus staff inaccurately assumed that the student information was no longer required to be reported. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in the DOE Certification and Agreement that is signed and agreed to by the University. By failing to report required information in accordance with federal regulations, the University failed to comply with the requirements of the HEERF program and potentially risks repercussions from the DOE as specified in the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-064 The University of Colorado?s Colorado Springs campus should strengthen its internal controls over and ensure that it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by establishing policies and procedures for identifying and researching changes in HEERF reporting requirements and posting reports to the campus website as required by federal regulations. Response University of Colorado Agree Implementation Date: Implemented Management agrees. After the notification of the missing HEERF report in December 2021, the UCCS Controller proposed a ?cross-check? process to ensure all future reporting is in compliance and reported in a timely manner. This process is used for both the quarterly and annual reporting process. In the quarterly reporting process, the UCCS Controller completes the institutional report and emails the report to the UCCS Financial Aid office Senior Executive Director for verification of the amounts and the data submitted. The Senior Executive Director then enters the student aid portion?s information and provides this to the UCCS Controller for verification of the data. Once verified, the report is uploaded to the UCCS website and a confirmation email is sent to the UCCS Controller as well as the heerfreporting@ed.gov for verification of completion of the website posting. This process has been duplicated with the annual reporting process. Before the annual report is submitted a review will be done to verify the report figures match the CU financials for the calendar year.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Finding 2022-076 Compliance with Federal Subrecipient Monitoring Requirements The Department receives federal grant funds directly from the federal government for the Highway Planning and Construction Program (Program) and then subgrants, or passes through, a portion of the funds to cities and counties and other organizations that are considered to be either a subrecipient or a contractor. A subrecipient is a non-federal entity that expends federal awards received from a pass-through entity to carry out a federal program, but does not include an individual that is a beneficiary receiving direct payments from such a program. A contractor is a dealer, distributor, merchant, or other seller providing goods or services that are required to conduct a federal program; these goods or services may be for an organization?s own use or for the use of beneficiaries of the federal program. The Department executes an Intergovemental Agreement (IGA) between the Department and the subrecipient. Under Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), the Department is responsible for evaluating each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward and for ultimately ensuring the subrecipient is determined eligible. In some instances, in coordination with the Federal Highway Association (FHWA), a Metropolitan Planning Organization (MPO)? rather than the primary recipient, such as the Department?is responsible for performing eligibility determinations. As such, in those instances, the Department does not perform risk-assessments on these contracts and only is responsible for on-going monitoring. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department had effective internal controls in place and complied with subrecipient monitoring activities for the Program during Fiscal Year 2022. As part of our audit work, we reviewed the Department?s internal controls over compliance for subrecipient monitoring requirements for the Program, including the Department?s policies and procedures. We tested a random sample of 25 of the Department?s 92 subrecipients (27 percent) for the Program?for which the Department had an IGA in place during Fiscal Year 2022?to determine whether subrecipient monitoring procedures performed by Department staff during the year were compliant with federal regulations. Our testing included evaluating whether the Department performed risk assessments and determined the appropriate level of subrecipient monitoring for the entities, as required by federal Uniform Guidance. How were the results of the audit work measured? Our audit work was designed to measure the Department?s compliance with the following criteria: ? Federal regulations [2 CFR 200.303] state that the Department, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? ? Federal regulations [2 CFR 200.332(b)] also state that the Department must evaluate each subrecipient?s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward and may include various factors. ? Federal regulations [2 CFR 200.332(d) through (f)] and [2 CFR 200.521] further require the Department to monitor the activities of its subrecipients, as necessary, to ensure that each subaward is used for authorized purposes, the subrecipient complies with the terms and conditions of the subaward, and that the subrecipient achieves performance goals. The Department?s monitoring must include: o Reviewing financial and programmatic reports submitted by the subrecipient o Following-up on and ensuring the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award o Issuing a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity What problems did the audit work identify? We determined that the Department did not comply with subrecipient monitoring requirements for the Highway Planning and Construction Program during Fiscal Year 2022, as noted below: ? The Department did not perform a risk assessment for 6 of the 25 subrecipients (24 percent) we tested, including subrecipients where eligibility was determined by a MPO. ? The Department improperly included one vendor in our population of subrecipients. The nature of services provided by the vendor was personal services, therefore, did not require the execution of an IGA. ? The Department did not provide supporting documentation for reviews of any Fiscal Year 2022 financial and programmatic reports. As a result, we were unable to determine if any reviews were conducted during the fiscal year, as required. Why did these problems occur? While the Department has created a subrecipient monitoring and risk assessment manual, the manual lacks clarity in a variety of areas, including the following: ? For contracts which extend over multiple fiscal years, the policies do not specify the frequency in which subrecipient risk-assessment should be reviewed or updated. ? There are multiple types of subrecipient contracts for which the full risk-assessment process may not be applicable, however, the current policies do not address acceptable exceptions to the policy. ? The Department?s current policies do not include guidance related to the review of financial and programmatic reports, including the extent to which required programmatic and financial reports should be obtained and reviewed. ? The Department?s policies and procedures do not clearly indicate that the Department is not required to complete a risk assessment when an MPO determines eligibility and therefore the nature of monitoring procedures to be performed is not defined. ? Requested audit documentation was not provided timely. Further, the Department did not provide sufficiently-detailed training to staff to ensure they were aware of and conducted required subrecipient monitoring responsibilities. Why do these problems matter? Performing timely and appropriate monitoring of subrecipients provides the Department with a method to ensure its subrecipients are complying with applicable federal grant requirements. By taking appropriate actions based on the results of its subrecipient monitoring activities, the Department can mitigate the risk of providing continuing funding to entities that may not be using funds in accordance with program requirements. Overall, the Department?s failure to comply with federal requirements could result in a loss of funding from the federal government. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-076 The Department of Transportation should strengthen internal controls over and ensure that it complies with federal subrecipient monitoring requirements for the Highway Planning and Construction program by: A. Updating its current subrecipient monitoring and risk assessment policy to clarify the frequency in which a risk assessment is required to be completed or updated, as applicable for contracts that span multiple fiscal years, as well as direction regarding when it is acceptable to forgo performing a risk assessment and updating the policy to address the nature in which subrecipient programmatic and financial reports are reviewed B. Providing training to staff responsible for subrecipient monitoring activities related to the policies updated in Part A of the finding. Response Department of Transportation A. Agree Implementation Date: November 2023 The Department will update the policy to clarify the frequency in which the risk assessment is required to be completed or updated as applicable for contracts that span multiple fiscal years, as well as identifying exceptions, outlining when it is acceptable to forgo risk assessments. The Department will also update the policy to address the nature in which the subrecipient programmatic and financial reports are reviewed. The updates will be completed by November 2023. B. Agree Implementation Date: November 2023 The Department will provide training on the subrecipient monitoring policy manual to outline roles, responsibilities and the frequency of risk assessments that span over multiple fiscal years. The training will also provide guidance on the programmatic and financial information review process.
Finding 2022-077 Cash Management The Department operates on a reimbursement basis with the federal government for a portion of its federal grant programs, expending state dollars for the federal programs prior to requesting reimbursement for the appropriate federal share. The reimbursement process is governed by the Cash Management Improvement Act of 1990 (CMIA) and 31 CFR Part 205 Part B, Rules and Procedures for Efficient Federal-State Funds Transfers (Transfer Rules), which prescribe specific methods and timeframes for drawing down federal funds. The purpose of CMIA and the Transfer Rules is to minimize the time period from when the State makes an expenditure for a federal program and when the federal reimbursement is received, so that neither the State nor the federal government incurs a loss of interest on the funds. This timeframe for requesting reimbursement is referred to as the ?draw pattern.? Under CMIA, the State must enter into a formal agreement, referred to as the ?Treasury-State Agreement,? (Agreement) with the U.S. Department of the Treasury to establish reimbursement schedules for selected federal programs that have been awarded to the State. In Colorado, the Department of Treasury (Treasury), on behalf of all departments in the State, enters into the Agreement with the U.S. Department of the Treasury. For Fiscal Year 2022, Colorado?s CMIA Agreement included 10 programs administered by various state agencies. The Department has one federal program that is included in the Agreement. Specifically, the Department?s Highway Planning and Construction [ALN 20.205] is included in this Agreement. During Fiscal Year 2022, the Department expended $510.0 million in Highway Planning and Construction funds. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to review the Department?s internal controls over its cash draw process and to determine whether the Department was in compliance with CMIA for the Highway Planning and Construction program during Fiscal Year 2022. As part of our audit, we tested the Department?s internal controls and compliance over its cash management process for the Highway Planning and Construction program. We tested a sample of 25 expenditures and the related draws the Department made for the program during Fiscal Year 2022 and calculated the number of days between each sampled expenditure and related federal draw and compared our results to the CMIA requirements in place at the time the draw occurred. Within our sample, draws for nine of the expenditures were performed prior to October 13, when the 4-day draw pattern was in place; draws for 16 expenditures were performed after October 13 on the 5-day pattern. How were the results of the audit work measured? Under CMIA rules, draw patterns should be interest-neutral between the State?s expenditure and receipt of federal funds. We compared the results of our testwork against the regulations within the CMIA for payments clearing the State?s bank that should result in the receipt of the federal reimbursements within specific timeframe as noted below: The Agreement in place at the beginning of Fiscal Year 2022 specified a 4-day draw pattern for Highway Planning and Construction. Therefore, the time between when the Department?s expenditure was made and when federal funds were received should have been 4 days. In October 2021, however, the Department requested the draw pattern be changed from 4 days to 5 days. This request was approved by the U.S. Department of the Treasury on October 13, 2021. What problem did the audit work identify? We determined that the Department did not comply with the approved cash management draw patterns contained in the Agreements for the Highway Planning and Construction program for Fiscal Year 2022. Overall, 8 of the 25 draws (32 percent) were not made in accordance with the applicable Agreement, as follows: ? We noted that 6 of the 16 draws (38 percent) were not performed on the 5-day approved draw pattern in place after October 13, 2021 and instead, were performed on a 4-day draw pattern. ? We also noted that 2 of the 9 draws (22 percent) sampled from the first Agreement were not completed in accordance with the 4-day approved draw pattern in place prior to October 13, 2021 and, instead, were performed on a 5-day draw pattern. Why did this problem occur? The Department did not have appropriate internal controls over its federal grant cash management process during Fiscal Year 2022. Specifically, the Department conducted an analysis on the draw pattern for Highway Planning and Construction in early Fiscal Year 2022 and determined that its draws were occurring within 5 rather than 4 days, so the Department requested and received approval from the U.S. Department of the Treasury to change from a 4 day draw pattern to a 5-day draw pattern; however, the Department did not properly communicate the change in the Agreement for the Highway Planning and Construction?s draw pattern to the primary individuals responsible for preparing and approving the draws. As a result, the billing procedure was not updated to reflect the change in draw pattern, which led to the draws being out of compliance with the approved CMIA draw pattern. Why does this problem matter? The timing of draws for requesting federal funds impacts the interest neutral requirements under the CMIA. By drawing funds early, the Department creates a risk that the State my ultimately owe interest charges to the federal government. Further, the Department?s lack of strong cash management internal controls may result in delays in the identification of expenditures for which reimbursement has not been requested and therefore, funds upon which the State has lost interest. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-077 The Department Transportation (Department) should strengthen its internal controls and processes over and ensure that it complies with federal Cash Management Improvement Act requirements for the federal Highway Planning and Construction Program (Program) by: A. Ensuring that Department personnel responsible for preparing and reviewing the cash draw requests are adequately informed of the draw pattern applicable for the current fiscal year, including any federally-approved changes that occur during the year. B. Establishing procedures that specify draw request dates in relation to Program expenditures that ensure required draw patterns are met. Response Colorado Department of Transportation A. Agree Implementation Date: March 2023 The Department will enhance its internal controls and processes to ensure it complies with the federal Cash Management Improvement Act requirements for the federal Highway Planning and Construction Program (Program) by ensuring personnel responsible for preparing and reviewing the cash draw requests are adequately informed of the draw pattern for the applicable fiscal year in which the draws occur including federally-approved changes during the year. Personnel responsible for the draw will review the approved draw letter from the State Treasury with a secondary verification on the Federal Site, www.fiscal.treasury.gov/cmia/resources-treasury-state-agreements.hmtl for the specified timeframe before conducting the draw. B. Agree Implementation Date: March 2023 The Department will enhance its internal controls and processes to ensure it complies with federal Cash Management Improvement Act requirements for the federal Highway Planning and Construction Program (Program) by establishing and maintaining formal procedures that specify the draw request dates in relation to the program expenditures to ensure required draw patterns are met. The process to implement changes to the cash draw pattern will be added to the draw procedure by March 2023.
Finding 2022-074 Coronavirus Relief Funds?Property Owner Preservation Program The President of the United States issued the Proclamation on Declaring a National Emergency Concerning the Novel Coronavirus Disease (COVID-19) Outbreak on March 13, 2020 and Congress subsequently passed the Coronavirus Aid, Relief, and Economic Security (CARES) Act. The CARES Act provided emergency assistance in response to the COVID-19 pandemic and established the Coronavirus Relief Fund (CRF) program, which provided payments to state, local, and tribal governments navigating the impact of COVID-19. The State of Colorado received approximately $1.67 billion of CRF funds in April 2020, and the Governor issued Executive Order 2020-070 (Executive Order) in May 2020 to disburse the CRF funds to numerous state departments and agencies. In June 2020, the State passed House Bill 20-1410, concerning assistance for individuals facing a housing-related hardship due to the COVID-19 pandemic, and transferred approximately $19.7 million of CRF funds to the Housing Development Grant Fund to provide such assistance. This bill includes a provision for the Property Owners Preservation Program (Program), which was managed by the Department, to allow landlords and property owners to seek rental assistance on behalf of their tenants who experienced a financial need on or after March 1, 2020, due to the effects of the COVID-19 pandemic. In Fiscal Year 2021, the Department expended the $19.7 million of the CRF funds it received in April 2020, for the Property Owners Preservation Program (POPP). What was the purpose of our audit work and what work was performed? The purpose of the audit work was to follow up on our prior year audit recommendation, which recommended that the Department implement internal controls to ensure it complies with federal regulations for any new federal funds it receives, such as the CRF. The Department planned to implement this recommendation by June 2022. During the Fiscal Year 2022 audit, we inquired with the Department on the implementation status of this recommendation. We also obtained and reviewed the Department?s Exhibit K3, Schedule of Prior Year Audit Recommendation Status, which it was required to submit to the State Controller. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Under House Bill 20-1410, the Housing Development Grant Fund was appropriated $19,650,000 of funds from the CRF for the purpose of providing individuals and households who, on or after March 1, 2020, experienced financial need due to the COVID-19 pandemic or effects of the COVID-19 pandemic, with rental assistance. The House Bill also provided guidance on how to access additional housing services. The Department developed and issued a new application for the POPP to address the criteria for experiencing direct or indirect impacts of the COVID-19 pandemic. ? Federal regulations [2 CFR 200.303] require that the Department, as a federal grant recipient, ?establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.? Furthermore, in accordance with 2 CFR part 200, subpart E, the Department must determine that amounts paid with federal grant funds were necessary and reasonable for the performance of the federal award and are adequately documented. Therefore, the Department must maintain appropriate supporting documentation to verify costs were properly charged to the federal grants. ? The Office of the State Controller (OSC) requires each department that had a prior audit recommendation that was reported in the prior fiscal year?s Office of the State Auditor Statewide audit to complete an Exhibit K3 to report the Department?s determination of the status of their recommendation as of June 30. Possible status descriptions include ?Implemented,? ?Partially Implemented,? ?Not Implemented,? and ?No Longer Valid.? The Department must provide an explanation for each recommendation status. What problem did the audit work identify? We determined that the Department did not implement the prior year?s recommendation by its planned implementation date of June 2022. Specifically, during prior year audit work, we found that the Department could not provide appropriate underlying support for 4 of the 60 transactions (7 percent) we tested that were charged as CRF expenditures for the Program; as a result, we recommended that the Department strengthen its internal controls over federal grant spending, including that it develop and implement policies and procedures with a requirement that Department staff review and maintain records supporting its expenditures charged to federal programs. When we inquired of the Department about what steps it had taken to implement the recommendation, Department staff indicated that they did not implement the recommendation during Fiscal Year 2022. Why did this problem occur? The Department reported on its Exhibit K3 that it determined that the original implementation date of June 2022 that the Department provided as its planned implementation date for our Fiscal Year 2021 recommendation was unrealistic, given the Department?s staffing challenges. Specifically, the Department indicated that it was not able to allocate sufficient time to develop and implement the recommended policy and procedure guidance by the end of Fiscal Year 2022. Why does this problem matter? The Department?s lack of sufficient internal controls over the maintenance of complete and accurate records for the federal CRF monies could result in inadequate documentation to support its payments and ultimately, disallowed federal costs and potential sanctions. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-074 The Department of Local Affairs (Department) should implement internal controls to ensure it complies with federal regulations, specifically for activities allowed or unallowed and allowable costs/cost principles, for any new federal funds it receives, such as the Coronavirus Relief Fund. This should include developing and implementing policies and procedures that include a requirement that Department staff review and maintain records supporting the expenditures charged to the federal program. Response Department of Local Affairs Agree Implementation Date: September 2022 The Division of Housing within the Department of Local Affairs has implemented internal controls to ensure compliance with federal regulations for new federal funds, including the development of a standard procedure and the requirement that Department staff review and maintain records supporting the expenditures charged to new federal programs.
Finding 2022-074 Coronavirus Relief Funds?Property Owner Preservation Program The President of the United States issued the Proclamation on Declaring a National Emergency Concerning the Novel Coronavirus Disease (COVID-19) Outbreak on March 13, 2020 and Congress subsequently passed the Coronavirus Aid, Relief, and Economic Security (CARES) Act. The CARES Act provided emergency assistance in response to the COVID-19 pandemic and established the Coronavirus Relief Fund (CRF) program, which provided payments to state, local, and tribal governments navigating the impact of COVID-19. The State of Colorado received approximately $1.67 billion of CRF funds in April 2020, and the Governor issued Executive Order 2020-070 (Executive Order) in May 2020 to disburse the CRF funds to numerous state departments and agencies. In June 2020, the State passed House Bill 20-1410, concerning assistance for individuals facing a housing-related hardship due to the COVID-19 pandemic, and transferred approximately $19.7 million of CRF funds to the Housing Development Grant Fund to provide such assistance. This bill includes a provision for the Property Owners Preservation Program (Program), which was managed by the Department, to allow landlords and property owners to seek rental assistance on behalf of their tenants who experienced a financial need on or after March 1, 2020, due to the effects of the COVID-19 pandemic. In Fiscal Year 2021, the Department expended the $19.7 million of the CRF funds it received in April 2020, for the Property Owners Preservation Program (POPP). What was the purpose of our audit work and what work was performed? The purpose of the audit work was to follow up on our prior year audit recommendation, which recommended that the Department implement internal controls to ensure it complies with federal regulations for any new federal funds it receives, such as the CRF. The Department planned to implement this recommendation by June 2022. During the Fiscal Year 2022 audit, we inquired with the Department on the implementation status of this recommendation. We also obtained and reviewed the Department?s Exhibit K3, Schedule of Prior Year Audit Recommendation Status, which it was required to submit to the State Controller. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Under House Bill 20-1410, the Housing Development Grant Fund was appropriated $19,650,000 of funds from the CRF for the purpose of providing individuals and households who, on or after March 1, 2020, experienced financial need due to the COVID-19 pandemic or effects of the COVID-19 pandemic, with rental assistance. The House Bill also provided guidance on how to access additional housing services. The Department developed and issued a new application for the POPP to address the criteria for experiencing direct or indirect impacts of the COVID-19 pandemic. ? Federal regulations [2 CFR 200.303] require that the Department, as a federal grant recipient, ?establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.? Furthermore, in accordance with 2 CFR part 200, subpart E, the Department must determine that amounts paid with federal grant funds were necessary and reasonable for the performance of the federal award and are adequately documented. Therefore, the Department must maintain appropriate supporting documentation to verify costs were properly charged to the federal grants. ? The Office of the State Controller (OSC) requires each department that had a prior audit recommendation that was reported in the prior fiscal year?s Office of the State Auditor Statewide audit to complete an Exhibit K3 to report the Department?s determination of the status of their recommendation as of June 30. Possible status descriptions include ?Implemented,? ?Partially Implemented,? ?Not Implemented,? and ?No Longer Valid.? The Department must provide an explanation for each recommendation status. What problem did the audit work identify? We determined that the Department did not implement the prior year?s recommendation by its planned implementation date of June 2022. Specifically, during prior year audit work, we found that the Department could not provide appropriate underlying support for 4 of the 60 transactions (7 percent) we tested that were charged as CRF expenditures for the Program; as a result, we recommended that the Department strengthen its internal controls over federal grant spending, including that it develop and implement policies and procedures with a requirement that Department staff review and maintain records supporting its expenditures charged to federal programs. When we inquired of the Department about what steps it had taken to implement the recommendation, Department staff indicated that they did not implement the recommendation during Fiscal Year 2022. Why did this problem occur? The Department reported on its Exhibit K3 that it determined that the original implementation date of June 2022 that the Department provided as its planned implementation date for our Fiscal Year 2021 recommendation was unrealistic, given the Department?s staffing challenges. Specifically, the Department indicated that it was not able to allocate sufficient time to develop and implement the recommended policy and procedure guidance by the end of Fiscal Year 2022. Why does this problem matter? The Department?s lack of sufficient internal controls over the maintenance of complete and accurate records for the federal CRF monies could result in inadequate documentation to support its payments and ultimately, disallowed federal costs and potential sanctions. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-074 The Department of Local Affairs (Department) should implement internal controls to ensure it complies with federal regulations, specifically for activities allowed or unallowed and allowable costs/cost principles, for any new federal funds it receives, such as the Coronavirus Relief Fund. This should include developing and implementing policies and procedures that include a requirement that Department staff review and maintain records supporting the expenditures charged to the federal program. Response Department of Local Affairs Agree Implementation Date: September 2022 The Division of Housing within the Department of Local Affairs has implemented internal controls to ensure compliance with federal regulations for new federal funds, including the development of a standard procedure and the requirement that Department staff review and maintain records supporting the expenditures charged to new federal programs.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-074 Coronavirus Relief Funds?Property Owner Preservation Program The President of the United States issued the Proclamation on Declaring a National Emergency Concerning the Novel Coronavirus Disease (COVID-19) Outbreak on March 13, 2020 and Congress subsequently passed the Coronavirus Aid, Relief, and Economic Security (CARES) Act. The CARES Act provided emergency assistance in response to the COVID-19 pandemic and established the Coronavirus Relief Fund (CRF) program, which provided payments to state, local, and tribal governments navigating the impact of COVID-19. The State of Colorado received approximately $1.67 billion of CRF funds in April 2020, and the Governor issued Executive Order 2020-070 (Executive Order) in May 2020 to disburse the CRF funds to numerous state departments and agencies. In June 2020, the State passed House Bill 20-1410, concerning assistance for individuals facing a housing-related hardship due to the COVID-19 pandemic, and transferred approximately $19.7 million of CRF funds to the Housing Development Grant Fund to provide such assistance. This bill includes a provision for the Property Owners Preservation Program (Program), which was managed by the Department, to allow landlords and property owners to seek rental assistance on behalf of their tenants who experienced a financial need on or after March 1, 2020, due to the effects of the COVID-19 pandemic. In Fiscal Year 2021, the Department expended the $19.7 million of the CRF funds it received in April 2020, for the Property Owners Preservation Program (POPP). What was the purpose of our audit work and what work was performed? The purpose of the audit work was to follow up on our prior year audit recommendation, which recommended that the Department implement internal controls to ensure it complies with federal regulations for any new federal funds it receives, such as the CRF. The Department planned to implement this recommendation by June 2022. During the Fiscal Year 2022 audit, we inquired with the Department on the implementation status of this recommendation. We also obtained and reviewed the Department?s Exhibit K3, Schedule of Prior Year Audit Recommendation Status, which it was required to submit to the State Controller. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Under House Bill 20-1410, the Housing Development Grant Fund was appropriated $19,650,000 of funds from the CRF for the purpose of providing individuals and households who, on or after March 1, 2020, experienced financial need due to the COVID-19 pandemic or effects of the COVID-19 pandemic, with rental assistance. The House Bill also provided guidance on how to access additional housing services. The Department developed and issued a new application for the POPP to address the criteria for experiencing direct or indirect impacts of the COVID-19 pandemic. ? Federal regulations [2 CFR 200.303] require that the Department, as a federal grant recipient, ?establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.? Furthermore, in accordance with 2 CFR part 200, subpart E, the Department must determine that amounts paid with federal grant funds were necessary and reasonable for the performance of the federal award and are adequately documented. Therefore, the Department must maintain appropriate supporting documentation to verify costs were properly charged to the federal grants. ? The Office of the State Controller (OSC) requires each department that had a prior audit recommendation that was reported in the prior fiscal year?s Office of the State Auditor Statewide audit to complete an Exhibit K3 to report the Department?s determination of the status of their recommendation as of June 30. Possible status descriptions include ?Implemented,? ?Partially Implemented,? ?Not Implemented,? and ?No Longer Valid.? The Department must provide an explanation for each recommendation status. What problem did the audit work identify? We determined that the Department did not implement the prior year?s recommendation by its planned implementation date of June 2022. Specifically, during prior year audit work, we found that the Department could not provide appropriate underlying support for 4 of the 60 transactions (7 percent) we tested that were charged as CRF expenditures for the Program; as a result, we recommended that the Department strengthen its internal controls over federal grant spending, including that it develop and implement policies and procedures with a requirement that Department staff review and maintain records supporting its expenditures charged to federal programs. When we inquired of the Department about what steps it had taken to implement the recommendation, Department staff indicated that they did not implement the recommendation during Fiscal Year 2022. Why did this problem occur? The Department reported on its Exhibit K3 that it determined that the original implementation date of June 2022 that the Department provided as its planned implementation date for our Fiscal Year 2021 recommendation was unrealistic, given the Department?s staffing challenges. Specifically, the Department indicated that it was not able to allocate sufficient time to develop and implement the recommended policy and procedure guidance by the end of Fiscal Year 2022. Why does this problem matter? The Department?s lack of sufficient internal controls over the maintenance of complete and accurate records for the federal CRF monies could result in inadequate documentation to support its payments and ultimately, disallowed federal costs and potential sanctions. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-074 The Department of Local Affairs (Department) should implement internal controls to ensure it complies with federal regulations, specifically for activities allowed or unallowed and allowable costs/cost principles, for any new federal funds it receives, such as the Coronavirus Relief Fund. This should include developing and implementing policies and procedures that include a requirement that Department staff review and maintain records supporting the expenditures charged to the federal program. Response Department of Local Affairs Agree Implementation Date: September 2022 The Division of Housing within the Department of Local Affairs has implemented internal controls to ensure compliance with federal regulations for new federal funds, including the development of a standard procedure and the requirement that Department staff review and maintain records supporting the expenditures charged to new federal programs.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-064 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide emergency financial assistance to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the University under the Higher Education Emergency Relief Fund (HEERF I) Program. The federal Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the federal American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Each of the University?s campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (DOE) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements of the HEERF program there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The DOE specified that the Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The University?s campuses are required to submit the annual report directly to the DOE. During Fiscal Year 2022, each University campus was required to complete and post 8 reports (four Student Aid and four Institutional) to their website. During Fiscal Year 2022, the University?s three campuses in total expended approximately $60 million in HEERF grant funds: $27 million was expended by the Boulder campus, $10.5 million was expended by the Colorado Springs campus, and $22.5 million was expended by the Denver campus. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over and complied with the HEERF grant reporting requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls over the HEERF grant reporting requirements. In addition, we tested 11 of the 12 student reports and 3 of the 12 institutional reports posted by the University during Fiscal Year 2022 to determine whether the University campuses posted the required information on each campus? website accurately, and by the federal due dates. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? The DOE issued a notice on May 13, 2021, requiring institutions to publicly post their required HEERF reports on the institution?s website as soon as possible, but no later than 30 days after the publication of the notice, or 30 days after the date the DOE first obligated funds under HEERF I, II, or III to the institution for emergency financial assistance to students; whichever comes later. The institution is required to post the report no later than 10 days after the end of each calendar quarter, after the initial posting. ? Federal regulation [2 CFR 200.303] states that the System?s campuses, as federal grant recipients, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? What problem did the audit work identify? We identified 2 out of the 14 reports tested (14.3 percent) that did not meet the HEERF grant report posting requirements. Specifically, the University of Colorado, Colorado Springs Campus, did not post the required information for the HEERF Student Aid Portion on its website for two of four quarters of Fiscal Year 2022 timely. First, the University posted the quarter-ending September 30, 2021 report to its website on December 23, 2021, or 74 days after the deadline of October 10. Second, the University did not post the quarter-ending March 31, 2022 report, which was due April 10, 2022, until October 2022, after we notified them of the error; this was approximately 6 months late. We did not identify any issues with the accuracy of the reports, and we found that the other two campuses in the University of Colorado System posted the required information on their respective websites as required by federal regulations. Why did this problem occur? The University?s Colorado Springs campus did not have adequate internal controls in place to ensure it complied with the HEERF grant reporting requirements. Specifically, the Colorado Springs Campus did not have appropriate policies and procedures in place for identifying and researching changes in HEERF reporting requirements. The federal government updated and provided a new form for HEERF reporting in September 2021 that included a section for institutional information but inadvertently excluded student information from the form. Because the form no longer required the student information, the Colorado Springs campus staff inaccurately assumed that the student information was no longer required to be reported. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in the DOE Certification and Agreement that is signed and agreed to by the University. By failing to report required information in accordance with federal regulations, the University failed to comply with the requirements of the HEERF program and potentially risks repercussions from the DOE as specified in the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-064 The University of Colorado?s Colorado Springs campus should strengthen its internal controls over and ensure that it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by establishing policies and procedures for identifying and researching changes in HEERF reporting requirements and posting reports to the campus website as required by federal regulations. Response University of Colorado Agree Implementation Date: Implemented Management agrees. After the notification of the missing HEERF report in December 2021, the UCCS Controller proposed a ?cross-check? process to ensure all future reporting is in compliance and reported in a timely manner. This process is used for both the quarterly and annual reporting process. In the quarterly reporting process, the UCCS Controller completes the institutional report and emails the report to the UCCS Financial Aid office Senior Executive Director for verification of the amounts and the data submitted. The Senior Executive Director then enters the student aid portion?s information and provides this to the UCCS Controller for verification of the data. Once verified, the report is uploaded to the UCCS website and a confirmation email is sent to the UCCS Controller as well as the heerfreporting@ed.gov for verification of completion of the website posting. This process has been duplicated with the annual reporting process. Before the annual report is submitted a review will be done to verify the report figures match the CU financials for the calendar year.
Finding 2022-062 Higher Education Emergency Relief Fund Student Aid Finding The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to higher education institutions, including the University, under the HEERF program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA) was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. Since March 11, 2021, the University has been awarded $45.6 million in HEERF grant funds through the American Rescue Plan (ARP), otherwise known as HEERF III. Of this award, the University was provided both 1) Student Aid monies, along with 2) Institutional Aid monies. Student Aid monies must be used to provide financial aid grants to students (including students exclusively enrolled in distance education), which may be used for ?any component of the student?s cost of attendance or for emergency costs that arise due to coronavirus, such as tuition, food, housing, healthcare (including mental health care), or childcare. Institutional Aid monies may be used to defray expenses associated with coronavirus (including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll) and to make additional financial grants to students. During Fiscal Year 2022, the University spent $21.0 million for the Student Aid portion and $20.2 million for the Institutional portion of HEERF III funds. For the Student Aid portion of the HEERF III funding, the University divided the funding into different groups. The University developed a written plan (that applied during Fiscal Year 2022) for each group and a control process for awarding the monies to students. One of the groups of funding was to be awarded to students with unpaid balances in their tuition or auxiliary accounts with past due balances incurred during the 2020-2021 or 2021-2022 academic years. A team of University employees (CARES Team) was tasked with identifying those students, then contacting those students and asking if they would like the University to apply the student?s HEERF award to pay down the student?s account balance or pay it to the student directly. Once the student informed the University of their election, then the University awarded and disbursed the funds. What was the purpose of our audit work and what was performed? The purpose of the audit work was to determine whether the University was in compliance with the HEERF program regulations for awarding and paying the Student Aid portion of the HEERF funding, and whether proper controls were in place over the program during Fiscal Year 2022. Our testing included conducting interviews with management and selecting a sample of 60 disbursements made to students during Fiscal Year 2022 to test controls and compliance. We performed testing on the 60 disbursements to determine whether awards and disbursements were made in accordance with the University?s documented plan. How were the results of the audit work measured? In accordance with HEERF III requirements, the University must prioritize student aid distributions to students with exceptional needs. In addition, the University must have a documented plan to distribute funds to students. Federal regulations [2 CFR 200.303] require any non-federal grant award recipient to establish and maintain effective internal control over the federal award that provides reasonable assurance that the grant award recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. Lastly, student aid application best practices discourage employees from awarding aid to family members. What problem did the audit work identify? Based on interviews with University management, the University identified that a University employee inappropriately provided $700 in HEERF Student Aid funding to the employee?s family member who was a student at the University but was not eligible to receive the funds. Specifically, the CARES Team selected students to receive these funds that met the following criteria: 1) Student was enrolled in the Fall of 2021 or Spring 2022, 2) student had past due balances incurred during the 2020-2021 or 2021-2022 academic years, 3) the student was in good academic standing, and 4) they were participating in a payment plan or in the College Completion Advising program. The student was not selected by the CARES Team as eligible to receive these funds. During our testing of additional 60 student disbursement transactions we found no other exceptions. Why did this problem occur? The University has not established proper segregation of duties to prevent University employees from awarding federal funding to a member of their family. Specifically, the employee had access rights within the University?s financial aid system that granted the employee the ability to both award and disburse federal funds without another employee reviewing or approving. In addition, the University did not have a written policy, as recommended by industry best practices, that prohibits employees from applying aid to family members? accounts. Why does this problem matter? Federal funds that are misapplied or used for unallowable purposes could be subject to repayment from the University to the federal granting agency. Without ensuring adequate segregation of duties within the University?s financial aid system for awarding and disbursing federal funds, the University increases the risk that fraud could occur. In the instance identified, the University recovered the funding from the student. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-062 Metropolitan State University of Denver (University) should improve its internal controls over federal Higher Education Emergency Relief Funds by instituting appropriate segregation of duties over the awarding of federal funds to students. This should include requiring that no one employee can both award then disburse aid to students and developing and implementing a formal written policy that prohibits University employees from awarding financial aid to their family members. Response Metropolitan State University Agree Implementation Date: June 2023 In January 2023, the Executive Director of Financial Aid and Scholarships implemented a code of conduct that addresses and prohibits University personnel from awarding financial aid to their family members or other persons considered conflicts of interest. The Office of Financial Aid and Scholarships will draft policy by June 30, 2023, to address the segregation of duties that prohibits awarding and disbursing federal, state, or institutional funding to students by one employee.
Finding 2022-063 Higher Education Emergency Relief Fund Reporting Compliance Finding The CARES Act was signed into law on March 27, 2020, and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the (HEERF Program. CRRSAA was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Since April 2020, the University has been awarded a total of $86.3 million in HEERF funding. From inception through June 30, 2022, the University spent $35.4 million for the HEERF program Student Aid Portion and $48.9 million for the HEERF program Institutional Portion. The University reports that it will spend the remaining amount of funding during Fiscal Year 2023. The University signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate the University?s acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The ED specified that Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The annual report is to be submitted directly to the federal ED. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University had adequate internal controls in place over and complied with HEERF Institutional and Student Aid Portion grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the University?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 5 of the 8 HEERF reports submitted by the University during Fiscal Year 2022 to determine whether the reports were posted on the University?s primary website or submitted directly to the ED by the federal due dates and complied with federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? For the Student Aid Portion, beginning on May 6, 2020, the ED required institutions to publicly post certain information on their website, including the number of awards distributed to students, the total amount awarded, and the methodologies used by the institution to determine which students receive awards, no later than 30 days after the award date, and to update that information every 45 days thereafter (by posting a new report). ? On August 31, 2020, the ED revised the reporting requirement by decreasing the frequency of reporting after the initial 30-day period from every 45 days thereafter to every calendar quarter. This revision from every 45 days to a calendar quarter was effective for the first calendar quarter report due by October 10, 2020, and covering the period from after the institution?s last report through the end of the calendar quarter on September 30, 2020. ? For the Institutional Portion, a federal form filled out by the institution must be posted on the institution?s website covering aggregate expenditure amounts for each calendar quarter (September 30, December 31, March 31, and June 30) and concluding after an institution has spent the institutional portion of their HEERF Funds. The institution must post their first report by October 30, 2020, the first quarter of 2021 report by July 20, 2021, and post all other reports no later than 10 days after the end of each calendar quarter (October 10, January 10, April 10, and July 10). ? Section 18004(e) of the CARES Act and Section 314(e) of the CRRSAA require an institution receiving funds under HEERF to submit a report to the Secretary of the ED at ?such time in such a manner as the Secretary may require?. ? Federal regulation [2 CFR 200.334] states that ?financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.? The instructions for the Quarterly HEERF Reporting Form notes, ?any changes or updates after the initial posting must be conspicuously noted after initial posting and the date of the change must be noted in the `Date of Report? line.? ? Federal regulation [2 CFR 200.303] states that the University, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The University signed a HEERF Certification and Agreement to accept the funding and acknowledge its responsibilities under the grant; therefore, the University was responsible under the Agreement to ensure that it complied with HEERF reporting and other requirements. What problems did the audit work identify? We determined that 2 out of 5 reports tested (40 percent) did not meet the HEERF grant report posting requirements. Specifically: ? The University did not post the HEERF CRRSAA Student quarterly report for the quarter ending September 30, 2021 on the University?s primary website, as required. ? The University published the HEERF ARP Student quarterly report for the quarter ending March 31, 2022 on May 26, 2022?46 days past the due date of April 10, 2022. No issues were noted on the accuracy of the financial information on this report. Why did these problems occur? The University did not implement adequate internal controls to ensure it complied with the HEERF grant reporting requirements. Specifically, the University did not have appropriate policies and procedures in place to ensure that staff submit the required reports within federally required timeframes. Why do these problems matter? Federal oversight agencies, including ED, depend on accurate reports to measure program results and states? compliance with federal requirements. By failing to report the HEERF spending information in accordance with federal regulations, the University failed to comply with the requirements of the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-063 Metropolitan State University of Denver (University) should strengthen its internal controls over reporting and ensure it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by developing and documenting policies and procedures for identifying and researching the specific reporting requirements and ensuring that staff post to the University?s website the required reports within federally required timeframes. In addition, the University should ensure that all the HEERF reports that are currently required to be posted are on the website. Response Metropolitan State University Agree Implementation Date: December 2022 In December 2022, the Office of Financial Aid strengthened its internal control over the reporting requirements for the Higher Education Emergency Relief Fund (HEERF), by adding the report due dates to the internal operational calendar. Additional level reviews were also added to the submission process before the required reports will be sent to the Department of Education and posted on the financial aid website.
Finding 2022-059 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF I) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund (Assistance Listing No. 84.425). The HEERF program contains two portions: the Student Aid portion (Assistance Listing No. 84.425E) and the Institutional portion, which is made up of the following: HEERF Institutional Aid Portion (Assistance Listing No. 84.425F), HEERF Minority Serving Institutions (Assistance Listing No. 84.425L), HEERF Strengthening Institutions Program (Assistance Listing No. 84.425M), Institutional Resilience and Expanded Postsecondary Opportunity (Assistance Listing No. 84.425P), and HEERF Supplemental Assistance to Institutions of Higher Education program (Assistance Listing No. 84.425S). Amounts provided to students through HEERF are considered to be ?Emergency Financial Aid Grants to Students? under the Program. Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent approximately $97.8 million for the HEERF program Student Aid portion which is used to award Emergency Financial Aid Grants to students and $113.9 million for the HEERF Institutional Portion, which is used to support the colleges. $117.3 of this amount was expended by the System during Fiscal Year 2022. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the ED to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The annual report is to be submitted directly to the ED. The ED has specified certain criteria that must be included in each report. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System had adequate internal controls in place over, and complied with, the HEERF Institutional and Student Aid grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the System?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 25 of the 117 HEERF reports submitted by the System?s campuses during Fiscal Year 2022 to determine whether the reports were posted on each campus? primary website (quarterly reports) or submitted to ED (annual reports) by the federal due dates. Furthermore, for the Student Aid Quarterly Report we requested from each Campus the underlying support for the reports, which consisted of student data detailing how much aid was awarded and the methods the campuses used to determine which students would receive Emergency Financial Aid Grants. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? On May 13, 2021, the ED published in the Federal Register a notice for student aid public reporting under CRRSAA and ARP, which requires that institutions publicly post certain information on their website. The following information must appear in a format and location that is easily accessible to the public: o An acknowledgement that the institution signed and returned to the ED the Certification and Agreement and the assurance that the institution has used the applicable amount of funds designated under the CRRSAA and ARP programs to provide Emergency Financial Aid Grants to Students. o The total amount of funds that the institution will receive or has received from the ED pursuant to the institution's Certification and Agreement for Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total amount of Emergency Financial Aid Grants distributed to students under the CRRSAA and ARP programs as of the date of submission (i.e., as of the initial report and every calendar quarter thereafter). o The estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total number of students who have received an Emergency Financial Aid Grant to students under the CRRSAA and ARP programs. o The method(s) used by the institution to determine which students receive Emergency Financial Aid Grants and how much they would receive under the CRRSAA and ARP programs. o Any instructions, directions, or guidance provided by the institution to students concerning the Emergency Financial Aid Grants. ? Federal Uniform Guidance [2 CFR 200.303] requires that recipients of federal awards have internal controls in place to ensure that federal reports are accurate and report complete information. Appropriate supporting documentation is evidence of such internal controls. What problems did the audit work identify? We identified issues with 5 of the 25 Fiscal Year 2022 reports we tested (20 percent). Specifically, Front Range Community College (FRCC), Pueblo Community College (PCC), and Lamar Community College (LCC) could not provide appropriate supporting documentation for one or more of the following data elements in five of the Student Aid Quarterly Reports: student data detailing (a) the total amount of Emergency Financial Aid Grants distributed to students, (b) the total number of students eligible to receive Emergency Financial Aid Grants and/or (c) the total number of students at the institution who have received an Emergency Financial Aid Grant. The specific issues we found the following: ? FRCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended September 30, 2021 as 20,684; based on our review, we determined the supported number was 20,782. ? FRCC reported the total number of students at the institution who have received an Emergency Financial Aid Grant for the quarter ended June 30, 2022 as 20,385 (student portion) and 3,207 (institutional portion); based on our review, we determined the supported numbers were 20,401 and 3,222, respectively. ? LCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended June 30, 2022 as 1,007; based on our review, we determined the supported number was 1,034. In addition, the amount disbursed directly to student emergency financial aid grants to date was reported as 961 and total for all HEERF funds was 1,124; based on our review, we determined the supported numbers were 988 and 1,151, respectively. ? PCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarters ending September 30, 2021 and December 31, 2021 as 3,191; based on our review, we determined this amount could not be supported and PCC did not provide a revised count. Why did these problems occur? FRCC, PCC, and LCC campuses did not have procedures in place to ensure that supporting documentation was maintained for its Student Aid Quarterly Reporting. Employee turnover in the FRCC Controller position and FRCC, PCC, and LCC Student Financial Aid Director positions further contributed to FRCC, PCC, and LCC?s inability to locate or recreate the supporting documentation. Why do these problems matter? It is important for FRCC, PCC, and LCC to ensure that they obtain and maintain appropriate documentation to support amounts reported to federal awarding agencies, especially when they are the basis for determining FRCC, PCC, and LCC?s compliance with specific federal program requirements. This issue could lead to inaccurate federal reporting and potential noncompliance, which could result in the federal government requiring FRCC, PCC, and LCC to return funds or a negative impact to the System?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-059 Front Range Community College, Lamar Community College, and Pueblo Community College campuses should strengthen their internal controls over federal reporting and ensure they comply with the Higher Education Emergency Relief Fund reporting requirements by reviewing reports for accuracy and developing procedures for ensuring the required maintenance of all related supporting documentation. Response Front Range Community College Agree Implementation Date: September 2022 Moving forward the Director of Financial Aid will engage the Restricted Funds Accountants in a quality assurance review of both dollars spent, type of fund, and student counts before it is submitted for final review and publishing by the Director of Resource Development and Senior Grant Administrator. The most recently submitted information for the quarterly report of September 30, 2022 will be sent to the Restricted Funds Accountants to validate that FRCC has been and will continue to be in compliance for quarterly HEERF reporting. Response Lamar Community College Agree Implementation Date: July 2022 The Financial Aid Director and the Controller will compile their reporting support on the shared drive they utilize for other routine purposes as well, to ensure clear documentation of the numbers reported. The original report containing errors was corrected, validated, and reposted. All past year?s reporting data was made available on the shared drive as of July 2022. Response Pueblo Community College Agree Implementation Date: October 2022 Each quarter Financial aid will obtain and compare Cognos and Banner disbursement reports for accuracy. Once the unduplicated student count is determined it will be sent to the Vice President of Student Success to validate and approve going forward. Financial aid will ensure staff maintain supporting documentation for any institutional expenditures information that was obtained from the fiscal office. Disbursement and expenditure data will be compiled for the Department of Education?s Quarterly Report by the submission deadline and will be submitted as PDF to webmaster for posting on PCC?s website and a copy emailed to a contact at the Department of Education and will archive the submission for future reference.
Finding 2022-043 Medicaid Claims Payments Individuals and families apply for Medicaid at their local county departments of human/social services or at MA sites. Medicaid caseworkers make the determinations of participants? eligibility to receive Medicaid benefits through CBMS. Children in the State?s foster care program, whose information is documented in the TRAILS system, are automatically determined eligible for Medicaid benefits. The Medicaid eligibility data in CBMS and TRAILS feeds into Colorado interChange, which pays providers for the services that beneficiaries receive. CBMS and TRAILS interface with Colorado interChange on a daily basis to update eligibility information, such as a beneficiary?s eligibility status and/or termination of benefits in Colorado interChange. According to the Department, Colorado interChange is programmed to make only allowable Medicaid claims payments on behalf of eligible beneficiaries in accordance with federal and state Medicaid rules and regulations. Thus, Colorado interChange should stop paying Medicaid claims when a beneficiary is no longer eligible for Medicaid. On March 18, 2020, the Act was enacted. The Act provided a temporary increase in the federal share of Medicaid and CBHP assistance from January 1, 2020 until the end of the PHE. The Act also required that the Department maintain Medicaid and CBHP eligibility for beneficiaries enrolled as of March 1, 2020, through the end of the COVID-19 PHE, except for the required terminations noted within the CMS waivers, such as out-of-state residency, termination upon the beneficiary?s request, and death of the beneficiary. On March 26, 2020, CMS approved waivers for a number of Medicaid and CBHP requirements that resulted in, for example, the expansion of benefits to include all uninsured individuals; suspension of beneficiary deductibles, copayments, coinsurance, and other cost sharing charges and fees; coverage of COVID-19 vaccines and testing; and the suspension of the requirement for a provider to have a current license if their license expired during the COVID-19 PHE. In addition, the State implemented, with CMS? approval, Medicaid continuous enrollment as a condition of receiving the temporary increase in federal assistance. During continuous enrollment, beneficiaries could not be disenrolled due to changes in circumstances (i.e., changes in household composition, employment, income and resources) until the end of the COVID-19 PHE. On December 29, 2022 the CCA was enacted. Under the CCA, continuous enrollment and the temporary increase in federal assistance are no longer linked to the end of the COVID-19 PHE. The continuous enrollment condition will end on March 31, 2023 and the increase in federal assistance will start to gradually reduce in April 2023, fully ending in December 2023. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to review the Department?s progress in implementing our Fiscal Year 2019 audit recommendation related to its internal controls over Medicaid claims payments. During that audit, we recommended that the Department improve its Medicaid controls by researching and resolving CBMS, TRAILS, and Colorado interChange interface issues we identified during our audit to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries. We specifically identified a TRAILS and CBMS eligibility mismatch issue related to the daily interfaces between CBMS and Colorado interChange and between TRAILS and Colorado interChange. As a result, some individuals who were deemed ineligible for Medicaid in CBMS and TRAILS were indicated as eligible in Colorado interChange at the time of payments; therefore, Colorado interChange made payments on their behalf. The Department researched the specific errors we identified during the audit and manually corrected the eligibility status of those beneficiaries, but the Department had not fully researched the error or identified and corrected all of the cases affected by the errors at that time. As such, we also recommended that the Department identify and correct any additional cases affected by the system issues noted in our audit. The Department agreed with the recommendation and stated that it would implement them by July 2021. As part of our audit work, we discussed the Department?s progress in implementing our audit recommendation with Department staff. According to the Department, it worked with the Department of Human Services (DHS) during Fiscal Year 2022 to develop a plan to eliminate the issues, including the TRAILS eligibility mismatch issue, we identified in the Fiscal Year 2019 audit. In order to address our recommendation that the Department identify and correct any additional cases affected by the system issues noted during our Fiscal Year 2019 audit, the Department developed an eligibility reconciliation report that compares beneficiary records with an active eligibility span in Colorado interChange, in order to identify any records that were not reported in the monthly eligibility file from CBMS. Department staff reported that they are reviewing the reconciliation report monthly to identify any beneficiary records that need updating in CBMS. Beneficiaries may show up on the reconciliation report either because (1) Colorado interChange rejected the beneficiary?s eligibility due to a data integrity issue, or (2) there was a system defect in CBMS, Colorado interChange, or TRAILS that caused a mismatch issue. Data integrity issues include issues such as a missing mailing address or last name?these issues can be manually fixed in CBMS. System defect issues are generally more complex and require Department staff to research the problem and identify the system that caused the error (CBMS, Colorado interChange, or TRAILS), and then work with the appropriate staff to correct the issue. As part of our audit, we requested copies of the Department?s eligibility reconciliation reports for Fiscal Year 2022 and asked the Department if it identified any additional cases affected by the system issues we identified, and if so, if they had they corrected the issues. How were the results of the audit work measured? We measured the results of our audit against the following: ? Federal regulation [42 CFR 447.56(e)(2), Limitations on Premiums and Cost Sharing] states that federal funding will not be provided for payments made by the Department to providers for services rendered to individuals who are not eligible for Medicaid. ? The Act [Section 2, Division F, Sec. 6008, Temporary Increase of Medicaid FMAP] temporarily increased the federal medical assistance percentage (FMAP) by 6.2 percentage points, effective from January 1, 2020 until the end of the PHE. The Act requires states to maintain Medicaid and Children?s Health Insurance Program (CHIP) eligibility for beneficiaries enrolled as of March 1, 2020 through the end of the PHE (with certain exceptions) in order to receive the increased FMAP assistance (the ?continuous enrollment requirement?). The PHE remained in effect during the entirety of Fiscal Year 2022 through June 30, 2022. ? According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with the Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office, Paragraph 16.01, Perform Monitoring Activities, which states that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. What problems did the audit work identify? We determined that the Department did not fully implement our Fiscal Year 2019 recommendation related to Medicaid claims payments by the July 2021 due date it originally provided. Specifically, while the Department has started working with DHS on a plan to resolve the TRAILS eligibility mismatch issues and started preliminary work on the project, the project was still ongoing as of June 30, 2022. In addition, the Department?s system enhancements to CBMS and Colorado interChange were not fully executed because of the ongoing PHE. Once the PHE ends and the Department executes the system enhancements, the Department has indicated the system will begin to correct the CBMS and Colorado interChange mismatches. Finally, although the Department has identified additional beneficiary records that require updating in CBMS, it did not correct the identified issues in the system. Specifically, the Department identified approximately 32,800 separate beneficiaries that were flagged as having an eligibility issue through the Fiscal Year ending June 30, 2022. However, per Department staff, they are unable to tell which beneficiaries had data integrity issues versus those that were caused by a system defect. Once the continuous enrollment period ends and the Department is able to fully execute the system enhancements noted above, the Department reports that the systems will sync any error the Department has identified and will be manually corrected. Why did these problems occur? The Department indicated that it did not fully execute the CBMS and Colorado interChange system enhancements because of the Act?s ongoing continuous enrollment requirement. Specifically, because the Department was required to maintain Medicaid and CBHP beneficiaries enrolled as of March 1, 2020 through the entirety of Fiscal Year 2022 due to the continuous enrollment requirements in place, they were unable to fully execute the CBMS and Colorado interChange system enhancements that would fix the data integrity issues identified during the Fiscal Year 2019 audit. Why do these problems matter? Making payments to ineligible individuals can result in the Department having to repay the federal government for the federal portion of the overpayments. Further, because Colorado interChange makes payments on behalf of other federal programs, such as CBHP, system issues with Colorado interChange could result in erroneous payments for other programs. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-043 The Department of Health Care Policy and Financing should strengthen its internal controls over Medicaid claim payments by: A. Continuing to work with the Department of Human Services to fully implement the plan to eliminate the Colorado interChange issues between Colorado Benefits Management System (CBMS), TRAILS, and Colorado interChange to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries. B. Continuing to review the monthly eligibility reconciliation reports and identifying beneficiary records that need updating, and making necessary corrections in CBMS once the continuous enrollment condition ends. Response Department of Health Care Policy and Financing A. Partially Agree Implementation Date: April 2023 The Department and CBMS teams have strengthened their internal controls to ensure payments are only made to providers for eligible members. The Department and CBMS teams will update all member records identified on the Monthly Reconciliation report once the Public Health Emergency ends. TRAILS team has provided additional training to the Case Managers to prevent data integrity issues being submitted to CBMS and interChange; however, the TRAILS team does not plan to update the system's internal controls until funding is available. Auditor?s Addendum Our responsibility under federal audit regulations is to report to the federal government when we identify Medicaid payments that may not have been made on behalf of eligible individuals or costs that we question as appropriate. It is ultimately the Department?s responsibility to have internal controls in place over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions B. Agree Implementation Date: April 2023 The Department agrees to review the monthly eligibility reconciliation report and is looking forward to resolving the member records once the Public Health Emergency ends to fully resolve the audit finding.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-041 Medicaid Eligibility?Social Security Numbers associated with Multiple State IDs Each beneficiary?s Medicaid application must contain specific information, including the beneficiary?s Social Security Number (SSN), a copy of their birth certificate, and support for their income, necessary for determining their Medicaid eligibility. The local counties and MA sites are responsible for administering the benefits application process, including entering the required data for eligibility determination into CBMS, and approving or denying applicants? eligibility. CBMS is a shared eligibility system between the Department and the Department of Human Services. As each beneficiary has one SSN, similarly, the State Identification Module (SIDMOD), which is managed by the Office of Information Technology (OIT), is designed to assign a unique State ID for each beneficiary. CBMS interfaces with Colorado interChange, the Department?s Medicaid claims payment system, on a daily basis to update eligibility information, such as a beneficiary?s eligibility status or termination of benefits in Colorado interChange. Colorado interChange uses this information to process and pay claims for services provided to eligible Medicaid beneficiaries. When a medical provider submits a claim to the Department, Colorado interChange checks the State ID and the date of birth, but not the SSN, submitted with the claim against the beneficiary?s information on file. If the State ID and the date of birth match an eligible beneficiary within Colorado interChange and the claim is otherwise appropriate, then the claim will be processed and paid through the system. The Department requires local counties or MA site caseworkers to call the OIT Service Desk to obtain approval for changing or updating an SSN in CBMS. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department made claims payments on behalf of beneficiaries with the same SSN but different State IDs, including assessing the Department?s progress in implementing our Fiscal Year 2019 recommendation related to this issue. At that time, we recommended that the Department improve its internal controls in this area to ensure that it complies with federal regulations regarding Medicaid eligibility. The Department agreed with the Fiscal Year 2019 recommendation and, during our Fiscal Year 2021 audit, reported that it had implemented this recommendation as of December 2020. As part of our testing, we reviewed the internal controls the Department had in place during Fiscal Year 2021 to identify any beneficiaries whose SSN is linked to more than one State ID in Colorado interChange. During our audit, we requested a list of all Medicaid claims that were submitted by providers and paid by the Department from December 1, 2020, through June 30, 2021, including the beneficiaries? names, SSNs, and State IDs. The Department provided a list that included approximately 924,000 beneficiaries who received benefits during that period. We analyzed this listing to identify any beneficiaries whose SSN was linked to more than one State ID, and to determine if any claims payments were made on behalf of those beneficiaries from December 2020 through June 2021. How were the results of the audit work measured? Federal regulation [42 CFR 435.910] states that the Department must require, as a condition of eligibility, that each individual (including children) seeking Medicaid services furnish a SSN. Federal regulation [42 CFR 435.914] further requires the Department to obtain and maintain documentation to support each beneficiary?s Medicaid eligibility determination. Federal regulation [42 CFR 447.56(e)(2)] states that federal funding will not be provided for payments made by the Department to providers for services provided on behalf of individuals who are not eligible for Medicaid. Further, the Department is required by federal regulations to repay the federal government the federal share of any overpayments within one year. Specifically, pursuant to 1903(d)(2)(C) of the Social Security Act [42 U.S.S. 1396b], states have up to one year from the date of discovery of the overpayment to recover or attempt to recover the overpayment before the federal share must be refunded to CMS regardless of whether recovery is made from the provider. According to federal regulation [45 CFR 75.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office. Under Paragraph 16.01 of the Green Book, the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. What problem did the audit work identify? We determined that the Department has not fully implemented the prior audit recommendation. During our testing, we identified 102 unique SSNs that appeared to be inappropriately associated with more than one State ID; in total, the 102 SSNs were tied to 209 State IDs. This could indicate that the Department determined eligibility without a beneficiary furnishing the correct SSN and, as a result, made claims payments on behalf of ineligible beneficiaries or the SSNs could be valid, but with more than one State ID, a provider could submit and have a claim paid for the same services under both State IDs. Specifically, we found the following: ? For 62 SSNs, the SSNs were tied to beneficiaries with more than one State ID, totaling 129 different State IDs, where the State IDs appeared to be for different people based on the names and/or dates of birth. ? For 40 SSNs, the SSNs were tied to beneficiaries with more than one State ID, totaling 80 different State IDs, where the State IDs had the same name and date of birth. ? For 99 SSNs, each SSN was tied to two different State IDs in Colorado interChange. ? For three SSNs, each SSN was tied to more than two different State IDs in Colorado interChange. For example, in one of the three instances, there were five different State IDs associated with one invalid SSN. These issues affected a total of 209 Medicaid State IDs that had not been corrected as of June 2021, representing a total of $67,235 Medicaid claims paid through Colorado interChange from December 2020 through June 2021. We provided the list of SSNs and State IDs to the Department to research. The Department found that, as of the end of our audit in April 2022, 59 out of the 102 SSNs identified during the audit had been corrected by a caseworker, but 43 SSNs need to be corrected in CBMS. The Department reported that these 43 SSNs had been flagged through a system edit in CBMS implemented in December 2020; however, the SSNs had not yet been corrected because ?To merge or correct [the SSNs and State IDs] is a time intensive process and must be prioritized within the business process of the [local counties and] Medical Assistance sites.? Although the Department was able to determine which SSN and State ID discrepancies had been corrected in CBMS as of April 2022, the Department has not completed its research to determine which claims made in Colorado interChange were made on behalf of beneficiaries with a correct SSN, and whether the implemented system edit appropriately addresses the issues identified in both Fiscal Years 2019 and 2021. As of the end of the audit, the Department had not completed this research and we were unable to determine whether the payments were made on behalf of beneficiaries with a valid SSN at the time payments were made. Therefore, we consider all $67,235 of the payments to be known questioned costs; $37,786 of these costs were paid with federal grant funds. A questioned cost, as defined in federal regulations [45 CFR 75.2 Uniform Administrative Requirements, Cost Principles, and Audit Requirements] (Uniform Guidance), is ?a cost that is questioned by the auditor ? (1) Which resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds; [or] (2) Where the costs, at the time of the audit, are not supported by adequate documentation?.? We have identified these questioned costs as known questioned costs that are further defined in Uniform Guidance [45 CFR 75.516] as questioned costs that are specifically identified by the auditor. Why did this problem occur? The Department did not have adequate internal controls in place during Fiscal Year 2021 to prevent or detect all instances of multiple State IDs associated with the same SSN in Colorado interChange and, as a result, could not ensure only eligible beneficiaries received Medicaid services. SIDMOD does not prevent several situations that can result in the same SSN with more than one State ID. For example, caseworkers could incorrectly input an SSN into CBMS or the SSN could be reported by the beneficiary incorrectly and, as a result, cause a new State ID to be created. There can also be instances when someone changes their name, such as when they get married, and apply for benefits prior to getting married and also after getting married, which could cause two State IDs to be created. If someone starts an application and does not finish the application and then restarts a new application at a later date, this can also cause two State IDs to be created. Further, when inputting multiple family members into the system, an input error of the SSN can occur with multiple family members with the same SSN, which would create multiple State IDs (one for each family member) with the same SSN. According to the Department, in order to implement the Fiscal Year 2019 recommendation, it implemented a system edit in CBMS in December 2020 that is designed to identify discrepancies in newly-entered or updated SSNs and State IDs in CBMS after that date and to then notify the caseworker so the caseworker can address the discrepancy; this edit was not designed to address SSN and State ID discrepancies that existed prior to December 2020. As a result, the system edit did not identify SSN and State ID discrepancies for claims made from December 2020 to June 2021 if those discrepancies existed prior to the implementation of the system edit in CBMS and the beneficiaries? information had not been updated in CBMS. For example, if a beneficiary had an incorrect SSN prior to the system edit and was, therefore, ineligible to receive Medicaid services, Colorado interChange would continue paying claims on behalf of the beneficiary until information was updated in CBMS and the beneficiary was determined to be ineligible for Medicaid. Because the system edit implemented in CBMS is only designed to detect and correct future SSN and State ID discrepancies, the Department has not fully addressed the issue of inappropriate claims payments that we identified in the prior audit recommendation. According to the Department, addressing SSN and State ID discrepancies that existed prior to December 2020 involves a manual process to identify, research, and resolve the discrepancies. The Department stated that a report to identify SSNs with multiple State IDs is being developed and is currently scheduled for deployment in June 2023. Furthermore, the Department has not established a monitoring process over caseworkers to ensure SSN and State ID discrepancies are addressed appropriately and in a timely manner. Why does this problem matter? Failing to institute appropriate controls over the processing of Medicaid eligibility can result in the counties and MA sites granting Medicaid benefits to ineligible individuals. As the state Medicaid agency, it is essential for the Department to ensure that Medicaid benefits are paid only for eligible beneficiaries. This includes ensuring that the Department has sufficient internal controls to address risks related to multiple State IDs associated with the same SSN. For example, without adequate controls in place to prevent multiple State IDs from being created, providers could erroneously or fraudulently submit duplicate claims under these State IDs for the same services, resulting in improper payments. Ultimately, the federal government may disallow federal funds for Medicaid program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. Recommendation 2021-041 See Schedule of Findings and Questioned Costs for chart/table The Department of Health Care Policy and Financing (Department) should improve its internal controls over Medicaid eligibility by: A. Researching the claims payments that were identified during our audit to determine whether the local counties or Medical Assistance sites had a valid Social Security Number (SSN) when determining eligibility, if payments were appropriate?in accordance with federal regulation at the time the payments were made?and recovering any payments made to providers on behalf of ineligible beneficiaries in accordance with federal regulations. B. Continuing to develop a report to identify SSNs associated with multiple State IDs and establishing and implementing written policies and procedures outlining how the Department will use the report to effectively monitor and correct SSN and State ID discrepancies. C. Implementing a process to monitor that caseworkers are addressing the Colorado Benefits Management System alerts related to SSN and State ID discrepancies appropriately and in a timely manner. Response Department of Health Care Policy and Financing A. Disagree The research required to identify the appropriateness of payments for 102 SSNs compared to the 1.6 million Coloradans the Department serves is administratively impractical and not an efficient use of limited state resources. Instead the Department will continue our existing proactive approach. Based on previous research, 92% of errors noted in the 2019 sample actually supplied a SSN or met exceptions criteria; therefore, payments were appropriate. The resolution of a SSN discrepancy is addressed through manual intervention by county eligibility technicians when identified through the system edit implemented in December 2020. The Department will continue the existing process to address duplicate SSNs, which is working since 58% of the SSNs had already been corrected through the existing process during the audit work. The Department could not agree to the questioned costs as the testing failed to determine which member case was incorrect. The OSA should have documented the incorrect case or identified which State IDs had not been merged through the existing process. The OSA pulled claims data (not Colorado Benefits Management System, or CBMS, cases) and did not identify if those claims were from newly entered cases or cases entered prior to December 2020. The auditor?s sample should have only included the cases impacted by the Department?s system change related to the original recommendation. Further, the Department cannot recover any payments from providers since this issue is not related to services provided. When a provider checks a member's eligibility on the day of service and finds the member eligible through the Department?s system, that provider is guaranteed payment if they render an authorized service. Auditor?s Addendum Our responsibility under federal audit regulations is to report to the federal government when we identify Medicaid payments that may not have been made on behalf of eligible individuals or that we ?question? as appropriate. It is ultimately the Department?s responsibility to perform research over questioned costs to determine whether the payments were or were not appropriate and, working with CMS, whether the Department must refund the federal share of any overpayments to CMS, regardless of whether the Department recovers the payments from the providers. B. Agree Implementation Date: June 2023 The Department will continue our existing proactive approach to minimize this issue. The resolution of a SSN discrepancy is addressed through manual intervention by county eligibility technicians when identified through the system edit implemented in December 2020. The Department will continue the existing process to address duplicate SSNs. The Department has already made significant progress to monitor CBMS through the use of CBMS monitoring dashboards. These dashboards allow the Department to monitor and perform daily analysis. The Department meets bi-weekly to discuss findings and next steps to resolve any issues identified through the dashboard. These dashboards are being implemented over time as areas of improvements are identified. As part of the Department's continual improvement strategy, SSN discrepancy reports are included in the next implementation phase of the monitoring dashboards scheduled for June 2023. The Department will develop and implement policies and procedures outlining how the report will be used to effectively monitor and correct SSN and State ID discrepancies. Once that work is complete, the Department will send updated written guidance to our county and medical assistance sites on how to use system edits, reports, and dashboards to resolve duplicate SSNs. C. Agree Implementation Date: June 2023 The Department will continue our existing proactive approach to minimize this issue. The resolution of a SSN discrepancy is addressed through manual intervention by county eligibility technicians when identified through the system edit implemented in December 2020. The Department will continue the existing process to address duplicate SSNs. The Department has already made significant progress to monitor CBMS through the use of CBMS monitoring dashboards. These dashboards allow the Department to monitor and perform daily analysis. The Department meets bi-weekly to discuss findings and next steps to resolve any issues identified through the dashboard. These dashboards are being implemented over time as areas of improvements are identified. As part of the Department's continual improvement strategy, SSN discrepancy reports are included in the next implementation phase of the monitoring dashboards scheduled for June 2023. Once that work is complete, the Department will send updated written guidance to our county and medical assistance sites on how to use system edits, reports, and dashboards to resolve duplicate SSNs appropriately and in a timely manner.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-042 Medical Loss Ratio Reporting for Managed Care Entities The Department contracts with Managed Care Entities (MCEs) to provide managed care health plans and deliver health care services to eligible Medicaid and CBHP beneficiaries and pays MCEs monthly fixed amounts, known as capitation payments, based on rates determined by actuaries for the provision of services covered under the contract. The Department pays the MCEs monthly capitation payments on behalf of each Medicaid and CBHP beneficiary enrolled in the MCE?s plan. MCEs then coordinate services for the eligible Medicaid and CBHP beneficiaries and providers participating in the managed care system bill the MCEs directly for any medical services provided to Medicaid and CBHP beneficiaries. The MCEs are then responsible for paying the providers for the Medicaid and CBHP claims. The Department contracts with three different types of MCEs?Managed Care Organizations (MCO), Prepaid Inpatient Health Plans (PIHP), and Primary Care Case Management (PCCM) Entities. During Fiscal Year 2021, the Department had a total of 8 contracts with 10 MCEs, with two pairs of MCEs sharing a single contract with the Department. The Department is responsible for monitoring the MCEs to ensure they are complying with federal regulations and their contract provisions, including requirements that the MCEs annually submit Medical Loss Ratio (MLR) reports to the Department. The MLR is the proportion of state and federal Medicaid and CBHP funds that the MCE used for medical services compared to the funds used for its administrative costs. MCEs are required by both federal regulations and their Department contract provisions to have an MLR above 85 percent (i.e., an MCE?s administrative costs cannot exceed 15 percent) except for specific exceptions defined in federal regulations. If the MLR is below 85 percent, the MCE must pay back the state and federal government for the amount that caused the MCE to fall below 85 percent. Every fiscal year, the Department provides an MLR reporting template for the MCEs to complete and return to the Department. The Department reported that when it receives the completed templates, staff review the information provided by the MCEs and compare it to supporting documentation to ensure it is accurate and complete. Once the Department has reviewed the MLR reports submitted by the MCEs, the Department submits the MLR reports to CMS, which are due by June 30 of the year following the end of the MLR reporting year. For example, an MCE with a reporting year ending June 30, 2020, would be required to submit the MLR calculation to CMS by June 30, 2021. During Fiscal Year 2021, the Department reported that it paid approximately $1.4 billion in Medicaid and CBHP capitation payments to MCEs for medical services, not including the capitation payments for other services, such as administrative costs. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to review the Department?s internal controls and compliance over ensuring that MLR reports submitted to CMS by the Department include all the required information in accordance with federal regulations during Fiscal Year 2021. The audit work included making inquiries of Department staff regarding the Department?s documented policies and procedures over obtaining and reviewing MLR reports from each MCE. In addition, we requested and reviewed all MLR reports submitted to the Department by the 10 MCEs that were under contract with the Department in Fiscal Year 2021 to determine whether the MLR reports included all information required by federal regulations and were submitted within the required timeframes. How were the results of the audit work measured? Federal regulations [42 CFR 438.8(k)] require that the Department ensure each MCE under contract with the Department submits a report with the data elements specified in 42 CFR section 438.8(k)(1). The reports are specifically required to contain 13 required data elements, reflect the correct reporting years, and contain an attestation of accuracy regarding the calculation of the MLR. The 13 data elements include items such as total incurred claims, the methodology for allocating expenditures, the calculated MLR, and a comparison of the information reported in the MLR report to the MCE?s audited financial report. Federal regulations [42 CFR 438.8(g)] note that the method used to allocate expenses in the MLR calculation must be: ? Based on a generally accepted accounting method that is expected to yield the most accurate results; ? Any shared expenses must be apportioned pro rata to the contract incurring the expense; and ? Expenses that relate solely to the operation of a reporting entity must be borne solely by the reporting entity and are not to be apportioned to other entities. Federal regulations [42 CFR 438.8(k)(2)] require MCEs to submit the MLR report in a timeframe and manner determined by the Department, which must be within 12 months of the end of the MCE?s reporting year. The Department?s contract provisions for MCEs state that the MLR reporting year should align with the State?s fiscal year, beginning on July 1 and ending on June 30 of the subsequent calendar year. Contract provisions also state that each MCE shall submit to the Department the completed MLR calculation template and supporting documentation for each reporting year by the following January 15. For example, an MCE with a reporting year ending June 30, 2020, would be required to submit the MLR calculation template to the Department by January 15, 2021, and the Department would be required to submit the MLR calculation to CMS by June 30, 2021. What problems did the audit work identify? We reviewed all reports provided to the Department by the 10 MCEs during Fiscal Year 2021 (for the MLR reporting year ended June 30, 2020) and determined that none of the MLR reports submitted by the 10 MCEs to the Department contained all of the required data elements in Fiscal Year 2021. Specifically, the MLR reports were missing 2 of the 13 (15 percent) required data elements: the methodology for the MCEs? allocation of expenditures and a comparison of the information reported in the MLR report to the MCEs? audited financial reports. This omission is significant because the MCEs reported total medical expenditures ranging from $20.5 million to $208.4 million and earned revenue from $23.4 million to $219.1 million. In addition, we determined that 1 of the 10 MLR reports received in Fiscal Year 2021 (10 percent) had not been submitted to CMS as of April 2022. This report was due to CMS on June 30, 2021. Why did these problems occur? We found that the Department lacked adequate controls to ensure that MLR reports submitted by the MCEs fully complied with federal regulations. First, we noted that although the Department?s MCE contracts state the MCE?s MLR report should include all 13 federally required data elements, the MLR template the Department provided to the MCEs did not include specific sections addressing the two missing federally-required data elements. As a result, the MCEs did not submit this information. Furthermore, the Department did not have written policies and procedures for reviewing completed MLR reports to ensure the reports ultimately included those requirements. Second, the Department does not have an enforcement mechanism to ensure the MCEs provide corrected MLR report information in a timely manner. The Department reported that it had not submitted the one MLR report to CMS because it had open questions on the MLR report and was unable to verify that the information was correct, valid, and in compliance with federal regulations. Although the Department sent the MLR report back to the MCE for correction several times, the Department did not have sufficient controls in place to ensure the MCE ultimately provided the corrected report back to the Department within the required reporting timeline for CMS submission. Why do these problems matter? The Department is responsible for ensuring MLR reports are obtained and submitted to CMS in accordance with federal regulations and that MCEs have an MLR above 85 percent. While all 10 MCEs reported that their MLRs were above 85 percent for the reports submitted during Fiscal Year 2021, without providing all required data elements, neither the Department nor the federal government can validate that this percentage is accurate. By not including the methodology for the MCE?s allocation of expenditures, the Department, and ultimately CMS, are unable to confirm that each type of expense is being allocated correctly and that any shared expenses are being prorated appropriately. Additionally, by not including a comparison of the information reported in the MRL to the MCE?s audited financial report, the Department is unable to confirm that the information the MCE used to calculate their MLR is accurate. Overall, without effective internal controls in place, the Department risks providing MLR reports to CMS that contain inaccurate or incomplete information or that the MLR is below 85 percent and the Department does not catch the error. As a result, state and federal funds could be used disproportionately on administrative costs rather than medical services, which would negatively impact the quality of care Medicaid and CBHP beneficiaries receive. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-042 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls over Medical Loss Ratio (MLR) reporting by: A. Updating its MLR report template provided to Managed Care Entities (MCEs) to comply with federal regulations and developing and implementing written policies and procedures. These policies and procedures should include the requirement for MCEs to submit MLR reports that include the data elements required by federal regulations and specify the Department?s review process of those MLR reports to ensure they include accurate and complete information. B. Developing an enforcement mechanism to ensure it receives accurate and corrected information from the MCEs in a timely manner so the Department is able to complete its validation process of MLR reports and meet the June 30 deadline for report submission to the Centers for Medicare & Medicaid Services. Response Department of Health Care Policy and Financing A. Agree Implementation Date: December 2022 The MLR report template has been updated and will now be reviewed at least yearly by the Department. In addition, new written policies and procedures are being developed and will be implemented before the submission of the next MLR for review. B. Agree Implementation Date: January 2023 The Department will add contract language and enforcement mechanisms in order to receive accurate information in a timely manner. This includes specific timelines for correcting incomplete or inaccurate information in order to submit the MLR report timely to the Centers for Medicare & Medicaid Services.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-043 Managed Care Entities? Periodic Audit Reporting On November 9, 2020, CMS adopted a final rule (Final Rule) revising the regulations governing managed care programs. The Final Rule was meant to streamline the existing Medicaid and CBHP managed care regulatory framework. Further, it adopted procedures and standards to ensure accountability and strengthen program integrity safeguards. The Department is responsible for complying with these federal program integrity regulations, some of which include requirements to monitor MCE compliance submission requirements, conduct periodic audits of submitted MCE data, and then post the periodic audits publicly on the Department?s website. These periodic audits are done to determine the accuracy and completeness of the (1) encounter and, (2) financial data submitted by each MCE, which are described as follows: ? Encounter Data. The Department?s contracts with the MCEs require each MCE to submit Medical Encounter Claims (Encounter Data) to the Department. Encounter Data includes services provided by any of the MCE?s providers, including, but not limited to, services delivered by medical groups, practices, clinics, physicians, or any other providers. MCEs must submit Encounter Data on a monthly basis on the last business day of the month. The Department then contracts with an independent external quality review organization to review the information and supporting documentation, and then the external organization issues a report on the data submitted by each MCE. ? Financial Data. The Department?s contracts with the MCEs require each MCE to complete a Department-provided financial reporting template that contains a breakdown of the MCE?s administrative and medical costs for a 12-month period (July through June). These templates are required to be completed and submitted to the Department by January 15 each year. The Department performs an initial review of the information, and then sends the completed templates to an independent CPA firm for final review and issuance of a report on the data submitted by each MCE. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to review the Department?s internal controls over and compliance with federal program integrity requirements for MCEs during Fiscal Year 2021. The audit work included making inquiries of Department staff regarding the Department?s documented policies and procedures over the MCE periodic audits. For each MCE, we reviewed the Department?s MCE contract, the financial reporting template submitted during Fiscal Year 2021, and the report issued by the Department?s contracted independent organization. Lastly, we reviewed the Department?s website to determine whether the Department posted the periodic audit results on their website. How were the results of the audit work measured? Federal regulations [42 CFR 438.602] detail the Department?s responsibilities associated with MCE program integrity. These include the following: ? Federal regulation [42 CFR 602(e)] requires the Department to periodically conduct, or contract for the conduct of, an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by each MCE. ? Federal regulation [42 CFR 438.602(g)(4)] requires that the results of the periodic audits for each MCE be publicly posted on the Department?s website. The Department?s MCE contracts require all MCEs to submit Encounter Data electronically to the Department on a monthly basis. The Department?s MCE contracts also require all MCEs to submit annual financial information, including annual financial statements and the Department provided financial reporting template. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in the Green Book. Under Paragraph 16.01, the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. What problems did the audit work identify? Overall, we found that the Department did not obtain complete financial data from the MCEs during Fiscal Year 2021 and did not post the audited results of the financial data to the Department?s website. Specifically, we found the following: ? Financial Data Reporting Template. For 2 out of the 10 (20 percent) financial reporting templates we reviewed, the MCE did not fill out the reporting template completely. As a result, the reporting templates were missing supporting information and explanations that assist the Department in their initial review of the MCE financial data, such as the MCE?s methodology for calculating administrative and medical costs submitted with the reporting template. ? Posting Incomplete Periodic Audits to the Department?s Website. For 10 of the 10 (100 percent) MCEs, we found that the Department failed to post the results of the financial data audits to its website. Pursuant to federal regulations, the audits must include information on encounter and financial data for each MCE and be posted to the Department?s website. We were able to verify that the Department did, however, post the results of the encounter audits to its website for all 10 MCEs. Why did these problems occur? The Department lacked adequate controls over ensuring compliance with federal program integrity requirements for MCEs. Specifically, the Department did not have written policies and procedures for performing the initial review of the financial data reporting templates before they are sent to the CPA firm for final review. In addition, the Department did not have written policies and procedures for ensuring all periodic audit information is posted to its website, including the results of the financial data audits. Why do these problems matter? As a recipient of federal funds, the Department is ultimately responsible for ensuring that it is in compliance with federal regulations. By not confirming that the MCE financial data templates are complete, there is a risk that the reports issued by the contracted CPA firm could be inaccurate or incomplete, which could lead to the Department not properly monitoring the managed care program. In addition, by posting incomplete periodic audit information to its website, the Department risks failing to comply with federal program integrity requirements for MCEs. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-043 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls by developing and implementing written policies and procedures for periodic audits that detail the process for (1) performing the initial review of the financial data reporting templates submitted by Managed Care Entities, and (2) posting complete periodic audit results on the Department?s website in accordance with federal regulations. Response Department of Health Care Policy and Financing Agree Implementation Date: December 2022 The Department did not have strong enough controls for the initial checks on the financial data reporting templates. This process has been updated and will be rectified in coming cycles. The Department has modified its templates in order to address the concerns provided by the auditors including signatures and supplemental reporting. Written policies and procedures for the validation and audit of the templates are being developed currently and will be in place and effective in December 2022. The Department will be correcting this error by posting the audit results along with other quality and audit reports on the following site: https://hcpf.colorado.gov/quality-and-health-improvement-reports.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-045 Payments for Non-Emergent Medical Transportation ClaimsPrior to July 2020, in 55 counties, the Department worked with various county offices to have them broker Non-Emergent Medical Transportation (NEMT) services for Medicaid recipients, including rides to and from Medicaid medical appointments, personal mileage reimbursement, and trip-related meals and lodging. For example, these counties arranged the rides with transportation providers, submitted the claims or had providers submit claims for reimbursement to the Department, and passed on reimbursements to providers as needed. For the remaining nine counties, the Department contracted with IntelliRide to serve as the NEMT broker for services in those areas. From July 1, 2020, to August 31, 2021, when the Department contracted with IntelliRide to be the statewide broker, most recipients throughout the state scheduled NEMT rides by contacting IntelliRide through its call center, website chat function, or smartphone applications. IntelliRide scheduled rides and assigned transportation providers to them, and had providers upload trip information into IntelliRide?s EcoLane transportation scheduling system. EcoLane maintains information related to recipients? requests for rides and provider trip information, such as the trip date and time, names of the recipient and driver, and scheduled pick-up and destination addresses. IntelliRide submitted claims through the Department?s interChange system (interChange) requesting payments for providers? NEMT services, paid providers for their services, and received reimbursement from the Department. In addition, the Department paid NEMT claims submitted directly by NEMT providers. In Fiscal Year 2021, from July 1, 2020, through February 28, 2021 (the audit period), the Department paid 362,110 claims for NEMT services totaling about $33.2 million, as shown in the following table. In September 2021, the Department plans to transition back to IntelliRide brokering services in nine counties, while the NEMT providers in the remaining counties will broker their own services. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote What audit work was performed and how were the results measured? The purpose of the audit work was to determine whether the Department has ensured that NEMT claims adhere to the following federal and state requirements. ? NEMT trips were to be brokered through, and all claims submitted by, the statewide broker, Intelliride. According to state regulations and the Department?s NEMT Billing Manual, all NEMT trips during Fiscal Year 2021 had to be authorized by the statewide broker, IntelliRide [10 CCR 2505-10 8.014.7.A]. This means that each recipient?s NEMT ride request should have been sent to IntelliRide for approval or authorization before the trip, and any unauthorized trips should ?not be reimbursed or paid? [Billing Manual]. According to the Department, it allowed NEMT providers time to transition to working with IntelliRide because some providers were reluctant to join the statewide brokerage and the Department needed time to onboard providers. By Fall 2020, most providers should have been working with IntelliRide to schedule NEMT rides. The Department told us that six NEMT providers received its express permission to bypass IntelliRide to schedule rides and submit claims directly to the Department because the providers are unique, such as only serving recipients with disabilities or receiving federal grant funding to provide NEMT. To assess whether IntelliRide brokered most NEMT services in the State and submitted the related claims in line with regulations and its contract, we reviewed the Department?s aggregate data for the 128,998 NEMT claims paid from December 2020 through February 2021. ? The Department must pay claims based on accurate service rates and trip mileage. Non-taxi NEMT services, such as wheelchair and mobility vehicle services, have base rates and mileage rates set by the Department. IntelliRide tracks the mileage of each NEMT trip in EcoLane and submits mileage claims to the Department?s interChange system. The Public Utilities Commission (PUC) sets the rate for each permitted taxi provider, which generally includes a rate for the first trip mile and a different rate for each additional mile. According to the Department?s NEMT Billing Manual and NEMT Rate Schedule for Fiscal Year 2021, taxi claims should have been paid at the rate set by the PUC. For example, if a taxi company?s PUC rate was $4 for the first mile and $2 for each additional mile, the Department should have paid $6 for a two-mile NEMT trip claim. To verify that the Department paid NEMT claims based on the correct trip mileage and rates, we reviewed the trip mileage and rates for 362,110 NEMT claims paid from July 2020 through February 2021, and PUC documentation on the taxi rates for permitted taxi companies. ? Claims must be supported with accurate and complete documentation confirming the service provided. Both IntelliRide and providers that submit claims for NEMT services must keep and be able to furnish accurate, complete supporting documentation for all claims [42 USC 1396a(27), 42 CFR ?? 431.17 and 433.32, and 10 CCR 2505-10 8.014.3.C and 8.014.6.B]. For example, a claim must be supported by medical documentation showing that the type of vehicle was needed to transport the recipient, and documentation from the transportation provider showing the trip occurred and when the recipient was picked-up and dropped-off. IntelliRide should only submit a claim to the Department after IntelliRide confirms the trip has been completed and marks the status complete in EcoLane [IntelliRide Policies and Procedures]. If an NEMT provider does not show up for a trip, IntelliRide should mark the trip as ?cancelled? in EcoLane. Payments for Medicaid claims that lack supporting documentation for the services provided are unallowable, meaning they should not be paid. IntelliRide or the Department must maintain documentation from recipients? medical providers showing why certain NEMT services, like transportation in a wheelchair van or with an escort, are medically necessary [10 CCR 2505-10 8.014.7.B and 8.014.5.D.1; Billing Manual]. To verify that there was support for NEMT claims, we reviewed IntelliRide data in EcoLane for all 362,110 NEMT claims paid from July 2020 through February 2021, and Department documentation for a sample of 85 NEMT paid claims?75 selected randomly from the four NEMT service areas of the state, and 10 that were the highest paid NEMT claims. ? NEMT services must be medically necessary. NEMT services shall only be provided to recipients with no other means to attend medically necessary, non-emergency treatment covered by Medicaid [42 USC 1396a(70); 42 CFR 431.53; 10 CCR 2505-10 8.014.5.B]. To verify that NEMT claims were only paid for recipients to access medical care, we reviewed the Department?s data on paid medical claims to determine if the recipients related to 22 sampled NEMT claims paid in December 2020 had a corresponding medical appointment. For another 61 paid NEMT claims that involved IntelliRide scheduling and submitting claims for trips every day in December for two recipients, we reviewed whether the recipients had paid medical claims corresponding with the trips. ? Prior authorization is required for air ambulance. The Department must grant prior authorization for the use of an NEMT air ambulance before the trip occurs in order for the claim to be paid [10 CCR 2505-10 8.014.7.D.1.b]. To verify that the Department granted prior authorization for air ambulance trips, we reviewed the use of air ambulances in 11 paid claims from July 2020 to February 2021. ? Recipients are to receive the least-costly NEMT transportation option appropriate for their medical condition. For example, recipients should only ride in a vehicle for recipients with mobility needs when they have a mobility issue or if there is a lack of access to public transportation [10 CCR 2505-10 8.014.6.B, 42 USC 1396(a(70), and 42 CFR 440.170(a)(4)]. Higher-cost NEMT services, such as ambulance and wheelchair van services, must be supported with documentation of the recipient?s need for the specific higher-cost services [10 CCR 2505-10 8.014.5.B.1.b]. To determine whether recipients received the least costly NEMT services to meet their needs, we reviewed documentation submitted by medical or transportation providers to IntelliRide or the Department for the 85 sampled NEMT claims. ? Taxi providers must be permitted by the PUC to provide NEMT taxi rides. To provide NEMT rides by taxi and receive payment for them, the provider must maintain a common carrier permit issued by the PUC [10 CCR 2505-10 8.014.3.B.4.a]. To verify that the providers that were paid for taxi claims had been permitted to provide taxi services, we reviewed the 33,791 NEMT claims for taxi services from July 2020 to February 2021. What problems were identified? The Department paid $3.5 million directly to 66 NEMT providers for claims that were not brokered by Intelliride. From December 2020 through February 2021, 26,890 of the approximately 129,000 NEMT claims paid by the Department (21 percent), totaling about $3.5 million, were not brokered through IntelliRide, which violated state regulations requiring all NEMT services to be brokered through the statewide brokerage in effect at the time. The following chart shows the amounts the Department paid for claims submitted directly by NEMT providers compared to its payments for claims submitted by IntelliRide from July 2020 through February 2021. During these months, the number of claims that providers submitted directly to the Department decreased as providers transitioned to working with IntelliRide to broker NEMT rides; however, as of February 2021, the Department was still paying about $1 million in monthly claims that were submitted directly by providers. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote The Department paid 36,910 NEMT claims totaling $5.5 million, which either violated or may have violated federal and/or state regulations. The claims were for unallowable services or were overpaid, and resulted in $291,597 in known questioned costs and $5,180,962 in likely questioned costs for Medicaid. A questioned cost is a payment that ?resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds? or ?the costs, at the time of the audit, [that] are not supported by adequate documentation?? [2 CFR 200.84]. A known questioned cost reflects a violation that the auditor confirmed; a likely questioned cost is the auditor?s best estimate of a potential violation [2 CFR 200.516(a)(3)]. Known and likely questioned costs should be investigated by the Department and recovered, as appropriate, because Medicaid overpayments are recoverable regardless of whether they occurred due to an error by the Department, entity acting on behalf of the Department, or a provider [Section 25.5-4-301(2), C.R.S.]. We found the following problems resulting in $291,597 in known questioned costs: ? Claims paid with no support that services were provided. For 3,958 of the 362,110 NEMT claims (1 percent), which totaled $258,115 paid from July 2020 to February 2021, IntelliRide or providers submitted the claims without any documentation showing that recipients received the NEMT services from the providers listed in the claim. The $258,115 is known questioned costs and includes: o 3,323 claims totaling $163,985 submitted by IntelliRide with no documentation in EcoLane of a ride being scheduled or provided. o 619 claims totaling $61,431 submitted by IntelliRide for which EcoLane showed the scheduled ride was cancelled. o 16 sampled claims totaling $32,699 submitted by providers directly to the Department had no documentation that an NEMT service occurred because the providers did not send the Department documentation for their claims. Upon our request, the Department attempted to obtain supporting documentation from providers for these claims but was unable to obtain any. ? Overpayments due to incorrect mileage and taxi rates. For 466 of the 321,099 mileage and taxi claims (less than 1 percent), the Department overpaid IntelliRide. Specifically, for 50 of the 287,308 mileage claims (less than 1 percent), the mileage submitted by IntelliRide that the Department paid was more than the ride mileage that IntelliRide documented in EcoLane. For 416 of the 33,791 (1 percent) claims submitted by IntelliRide on behalf of providers that were permitted to operate as taxis, the Department paid a higher rate than the providers? set PUC rate. The following table breaks out the overpayments that we identified, which totaled $6,759 in known questioned costs. We did not find issues with the rate amounts that the Department paid for non-mileage and non-taxi services. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Examples of these overpayments include: o An overpayment of $48 for a claim submitted by IntelliRide for a taxi provider that billed the wrong taxi rate. The Department paid $60 for a 4-mile trip, when it should have paid $12 based on the PUC rate of $3 per mile. o An overpayment of $79 for a claim submitted by IntelliRide on behalf of a provider because the claim showed the trip was 76 miles, but the EcoLane data showed the trip was 38 miles. The Department paid $157, when it should have paid $78. ? Unallowable rides, not for medical appointments. For 61 claims showing NEMT trips every day in December 2020 for two recipients, there were no medical claims corresponding to their trips, so it appears that either NEMT was used repeatedly to transport these recipients to unallowable destinations or the provider did not provide the trips claimed. The NEMT provider reported to IntelliRide that these trips were completed even though the recipients did not attend any medical appointments that month. IntelliRide submitted the 61 NEMT claims and its EcoLane data showed that the NEMT providers self-reported that the trips were completed. However, IntelliRide confirmed that these trips were not used to access medical care. The issues we identified resulted in $2,674 of known questioned costs. ? Air ambulance claims paid without prior authorization. None of the 11 air ambulance NEMT claims had supporting documentation that the provider requested or received prior authorization from the Department before the trip occurred. These 11 claims to three providers resulted in $23,122 in known questioned costs. ? Claims paid for trips that were not the least costly, medically necessary, and/or for approved escorts. For seven of the 85 sampled claims (8 percent), IntelliRide submitted the claims without having required documentation from medical providers. Specifically, four claims lacked documentation to support the medical necessity for the type of vehicle used (either mobility vehicle, taxi, or wheelchair van); the other three claims lacked documentation of the recipient?s need for an escort to support the associated cost, which indicates that the three sampled NEMT trips were provided to an escort ineligible to ride with the recipient. The issues we identified for the seven claims resulted in $927 of known questioned costs. In addition, we found the following problems resulting in $5,180,962 in likely questioned costs, which are estimated potential violations of federal requirements that we could not confirm due to a lack of documentation: ? $4.8 million paid for taxi claims without mileage. For 29,049 taxi claims totaling $4,763,071, the Department paid the claims without ensuring taxi providers were paid at their PUC per-mile rate. These claims were submitted directly to the Department by 10 permitted taxi providers. The Department required providers to submit claims showing only the number of one-way trips driven, not the number of miles driven. As a result, the Department could not ensure that these taxi claims were paid at the correct PUC rates, as required in its Billing Manual and Rate Schedule. The Department paid the full amount that each taxi provider requested, as long as the claim was not more than $1,000 per one-way trip. For example, the Department paid $4,000 to one taxi provider for a claim showing four one-way trips for a recipient on a single day. Based on the claim amount, the taxi provider would have had to have driven the recipient on four 400-mile, one-way trips that day to justify this amount, because the taxi provider?s PUC rate is $4 for the first mile and $2.50 for each additional mile. Since the Department did not obtain the miles driven for each one-way trip from taxi providers for these 29,049 claims, we could not determine whether the payments were accurate based on each provider?s PUC rate, as required. ? $409,575 paid for taxi claims for providers not permitted as taxis. For 3,284 NEMT claims for taxi services from eight providers, the providers were not permitted by the PUC to operate as taxis. For example, one provider was paid for an NEMT taxi claim for $5,875 for 12 trips, or $490 per trip. Since these providers were not permitted as taxis, they did not have PUC-set taxi rates, so we could not determine how much these providers should have been paid. ? $4,718 paid for trips that may not have been to attend medical services. As of April 2021, 13 of the 22 sampled NEMT claims (59 percent) for trips in December 2020 had no medical claims for dates corresponding to the NEMT trips. Department staff told us that Medicaid medical claims are typically submitted and paid within 3 months of the date of service, but that there is a possibility that medical providers had not yet submitted medical claims for the recipients since federal regulations technically allow providers up to 12 months to submit claims [42 CFR 447.45(d)(1)]. In addition, six of these 13 recipients had both Medicaid and other types of medical insurance, such as Medicare. According to the Department, it is possible that the six recipients used NEMT trips to access medical services but the Department did not have a Medicaid claim for the services because they were paid by the other types of insurance, which is allowed by state regulations [10 CCR 2505-10 8.014.5.B.2]. Therefore, we could not determine whether the NEMT trips associated with the 13 claims had been for recipients to attend medical services. ? $3,598 paid for trips that may not have been completed. For 61 of the 362,110 paid claims (less than 1 percent), the scheduled trips were not marked as complete in EcoLane, so we could not determine whether they had been completed. Why did these problems occur? The Department lacks effective internal controls over NEMT claims to ensure they are appropriate and consistently comply with federal and state requirements. According to federal regulations [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls to provide reasonable assurance that federal funds are spent in compliance with federal requirements. We identified the following areas where Department controls are lacking for NEMT claims: Lack of Department information technology (IT) Controls in interChange ? No IT controls to prevent providers from bypassing broker. From December 2020 through February 2021, the Department paid NEMT providers directly for unsupported NEMT trips because the Department did not have IT controls in interChange to deny claims for trips that were not brokered through IntelliRide, as required at the time. As of September 1, 2021, the Department plans to require only the NEMT providers operating in nine metro-Denver counties to broker trips through IntelliRide, so the Department needs IT controls to ensure providers in these counties work with IntelliRide to schedule all trips and submit related claims. ? Lack of IT and other controls to ensure proper payments for NEMT taxi services. InterChange is programmed to pay each NEMT taxi claim based on one-way trips, but the Department has not implemented an IT or other control to ensure that NEMT taxi claims are paid at the providers? current PUC-approved per-mile rates, and that the Department only pays taxi rates when the provider is permitted by the PUC to operate as a taxi. Department staff stated that the only IT control the Department has built into interChange to help ensure proper payment of taxi claims is limiting payments for taxi claims to no more than $1,000 per one-way trip, and that this control is in accordance with the NEMT Billing Manual and Rate Schedule. However, Department staff also acknowledged that there is a conflict within the Billing Manual that requires taxi claims to be based on the number of one-way trips, but also paid based on per-mile PUC rates. By setting the limit based only on the number of one-way trips instead of providers? PUC per-mile rate, this Department IT control is not effective at ensuring taxi claims are paid properly. To ensure accurate payments for NEMT taxi claims, the Department will need methods, such as IT controls in interChange, and clarification in the Billing Manual and Rate Schedule, to ensure taxi providers are paid based on set rates, and ensure each taxi provider is permitted. ? No IT controls to ensure required prior authorizations. Air ambulance services were paid without the Department?s prior authorization for the services because the Department does not have IT controls to ensure prior authorization before payment. If the Department does not implement IT controls to ensure appropriate prior authorizations of NEMT services, the Department will need to develop manual processes to ensure that NEMT services receive required authorization prior to paying the related claims. Lack of Department Monitoring of NEMT Services and Claims ? Insufficient methods to ensure appropriate payment and collect necessary documentation from providers that bypass the statewide brokerage. Although the Department reviewed NEMT provider supporting documentation for NEMT services in 2019, the Department did not do so in 2020 or 2021, and had no process to require the providers that bypassed the statewide brokerage to submit documentation to support their NEMT claims before they were paid. According to the Department, in September 2021, it plans to require providers in nine counties covered by the IntelliRide brokerage contract to provide and submit claims through IntelliRide; however, NEMT providers in the remaining 55 counties will be submitting NEMT claims directly to the Department. Therefore, it is important that the Department develop a process to ensure that providers in these 55 counties maintain required documentation for each claim. ? Lack of monitoring to ensure Intelliride submits accurate mileage claims and collects necessary documentation. The Department does not conduct reviews of IntelliRide?s documentation in EcoLane to ensure it submits claims for accurate mileage and maintains support for claims submitted to or paid by the Department. For example, the Department does not reconcile its NEMT claims data from interChange and IntelliRide?s EcoLane system data to ensure each claim is supported. Furthermore, the Department has never completed a file review of IntelliRide?s supporting documentation for NEMT claims, such as when the Department contracted with IntelliRide to be a regional broker prior to becoming the statewide broker. ? No method to ensure NEMT service claims are for rides for medical treatment and the least costly. The Department does not conduct any reconciliation of its interChange data on NEMT trip claims to its interChange data on Medicaid medical claims to ensure NEMT claims are only paid for recipients to access medical care. The Department also does not require confirmation from medical providers that recipients used NEMT to access necessary medical care. For example, NEMT providers told us that before the start of the IntelliRide statewide brokerage contract, they either called medical providers to confirm that the recipients? NEMT trips were to access medical appointments or collected medical providers? signatures for each NEMT trip. In addition, the Department has no controls to ensure providers that submit claims directly to the Department are providing the least costly NEMT service appropriate to each recipient, such as public transportation when it is accessible and appropriate. For example, IntelliRide instructs its staff to attempt to schedule the lowest-cost NEMT service based on recipients? mobility needs and access to public transportation; however, the Department has no such method to ensure services are the least costly when NEMT providers schedule services for recipients. As of September 2021, the Department plans to have the recipients who live in the 55 counties not served by IntelliRide begin scheduling their rides directly with the NEMT providers of their choosing, yet the Department has not developed a method to ensure recipients in these areas receive the lowest-cost services appropriate for their needs. ? Potentially insufficient Department staffing to monitor NEMT claims effectively. For Fiscal Year 2021, the Department was appropriated three full-time equivalent (FTE) staff to oversee NEMT claims; however, the Department had two vacancies in these positions from July 2020 through May 2021 that it did not fill, so there was only one Department staff overseeing NEMT and the IntelliRide statewide contract during the audit time period. In June 2021, the Department added an additional FTE staff member to assist in administering the NEMT benefit. Why do these problems matter? Likely federal recovery of funds used for improper payments. Section 25.5-4-301(2), C.R.S., states that any overpayments of claims to providers are recoverable and ?are recoverable regardless of whether the overpayment is the result of an error by the state department? an entity acting on behalf of [the department], or the provider or any agent of the provider.? Our audit identified $291,597 in known questioned costs, of which about $145,797 is the federal portion of funds that the federal government may recover. We also identified $5,180,962 in likely questioned costs, of which $2,590,480 is the federal portion of funds that could be recovered if the payments are determined to have not been appropriate. The following table shows the questioned costs and federal portions for each problem we identified. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote When providers bypass broker controls, service quality is not monitored. When the Department allows some NEMT providers to bypass the IntelliRide broker, and does not obtain documentation to support their claims, the Department is unable to monitor the services of these providers. Additionally, when the Department does not monitor providers that bypass the statewide broker, the Department is applying different and possibly inadequate standards for the providers that bypass compared to the providers that work with IntelliRide. Although the Department plans for IntelliRide to no longer be the statewide NEMT broker for all 64 counties beginning September 2021, IntelliRide will continue to administer NEMT trips for nine Front Range counties that account for the majority of NEMT trips. It is important that all NEMT trips in these counties be brokered through IntelliRide so that the Department can monitor the quality of the trips and IntelliRide?s oversight of them. Risk of fraud, waste, and abuse. When the Department pays NEMT claims that are not supported by documentation of the service, medical documentation showing NEMT was for medical treatment, or the required prior authorizations, there is a significant risk of misappropriation of federal and state funds by providers and/or recipients. In addition, the eight providers not permitted as taxis that submitted taxi claims appear to have set their own rates of payment at a significantly higher rate, since the PUC did not permit or set rates for these providers. While we did not identify confirmed fraud by recipients or providers due to a lack of supporting documentation for claims, the problems identified demonstrate waste of public funds and potential abuse of the Medicaid program. When the Department overpays Medicaid funds and pays for unallowable services, there are fewer funds available to service the recipients who need them. In addition, there is no federal or state limit on payments for NEMT services, so it is important that the Department ensure Medicaid recipients receive appropriate transportation to medical treatment, while also ensuring the Department is acting as a good steward of federal and state funds. See Schedule of Findings and Questioned Costs for chart/table Character Limit Exceeded See Statewide Single Audit Report
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-056 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-044 PROVIDER ELIGIBILITY Medicaid and CBHP cover a variety of medical and related services, which are provided by provider types such as clinics and hospitals, managed care organizations such as health plans or independent physicians, as well as individual medical providers working within these entities or individually. As of June 30, 2019, the Department had enrolled approximately 71,000 entities and individuals for providing services under Medicaid and CBHP. The Department is ultimately responsible for determining if providers are eligible to participate in Medicaid and CBHP. However, the Department has contracted with a fiscal agent, currently DXC Technology Services, LLC (DXC), to act on its behalf in determining Medicaid and CBHP provider eligibility. A fiscal agent is a contractor that performs certain provider enrollment and claims processing activities, including accepting, processing, evaluating, and approving or rejecting applications. The fiscal agent also assesses the providers into one of three risk categories?limited, moderate, and high?to ensure that appropriate federal and state regulations are applied during the provider enrollment process. Providers that want to enroll must complete an application within Colorado interChange and provide documentation, including a current business and/or medical license, showing that they fulfill all enrollment requirements. Once the enrollment process is complete, the Department enters into agreements with the providers that are found to be eligible. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over Medicaid and CBHP provider eligibility and enrollment processing, and to determine whether the Department complied with federal Medicaid and CBHP provider eligibility requirements during Fiscal Year 2019. Additionally, the purpose of our work was to determine the Department?s progress in implementing our Fiscal Year 2017 and 2018 recommendations related to provider eligibility and enrollment. At that time, we recommended that the Department improve its controls over Medicaid and CBHP provider eligibility determination and enrollment to ensure that it complies with federal and state requirements related to data verification, documentation including current provider licenses, monitoring policies and procedures, appropriate indication of results of database matches, and consistent display of provider information within Colorado interChange. The Department agreed with our recommendations and stated that it would implement them by Fiscal Year 2019. We reviewed a sample of 25 Medicaid provider applications for individual, company, and managed care providers that were deemed eligible and received payments during Fiscal Year 2019 through Colorado interChange for services provided. We obtained and reviewed the provider application information entered into Colorado interChange, as well as the supporting documentation uploaded into Colorado interChange by providers, to determine whether these providers were accurately deemed eligible to receive Medicaid payments and whether the required documents were present in accordance with federal and state regulations. In addition, we conducted interviews with Department staff regarding its procedures over Medicaid provider eligibility and enrollment. We also obtained a detailed Suspension Listing from the Department of Regulatory Agencies, which contained health care provider business and medical licenses that were terminated during Fiscal Year 2019. We compared the Suspension Listing with provider information in Colorado interChange to determine if the Department made inappropriate claims payments to unlicensed providers during the fiscal year. Because CBHP is operated through Medicaid, and the processes followed for provider eligibility and enrollment for CBHP providers are the same as the processes for Medicaid providers, our testing looked at compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal and state Medicaid regulations for provider eligibility during Fiscal Year 2019. Specifically, although we did not identify enrollment issues with the Department?s processing of providers who were newly enrolled during Fiscal Year 2019, we found at least one issue related to ongoing eligibility with all 25 sampled providers we tested: ? DATABASE MATCHES AND DISPLAY OF PROVIDER INFORMATION. We identified the following database match functionality issues with 24 of 25 providers (96 percent) tested: ? For 23 of 25 providers (92 percent) that included individual, company, and managed care providers, Colorado interChange showed that the provider?s owners, agents, and managing employees? SSNs were not verified against federal databases, as required. Specifically, the SSN check box within Colorado interChange indicated ?N,? meaning ?No verification was performed with the database.? Additionally, for one of 25 providers (4 percent) that was a managed care organization, the organization was enrolled in Colorado interChange in April 2019 and showed that the SSNs had been verified, but SSNs for two individuals who worked under this provider that were listed on the application were shown as ?N? within the system. ? For eight of 25 providers (32 percent) that included companies, Colorado interChange showed that the providers? Federal Employee Identification Numbers (FEIN) were not verified against federal and state databases, as required. Specifically, the FEIN check box within Colorado interChange indicated ?N.? ? For 13 of 25 providers (52 percent), Colorado interChange did not present the data of owners, agents, and managing employees information consistently between various screens within Colorado interChange. For example, when a provider noted owners, agents, or managing employees on its application, that information was not reflected in Colorado interChange outside of the application screen even though there is a section in Colorado interChange that should list the owners? information. According to federal regulation [42 CFR 455.436] and requirements established by the ACA [Patient Protection and Affordable Care Act (2010), Section 6401(a)], the Department must check federal databases to confirm providers? identity and determine whether providers are excluded from participating in the Medicaid program; this verification must also occur, if applicable, against providers? owners, agents, and managing employees. For example, the Department must check the federal exclusion databases at least monthly to ensure that the providers, owners, agents, and managing employees are not excluded from participating in the Medicaid program. Colorado interChange is designed to display provider application information consistently between various screens within the system, such as name, SSN, FEIN, and/or National Provider Identification number (NPI), with various federal and/or state databases to identify potential errors and to flag the application for a required caseworker manual review. According to Department staff, when Colorado interChange successfully verifies provider-provided information against another state or federal database, Colorado interChange should separately mark each verified data field on the application to note the successful match. Conversely, if Colorado interChange does not match a given field against a database, it should also be identified in the system. As a result of these issues, we were unable to determine if Colorado interChange performed the required matches and if any discrepancies in provided information were identified and presented to DXC, the fiscal agent, for a manual review to verify eligibility, as required. ? DOCUMENTATION. The Department did not maintain sufficient documentation within Colorado interChange for the receipt date of the fingerprints from the provider, the collection of application fees, and site visits, as follows: ? For four of 25 providers (16 percent) tested, the Department?s fiscal agent failed to fill in the receipt date field within Colorado interChange to indicate when fingerprints were received from enrolling providers. After bringing this issue to the Department?s attention, the Department provided fingerprinting documentation in November 2019 to support that these providers submitted fingerprints within 30 days of Department request in accordance with federal regulation; however, that receipt date information had not been documented in Colorado interChange as of November 2019. ? For one of 25 providers (4 percent) tested, the provider was assessed as high risk but the provider?s file did not contain evidence that an application fee was collected or that the fiscal agent conducted a site visit, as required. Under federal requirements [Sub Regulatory Guidance for State Medicaid Agencies (SMA): Revalidation (2016-001(3))], the Department ?must be able to produce documentation to support each of the provider screening and enrollment requirements,? such as requirements for fiscal agent-conducted site visits of moderate and high risk providers during the enrollment and revalidation process. Federal regulation [42 CFR 455.432] states that the State Medicaid Agency or their fiscal agent must conduct pre- and post-enrollment site visits of providers who are deemed as moderate or high risk to the Medicaid program. The purpose of the site visits is to verify that the information submitted to the state Medicaid agency is accurate and to determine compliance with federal and state enrollment requirements. Additionally, the Department?s contract with DXC requires the fiscal agent to maintain detailed documentation and procedures for Medicaid provider enrollment. Federal regulation [42 CFR 455.434] requires that, for any provider assessed by the Department as high risk, the Department must obtain fingerprints from the provider, including fingerprints for any person(s) who has a 5 percent or more direct or indirect ownership interest in the provider and furnishes medical or pharmaceutical services or supplies. The provider must submit the fingerprints within 30 days, upon request by the Department. Federal regulation [42 CFR 455.460(a)] states that the Department must collect the applicable application fee prior to executing a provider agreement from a prospective or re-enrolling provider, with certain limited exceptions. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal control over its federal awards that provides reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Green Book Paragraph 16.01, Perform Monitoring Activities, which states that the Department ?should establish and operate monitoring activities to monitor [its] internal control system and evaluate the results.? Monitoring activities include reviewing reports, observing operations, and ensuring that activities are carried out in accordance with the federal grant agreement. ? INELIGIBLE PROVIDERS: Based on our review of the suspended license listing from the Department of Regulatory Agencies, we identified three providers that had their licenses suspended during part of Fiscal Year 2019 but continued to be shown as active in Colorado interChange, as follows: ? One provider had its license suspended between February 11, 2019, and March 27, 2019; however, during this timeframe, the provider continued to bill claims and receive payments from Colorado interChange. After we questioned the Department about the issue, the Department issued a demand for payment letter dated October 18, 2019, to the provider for $15,061 in payments that were inappropriately paid. We consider these $15,061 payments to be known questioned costs; $7,531 of these payments were made with federal grant funds. ? Two providers had suspended licenses as of September 21, 2018, and February 25, 2019, respectively, but showed as active in Colorado interChange through June 30, 2019, and therefore appeared eligible to bill claims and receive payments. Based on additional testing, we determined that no payments were made to these providers after their licenses were suspended and did not identify any questioned costs associated with these two providers. Federal regulation [42 CFR 455.412] requires that the Department must have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State and confirm that the provider?s license has not expired and that there are no current limitations on the provider?s license. This federal regulation requires the Department to verify that the providers meet required licensure standards initially, and it is best practice for the Department to verify that the providers meet these standards on an ongoing basis to ensure that there are no current limitations on the provider?s license. In addition, state regulation [10 CCR 2505-10 8.125.9, Verification of Provider Licenses] states, ?If a provider is required to possess a license or certification in order to provide services or supplies in the State of Colorado, then that provider must be so licensed as a condition of enrollment as a Medicaid provider. As a condition of enrollment, any required licenses must be active without any current limitations.? Under the federal regulation, Requirements for Estimating Improper Payments in Medicaid and CHIP [42 CFR 431.958], ?Improper payment means any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements; and payment means any payment to a provider, insurer, or managed care organization for a Medicaid or CHIP beneficiary?? WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls in place over provider eligibility and claims payment processes related to the monitoring of DXC, its fiscal agent, during Fiscal Year 2019 to ensure that it complied with federal and state regulations. Specifically, Colorado interChange required fixes that were in various stages of correction during Fiscal Year 2019. According to the Department, Colorado interChange required a system fix in December 2018 in order to properly mark and/or display results related to federal and state database checks going forward; however, the system fix did not completely resolve the display issues to accurately indicate whether the data matches had occurred, and the Department did not retroactively make corrections to any cases that erroneously indicated that their information had not been verified. Rather, the Department stated that the inconsistent display issue related to providers that enrolled in the program when Colorado interChange was initially implemented and that this will be addressed after these providers are revalidated in Fiscal Year 2020 or when a provider updates their information, whichever occurs first. Additionally, the Department indicated that Colorado interChange did not have an automated system alert to check with the Department of Regulatory Agencies? license database on a regular basis to notify the fiscal agent and/or the Department that a license had expired. Although the Department reported that they had an interim manual process to ensure that expired licenses were identified and that subsequent steps were taken to ensure that providers remained eligible throughout the fiscal year to provide Medicaid services, the manual process did not identify and/or address the instances that we identified through our audit. Finally, we noted that the Department lacked an effective monitoring process over DXC, its fiscal agent, to ensure that the required documentation was maintained in accordance with Uniform Guidance, as the monitoring policies and procedures referred to as Provider Enrollment Audit Process were still in the draft stage during Fiscal Year 2019 and had not been formalized. WHY DO THESE PROBLEMS MATTER? By not ensuring that appropriate internal controls, including system controls and monitoring, are in place over the Medicaid provider eligibility and enrollment processes, the Department cannot ensure that all Medicaid providers are eligible or qualified to participate in the program. Additionally, without instituting a process to regularly update provider licensure information and to ensure that provider information contained in Colorado interChange is consistent and accurate, the Department cannot ensure that the enrolled providers are appropriately screened and are eligible to receive payments. Ensuring that providers contained in Colorado interChange are qualified to provide services is especially important because Colorado interChange is also used for provider eligibility determination for CBHP. Overall, the State could risk losing federal Medicaid and CBHP funding if it allows non-qualified providers to bill and be paid for services provided for these programs. RECOMMENDATION 2019-046 The Department of Health Care Policy and Financing (Department) should improve its controls over Medicaid and Children?s Basic Health Plan (CBHP) program provider eligibility determination and enrollment to ensure that it complies with federal and state requirements by: A Working with its fiscal agent to ensure that Colorado interChange performs all required database matches and properly displays results of Social Security Number and Federal Employer Identification Number verifications for all providers. B Establishing an effective process to ensure that provider licensing information contained in Colorado interChange is current, that any expired licenses are identified, and that any ineligible providers are disallowed from providing Medicaid and CBHP services and receiving payments in accordance with Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). C Formalizing the Department?s monitoring policies and procedures called Provider Enrollment Audit Process over the fiscal agent to ensure required documentation is maintained in accordance with Uniform Guidance. D Ensuring that Colorado interChange displays provider information consistently throughout the system. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department is working with its Fiscal Agent to ensure all required database screenings are performed and clearly identified in the Colorado interChange. An issue was identified in a prior year, FY 2018-19, that not all screening information was consistent. There was also a concern that initial screenings might miss some individuals due to the way data was formatted when transferred from LexisNexis. The issue was resolved by the Fiscal Agent prior to FY 2019-20. The Fiscal Agent is continuing to conduct manual reviews of all screening results to ensure compliance. A separate process to screen providers monthly is executed by the Department's Program Integrity Section. Through this process, no providers were found to have been enrolled incorrectly and, as necessary, the Department took appropriate action if there were changes to a provider's information. The Department is working with its Fiscal Agent to properly display results of Social Security Number and Federal Employer Identification Number verifications for all providers and automate the review process. The Department's implementation date reflects that the Department will complete the improvements and be in compliance with the Recommendation for the entirety of FY 2022-23. B DISAGREE. The Department finds that the Colorado interChange is working as designed, that the Fiscal Agent is appropriately enrolling providers, and that the Department is in compliance with the federal regulations regarding enrolling and revalidating providers. The Department is compliant with 42 CFR ? 455.436, which requires providers to be screened at enrollment and revalidation. All providers are assessed for eligibility requirements at enrollment and revalidation and are then screened monthly to identify any changes. For the licensing issue identified in this audit report, the Department performed the appropriate actions to recover funds within less than a month of the incident, which is compliant with federal regulation 42 CFR ? 455.436(c)(2). AUDITOR?S ADDENDUM: As noted in the finding, we found issues with the Department?s ongoing verification and monitoring of providers? eligibility that failed to prevent improper payments to an ineligible provider during the fiscal year. In addition, the Department did not send notification to recover funds from the provider until October 2019, or 8 months after the provider?s license was suspended. C AGREE. IMPLEMENTATION DATE: JULY 2020. The Department finalized the Fiscal Agent monitoring policies and procedures in December 2019 and therefore was unable to be in full compliance for the entire FY 2019-20. The Department's implementation date reflects that the Department will be in compliance with the Recommendation for the entirety of FY 2020-21. D DISAGREE. There was an initial system configuration on some early enrollments that prevented populating the requested information in the visible provider subsystem tabs for the auditor to review. The verification functionality happens within the provider portal and not in the visible provider subsystem tabs that the auditor reviews. However, no functionality or data was lost, the information only appeared and was stored in the provider portal. The Department implemented a solution so that the information will be displayed in the provider subsystem. This change is pending the next update the providers make and the data will be visible in the provider subsystem. The Department will not be making historical changes to the system. The Department has worked with the Fiscal Agent to resolve the issues which led to the finding and does not believe that expending additional resources to display historical information in both the provider portal and the provider subsystem is the best use of resources. The Department can produce the information manually. AUDITOR?S ADDENDUM: The data inconsistency issues we identified through our audit were based on our reviews of Colorado interChange through the access provided to us by the Department. As noted in the finding, inconsistent information within the provider eligibility screens used for Medicaid and CBHP increases the risk of inaccurate reviews of provider eligibility and ultimately, inappropriate enrollment screening. Therefore, as our recommendation states, the Department should ensure that Colorado interChange displays provider information consistently. The recommendation did not include restatement of historical information.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-048 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-035 MEDICAL ASSISTANCE PAYMENTS FOR DECEASED BENEFICIARIES As a safeguard against potential errors and fraud, state and local agencies need to be vigilant in preventing payments for medical services on behalf of ineligible individuals, such as those who are deceased. In general, the Department, local counties, and MA sites share responsibility for ensuring that only eligible beneficiaries receive public assistance benefits under Medicaid and CBHP. Local counties and MA sites caseworkers enter the required data for eligibility determination into CBMS, which either approves or denies eligibility for MA benefits. In addition, CBMS has various system interfaces to confirm and update the eligibility information in CBMS, including the date of death. Eligibility data in CBMS feeds daily into Colorado interChange and the Department pays providers through two methods: (1) FFS payments to medical service providers for specific services, including pharmacy prescriptions, and (2) capitation payments. The monthly capitation payments are paid at the beginning of each month regardless of whether the providers serve beneficiaries during the month or not. FFS payments are only made for Medicaid beneficiaries while capitation payments are made for both Medicaid and CBHP beneficiaries. Colorado interChange is programmed to pay FFS and monthly capitation payments only on behalf of beneficiaries that are deemed eligible based on eligibility information received from CBMS and requirements specified in federal and state regulations. CBMS receives beneficiary death information through various sources, including updates from beneficiaries? family members, daily interfaces with the SSA, and a monthly interface with the Colorado Electronic Death Registration System maintained by the Colorado Department of Public Health and Environment (CDPHE). If death information received in CBMS has not been verified, the Department will confirm the death information by sending notification letters to the deceased beneficiary. Once the death information is verified, CBMS is programmed to terminate the beneficiary?s eligibility as of the date of death. On a daily basis, CBMS then sends updated beneficiary eligibility and date of death information to Colorado interChange, which is programmed to run a daily automated process to stop payments, check for payments, and recover all FFS and capitation payments made after the beneficiary?s verified date of death. In the majority of cases, there is a delay between when the beneficiary dies and when the Department receives death information, verifies the date of death, and terminates benefits; which means that claims may be paid on behalf of deceased beneficiaries for a period of time. Per federal regulations, the Department is required to recover any payments made on behalf of these beneficiaries after their date of death. Once the Department receives verified death information, overpayments are recovered through an automated process in Colorado interChange. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over Medicaid and CBHP payments related to beneficiaries who die while receiving benefits, to determine whether the Department complied with applicable federal and state requirements, and whether payments were only made on behalf of eligible beneficiaries during Fiscal Year 2020. During our audit, we received a listing of all Coloradans who died during Fiscal Year 2020, including dates of death, from CDPHE staff. We also obtained a listing from the Department of all Medicaid and CBHP payments made to providers during Fiscal Year 2020. We compared the two listings using Social Security Numbers (SSN) and identified 1,059 Medicaid and CBHP IDs that had Medicaid payments totaling $429,951 made on their behalf and $194 in CBHP payments made on their behalf. In addition, we reviewed the Department?s processes, policies, and procedures for identifying, stopping, and recovering payments for deceased beneficiaries. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? Federal regulation [42 CFR 431 Subpart Q, Requirements for Estimating Improper Payments in Medicaid and CHIP] states that any payment to an ineligible beneficiary is considered an improper payment, which is any payment that should not have been made or that was made in an incorrect amount. Also, Section 25.5-4-301(2), C.R.S., requirements for Medicaid and CBHP, states that any overpayments of claims to providers are recoverable. These overpayments ?are recoverable regardless of whether the overpayment is the result of an error by the state department, a county department of human or social services, an entity acting on behalf of either department, or by the provider or any agent of the provider.?? Additionally, Section 25.5-4-301(2)(a)(II), C.R.S., states, ?If the state department makes a determination that such overpayment has been made for some other reason than a false representation by the provider?, the state department may waive the recovery or adjustment of all or part of the overpayment and accrued interest specified in this subparagraph (II) if it would be inequitable, uncollectible or administratively impracticable?.? Because medically necessary services cannot be provided after a beneficiary?s death, no medical services are allowable after a beneficiary?s death and, accordingly, payments for medical services claimed to have been provided after a beneficiary?s death are overpayments and should be recovered. Pursuant to 1903(d)(2)(C) of the Social Security Act [42 U.S.C. 1396b] requirements for Medicaid and CBHP, states have up to 1 year from the date of discovery of any overpayment to recover or attempt to recover the overpayment before the federal share must be refunded to CMS, regardless of whether or not recovery is made from the provider. According to federal regulation [45 CFR 75.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. Green Book, Paragraph 16.01, states that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. A questioned cost, as defined in Uniform Guidance [45 CFR 75.2], is ?a cost that is questioned by the auditor ? (1) Which resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds; [or] (2) Where the costs, at the time of the audit, are not supported by adequate documentation?.? Additionally, federal regulation [45 CFR 75.516] defines known questioned costs as questioned costs that are specifically identified by the auditor and likely questioned costs as the auditor?s best estimate of total questioned costs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We found that the Department made Medicaid and CBHP payments to providers for medical services claimed to have been rendered to Medicaid and CBHP beneficiaries after the months in which beneficiaries died. Specifically, the Department made payments on behalf of 1,059 beneficiaries after their date of death provided by CDPHE, resulting in overpayments of $185,265, of which $96,952 were paid with federal grant funds, as follows: MEDICAID FFS PAYMENTS. We identified 277 Medicaid beneficiaries whose SSN matched a death record from CDPHE and who had Medicaid FFS payments totaling $207,667 paid on their behalf to providers after their date of death. We reviewed payments for 21 of the 277 Medicaid beneficiaries and confirmed with the Department that 17 of the 21 beneficiaries (81 percent) were deceased and had payments made on their behalf after their date of death during Fiscal Year 2020. We also found that the Department had not recovered these improper FFS payments to ineligible beneficiaries as of the end of Fiscal Year 2020 and, therefore, these errors resulted in known questioned costs of $17,041, of which $8,654 was paid with federal grant funds. For the remaining four Medicaid beneficiaries, the Department researched and provided evidence that the beneficiaries were not deceased. Therefore, these four beneficiaries did not result in questioned costs. The remaining 256 beneficiaries whose SSN matched a death record from CDPHE and need to be researched and verified resulted in likely questioned costs of $77,840, of which $41,422 was paid with federal grant funds. MEDICAID AND CBHP CAPITATION PAYMENTS. We identified 846 Medicaid and CBHP beneficiaries whose SSN matched a death record from CDPHE and who had capitation payments paid on their behalf to providers after their date of death that had not been recovered as of the end of Fiscal Year 2020, totaling $222,630 for Medicaid and $194 for CBHP. We informed the Department of the issues we identified and provided them with the list of 846 beneficiaries. Department staff performed additional follow-up and confirmed that Colorado interChange had received verified death records for 747 of the 846 beneficiaries and a total of $170,747 in provider payments had been made on the beneficiaries? behalf after their dates of death during Fiscal Year 2020. These payments resulted in known questioned costs of $168,224, of which $88,150 was paid with Medicaid federal grant funds and $148 was paid with CBHP federal grant funds. For 12 out of the 747 beneficiaries, the date of death reported in Colorado interChange differed from the date of death provided by CDPHE. Part of the payments to these beneficiaries resulted in likely questioned costs of $2,524, of which $1,401 was paid with Medicaid federal grant funds. For the remaining 99 of the 846 beneficiaries, the Department reported that Colorado interChange did not have death information for these beneficiaries and had not researched these further. As a result, Medicaid payments for these 99 beneficiaries are reported as likely questioned costs of $52,076, of which $28,508 was paid with federal grant funds. The following table summarizes the issues we identified. See Schedule of Findings and Questioned Costs for chart/table. WHY DID THESE PROBLEMS OCCUR? Overall, the Department lacked sufficient internal controls to ensure that medical assistance payments were not paid to deceased individuals during Fiscal Year 2020, as follows: ? LACK OF WRITTEN POLICIES AND PROCEDURES. The Department does not have written policies and procedures to monitor payments to deceased beneficiaries, to recover overpayments, and to ensure compliance with federal and state regulations related to medical assistance payments after a beneficiary?s date of death. ? SYSTEM ISSUES. We identified the following Colorado interChange system issues that caused the errors we identified: ? According to the Department, when Colorado interChange was implemented in 2017, it was programmed to only recover capitation payments in the current month and previous 2 months for Medicaid beneficiaries, and in the current month and previous 5 months for CBHP beneficiaries, after death information is received. As a result, for instances in which the Department received and verified beneficiaries? death information more than 3 months after the date of death for Medicaid and more than 6 months after the date of death for CBHP, the Department was not automatically recovering all improper capitation payments in accordance with federal and state regulations. According to the Department, in November 2020, the Department updated Colorado interChange to correct this system issue to recover all capitation payments after a beneficiary?s date of death. ? The Department lacks an effective internal control process for detecting when Colorado interChange is not recovering payments made on behalf of deceased beneficiaries. Specifically, we identified issues related to Medicaid FFS payments and followed up with the Department. Upon further review, the Department discovered a system defect that occurred from October 23, 2019, through April 23, 2020, which prevented Colorado interChange from carrying out the daily automated check and recovery process for FFS payments made on behalf of deceased beneficiaries. Due to this system defect, Colorado interChange did not recover any payments for deceased beneficiaries during this time. Although the system defect was fixed in April 2020, the Department was not aware of the issue and that payments were not being recovered for deceased beneficiaries until the Department researched the beneficiaries identified through the audit. According to the Department staff, as of May 2021, the Department was still researching the deceased beneficiaries impacted by the system defect and recovering payments. WHY DO THESE PROBLEMS MATTER? Without strong internal controls over Medicaid and CBHP eligibility, the Department increases the risk of improper payments due to fraud or error. Furthermore, making payments on behalf of ineligible individuals, including individuals who are deceased, can result in the Department having to repay the federal government for the federal portion of the overpayments. Additionally, the federal government can disallow federal funds for program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-035 The Department of Health Care Policy and Financing should improve its internal controls over Medicaid and Children?s Basic Health Plan (CBHP) payments for deceased beneficiaries by: A Establishing and implementing written policies and procedures to monitor payments to deceased beneficiaries, recover any overpayments, and to ensure compliance with state and federal regulations. B Researching and resolving the Colorado interChange system (Colorado interChange) issues to ensure that all Medicaid and CBHP payments are stopped and recovered after a beneficiary?s date of death and developing a process to detect when Colorado interChange is not recovering payments on behalf of deceased beneficiaries. C Researching and recovering any overpayments made to providers on behalf of ineligible beneficiaries noted through the audit in accordance with state requirements. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will create written procedures documenting system and monitoring processes used to prevent claims from paying after a beneficiary?s date-of-death is verified. In addition, the procedures will document the processes used to recover payments made between a beneficiary?s verified date-of-death and the date the Colorado interChange system is updated with the date-of-death. B AGREE. IMPLEMENTATION DATE: JULY 2022. The system issues described in this audit were resolved as of April 2020 for fee-for-service claims and November 2020 for capitation payments. Once a beneficiary's date-of-death is verified, payments that were made after to the date-of-death will be recovered through the Department's existing processes. As noted in the Department?s response to Recommendation (A), the Department will create written procedures documenting system and monitoring processes used to prevent claims from paying after a beneficiary?s date-of-death is verified. In addition, the procedures will document the processes used to recover payments made between a beneficiary?s verified date-of-death and the date the Colorado interChange system is updated with the date-of-death. AUDITOR?S ADDENDUM As noted in the finding, the Colorado interChange system defect did not recover payments from October 23, 2019, through April 23, 2020. However, the Department was not aware of the system defect until it researched the beneficiaries identified through the audit. According to Department staff, as of May 2021, the Department was still researching the beneficiaries that were impacted by the system defect and recovering payments. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will recover any overpayments made to providers on behalf of deceased beneficiaries once a beneficiary's date-of-death is verified based on our current processes and existing system functionality. The Department does not agree to the questioned costs identified by the auditors. When performing a review of the auditor?s data, several beneficiaries were found not to be deceased by the Department. The records provided by the auditors, like all records received from Colorado Department of Public Health and Environment (CDPHE) and the Social Security Administration (SSA), will go through the Department?s existing verification process. The Department performs the required research and outreach to beneficiaries to verify the date-of-death prior to updating the information in the Colorado interChange. In addition, the Department is not required to recover payments by the end of the state fiscal year, and reports any payments recovered to the Centers for Medicare and Medicaid Service (CMS) based on federal requirements. The Department?s source of beneficiary data, the verification processes, and recovery processes have already been established to satisfy this recommendation within federal guidelines. AUDITOR?S ADDENDUM As noted in the finding, all known questioned were for deceased beneficiaries that were verified by the Department. All likely questioned costs were for beneficiaries that had yet to be researched and verified by the Department. According to Department staff, as of May 2021, the Department was still researching and recovering payments made on behalf of deceased beneficiaries.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-050 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-037 RECOVERING AND REFUNDING OF FEDERAL SHARE OF MEDICAID AND CBHP PROVIDERS? OVERPAYMENTS The Department pays providers for services rendered to eligible beneficiaries of Medicaid and CBHP programs. In some cases, the Department may discover that it paid a provider for unallowed services, or that it paid more than the allowable amount, and will need to seek a recovery for the overpayment. In such cases, the Department is required to repay CMS for the portion of the overpayment that was funded by the federal government (federal share) within 1 year of the date the overpayment was identified. The Department?s Program Integrity (PI) Division identifies, receives, and tracks overpayments made to Medicaid and CBHP providers. An overpayment is identified once the PI Division sends a Demand Letter (date of discovery) to the provider or receives a self-disclosure identifying the amount of overpayment. The provider has a deadline of 30 days after receiving a Demand Letter or 60 days after submitting a self-disclosure to submit the overpayment or make arrangements for a payment plan with the PI Division. The PI Division uses a recovery tracking spreadsheet (Spreadsheet) to compile all necessary information for the recovery and refund of overpayments. The Spreadsheet is designed to contain information such as the amount of the overpayment, date of discovery, and deadlines for refunding to CMS. The federal share of overpayments that must be refunded to CMS depends upon the Federal Medical Assistance Percentage (FMAP) at which the Department was reimbursed. Once the PI Division recovers an overpayment from the provider, it determines the FMAP and includes it in a recovery form called the Colorado Authorization Document; PI Division staff then send it to the Controller?s Division for recording the recovery and refund information in the Colorado Operations Resource Engine (CORE), the State?s accounting system. The Department?s Controller?s Division uses summary data from CORE to report financial information for Medicaid and CBHP?including all overpayments and the associated federal share?to CMS in quarterly reports: Form CMS-64 for Medicaid and Form CMS-21 for CBHP. The Department has up to 1 year from the date of discovery of an overpayment to report the refund to CMS in one of these forms, as appropriate. The PI Division works with the Controller?s Division to ensure the timely reporting and refunding of the federal share of overpayments to CMS. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to review the Department?s internal controls over processes for recovering, reporting, and refunding the federal share of Medicaid and CBHP overpayments, as well as to determine whether the Department complied with applicable federal requirements and Department policies and procedures during Fiscal Year 2020. During our audit, we reviewed the Department?s Spreadsheet detailing all overpayment cases that appeared to be due for a refund of federal share to CMS during Fiscal Year 2020. The Spreadsheet included 50 Medicaid and seven CBHP overpayment cases, and from these, we selected and tested a sample of 13 Medicaid and five CBHP overpayments. We requested and reviewed supporting documentation for these overpayments to determine whether (1) the information recorded in the Spreadsheet was accurate, (2) the overpayment was recovered in a timely manner or recovery was attempted within 1 year from the date of discovery, and (3) the federal share was appropriately refunded through quarterly reports to CMS in accordance with federal regulations. Additionally, we requested the Department?s policies and procedures to ensure compliance with federal regulations governing the recovery, reporting, and refunding of Medicaid and CBHP overpayments to CMS. The process followed for recovery, reporting, and refunding the federal share of overpayments to providers is the same for both Medicaid and CBHP, and our testing was used to determine compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal regulations for recovering, reporting, and refunding the federal share of Medicaid and CBHP overpayments to providers during Fiscal Year 2020. We noted issues with the untimely recovery and refund of overpayments to CMS, inaccurate federal reporting to CMS, and untimely follow-up with the provider on outstanding overpayments and expired checks. Specifically, we identified the following: ? UNTIMELY RECOVERY AND REFUND. For six of the 13 Medicaid (46 percent) and two of five CBHP (40 percent) overpayments tested, the Department failed to recover, or seek to recover, the overpayments from the provider and failed to refund to CMS, the federal share, within 1 year of the date of discovery, as required by federal regulations. For example, an overpayment was identified on September 13, 2018, but the Department did not recover, or seek to recover, the overpayment until September 15, 2020, and did not refund the federal share to CMS until federal quarter ending September 30, 2020, which is 367 days past the 1 year recovery and refund period in accordance with the federal requirement. In addition, for one of the 13 Medicaid (8 percent) and one of five CBHP (20 percent) overpayments tested, the Department failed to refund the federal share of overpayment to CMS within 1 year of the date of discovery. As a result of untimely follow-up with the providers, the Department did not recover the overpayments amounting to $23,646 in known questioned costs; and did not refund $12,176 within the 1 year period of discovery. These errors resulted in underreporting of overpayments to CMS for Fiscal Year 2020. Additionally, the Department could be liable to CMS for the interest payments on these untimely refunds of overpayments. As of the end of our audit, the Department had not provided an estimated amount of interest that will be due to CMS so we were unable to report an estimated questioned costs amount for the interest. According to federal regulation [42 CFR 433.312(a)(1) and (2)], the Department has 1 year from the date of discovery of an overpayment to a provider to recover or seek to recover the overpayment before the Federal share must be refunded to CMS. In addition, the Department must refund the Federal share of overpayments at the end of the 1-year period following the date discovery of overpayment, whether or not the State has recovered the overpayment from the provider. According to federal regulation [42 CFR 433.320(a)(4)], if the Department does not refund the Federal share of such overpayment as indicated in the previous paragraph (a)(2), the State will be liable for interest on the amount equal to the Federal share of the non-recovered, non-refunded overpayment amount. Interest during this period will be at the Current Value of Funds Rate, and will accrue beginning on the day after the end of the 1-year period following discovery until the last day of the quarter for which the State submits a CMS-64 report refunding the Federal share of the overpayment. ? INACCURATE FEDERAL REPORTING. For all 13 Medicaid (100 percent) and all five CBHP (100 percent) overpayments we tested, the Controller?s Division reported the federal share of the overpayments made to providers on the wrong line of the CMS quarterly reports rather than on the line specified and required by Uniform Guidance. Uniform Guidance states that the Department must report the refund of the overpayment on CMS-64 for Medicaid on line 9C1- Fraud, Waste and Abuse and/or on CMS-21 for CBHP on line 4-Adjustments Decreasing Claims-Collections. ? EXPIRED CHECK AND UNTIMELY FOLLOW-UP. For one of the 13 Medicaid overpayments tested (8 percent), the PI Division failed to timely process the overpayment recovery check received from the provider. Consequently, the check, which was received on September 5, 2019, expired and the Department did not take any actions to follow up with the provider at any time through the end of the fiscal year to obtain payment. After we brought this issue to the Department?s attention, they followed up on the outstanding payment in January 2021, which is more than 16 months since the check expired. According to the Department?s Policies and Procedures, Recovery Officer Check Processing, Section (V)(A), the PI Division within Audits and Compliance has to process the received check in a timely manner and provide a copy to the accounting or Controller Division. ? INCOMPLETE TRACKING SPREADSHEET. We found that the overpayment recovery and refund tracking Spreadsheet used by the PI Division was incomplete and missing important information such as the date of the discovery, the federal program reimbursement rate, and deadlines for refunding to CMS. Green Book, Section 4, Paragraph OV4.08, states that documentation is required for the effective design, implementation, and operating effectiveness of an entity?s internal control system. WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls, including policies and procedures, in place over the recovery, reporting, and refunding of Medicaid and CBHP overpayments during Fiscal Year 2020 to ensure compliance with federal regulations. Specifically, we noted the following causes for the identified errors: ? LACK OF TRAINING. The staff within the PI Division and the Controller?s Division lacked adequate training to document, communicate, and report details of overpayments to ensure compliance with federal regulations. Specifically, the Department?s PI Division did not timely create and provide the Colorado Authorization Document form to the Controller?s Division and the Controller?s Division did not report the refund of the overpayments within 1 year of the date of discovery to ensure compliance with federal regulations. Additionally, staff lacked training to properly track and report overpayments for Medicaid and CBHP; timely process recovery and refund of overpayments, processing checks timely, and correctly report overpayments on CMS quarterly reports. ? LACK OF POLICIES AND PROCEDURES. The Department lacked written policies and procedures to ensure that all necessary information such as the date of the discovery, the federal program reimbursement rate, and deadlines for refunding to CMS required to track, recover, report, and refund overpayments were documented within the Spreadsheet. ? LACK OF ACCOUNT CODES. According to the Controller Division staff, the correct accounting codes are not set up in CORE; therefore, the recovered overpayments are currently recorded under incorrect accounting codes in CORE. This led to the reporting of overpayments on the incorrect federal reporting lines in CMS quarterly reports. ? LACK OF SUPERVISORY REVIEW. The PI Division and Controller?s Division lacked supervisory review over the Spreadsheet and CORE account codes used on the recoveries to ensure completeness and accuracy of information to support timely recovery, refund, and reporting of overpayments. WHY DO THESE PROBLEMS MATTER? Strong internal controls over refunding and recovery of Medicaid and CBHP overpayments, including written policies and procedures; adequate staff training on those policies and procedures, and any related processes; a proper tracking mechanism; and a supervisory review process are necessary to ensure that Department is in compliance with federal and state regulations. Without a proper tracking mechanism for overpayments, the Department risks failing to timely recover state funds paid improperly, refund overpayments, and accurately report overpayment information to the federal government, potentially resulting in additional liability of interest on overpayments to the federal government. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-037 The Department of Health Care Policy and Financing (Department) should improve its internal controls over Medicaid and Children?s Basic Health Plan (CBHP) overpayments and comply with the related payment and reporting requirements by: A Providing adequate training to staff to ensure timely documentation and communication of recovery information between the Program Integrity Division and the Controller Division related to reporting and refunding of overpayments within 1 year of the date of discovery in accordance with federal regulation. Additionally, the training should focus on proper tracking and reporting of overpayments for Medicaid and CBHP, timely processing of recovery of overpayments, timely check processing, and correct refunding of the federal share of these overpayments on Centers for Medicare and Medicaid Services (CMS) quarterly reports. B Developing and implementing written policies and procedures to ensure that all necessary information required to correctly track Medicaid and CBHP overpayments is included on the tracking spreadsheet and recovered overpayments are refunded and reported to CMS within the 1 year of the discovery date, in accordance with federal regulations. C Creating overpayment account codes to report recovered overpayments accurately in the Colorado Operations Resource Engine (CORE) and subsequently under the correct federal reporting lines in CMS quarterly reports. D Implementing a supervisory review over the tracking spreadsheet and CORE overpayment recovery account codes to ensure completeness and accuracy of information to support timely recovery and reporting of overpayments by the divisions. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will develop and provide training to staff that covers the federal regulations surrounding reporting overpayments and returning the federal share, required information for tracking overpayments, processes for processing recovered funds in a timely manner, and processes for properly refunding the federal share on the CMS-64 and/or CMS-21. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will draft and revise existing policies and procedures to ensure proper tracking of recovered overpayments, timely processing of those payments, and correct reporting on the CMS-64 and/or CMS-21. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will implement procedures and coding sufficient to allow proper reporting of overpayments returned greater than one year from the date of discovery for the CMS quarterly reports. D AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will develop and revise supervisory review processes for ensuring that the tracking spreadsheet is complete and accurate and that the CORE account codes are correctly reported.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2020-051 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-038 PRESUMPTIVE ELIGIBILITY Colorado?s presumptive eligibility program is designed to give immediate, temporary medical coverage to children under 19 and pregnant women while they wait for a regular Medicaid or CBHP eligibility determination. Though there are fewer eligibility requirements for presumptive eligibility in comparison with regular Medicaid or CBHP coverage, beneficiaries must submit a Medical Assistance application (Application) and meet certain criteria to be eligible. To manage the application process and help ensure that only people meeting the basic eligibility criteria are enrolled in presumptive eligibility programs for children and pregnant women, the Department partners with clinics, health care centers, and community resource centers that are certified as presumptive eligibility sites (PE sites). Such PE sites must be re-certified by the Department every 2 years to maintain their active status as qualified PE sites in order to process presumptive eligibility. As part of the re-certification process, the Department conducts a sample of eligibility case reviews. During Fiscal Year 2020, there were 57 PE sites that together determined presumptive eligibility for 1,795 Medicaid cases and 875 CBHP cases. The process of enrolling an applicant into a presumptive eligibility program begins when a caseworker at a PE site collects minimum information needed to determine presumptive eligibility, including the applicant?s name, age, residency, citizenship, and income. The caseworker enters this information into CBMS, which determines whether the applicant is eligible to receive Medicaid or CBHP temporary benefits. If the applicant is deemed presumptively eligible, then CBMS feeds relevant data to Colorado interChange, which issues payments to CBHP and Medicaid providers on behalf of these beneficiaries. If the applicant?s reported information is not in compliance with state and federal requirements, CBMS is programmed to deny the eligibility and mark the applicant?s eligibility as fail within CBMS. As a result, the applicant would not be eligible to receive any payments on their behalf through Colorado interChange. Once an applicant?s presumptive eligibility has been determined, the PE site submits the Application along with a transmittal form detailing the beneficiary?s reported information to the appropriate local county or designated MA site, which then completes the application process to determine regular (i.e., not presumptive) eligibility for Medicaid or CBHP benefits. Once the applicant is enrolled in the regular Medicaid or CBHP program, the individual?s presumptive eligibility benefits should end. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to review the Department?s internal controls over the processing of presumptive eligibility for Medicaid and CBHP programs, as well as to determine whether the Department complied with the applicable federal and state requirements for Fiscal Year 2020. During our internal controls testing, we reviewed all 57 PE sites to determine whether they were due for re-certification and were appropriately re-certified to process presumptive eligibility by the Department during the fiscal year. Out of 57 PE sites, 39 were due for re-certification during Fiscal Year 2020. We also reviewed the Department?s case reviews of the presumptive eligibility determinations processed by 13 staff at five out of the 39 PE sites due for re-certification during Fiscal Year 2020 to determine whether reviews were performed and if the appropriate training was provided for those PE sites? staff that failed the Department?s review. The PE site?s staff fails the Department?s case reviews if the Department identifies a high amount of presumptive eligibility determination errors in accordance with federal and state requirements. If the PE site?s staff fails the review, the Department requires the staff to undergo customized Department training over the areas they failed within 6 months of the review. We also made inquiries with Department staff regarding their policies and procedures over monitoring of these PE sites and reviewed the Department?s process of case file reviews. In addition, we randomly selected a sample of 20 Medicaid and 20 CBHP cases for individuals who were deemed presumptively eligible by the Department during Fiscal Year 2020 to determine whether the Department complied with federal Medicaid and CBHP presumptive eligibility requirements. Our testing included reviewing the related supporting case file documentation, as well as the CBMS data fields related to presumptive eligibility determinations and payment information in Colorado interChange. The process followed for presumptive eligibility determination is the same for both Medicaid and CBHP, and therefore our testing was used to determine compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal and state regulations regarding Medicaid and CBHP presumptive eligibility requirements during Fiscal Year 2020. We noted issues regarding the Department?s timeliness of PE sites? re-certifications, failure to timely end beneficiaries? presumptive eligibility, a lack of review of PE sites, and missing documentation. Additionally, we found CBMS system issues related to the determination of applicant?s presumptive eligibility. Specifically, we identified the following: ? UNTIMELY END OF PRESUMPTIVE ELIGIBILITY. In eight out of 20 Medicaid (40 percent) and seven out of 20 CBHP (35 percent) cases, we found that the Department did not properly end presumptive eligibility within CBMS as required by the federal regulation. For example, in one CBHP case, the beneficiary?s presumptive eligibility did not end until 57 days after the beneficiary was determined to be eligible for regular CBHP benefits. Federal regulation [42 CFR 435.1101)] states that presumptive eligibility should end the day on which a decision is made on the application for Medical Assistance or the last day of the month following the month in which the determination of presumptive eligibility was made. ? LAPSED CERTIFICATIONS OF PE SITES. We found that five of the 57 PE sites (9 percent) were not re-certified within 2 years, as required, during Fiscal Year 2020, and therefore, were not qualified to make presumptive eligibility determinations after their re-certification due date had passed. Based on inquiry with the Department, these five PE sites processed a total of 314 presumptive eligibility determinations for Medicaid and CBHP after their re-certification due date during Fiscal Year 2020. The Department was unable to provide the total payments made on behalf of these beneficiaries during the presumptive eligibility period as of June 30, 2020, since these payments are not separately identified from regular Medicaid or CBHP payments in the system. As a result, we were unable to determine the amount of questioned costs the Department paid for these individuals during Fiscal Year 2020. State regulation [10 CCR 2505-10, 8.100.4.F (3)] requires the Department to re-certify the PE sites every 2 years to remain an approved site. ? LACK OF REVIEW OF PE SITES. We found several issues with the Department?s review of PE sites. Specifically we found the following: ? For 13 out of the 39 PE sites due for re-certification and a review (33 percent), the Department did not perform any case reviews to ensure that presumptive eligibility determinations were being made appropriately and in accordance with state and federal regulations by the PE site staff during Fiscal Year 2020. ? 11 of 13 staff at three PE sites (85 percent) failed the Department?s review of presumptive eligibility determinations during the fiscal year. However, the Department was unable to provide adequate evidence that it provided training to these staff within 6 months of their failed reviews, as required by Department processes. ? Currently, for all 57 PE sites, the Department conducts reviews every 2 years, but only requires them to retain eligibility documentation for 1 year. As a result, the Department is able to monitor PE site?s eligibility determinations for only half of the period since the last review, leaving the other half unmonitored. Federal regulation (42 CFR 435.1102(b)(3)) requires the Department to ?establish oversight mechanisms to ensure that presumptive eligibility determinations are being made consistent with the statute and regulations?. According to the Department processes, staff are to review a sample of presumptive eligibility cases at PE site every 2 years when reviewing sites for re-certification. If a PE site?s staff fails a review, the Department requires the staff to undergo customized Department training within 6 months over the areas they failed. Green Book, Section 2, Paragraph OV2.02, states that the Green Book applies to all of an entity?s objectives: operations, reporting, and compliance. Additionally, Green Book, Paragraph 16.01, indicates that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports and observing operations. ? MISSING DOCUMENTATION. In five of the 20 CBHP cases (25 percent) and five of the 20 Medicaid cases (25 percent) we tested, the Department was unable to provide evidence that the PE sites notified the counties or MA sites within five business days that the applicants were presumptively eligible. Federal regulation [42 CFR 435.1102(b)(2)(iii)] states that the presumptive eligibility sites are required to notify the local county or MA site within 5 business days that the client is presumptively eligible. ? SYSTEM DISPLAY ISSUE. In two of 20 CBHP cases (10 percent) and two of 20 Medicaid cases (10 percent), CBMS did not display the presumptive eligibility termination dates consistently between various screens. For example, in a Medicaid case, one screen showed a presumptive eligibility termination date of January 22, 2020, and the other screen showed a presumptive eligibility termination date of February 29, 2020. This system display issue did not affect the beneficiaries? presumptive eligibility and therefore there were no questioned costs. CBMS is designed to display case and applicant information consistently between various screens within the system. WHY DID THESE PROBLEMS OCCUR? The Department lacked sufficient internal controls to ensure that it complied with state and federal presumptive eligibility requirements during Fiscal Year 2020. Specifically, we noted the following causes for the errors we identified: ? LACK OF POLICIES AND PROCEDURES. The Department did not have written policies and procedures detailing the requirements for completion of site reviews, maintenance of supporting documentation, and the performance of timely re-certification of PE sites. ? LACK OF MONITORING. The Department lacked an effective tracking mechanism to monitor and identify PE sites that were due for re-certification every 2 years and to ensure presumptive eligibility determinations were in compliance with state and federal regulations. ? CBMS SYSTEM ISSUES. CBMS was not programmed to appropriately terminate presumptive eligibility when the beneficiary is enrolled in the regular Medicaid or CBHP program. In addition, CBMS has a system display issue that results in inconsistent applicant information being shown on various screens. WHY DO THESE PROBLEMS MATTER? As the State?s Medical Assistance agency, it is essential for the Department to ensure that PE sites? eligibility determinations are made appropriately and in accordance with state and federal regulations. This includes ensuring benefits are paid only on behalf of eligible beneficiaries. Since CBMS determines eligibility for Medicaid and CBHP, the CBMS system issues we identified could result in erroneous eligibility determinations. The federal government can disallow federal funds for program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. By not ensuring that appropriate internal controls, including system controls, written policies and procedures, adequate reviews, and monitoring, are in place over the Medicaid and CBHP presumptive eligibility process, the Department cannot ensure that all Medicaid and CBHP beneficiaries are eligible to participate in the programs. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-038 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls over presumptive eligibility by: A Developing and implementing written policies and procedures detailing the requirements for completion of site reviews, maintenance of supporting documentation, timely training for failed presumptive eligibility (PE) site staff, and performance of timely re-certification of PE sites. B Developing an effective tracking mechanism to identify and monitor PE sites that are due for re-certification every 2 years and ensuring the re-certifications are performed. C Resolving Colorado Benefits Management Systems (CBMS) programming and system issues to appropriately terminate applicants? presumptive eligibility when the beneficiaries are enrolled in regular Medicaid or Children?s Basic Health Plan program and ensuring CBMS displays consistent applicant information between various screens. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department agrees with the audit recommendation to develop and implement formal written policies and procedures. Prior to this audit, the Department began creating formal written policies and procedures for site case reviews, maintenance of supporting documentation, timely training for failed workers, and performance of timely re-certification of presumptive eligibility sites (PE site). This finding had no known questionable cost associated with it. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Department agrees with the audit recommendation to develop an effective tracking mechanism to identify and monitor PE sites that are due for re-certification every two years and ensuring that the re-certifications are performed. Prior to this audit, the Department began developing a tracking mechanism for PE site re-certifications. This finding had no known questionable cost associated with it. C AGREE. IMPLEMENTATION DATE: IMPLEMENTED. Implemented as of April 2021. The Department has thoroughly researched the eligibility issues identified in this audit and made the changes to CBMS to ensure that applicants? presumptive eligibility has been appropriately terminated when the beneficiaries are enrolled in regular Medicaid or CBHP program, and that CBMS displays consistent applicant information between various screens. These issues were fixed through two system changes implemented in March 2020 and April 2021. This finding had no known questionable cost associated with it. AUDITOR?S ADDENDUM for Parts A, B, and C As noted in the finding, we found five PE Sites that were not re-certified within the required 2 years and therefore, were not qualified to make presumptive eligibility determinations after their re-certification due date had passed. State regulation [10 CCR 2505-10, 8.100.4.F] requires the Department to re-certify the presumptive eligibility sites every 2 years to remain an approved site. The five PE sites processed a total of 314 presumptive eligibility determinations after their re-certification due date and before the Department re-certified the sites. The Department was unable to provide the total payments made on behalf of these 314 beneficiaries? prior to being enrolled in the regular Medicaid or CBHP program as of June 30, 2020. Therefore, we were unable to determine the amount of questioned costs the Department paid for these individuals during Fiscal Year 2020.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2020-052 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-039 PROVIDER ELIGIBILITY The providers of medical and related services covered under Medicaid and CBHP programs fall into a wide array of provider types that include clinics, hospitals, independent physicians, and medical technicians, as well as managed care organizations and health plans that contract with medical providers. As of June 30, 2020, approximately 76,960 entities and individuals were enrolled with the Department to provide services under Medicaid and CBHP. Although the Department is ultimately responsible for ensuring that only eligible providers participate in the Medicaid and CBHP programs, the Department has contracted with a fiscal agent to perform certain provider-enrollment and claims-processing activities, including accepting, processing, evaluating, and approving or rejecting applications. Providers that want to enroll must complete an online application within Colorado interChange and provide documentation, including a current medical license, showing that they fulfill all enrollment requirements based on their provider type. The fiscal agent is contractually responsible for evaluating the application and the relevant supporting documentation to ensure compliance with all state and federal enrollment requirements. The Department is responsible for maintaining current provider information in Colorado interChange. Once the enrollment process is complete, the Department enters into agreements with the providers that are found to be eligible. In December 2019, the Department added a Department of Regulatory Agencies (DORA) license database interface within Colorado interChange in order to provide a mechanism for updating the provider?s medical license information including the expiration dates within Colorado interChange for any expired provider licenses. Department staff indicated that the provider licenses are manually reviewed at the time of enrollment by the fiscal agent and marked as active, meaning the providers are eligible to participate in the Medicaid and/or CBHP programs. On a monthly basis, the fiscal agent manually runs a report from the DORA database to identify the provider?s medical licenses that are about to expire and updates the renewed license information in Colorado interChange. If a provider?s license is expired, then the fiscal agent marks the provider for a review. Furthermore, the Department?s Program Integrity (PI) Division checks the DORA?s website monthly to determine if any action such as suspensions or revocations of licenses have been taken against a provider?s medical license. If the action taken against the provider affects the provider?s ability to participate in Medicaid or CBHP for a certain period, the PI Division then determines if the provider should be placed on a temporary restriction by suspending any payments, or be terminated within Colorado interChange to stop payments to the provider. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over the enrollment and eligibility determinations of providers for Medicaid and CBHP services and to determine whether the Department complied with federal Medicaid and CBHP provider eligibility requirements during Fiscal Year 2020. Additionally, we assessed the Department?s progress in implementing our Fiscal Year 2019 recommendation related to provider eligibility and enrollment. At that time, we recommended that the Department improve its controls in this area to ensure that it complies with federal and state requirements related to data verification and maintenance of documentation, such as current provider licenses, to ensure payments are only made to eligible providers. We also obtained a detailed Suspension Listing from DORA, which contained provider medical licenses that were suspended during Fiscal Year 2020. We compared this Suspension Listing with provider information within Colorado interChange to determine whether the Department paid any providers with suspended licenses for claims during the fiscal year. We reviewed a sample of 45 provider applications for providers that were deemed eligible and received Medicaid and CBHP payments during Fiscal Year 2020 through Colorado interChange. We obtained and reviewed provider application information and relevant supporting documentation within Colorado interChange to determine whether these providers were accurately deemed eligible to receive Medicaid and CBHP payments and whether the required documents were maintained, in accordance with federal and state regulations. In addition, we conducted interviews with Department staff regarding its procedures over Medicaid and CBHP provider eligibility and enrollment. In March 2020, the Governor issued executive orders waiving Medicaid and CBHP provider licensing requirements for providers whose licenses expired during the COVID-19 PHE; as a result, our testwork was split into two periods of testing: (1) July 1, 2019, through February 29, 2020, and (2) March 1, 2020, through June 30, 2020. The process followed for provider eligibility and enrollment is the same for both Medicaid and CBHP providers, and our testing was used to determine compliance for both programs. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? We applied the following criteria during our testing: ? FEDERAL REGULATION [42 CFR 455.412] requires that the Department have a method for verifying that any provider purporting to be licensed in accordance with the laws of any state is licensed by such state and confirm that the provider?s license has not expired and that there are no current limitations on the provider?s license. This federal regulation requires the Department to verify that the providers meet required licensure standards initially, and it is best practice for the Department to verify that the providers meet these standards on an ongoing basis to ensure that there are no current limitations on the provider?s license. In May 2021, CMS provided clarification to the Department that ?not every condition on a provider?s license would be considered a limitation? and the PI Division within the Department needs to ?document in writing their determination to keep a provider enrolled when a license limitation does not restrict the provider?s ability to render services to Medicaid and CBHP beneficiaries to be in compliance with federal regulation.? ? STATE REGULATIONS [10 CCR 2505-10, 8.125.9 A AND B] require for current medical provider licenses, if a provider is required to possess a license or certification in order to provide services or supplies in the State, then that provider must be so licensed as a condition of enrollment as a Medicaid provider. As a condition of enrollment, any required licenses must be active without any current limitations. ? DEPARTMENT POLICY AND PROCEDURE. Provider Licensure Sanction Monitoring, Section III. A., states that in order for a provider to be eligible to render and bill for services, the provider must have an active license. ? FEDERAL CMS REQUIREMENTS [Sub Regulatory Guidance for State Medicaid Agencies (SMA): Revalidation (2016-001 (3))] state the Department must be able to produce documentation to support each of the provider screening and enrollment requirements under 42 CFR 455 Subpart E, including documentation of the most current license to ensure the provider remains eligible to provide services. ? CONTRACT REQUIREMENTS. According to the contract agreement with the fiscal agent, the fiscal agent is required to maintain detailed documentation to support each of the provider screening and enrollment requirements, including documentation of the provider?s most current license to ensure the provider remains eligible to provide services for Medicaid and CBHP. ? FEDERAL REGULATION [45 CFR 75.303(a)] requires that the Department, as a recipient of federal funds, must establish and maintain effective internal control over its federal awards that provides reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Green Book, Paragraph 16.01, which states that the Department ?should establish and operate monitoring activities to monitor [its] internal control system and evaluate the results.? Monitoring activities include reviewing reports, observing operations, and ensuring that activities are carried out in accordance with the federal grant agreement(s). WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We found that the Department did not fully comply with federal and state regulations for Medicaid and CBHP provider eligibility during Fiscal Year 2020. The specific issues we identified through our analyses of Medicaid and CBHP provider license data and case file reviews are outlined in more detail throughout this section. ELIGIBILITY ISSUES IDENTIFIED THROUGH DATA ANALYSES INELIGIBLE PROVIDERS?SUSPENDED LICENSES OR LICENSE WITH LIMITATIONS. Based on our comparison of the suspended provider license listing from DORA and provider information within Colorado interChange, we identified 13 ineligible providers who had their license suspended or had a license with limitations for part of Fiscal Year 2020, but continued to be shown as active, which means eligible, in Colorado interChange, as follows: ? 13 providers had their licenses suspended by DORA during Fiscal Year 2020; however, instead of terminating these providers in accordance with federal and state regulations, the Department marked these providers as active within Colorado interChange. For four of the 13 providers, the Department did not take any action to prevent them from billing for services during the year. For the remaining nine providers, the Department placed billing restrictions on the providers after DORA?s suspension date. Specifically, for six of these nine providers, the Department placed billing restrictions on the providers within 1 to 2 months and for the remaining three providers, placed the billing restrictions on the providers between 3 to 12 months after DORA?s suspension date. Based on additional testing, we determined that no payments were made to these providers after their licenses were suspended by DORA and therefore, we did not identify any questioned costs associated with these providers. ? One provider had its license listed as active with conditions on DORA?s website from April 10, 2020, through June 30, 2020, but the Department did not terminate the provider due to current limitations on the license; instead, the provider was marked as active in Colorado interChange and continued to bill claims and receive payments during the fiscal year. We determined that the provider?s current license limitations did not restrict the provider?s ability to render services. Therefore, the provider was eligible and no questioned costs were noted. However, the Department did not document their determination to keep this provider enrolled with current license limitations. In addition, we noted that this provider?s license expired in Colorado interChange as of October 2016, however, DORA?s website showed the provider with an active license, or license with limitations, during Fiscal Year 2020. The fiscal agent did not update license information as required by the contract. ELIGIBILITY CASE FILE ISSUES MISSING DOCUMENTATION AND LICENSE INFORMATION. For five of 45 providers (11 percent), the Department did not ensure that the fiscal agent maintained the support of the most current medical license information as of June 30, 2020, within Colorado interChange to demonstrate that the provider was eligible to provide services. After we brought the issue to the Department?s attention, the Department provided the documentation. Additionally, for two of these five providers, we found that the medical license information maintained by the fiscal agent in Colorado interChange differed from the license information contained in the DORA database. For example, in one case, the provider?s license showed an expiration date of September 30, 2019, in Colorado interChange, while the accurate license expiration date in DORA?s database was September 30, 2021. Without the most current license information, the fiscal agent cannot appropriately verify ongoing eligibility for the providers. WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls in place over the provider eligibility process during Fiscal Year 2020 to ensure that it complied with federal and state regulations. ? INEFFECTIVE REVIEW OF PROVIDER LICENSES. The Department lacks an effective review process to ensure the license information in DORA?s database matches the license information in Colorado interChange in order to identify suspended providers, to document their determination to keep a provider enrolled with license limitations, and providers with expired licenses. In addition, the Department?s manual review did not ensure that suspended providers, providers with license limitations and providers with expired licenses were terminated and restricted in a timely manner. ? POLICIES AND PROCEDURES NOT UPDATED. The Department did not obtain CMS guidance until May 2021 to document their determinations to keep providers with license limitations enrolled when a license limitation did not restrict provider?s ability to render services. Therefore, the Department?s current policies and procedures are not updated to match CMS guidance. ? LACK OF EFFECTIVE TRAINING AND MONITORING. The Department was not effectively training and monitoring its fiscal agent to ensure that copies of active medical licenses are maintained within providers? files in Colorado interChange. Additionally, the fiscal agent did not properly update the provider?s license information in Colorado interChange to match the DORA database during Fiscal Year 2020. WHY DO THESE PROBLEMS MATTER? By not ensuring that appropriate internal controls, including policies and procedures, reviews, training, and monitoring, are in place over the Medicaid and CBHP provider eligibility process, the Department cannot ensure that all Medicaid and CBHP providers are eligible to participate in the programs. Additionally, without an effective review process to update provider licensure information within Colorado interChange, the Department cannot ensure that the enrolled providers are eligible to receive payments. Ensuring that providers contained in Colorado interChange are eligible to provide services is especially important to prevent any improper payments. Overall, the State could risk losing federal Medicaid and CBHP funding if it allows ineligible providers to bill and be paid for services provided for these programs. Furthermore, the State may lose federal Medicaid money if the Department does not recover any of the payments made to ineligible providers. State statute [Section 25.5-4-301(2), C.R.S.] indicates that any overpayments of claims to providers are recoverable. These overpayments ?shall be recoverable regardless of whether the overpayment is the result of an error by the state department, a county department of social services, an entity acting on behalf of either department, or by the provider or any agent of the provider.? See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-039 The Department of Health Care Policy and Financing (Department) should improve its internal controls over the Medicaid and Children?s Basic Health Plan provider eligibility determination to ensure that it complies with federal and state requirements by: A Improving the Department?s review process of provider licenses to ensure the license information in the Department of Regulatory Agencies (DORA) license database matches the license information in the Colorado interChange system and ensuring timely termination and imposing restrictions for the provider?s whose licenses are suspended or expired. B Updating the current policies and procedures to match Centers for Medicare and Medicaid Services guidance to ensure there is adequate documentation of the determinations for providers with license limitations. C Effectively training and monitoring its fiscal agent to ensure that copies of active licenses are maintained and provider license information in the Colorado interChange system matches the information in DORA?s license database. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will update its policies and procedures to ensure that the process for reviewing whether a license action requires termination or a restriction in the Colorado interChange, is documented and implemented in a timely manner to prevent payments to ineligible providers. As noted in OSA's finding, it is best practice for the Department to verify providers meet these standards on an ongoing basis between initial enrollment and revalidation to ensure there are no current limitations on the provider?s license, including those that have expired. The Department?s previous process was discontinued due to data matching issues between DORA and the Colorado interChange. However, letters continue to be sent to providers with upcoming expiring licenses prompting them to add current license information to their provider file. The Department plans to implement a system change that will make the data feed from DORA functional and install a front-end claims edit that will prevent claims from providers with an expired license from paying. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will update its policies and procedures to ensure that all determinations made on whether a provider has a limitation on its license are properly documented. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department has an established process to train and monitor its fiscal agent. The Department will continue to monitor the Fiscal Agent through reports, meetings, and quarterly audit review processes. The Department and the Fiscal Agent will continue to collaborate to improve the process in which required documentation is collected and maintained.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-054 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-041 MEDICAID ELIGIBILITY?MISSING SOCIAL SECURITY NUMBERS A beneficiary?s application includes information such as a Social Security Number (SSN), birth certificate, and supporting documentation for income. Local counties and MA sites are responsible for administering the benefits application process, entering the required data for eligibility determination into CBMS, and approving or denying applicants? eligibility. For example, Medicaid caseworkers enter and document each applicant?s SSN into CBMS. Caseworkers determine participants? eligibility to receive Medicaid benefits through CBMS. The CBMS eligibility data, including SSNs, feeds into Colorado interChange, which pays providers for the services they render to Medicaid beneficiaries. If there is a change to an SSN, including removing an SSN in CBMS, this change should feed directly into Colorado interChange. Additionally, children in foster care are automatically eligible for Medicaid; the TRAILS system that supports the foster care program at the Department of Human Services also interfaces with Colorado interChange on a daily basis to update foster care beneficiaries? eligibility information and pay providers for the services rendered. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls that were in place over the Medicaid eligibility process during Fiscal Year 2019, and to determine whether the Department complied with federal and state Medicaid requirements during this timeframe. During our audit, we requested a list of all Medicaid claims for medical services that were submitted and paid through Colorado interChange from July 1, 2018, through March 31, 2019. This list included claims made on behalf of approximately 1.1 million beneficiaries. We analyzed the data to identify any Medicaid claims payments made during July 1, 2018, through March 31, 2019, on behalf of beneficiaries who did not have an SSN in Colorado interChange on the date of the claims payment, and found a total of 524,092 claims paid on behalf of 46,772 beneficiaries. From this listing, we excluded any of the claims payments made on behalf of a beneficiary who was exempted from providing an SSN under federal and state regulations. For example, we removed claims payments for beneficiaries who were under the age of 1; beneficiaries who were in foster care and, therefore, were automatically deemed eligible for Medicaid; beneficiaries who had applied to the Social Security Administration for an SSN at the time of the payment; beneficiaries who received medical care as an emergency service; and beneficiaries who had chosen to opt out of providing an SSN due to allowed religious reasons. After we removed these exempted beneficiaries from the population, the list included 2,870 beneficiaries that appeared to be missing an SSN in Colorado interChange and who had Medicaid claims payments made on their behalf from July 1, 2018, through March 31, 2019. We then reviewed these remaining beneficiaries, and the related separate payments made on their behalf during this time period, to determine whether these beneficiaries had an SSN in Colorado interChange at the time of the claims payments and whether the individuals were eligible for Medicaid benefits in accordance with federal regulations and Department procedures. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? SSN REQUIREMENTS. Federal regulations [42 CFR 435.910 and 42 CFR 435.117(b)] state that the Department must require an SSN for each individual requesting Medicaid benefits, with the exception of newborns under the age of 1, or ?Eligible Needy Newborns,? and individuals who refuse ?to obtain an SSN because of well-established religious objections.? Federal regulation [42 CFR 435.145(b)(2)] states that the Department must provide Medicaid benefits to individuals who are in the foster care program. Section 472 of the Social Security Act does not require a child to provide an SSN in order to be eligible for the foster care program. State regulations [10 CCR 2505-10 8.100.3.I.1, 8.100.4.B.1.a, and 8.100.4.G.7.a] also require that every individual who applies for and receives Medicaid benefits must provide an SSN, or an application for an SSN, with their application for Medicaid. The regulation specifically states: An applicant?s or client?s refusal to furnish or apply for a Social Security Number affects the family?s eligibility for assistance as follows: i) that person cannot be determined eligible for the Medical Assistance Program; and/or ii) if the person with no SSN or proof of application for SSN is the only dependent child on whose behalf assistance is requested or received, assistance shall be denied or terminated. The regulation also states that newborns under the age of 1 and ?members of religious groups whose faith will not permit them to obtain Social Security Numbers shall be exempt from providing a Social Security Number.? Eligibility data, including SSNs, is required to be collected and entered into CBMS at the time of application or upon another event, such as the beneficiary turning 1 year old. Because this information is maintained within CBMS, and CBMS feeds eligibility information into Colorado interChange, eligible beneficiaries should have an SSN in Colorado interChange. MONITORING. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in the Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). Green Book Paragraph 16.01, Perform Monitoring Activities, states the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. TRAINING. Department training procedures indicate that when a local county or MA site caseworker needs to update an SSN in CBMS, he or she must call the Office of Information Technology (OIT) Service Desk within the Office of the Governor, for approval of the change. According to Department staff, once the OIT Service Desk reviews and approves the change, the information will be updated within CBMS; if the OIT Service Desk does not approve the change to the SSN, then the updated information will be rejected within CBMS. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We identified 2,870 beneficiaries who were required to have an SSN but did not have an SSN documented in Colorado interChange and had Medicaid claims paid on their behalf sometime between July 1, 2018, and March 31, 2019. In total, Colorado interChange paid approximately $4,540,920 in Medicaid claims for these beneficiaries during the time period noted. In August 2019, we informed the Department of the issues we identified and Department staff performed additional follow-up based on our findings, which included analyzing information contained in CBMS compared to our results from Colorado interchange; the Department confirmed in January 2020, the Department confirmed that 1,590 of these beneficiaries had never had an SSN recorded in CBMS since they were first found eligible for Medicaid benefits, and therefore, would never have had an SSN in Colorado interChange. Because these individuals were required by federal and state regulations to provide an SSN at the time of application or upon another event, as applicable, the lack of documented SSNs in both CBMS and Colorado interChange indicated that these individuals appeared to be ineligible for the Medicaid claims payments that were made on their behalf during the fiscal year. The Department indicated that the remaining 1,280 beneficiaries without an SSN in Colorado interChange did not have an SSN in CBMS at the time of the claim but had an SSN ?at some point? during Fiscal Year 2019 or prior within CBMS. Since the individuals lacked an SSN within Colorado interChange at the time of the Fiscal Year 2019 claims payments, and based on the documentation provided by the Department, we were unable to determine whether the individuals had submitted an SSN at the time of application or upon another event as required and, therefore, whether they were eligible for the Medicaid services they received. Overall, for the 1,590 beneficiaries noted, we identified known questioned costs of $2,285,757 for the period of July 1, 2018, through March 31, 2019; $1,142,879 of these costs were paid with federal grant funds. For the 1,280 beneficiaries noted, we identified likely questioned costs of $2,255,163 for the period of July 1, 2018, through March 31, 2019. We further analyzed 49 of the 1,590 beneficiaries noted above to identify reasons for missing SSNs and found that: ? Beneficiaries in CBMS were not eligible; however, they were marked as ?eligible? within Colorado interChange. ? Beneficiaries were incorrectly enrolled in the Eligible Needy Newborn Program even though they were all over the age of 1; as a result, although the Department had not required them to provide an SSN, they continued to receive benefits during July 1, 2018, through March 31, 2019. ? Beneficiaries were exempted from obtaining an SSN for unallowable reasons including ?incomplete documents? and ?illness? categories, and CBMS processed their eligibility and Colorado interChange made payments on their behalf; however, neither federal nor state regulations allow such exemptions. The Department has indicated that they are performing additional research on the issues regarding the 1,280 beneficiaries that had an SSN ?at some point? during Fiscal Year 2019 or prior within CBMS. WHY DID THESE PROBLEMS OCCUR? For 1,280 beneficiaries identified who were missing an SSN in Colorado interChange and CBMS at the time of the claim, but had an SSN ?at some point? within CBMS during Fiscal Year 2019 or prior, the Department provided the following possible explanation: The SSN was removed due to caseworkers failing to contact the OIT Service Desk for proper approval for changes to SSN information in CBMS. Other problems with missing SSNs were related to: ? CBMS ISSUES. CBMS was not programmed to appropriately deny an applicant?s eligibility for Medicaid when the individual did not have an SSN in CBMS and did not have an allowed exception noted in CBMS. Rather, CBMS allowed the SSN field to be left blank, regardless of the reason noted for the missing SSN and whether the reason was allowed as an exemption by federal and state regulations. In addition, the SSN in CBMS could be deleted at any time by the caseworker or the OIT Service Desk and CBMS was not programmed to alert the caseworker to follow up if an SSN had been deleted from the file. ? SYSTEM INTERFACE ISSUES AND LACK OF A RECONCILIATION PROCESS. CBMS was not interfacing with Colorado interChange appropriately to update beneficiaries? eligibility information. Some beneficiaries who were deemed ?ineligible? for Medicaid in CBMS were listed as ?eligible? in Colorado interChange and payments were made on their behalf during the fiscal year. Furthermore, the Department lacked an effective internal control process for reconciling Medicaid beneficiaries? eligibility information in CBMS to the eligibility information in Colorado interChange to ensure that the information was consistent in both systems, and that the beneficiary was appropriately deemed either ?eligible? or ?ineligible? in accordance with federal and state regulations. ? LACK OF EFFECTIVE REVIEWS, TRAINING, AND MONITORING. The Department was not effectively monitoring and training Medicaid local county and MA site caseworkers on required approvals for any changes to beneficiaries? SSNs. Further, the Department did not have an effective review process to ensure that beneficiaries were enrolled in the correct Medicaid program. WHY DO THESE PROBLEMS MATTER? As the state Medicaid agency, it is essential for the Department to ensure that Medicaid eligibility determinations are made appropriately and in accordance with state and federal regulations. This includes ensuring accurate processing of information used to determine Medicaid eligibility results in Medicaid benefits being provided to and paid on behalf of only eligible individuals. Since CBMS and Colorado interChange determine eligibility and issue payments on behalf of other federal programs, such as the CBHP, these issues could result in erroneous eligibility determinations or payments for other programs. Ultimately, the federal government may disallow federal funds for Medicaid program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2019-043 The Department of Health Care Policy and Financing should improve its internal controls over Medicaid eligibility by: A Researching and, if feasible, instituting a mechanism for identifying Medicaid cases in the Colorado Benefits Management System (CBMS) that lack a Social Security Number. B Researching and resolving CBMS and Colorado interChange interface issues to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries and establishing an effective reconciliation process between CBMS and Colorado interChange to ensure that Medicaid beneficiaries? eligibility information is consistent in both systems. C Effectively training and monitoring local counties and Medical Assistance sites to ensure that caseworkers are obtaining and documenting the Office of Information Technology Service Desk?s approval for changes to beneficiaries? Social Security Numbers, and that beneficiaries are enrolled in the correct Medicaid program. D Researching the cases identified in our audit to determine whether these beneficiaries were eligible and that the payments made on their behalf were appropriate, in accordance with federal and state regulations. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The CBMS currently has functionality in place for members requesting Medical Assistance that they must supply a Social Security Number (SSN) unless they meet certain acceptable exceptions at initial application. Since CBMS is a shared system between the Department and the Department of Human Services and any change would impact all cases in CBMS, the Department cannot guarantee that a system change can be implemented. The Department can agrees to research on the feasibility of instituting a mechanism for identifying Medicaid cases in CBMS that lack a social security number and, if feasible, implement a CBMS change by July 2022. B AGREE. IMPLEMENTATION DATE: JULY 2021. The Department agrees to research and resolve Colorado Benefits Management System (CBMS), and Colorado interChange system interface issues identified in the audit. The Department implemented a system change in June of 2018 that allows retroactive changes in eligibility to be correctly synced between the systems. The majority of the impacted cases are historical cases that will be manually corrected by June 2020. Additional cases involve detailed research, review, and potential outreach to case workers to correct the case file or verify the eligibility status of the impacted members. The Department will take the appropriate actions to notify impacted members if necessary. The Department's implementation date reflects that the Department will be in compliance with the Recommendation for the entirety of FY 2021-22. C AGREE. IMPLEMENTATION DATE: JULY 2021. The Department provides training to counties and Medical Assistance sites that beneficiaries applying for Medical Assistance must supply a Social Security Number (SSN) or supply verification that they have applied for an SSN, unless they meet certain acceptable exceptions. This information has been communicated to the counties since 2004 and is part of our ongoing training materials. The Department cannot agree to establish any additional review process at this time. The Department can agree to work with counties and Medical Assistance sites to identify any additional training related to missing SSN and implement additional training by July 2021. D DISAGREE. The Department disagrees with the Total Known Questioned Costs of $2,285,757 identified in the audit report since Department cannot verify the results. The Department is still attempting to reconcile various reports to understand the finding identified through this audit. CBMS currently has functionality in place for members requesting Medical Assistance that they must supply a Social Security Number (SSN), unless they meet certain acceptable exceptions at initial application. The Department does not have the resources to research the thousands of cases that the auditor identified through data mining techniques, a new methodology for the first time this year. If the auditor is changing methodologies, the Department requires additional resources and timely notice to request resources through the budget process. AUDITOR?S ADDENDUM: The beneficiaries identified through our testing were required by Medicaid regulations to provide an SSN at the time of application or upon another event, as applicable, and the SSN is documented in CBMS and uploaded to Colorado interChange [State regulations 10 CCR 2505-10, 8.100.3.I.1 and 8.100.4.B.1.a and 8.100.4.G.7.a]. Because the noted beneficiaries lacked an SSN within Colorado interChange at the time claims payments were made on their behalf, we questioned the beneficiaries? eligibility. The Department is responsible for ensuring that only individuals who are appropriately deemed eligible for Medicaid receive benefits. Therefore, it is the Department?s responsibility to identify and remove ineligible individuals from the Medicaid program and to prevent the inappropriate payment of claims on their behalf. In addition, generally accepted government auditing standards (GAGAS) (paragraph 3.18), require that ?In all matters relating to the GAGAS engagement, auditors and audit organizations must be independent from an audited entity.? Additionally, paragraph 3.42 states that ?Examples of circumstances that create undue influence threats for an auditor?include (b) [e]xternal interference with the selection or application of engagement procedures or in the selection of transactions to be examined.? Therefore, it is imperative that our decisions related to audit approaches and testing methods be made without department influence or persuasion.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-047 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-034 MEDICAID CONTROLS OVER ELIGIBILITY DETERMINATIONS Individuals and families seeking medical benefits through Medicaid must apply and provide certain information to caseworkers at their local county or an MA site, which collects required documentation for determining the applicants? eligibility. Such documentation includes the applicants? birth certificates, support for income, and the value of resources, such as wage stubs and bank account balances. Caseworkers enter the applicant-provided data into CBMS, which contains system checks for determining the applicants? eligibility to receive Medicaid benefits. These system checks include calculating and verifying income and resources for the applicants, as well as assessing and collecting fees for benefits, such as buy-in premiums. For example, CBMS will mark an applicant?s eligibility as fail if the reported income or resources exceed specific limits that are set by federal and state regulations. The Department is responsible for monitoring the local counties? and MA sites? administration of Medicaid to ensure eligibility is determined in accordance with federal and state regulations. Medicaid applicants may be eligible for retroactive eligibility, which allows new Medicaid applicants to receive coverage for up to 3 months prior to the date of one?s application. As long as the individual meets Medicaid?s eligibility requirements in the 3 months preceding their application, the Department will retroactively pay Medicaid covered expenses that individuals incurred during that timeframe. Without retroactive eligibility, benefits for Medicaid eligible individuals begin on the date the application was received by the local county or MA site. As an example, if an individual has medical expenses in March, applies for Medicaid in June, and the individual has met the eligibility requirements for 3 months preceding their application, then any unpaid Medicaid covered expenses for March, April, and May are paid by Medicaid. Eligibility data from CBMS feeds into the Colorado interChange system (Colorado interChange), which issues payments to Medicaid providers for the services they render to Medicaid beneficiaries. The Department pays Medicaid providers through two methods: (1) directly through fee-for-service (FFS) payments for specific services rendered or (2) indirectly through monthly fixed amounts known as capitation payments that are paid to managed care entities, who contract with providers for services. The monthly capitation payments are paid every month on behalf of beneficiaries regardless of whether the beneficiaries receive medical services during the month. Colorado interChange is programmed to pay the FFS and monthly capitation payments only on behalf of beneficiaries deemed eligible in Colorado interChange based on eligibility information received from CBMS and requirements specified in federal and state rules and regulations. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to review the Department?s internal controls over the Medicaid eligibility determination process, as well as to determine whether the Department complied with applicable federal and state Medicaid eligibility requirements during Fiscal Year 2020. We performed testing on a statistical sample of 125 case files related to beneficiaries who (1) were deemed eligible for Medicaid during Fiscal Year 2020 and (2) had a payment made on their behalf to a Medicaid provider between July 1, 2019, and February 29, 2020. The purpose of our testing was to determine whether the beneficiaries were appropriately determined to be eligible for Medicaid during the time they received services within this period. This audit period was selected to accommodate changes that were made to federal Medicaid eligibility requirements in March 2020 due to the COVID-19 PHE. Our testing involved reviewing Medicaid case files, CBMS data fields, and supporting documentation related to eligibility determinations and redeterminations, as well as Medicaid payment information in Colorado interChange. For each beneficiary, we determined whether the Department ensured that local county and MA site caseworkers obtained and maintained required documents supporting eligibility determinations and redeterminations, and correctly entered eligibility data into CBMS. Additionally, for each sampled beneficiary, we determined whether CBMS showed the correct income and resources, the beneficiary was enrolled in the appropriate Medicaid program, buy-in premiums were assessed, and payments were not made after eligibility had ended during Fiscal Year 2020. We also inquired about the Department?s monitoring procedures over local counties and MA sites to ensure eligibility is determined in accordance with federal and state regulations. Additionally, we reviewed the Department?s progress in implementing our Fiscal Year 2019 audit recommendation related to Medicaid eligibility. Based on the results of that audit, we recommended that the Department strengthen its internal controls over Medicaid by providing adequate training, monitoring the local counties and MA sites, and researching and resolving CBMS system issues identified in our Fiscal Year 2019 audit. STATISTICAL SAMPLING METHODOLOGY We selected a statistical sample of Medicaid beneficiaries for our review of their case files in a manner that?if we found errors?would allow us to estimate the total number of beneficiaries who were improperly deemed eligible, as well as the resulting dollar amount of Medicaid benefit payments that were improperly paid during the audit period of July 1, 2019, through February 29, 2020. We designed our sampling methodology and sample size to support statistical projections of our testing results to the population of all beneficiaries for whom payments were made during the audit period. Our methodology included the following procedures: ? We requested and received from the Department a listing of all Medicaid FFS and capitation payments with a date of service during the audit period. The data set included State identification numbers (ID), which are unique to each beneficiary. ? We summarized all Medicaid payments made during the audit period by ID and removed any IDs for which total payments and adjustments netted to $0, which can happen when the Department catches and fixes payments made in error. This resulted in a population of 1,386,220 unique IDs that had a total of $5,408,339,948 in payments made on their behalf during the audit period. ? We used a stratified random sample, as shown in the following table, consisting of six strata defined by the total amount of payments for each unique ID. We selected random samples from each strata for a total of 125 IDs that had benefit payments totaling $3,127,704. The strata and sample sizes were defined based on our risk assessment and consultations with audit sampling methodologists from the U.S. Department of Health and Human Services, Office of Inspector General (HHS OIG). ? For each sampled ID, we tested eligibility covering the dates of service for every payment made on the individual?s behalf within the audit period. ? After we concluded our testing, we used HHS OIG?s Office of Audit Services statistical software in consultation with HHS OIG to project our results to the full population of IDs for which benefits were paid during the audit period. See Schedule of Findings and Questioned Costs for chart/table. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? For 32 of the 125 Medicaid beneficiaries? case files that we tested (26 percent), we identified at least one error within each case file. In total, we identified 43 errors within the 32 case files. These errors resulted in a total of $25,120 in known questioned costs for July 1, 2019, through February 29, 2020, and $6,843 in likely questioned costs for March 1, 2020, through June 30, 2020, as shown in the following table. See Schedule of Findings and Questioned Costs for chart/table. A questioned cost, as defined in federal regulations [45 CFR 75.2 Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards (Uniform Guidance)], is ?a cost that is questioned by the auditor ? (1) Which resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds; [or] (2) Where the costs, at the time of the audit, are not supported by adequate documentation?.? Furthermore, federal regulation [45 CFR 75.516] defines known questioned costs as questioned costs that are specifically identified by the auditor and likely questioned costs as an auditor?s best estimate of total questioned costs. During the COVID-19 PHE, CMS issued waivers that limited the Department?s ability to deny eligibility for enrolled beneficiaries. The Department also sought guidance from CMS on the treatment of beneficiaries who were ineligible prior to the COVID-19 PHE but were receiving benefits during this period. CMS guidance indicated that the Department should keep these beneficiaries enrolled during the COVID-19 PHE. Therefore, we are reporting any identified questioned costs from March 1, 2020, through June 30, 2020, the period during the COVID-19 PHE, as likely questioned costs. PROJECTED LIKELY QUESTIONED COSTS FOR JULY 2019 THROUGH FEBRUARY 2020. Based on our sample, we estimate the projected Medicaid questioned costs resulting from payments made on behalf of ineligible beneficiaries in the population between July 1, 2019, and February 29, 2020, to be about $165.6 million and, with 90 percent confidence, to be at least $41.1 million but not more than $290.0 million. This projection is based on the $25,120 in known questioned costs, or misstatements, we identified in our sample during the audit period. The American Institute of Certified Public Accountants Audit Sampling, May 1, 2017, Audit Guide [AAG-SAM 4.95] advises, ?Even if the misstatement appears to be from an unusual source, that does not mean that other unusual items are not in the population and that the original sample was not representative.? In accordance with this guidance, we projected the known questioned costs to the population of payments for services that occurred from July 1, 2019, through February 29, 2020, regardless of the nature of the errors or the programs involved, since the Department is ultimately responsible for all payments made to providers on behalf of eligible beneficiaries. The projected questioned costs amount of $165.6 million is based on a statistical calculation that does not correlate to specific payments to providers or to over-expenditures of the State?s General Fund or federal funds. However, this calculation indicates that if we tested the entire population, there is a 90 percent likelihood of finding the true amount of questioned costs to be between $41.1 million and $290.0 million and the amount would most likely be close to $165.6 million in erroneous payments. There is a 5 percent chance that the true amount of questioned costs is less than $41.1 million, and a 5 percent chance the true amount is over $290.0 million. PROJECTED LIKELY NUMBER OF INELIGIBLE BENEFICIARIES FOR JULY 2019 THROUGH FEBRUARY 2020. We also estimate that 169,026 beneficiaries, or with 90 percent confidence that at least 59,622 (4.30 percent) but not more than 278,429 (20.09 percent) beneficiaries, in our total population of 1,386,220 were likely ineligible at the time they received services from July 1, 2019, through February 29, 2020. The following table summarizes the results of our projections. See Schedule of FIndings and Questioned Costs for chart/table. The following table summarizes the total known and likely questioned costs based on our case file testing and statistical sampling results for Fiscal Year 2020. See Schedule of Findings and Questioned Costs for chart/table. DETAILS OF ERRORS IDENTIFIED. In some case files, we identified multiple instances of errors. Specifically, we found the following: ? PAYMENTS AFTER ELIGIBILITY HAS ENDED. In three cases, the Department paid for services after the beneficiary?s eligibility had ended. Specifically, in two cases, the beneficiaries continued to receive benefits after their death. In the remaining case, the Department determined the beneficiary was ineligible and ended the beneficiary?s benefits; however, payments continued to be made on behalf of the beneficiary after their eligibility had ended. These issues resulted in known questioned costs of $11,102. Federal regulation [42 CFR 433.304] states that an overpayment is the amount paid by a state agency to a provider in excess of the allowable amount for furnished services. Because medically necessary services cannot be provided after a beneficiary?s death, no medical services are allowable after a beneficiary?s death. Accordingly, payments for medical services claimed to have been provided after a Medicaid beneficiary?s death are overpayments. According to federal regulation [42 CFR 431.958], ?Improper payment means any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements; and includes any payment to an ineligible beneficiary, any duplicate payment, any payment for services not received, any payment incorrectly denied, and any payment that does not account for credits or applicable discounts.? ? INELIGIBLE FOR PROGRAM. In one case, the beneficiary was ineligible for the benefits received under Medicaid?s Social Security Income (SSI) mandatory program, which is a medical assistance program provided to persons eligible for financial assistance under SSI from the Social Security Administration (SSA). As a result of an eligibility redetermination, the caseworker determined that the beneficiary had not been eligible for the program since January 2019; however, the beneficiary received benefits under this program for the entire fiscal year. This issue resulted in known questioned costs of $8,326 and likely questioned costs of $4,132 for Fiscal Year 2020. State regulations [10 CCR 2505-10, 8.100.6.C.1a. and b.] state that Medicaid benefits must be provided to persons receiving financial assistance under SSI or persons who are eligible for financial assistance under SSI, but are not receiving SSI. ? INCOME ISSUES. We identified the following income-related issues: ? INCOME EXCEEDING THRESHOLD. In two cases, CBMS incorrectly calculated the beneficiaries? income. CBMS used income information reported by the beneficiary when it should have used electronic income information received through an interface with another system. If CBMS had correctly used the electronic income information, beneficiaries? income would have been over the limit set by federal regulation and the beneficiaries, therefore, should have been denied benefits at their redetermination. Instead, the beneficiaries were approved at their redeterminations and Colorado interChange paid claims on their behalf. These errors resulted in known questioned costs of $4,613 and likely questioned costs of $2,281. ? INCOME NOT VERIFIED. In one case, the caseworker did not verify income for the beneficiary. Specifically, the beneficiary reported income on the application, but the caseworker was unable to verify the income and deleted the income record from CBMS. This error resulted in known questioned costs of $779 and likely questioned costs of $280. ? INCORRECT INCOME THRESHOLD. In one case, CBMS used the incorrect income threshold for the beneficiary?s eligibility determination. The beneficiary?s income was less than the correct income threshold and, therefore, this error did not result in questioned costs. ? INCORRECT INCOME. In three cases, the caseworker used the incorrect income amount to determine eligibility. Specifically, in two cases, the caseworker excluded income when it should have been included for determining eligibility. In the remaining case, the caseworker did not include expenses to calculate self-employment income and, as a result, the caseworker overstated income for determining eligibility. No questioned costs were identified in these instances because the beneficiaries? income was still within federal and state income guidelines. Federal regulation [42 CFR 435.119] requires household income to be at or below 133 percent threshold of the federal poverty level and the State regulation [10 CCR 2505-10, 8.100.6.L.2.c] requires qualified beneficiary?s income to be at or below the federal property level. Federal regulation [42 CFR 435.914] requires the Department to obtain and maintain documentation to support each beneficiary?s Medicaid eligibility determination. State regulation [10 CCR 2505-10, 8.100.5.B.1.c] requires the caseworker to verify earned income in determining whether an individual qualifies for medical assistance and requires the Department to verify income reported by a beneficiary through an electronic data source, wage stubs, tax documents, or verification with the employer. State regulation [10 CCR 2505-10, 8.100.3.K.8.a] requires business expenses to be deducted from countable self-employment income when calculating Medicaid applicants? self-employment income. ? MISSING REDETERMINATION. In one case, the Department did not complete the annual redetermination for the beneficiary as required by the federal regulation. Specifically, the beneficiary had Medicaid payments paid on their behalf during the entire Fiscal Year 2020; however, the beneficiary had not been redetermined since April 2018 due to the beneficiary showing as ineligible in CBMS. This issue resulted in known questioned costs of $300 and likely questioned costs of $150. Federal regulation [42 CFR 435.916(a)] requires the Department to renew or redetermine Medicaid eligibility once every 12 months but no more frequently than once every 12 months. ? BUY-IN PREMIUMS NOT ASSESSED. In one case, the Department did not assess buy-in monthly premiums for the beneficiary. Beneficiaries are required to pay buy-in premiums to receive benefits under the Buy-in Working Adults with Disabilities program. Therefore, the beneficiary was not eligible for the Program during November 2019 through February 2020. The beneficiary did not have any claims submitted by providers during this time and therefore, this issue did not result in questioned costs. State regulations [10 CCR 2505-10, 8.100.6.P.1.f] require individuals to pay monthly premiums on a sliding scale based on income for the Buy-in Working Adults with Disabilities program to be eligible to receive benefits. ? INAPPROPRIATE CHANGE TO ELIGIBILITY. In two cases, the Department did not determine eligibility in accordance with state regulation. Specifically, the beneficiaries provided information to the Department that changed their eligibility and the caseworkers applied the change retroactively; these beneficiaries were current Medicaid beneficiaries rather than new applicants and state regulations do not allow eligibility to be changed retroactively for current beneficiaries. These issues did not result in questioned costs. State regulation [10 CCR 2505-10, 8.100.3.E] requires that retroactive eligibility only be provided to new applicants for the prior 3 months preceding the date of application. State regulations do not allow for retroactive redeterminations to existing beneficiaries.
Finding 2022-043 Medicaid Claims Payments Individuals and families apply for Medicaid at their local county departments of human/social services or at MA sites. Medicaid caseworkers make the determinations of participants? eligibility to receive Medicaid benefits through CBMS. Children in the State?s foster care program, whose information is documented in the TRAILS system, are automatically determined eligible for Medicaid benefits. The Medicaid eligibility data in CBMS and TRAILS feeds into Colorado interChange, which pays providers for the services that beneficiaries receive. CBMS and TRAILS interface with Colorado interChange on a daily basis to update eligibility information, such as a beneficiary?s eligibility status and/or termination of benefits in Colorado interChange. According to the Department, Colorado interChange is programmed to make only allowable Medicaid claims payments on behalf of eligible beneficiaries in accordance with federal and state Medicaid rules and regulations. Thus, Colorado interChange should stop paying Medicaid claims when a beneficiary is no longer eligible for Medicaid. On March 18, 2020, the Act was enacted. The Act provided a temporary increase in the federal share of Medicaid and CBHP assistance from January 1, 2020 until the end of the PHE. The Act also required that the Department maintain Medicaid and CBHP eligibility for beneficiaries enrolled as of March 1, 2020, through the end of the COVID-19 PHE, except for the required terminations noted within the CMS waivers, such as out-of-state residency, termination upon the beneficiary?s request, and death of the beneficiary. On March 26, 2020, CMS approved waivers for a number of Medicaid and CBHP requirements that resulted in, for example, the expansion of benefits to include all uninsured individuals; suspension of beneficiary deductibles, copayments, coinsurance, and other cost sharing charges and fees; coverage of COVID-19 vaccines and testing; and the suspension of the requirement for a provider to have a current license if their license expired during the COVID-19 PHE. In addition, the State implemented, with CMS? approval, Medicaid continuous enrollment as a condition of receiving the temporary increase in federal assistance. During continuous enrollment, beneficiaries could not be disenrolled due to changes in circumstances (i.e., changes in household composition, employment, income and resources) until the end of the COVID-19 PHE. On December 29, 2022 the CCA was enacted. Under the CCA, continuous enrollment and the temporary increase in federal assistance are no longer linked to the end of the COVID-19 PHE. The continuous enrollment condition will end on March 31, 2023 and the increase in federal assistance will start to gradually reduce in April 2023, fully ending in December 2023. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to review the Department?s progress in implementing our Fiscal Year 2019 audit recommendation related to its internal controls over Medicaid claims payments. During that audit, we recommended that the Department improve its Medicaid controls by researching and resolving CBMS, TRAILS, and Colorado interChange interface issues we identified during our audit to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries. We specifically identified a TRAILS and CBMS eligibility mismatch issue related to the daily interfaces between CBMS and Colorado interChange and between TRAILS and Colorado interChange. As a result, some individuals who were deemed ineligible for Medicaid in CBMS and TRAILS were indicated as eligible in Colorado interChange at the time of payments; therefore, Colorado interChange made payments on their behalf. The Department researched the specific errors we identified during the audit and manually corrected the eligibility status of those beneficiaries, but the Department had not fully researched the error or identified and corrected all of the cases affected by the errors at that time. As such, we also recommended that the Department identify and correct any additional cases affected by the system issues noted in our audit. The Department agreed with the recommendation and stated that it would implement them by July 2021. As part of our audit work, we discussed the Department?s progress in implementing our audit recommendation with Department staff. According to the Department, it worked with the Department of Human Services (DHS) during Fiscal Year 2022 to develop a plan to eliminate the issues, including the TRAILS eligibility mismatch issue, we identified in the Fiscal Year 2019 audit. In order to address our recommendation that the Department identify and correct any additional cases affected by the system issues noted during our Fiscal Year 2019 audit, the Department developed an eligibility reconciliation report that compares beneficiary records with an active eligibility span in Colorado interChange, in order to identify any records that were not reported in the monthly eligibility file from CBMS. Department staff reported that they are reviewing the reconciliation report monthly to identify any beneficiary records that need updating in CBMS. Beneficiaries may show up on the reconciliation report either because (1) Colorado interChange rejected the beneficiary?s eligibility due to a data integrity issue, or (2) there was a system defect in CBMS, Colorado interChange, or TRAILS that caused a mismatch issue. Data integrity issues include issues such as a missing mailing address or last name?these issues can be manually fixed in CBMS. System defect issues are generally more complex and require Department staff to research the problem and identify the system that caused the error (CBMS, Colorado interChange, or TRAILS), and then work with the appropriate staff to correct the issue. As part of our audit, we requested copies of the Department?s eligibility reconciliation reports for Fiscal Year 2022 and asked the Department if it identified any additional cases affected by the system issues we identified, and if so, if they had they corrected the issues. How were the results of the audit work measured? We measured the results of our audit against the following: ? Federal regulation [42 CFR 447.56(e)(2), Limitations on Premiums and Cost Sharing] states that federal funding will not be provided for payments made by the Department to providers for services rendered to individuals who are not eligible for Medicaid. ? The Act [Section 2, Division F, Sec. 6008, Temporary Increase of Medicaid FMAP] temporarily increased the federal medical assistance percentage (FMAP) by 6.2 percentage points, effective from January 1, 2020 until the end of the PHE. The Act requires states to maintain Medicaid and Children?s Health Insurance Program (CHIP) eligibility for beneficiaries enrolled as of March 1, 2020 through the end of the PHE (with certain exceptions) in order to receive the increased FMAP assistance (the ?continuous enrollment requirement?). The PHE remained in effect during the entirety of Fiscal Year 2022 through June 30, 2022. ? According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with the Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office, Paragraph 16.01, Perform Monitoring Activities, which states that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. What problems did the audit work identify? We determined that the Department did not fully implement our Fiscal Year 2019 recommendation related to Medicaid claims payments by the July 2021 due date it originally provided. Specifically, while the Department has started working with DHS on a plan to resolve the TRAILS eligibility mismatch issues and started preliminary work on the project, the project was still ongoing as of June 30, 2022. In addition, the Department?s system enhancements to CBMS and Colorado interChange were not fully executed because of the ongoing PHE. Once the PHE ends and the Department executes the system enhancements, the Department has indicated the system will begin to correct the CBMS and Colorado interChange mismatches. Finally, although the Department has identified additional beneficiary records that require updating in CBMS, it did not correct the identified issues in the system. Specifically, the Department identified approximately 32,800 separate beneficiaries that were flagged as having an eligibility issue through the Fiscal Year ending June 30, 2022. However, per Department staff, they are unable to tell which beneficiaries had data integrity issues versus those that were caused by a system defect. Once the continuous enrollment period ends and the Department is able to fully execute the system enhancements noted above, the Department reports that the systems will sync any error the Department has identified and will be manually corrected. Why did these problems occur? The Department indicated that it did not fully execute the CBMS and Colorado interChange system enhancements because of the Act?s ongoing continuous enrollment requirement. Specifically, because the Department was required to maintain Medicaid and CBHP beneficiaries enrolled as of March 1, 2020 through the entirety of Fiscal Year 2022 due to the continuous enrollment requirements in place, they were unable to fully execute the CBMS and Colorado interChange system enhancements that would fix the data integrity issues identified during the Fiscal Year 2019 audit. Why do these problems matter? Making payments to ineligible individuals can result in the Department having to repay the federal government for the federal portion of the overpayments. Further, because Colorado interChange makes payments on behalf of other federal programs, such as CBHP, system issues with Colorado interChange could result in erroneous payments for other programs. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-043 The Department of Health Care Policy and Financing should strengthen its internal controls over Medicaid claim payments by: A. Continuing to work with the Department of Human Services to fully implement the plan to eliminate the Colorado interChange issues between Colorado Benefits Management System (CBMS), TRAILS, and Colorado interChange to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries. B. Continuing to review the monthly eligibility reconciliation reports and identifying beneficiary records that need updating, and making necessary corrections in CBMS once the continuous enrollment condition ends. Response Department of Health Care Policy and Financing A. Partially Agree Implementation Date: April 2023 The Department and CBMS teams have strengthened their internal controls to ensure payments are only made to providers for eligible members. The Department and CBMS teams will update all member records identified on the Monthly Reconciliation report once the Public Health Emergency ends. TRAILS team has provided additional training to the Case Managers to prevent data integrity issues being submitted to CBMS and interChange; however, the TRAILS team does not plan to update the system's internal controls until funding is available. Auditor?s Addendum Our responsibility under federal audit regulations is to report to the federal government when we identify Medicaid payments that may not have been made on behalf of eligible individuals or costs that we question as appropriate. It is ultimately the Department?s responsibility to have internal controls in place over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions B. Agree Implementation Date: April 2023 The Department agrees to review the monthly eligibility reconciliation report and is looking forward to resolving the member records once the Public Health Emergency ends to fully resolve the audit finding.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-041 Medicaid Eligibility?Social Security Numbers associated with Multiple State IDs Each beneficiary?s Medicaid application must contain specific information, including the beneficiary?s Social Security Number (SSN), a copy of their birth certificate, and support for their income, necessary for determining their Medicaid eligibility. The local counties and MA sites are responsible for administering the benefits application process, including entering the required data for eligibility determination into CBMS, and approving or denying applicants? eligibility. CBMS is a shared eligibility system between the Department and the Department of Human Services. As each beneficiary has one SSN, similarly, the State Identification Module (SIDMOD), which is managed by the Office of Information Technology (OIT), is designed to assign a unique State ID for each beneficiary. CBMS interfaces with Colorado interChange, the Department?s Medicaid claims payment system, on a daily basis to update eligibility information, such as a beneficiary?s eligibility status or termination of benefits in Colorado interChange. Colorado interChange uses this information to process and pay claims for services provided to eligible Medicaid beneficiaries. When a medical provider submits a claim to the Department, Colorado interChange checks the State ID and the date of birth, but not the SSN, submitted with the claim against the beneficiary?s information on file. If the State ID and the date of birth match an eligible beneficiary within Colorado interChange and the claim is otherwise appropriate, then the claim will be processed and paid through the system. The Department requires local counties or MA site caseworkers to call the OIT Service Desk to obtain approval for changing or updating an SSN in CBMS. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department made claims payments on behalf of beneficiaries with the same SSN but different State IDs, including assessing the Department?s progress in implementing our Fiscal Year 2019 recommendation related to this issue. At that time, we recommended that the Department improve its internal controls in this area to ensure that it complies with federal regulations regarding Medicaid eligibility. The Department agreed with the Fiscal Year 2019 recommendation and, during our Fiscal Year 2021 audit, reported that it had implemented this recommendation as of December 2020. As part of our testing, we reviewed the internal controls the Department had in place during Fiscal Year 2021 to identify any beneficiaries whose SSN is linked to more than one State ID in Colorado interChange. During our audit, we requested a list of all Medicaid claims that were submitted by providers and paid by the Department from December 1, 2020, through June 30, 2021, including the beneficiaries? names, SSNs, and State IDs. The Department provided a list that included approximately 924,000 beneficiaries who received benefits during that period. We analyzed this listing to identify any beneficiaries whose SSN was linked to more than one State ID, and to determine if any claims payments were made on behalf of those beneficiaries from December 2020 through June 2021. How were the results of the audit work measured? Federal regulation [42 CFR 435.910] states that the Department must require, as a condition of eligibility, that each individual (including children) seeking Medicaid services furnish a SSN. Federal regulation [42 CFR 435.914] further requires the Department to obtain and maintain documentation to support each beneficiary?s Medicaid eligibility determination. Federal regulation [42 CFR 447.56(e)(2)] states that federal funding will not be provided for payments made by the Department to providers for services provided on behalf of individuals who are not eligible for Medicaid. Further, the Department is required by federal regulations to repay the federal government the federal share of any overpayments within one year. Specifically, pursuant to 1903(d)(2)(C) of the Social Security Act [42 U.S.S. 1396b], states have up to one year from the date of discovery of the overpayment to recover or attempt to recover the overpayment before the federal share must be refunded to CMS regardless of whether recovery is made from the provider. According to federal regulation [45 CFR 75.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office. Under Paragraph 16.01 of the Green Book, the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. What problem did the audit work identify? We determined that the Department has not fully implemented the prior audit recommendation. During our testing, we identified 102 unique SSNs that appeared to be inappropriately associated with more than one State ID; in total, the 102 SSNs were tied to 209 State IDs. This could indicate that the Department determined eligibility without a beneficiary furnishing the correct SSN and, as a result, made claims payments on behalf of ineligible beneficiaries or the SSNs could be valid, but with more than one State ID, a provider could submit and have a claim paid for the same services under both State IDs. Specifically, we found the following: ? For 62 SSNs, the SSNs were tied to beneficiaries with more than one State ID, totaling 129 different State IDs, where the State IDs appeared to be for different people based on the names and/or dates of birth. ? For 40 SSNs, the SSNs were tied to beneficiaries with more than one State ID, totaling 80 different State IDs, where the State IDs had the same name and date of birth. ? For 99 SSNs, each SSN was tied to two different State IDs in Colorado interChange. ? For three SSNs, each SSN was tied to more than two different State IDs in Colorado interChange. For example, in one of the three instances, there were five different State IDs associated with one invalid SSN. These issues affected a total of 209 Medicaid State IDs that had not been corrected as of June 2021, representing a total of $67,235 Medicaid claims paid through Colorado interChange from December 2020 through June 2021. We provided the list of SSNs and State IDs to the Department to research. The Department found that, as of the end of our audit in April 2022, 59 out of the 102 SSNs identified during the audit had been corrected by a caseworker, but 43 SSNs need to be corrected in CBMS. The Department reported that these 43 SSNs had been flagged through a system edit in CBMS implemented in December 2020; however, the SSNs had not yet been corrected because ?To merge or correct [the SSNs and State IDs] is a time intensive process and must be prioritized within the business process of the [local counties and] Medical Assistance sites.? Although the Department was able to determine which SSN and State ID discrepancies had been corrected in CBMS as of April 2022, the Department has not completed its research to determine which claims made in Colorado interChange were made on behalf of beneficiaries with a correct SSN, and whether the implemented system edit appropriately addresses the issues identified in both Fiscal Years 2019 and 2021. As of the end of the audit, the Department had not completed this research and we were unable to determine whether the payments were made on behalf of beneficiaries with a valid SSN at the time payments were made. Therefore, we consider all $67,235 of the payments to be known questioned costs; $37,786 of these costs were paid with federal grant funds. A questioned cost, as defined in federal regulations [45 CFR 75.2 Uniform Administrative Requirements, Cost Principles, and Audit Requirements] (Uniform Guidance), is ?a cost that is questioned by the auditor ? (1) Which resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds; [or] (2) Where the costs, at the time of the audit, are not supported by adequate documentation?.? We have identified these questioned costs as known questioned costs that are further defined in Uniform Guidance [45 CFR 75.516] as questioned costs that are specifically identified by the auditor. Why did this problem occur? The Department did not have adequate internal controls in place during Fiscal Year 2021 to prevent or detect all instances of multiple State IDs associated with the same SSN in Colorado interChange and, as a result, could not ensure only eligible beneficiaries received Medicaid services. SIDMOD does not prevent several situations that can result in the same SSN with more than one State ID. For example, caseworkers could incorrectly input an SSN into CBMS or the SSN could be reported by the beneficiary incorrectly and, as a result, cause a new State ID to be created. There can also be instances when someone changes their name, such as when they get married, and apply for benefits prior to getting married and also after getting married, which could cause two State IDs to be created. If someone starts an application and does not finish the application and then restarts a new application at a later date, this can also cause two State IDs to be created. Further, when inputting multiple family members into the system, an input error of the SSN can occur with multiple family members with the same SSN, which would create multiple State IDs (one for each family member) with the same SSN. According to the Department, in order to implement the Fiscal Year 2019 recommendation, it implemented a system edit in CBMS in December 2020 that is designed to identify discrepancies in newly-entered or updated SSNs and State IDs in CBMS after that date and to then notify the caseworker so the caseworker can address the discrepancy; this edit was not designed to address SSN and State ID discrepancies that existed prior to December 2020. As a result, the system edit did not identify SSN and State ID discrepancies for claims made from December 2020 to June 2021 if those discrepancies existed prior to the implementation of the system edit in CBMS and the beneficiaries? information had not been updated in CBMS. For example, if a beneficiary had an incorrect SSN prior to the system edit and was, therefore, ineligible to receive Medicaid services, Colorado interChange would continue paying claims on behalf of the beneficiary until information was updated in CBMS and the beneficiary was determined to be ineligible for Medicaid. Because the system edit implemented in CBMS is only designed to detect and correct future SSN and State ID discrepancies, the Department has not fully addressed the issue of inappropriate claims payments that we identified in the prior audit recommendation. According to the Department, addressing SSN and State ID discrepancies that existed prior to December 2020 involves a manual process to identify, research, and resolve the discrepancies. The Department stated that a report to identify SSNs with multiple State IDs is being developed and is currently scheduled for deployment in June 2023. Furthermore, the Department has not established a monitoring process over caseworkers to ensure SSN and State ID discrepancies are addressed appropriately and in a timely manner. Why does this problem matter? Failing to institute appropriate controls over the processing of Medicaid eligibility can result in the counties and MA sites granting Medicaid benefits to ineligible individuals. As the state Medicaid agency, it is essential for the Department to ensure that Medicaid benefits are paid only for eligible beneficiaries. This includes ensuring that the Department has sufficient internal controls to address risks related to multiple State IDs associated with the same SSN. For example, without adequate controls in place to prevent multiple State IDs from being created, providers could erroneously or fraudulently submit duplicate claims under these State IDs for the same services, resulting in improper payments. Ultimately, the federal government may disallow federal funds for Medicaid program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. Recommendation 2021-041 See Schedule of Findings and Questioned Costs for chart/table The Department of Health Care Policy and Financing (Department) should improve its internal controls over Medicaid eligibility by: A. Researching the claims payments that were identified during our audit to determine whether the local counties or Medical Assistance sites had a valid Social Security Number (SSN) when determining eligibility, if payments were appropriate?in accordance with federal regulation at the time the payments were made?and recovering any payments made to providers on behalf of ineligible beneficiaries in accordance with federal regulations. B. Continuing to develop a report to identify SSNs associated with multiple State IDs and establishing and implementing written policies and procedures outlining how the Department will use the report to effectively monitor and correct SSN and State ID discrepancies. C. Implementing a process to monitor that caseworkers are addressing the Colorado Benefits Management System alerts related to SSN and State ID discrepancies appropriately and in a timely manner. Response Department of Health Care Policy and Financing A. Disagree The research required to identify the appropriateness of payments for 102 SSNs compared to the 1.6 million Coloradans the Department serves is administratively impractical and not an efficient use of limited state resources. Instead the Department will continue our existing proactive approach. Based on previous research, 92% of errors noted in the 2019 sample actually supplied a SSN or met exceptions criteria; therefore, payments were appropriate. The resolution of a SSN discrepancy is addressed through manual intervention by county eligibility technicians when identified through the system edit implemented in December 2020. The Department will continue the existing process to address duplicate SSNs, which is working since 58% of the SSNs had already been corrected through the existing process during the audit work. The Department could not agree to the questioned costs as the testing failed to determine which member case was incorrect. The OSA should have documented the incorrect case or identified which State IDs had not been merged through the existing process. The OSA pulled claims data (not Colorado Benefits Management System, or CBMS, cases) and did not identify if those claims were from newly entered cases or cases entered prior to December 2020. The auditor?s sample should have only included the cases impacted by the Department?s system change related to the original recommendation. Further, the Department cannot recover any payments from providers since this issue is not related to services provided. When a provider checks a member's eligibility on the day of service and finds the member eligible through the Department?s system, that provider is guaranteed payment if they render an authorized service. Auditor?s Addendum Our responsibility under federal audit regulations is to report to the federal government when we identify Medicaid payments that may not have been made on behalf of eligible individuals or that we ?question? as appropriate. It is ultimately the Department?s responsibility to perform research over questioned costs to determine whether the payments were or were not appropriate and, working with CMS, whether the Department must refund the federal share of any overpayments to CMS, regardless of whether the Department recovers the payments from the providers. B. Agree Implementation Date: June 2023 The Department will continue our existing proactive approach to minimize this issue. The resolution of a SSN discrepancy is addressed through manual intervention by county eligibility technicians when identified through the system edit implemented in December 2020. The Department will continue the existing process to address duplicate SSNs. The Department has already made significant progress to monitor CBMS through the use of CBMS monitoring dashboards. These dashboards allow the Department to monitor and perform daily analysis. The Department meets bi-weekly to discuss findings and next steps to resolve any issues identified through the dashboard. These dashboards are being implemented over time as areas of improvements are identified. As part of the Department's continual improvement strategy, SSN discrepancy reports are included in the next implementation phase of the monitoring dashboards scheduled for June 2023. The Department will develop and implement policies and procedures outlining how the report will be used to effectively monitor and correct SSN and State ID discrepancies. Once that work is complete, the Department will send updated written guidance to our county and medical assistance sites on how to use system edits, reports, and dashboards to resolve duplicate SSNs. C. Agree Implementation Date: June 2023 The Department will continue our existing proactive approach to minimize this issue. The resolution of a SSN discrepancy is addressed through manual intervention by county eligibility technicians when identified through the system edit implemented in December 2020. The Department will continue the existing process to address duplicate SSNs. The Department has already made significant progress to monitor CBMS through the use of CBMS monitoring dashboards. These dashboards allow the Department to monitor and perform daily analysis. The Department meets bi-weekly to discuss findings and next steps to resolve any issues identified through the dashboard. These dashboards are being implemented over time as areas of improvements are identified. As part of the Department's continual improvement strategy, SSN discrepancy reports are included in the next implementation phase of the monitoring dashboards scheduled for June 2023. Once that work is complete, the Department will send updated written guidance to our county and medical assistance sites on how to use system edits, reports, and dashboards to resolve duplicate SSNs appropriately and in a timely manner.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-047 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-034 MEDICAID CONTROLS OVER ELIGIBILITY DETERMINATIONS Individuals and families seeking medical benefits through Medicaid must apply and provide certain information to caseworkers at their local county or an MA site, which collects required documentation for determining the applicants? eligibility. Such documentation includes the applicants? birth certificates, support for income, and the value of resources, such as wage stubs and bank account balances. Caseworkers enter the applicant-provided data into CBMS, which contains system checks for determining the applicants? eligibility to receive Medicaid benefits. These system checks include calculating and verifying income and resources for the applicants, as well as assessing and collecting fees for benefits, such as buy-in premiums. For example, CBMS will mark an applicant?s eligibility as fail if the reported income or resources exceed specific limits that are set by federal and state regulations. The Department is responsible for monitoring the local counties? and MA sites? administration of Medicaid to ensure eligibility is determined in accordance with federal and state regulations. Medicaid applicants may be eligible for retroactive eligibility, which allows new Medicaid applicants to receive coverage for up to 3 months prior to the date of one?s application. As long as the individual meets Medicaid?s eligibility requirements in the 3 months preceding their application, the Department will retroactively pay Medicaid covered expenses that individuals incurred during that timeframe. Without retroactive eligibility, benefits for Medicaid eligible individuals begin on the date the application was received by the local county or MA site. As an example, if an individual has medical expenses in March, applies for Medicaid in June, and the individual has met the eligibility requirements for 3 months preceding their application, then any unpaid Medicaid covered expenses for March, April, and May are paid by Medicaid. Eligibility data from CBMS feeds into the Colorado interChange system (Colorado interChange), which issues payments to Medicaid providers for the services they render to Medicaid beneficiaries. The Department pays Medicaid providers through two methods: (1) directly through fee-for-service (FFS) payments for specific services rendered or (2) indirectly through monthly fixed amounts known as capitation payments that are paid to managed care entities, who contract with providers for services. The monthly capitation payments are paid every month on behalf of beneficiaries regardless of whether the beneficiaries receive medical services during the month. Colorado interChange is programmed to pay the FFS and monthly capitation payments only on behalf of beneficiaries deemed eligible in Colorado interChange based on eligibility information received from CBMS and requirements specified in federal and state rules and regulations. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to review the Department?s internal controls over the Medicaid eligibility determination process, as well as to determine whether the Department complied with applicable federal and state Medicaid eligibility requirements during Fiscal Year 2020. We performed testing on a statistical sample of 125 case files related to beneficiaries who (1) were deemed eligible for Medicaid during Fiscal Year 2020 and (2) had a payment made on their behalf to a Medicaid provider between July 1, 2019, and February 29, 2020. The purpose of our testing was to determine whether the beneficiaries were appropriately determined to be eligible for Medicaid during the time they received services within this period. This audit period was selected to accommodate changes that were made to federal Medicaid eligibility requirements in March 2020 due to the COVID-19 PHE. Our testing involved reviewing Medicaid case files, CBMS data fields, and supporting documentation related to eligibility determinations and redeterminations, as well as Medicaid payment information in Colorado interChange. For each beneficiary, we determined whether the Department ensured that local county and MA site caseworkers obtained and maintained required documents supporting eligibility determinations and redeterminations, and correctly entered eligibility data into CBMS. Additionally, for each sampled beneficiary, we determined whether CBMS showed the correct income and resources, the beneficiary was enrolled in the appropriate Medicaid program, buy-in premiums were assessed, and payments were not made after eligibility had ended during Fiscal Year 2020. We also inquired about the Department?s monitoring procedures over local counties and MA sites to ensure eligibility is determined in accordance with federal and state regulations. Additionally, we reviewed the Department?s progress in implementing our Fiscal Year 2019 audit recommendation related to Medicaid eligibility. Based on the results of that audit, we recommended that the Department strengthen its internal controls over Medicaid by providing adequate training, monitoring the local counties and MA sites, and researching and resolving CBMS system issues identified in our Fiscal Year 2019 audit. STATISTICAL SAMPLING METHODOLOGY We selected a statistical sample of Medicaid beneficiaries for our review of their case files in a manner that?if we found errors?would allow us to estimate the total number of beneficiaries who were improperly deemed eligible, as well as the resulting dollar amount of Medicaid benefit payments that were improperly paid during the audit period of July 1, 2019, through February 29, 2020. We designed our sampling methodology and sample size to support statistical projections of our testing results to the population of all beneficiaries for whom payments were made during the audit period. Our methodology included the following procedures: ? We requested and received from the Department a listing of all Medicaid FFS and capitation payments with a date of service during the audit period. The data set included State identification numbers (ID), which are unique to each beneficiary. ? We summarized all Medicaid payments made during the audit period by ID and removed any IDs for which total payments and adjustments netted to $0, which can happen when the Department catches and fixes payments made in error. This resulted in a population of 1,386,220 unique IDs that had a total of $5,408,339,948 in payments made on their behalf during the audit period. ? We used a stratified random sample, as shown in the following table, consisting of six strata defined by the total amount of payments for each unique ID. We selected random samples from each strata for a total of 125 IDs that had benefit payments totaling $3,127,704. The strata and sample sizes were defined based on our risk assessment and consultations with audit sampling methodologists from the U.S. Department of Health and Human Services, Office of Inspector General (HHS OIG). ? For each sampled ID, we tested eligibility covering the dates of service for every payment made on the individual?s behalf within the audit period. ? After we concluded our testing, we used HHS OIG?s Office of Audit Services statistical software in consultation with HHS OIG to project our results to the full population of IDs for which benefits were paid during the audit period. See Schedule of Findings and Questioned Costs for chart/table. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? For 32 of the 125 Medicaid beneficiaries? case files that we tested (26 percent), we identified at least one error within each case file. In total, we identified 43 errors within the 32 case files. These errors resulted in a total of $25,120 in known questioned costs for July 1, 2019, through February 29, 2020, and $6,843 in likely questioned costs for March 1, 2020, through June 30, 2020, as shown in the following table. See Schedule of Findings and Questioned Costs for chart/table. A questioned cost, as defined in federal regulations [45 CFR 75.2 Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards (Uniform Guidance)], is ?a cost that is questioned by the auditor ? (1) Which resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds; [or] (2) Where the costs, at the time of the audit, are not supported by adequate documentation?.? Furthermore, federal regulation [45 CFR 75.516] defines known questioned costs as questioned costs that are specifically identified by the auditor and likely questioned costs as an auditor?s best estimate of total questioned costs. During the COVID-19 PHE, CMS issued waivers that limited the Department?s ability to deny eligibility for enrolled beneficiaries. The Department also sought guidance from CMS on the treatment of beneficiaries who were ineligible prior to the COVID-19 PHE but were receiving benefits during this period. CMS guidance indicated that the Department should keep these beneficiaries enrolled during the COVID-19 PHE. Therefore, we are reporting any identified questioned costs from March 1, 2020, through June 30, 2020, the period during the COVID-19 PHE, as likely questioned costs. PROJECTED LIKELY QUESTIONED COSTS FOR JULY 2019 THROUGH FEBRUARY 2020. Based on our sample, we estimate the projected Medicaid questioned costs resulting from payments made on behalf of ineligible beneficiaries in the population between July 1, 2019, and February 29, 2020, to be about $165.6 million and, with 90 percent confidence, to be at least $41.1 million but not more than $290.0 million. This projection is based on the $25,120 in known questioned costs, or misstatements, we identified in our sample during the audit period. The American Institute of Certified Public Accountants Audit Sampling, May 1, 2017, Audit Guide [AAG-SAM 4.95] advises, ?Even if the misstatement appears to be from an unusual source, that does not mean that other unusual items are not in the population and that the original sample was not representative.? In accordance with this guidance, we projected the known questioned costs to the population of payments for services that occurred from July 1, 2019, through February 29, 2020, regardless of the nature of the errors or the programs involved, since the Department is ultimately responsible for all payments made to providers on behalf of eligible beneficiaries. The projected questioned costs amount of $165.6 million is based on a statistical calculation that does not correlate to specific payments to providers or to over-expenditures of the State?s General Fund or federal funds. However, this calculation indicates that if we tested the entire population, there is a 90 percent likelihood of finding the true amount of questioned costs to be between $41.1 million and $290.0 million and the amount would most likely be close to $165.6 million in erroneous payments. There is a 5 percent chance that the true amount of questioned costs is less than $41.1 million, and a 5 percent chance the true amount is over $290.0 million. PROJECTED LIKELY NUMBER OF INELIGIBLE BENEFICIARIES FOR JULY 2019 THROUGH FEBRUARY 2020. We also estimate that 169,026 beneficiaries, or with 90 percent confidence that at least 59,622 (4.30 percent) but not more than 278,429 (20.09 percent) beneficiaries, in our total population of 1,386,220 were likely ineligible at the time they received services from July 1, 2019, through February 29, 2020. The following table summarizes the results of our projections. See Schedule of FIndings and Questioned Costs for chart/table. The following table summarizes the total known and likely questioned costs based on our case file testing and statistical sampling results for Fiscal Year 2020. See Schedule of Findings and Questioned Costs for chart/table. DETAILS OF ERRORS IDENTIFIED. In some case files, we identified multiple instances of errors. Specifically, we found the following: ? PAYMENTS AFTER ELIGIBILITY HAS ENDED. In three cases, the Department paid for services after the beneficiary?s eligibility had ended. Specifically, in two cases, the beneficiaries continued to receive benefits after their death. In the remaining case, the Department determined the beneficiary was ineligible and ended the beneficiary?s benefits; however, payments continued to be made on behalf of the beneficiary after their eligibility had ended. These issues resulted in known questioned costs of $11,102. Federal regulation [42 CFR 433.304] states that an overpayment is the amount paid by a state agency to a provider in excess of the allowable amount for furnished services. Because medically necessary services cannot be provided after a beneficiary?s death, no medical services are allowable after a beneficiary?s death. Accordingly, payments for medical services claimed to have been provided after a Medicaid beneficiary?s death are overpayments. According to federal regulation [42 CFR 431.958], ?Improper payment means any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements; and includes any payment to an ineligible beneficiary, any duplicate payment, any payment for services not received, any payment incorrectly denied, and any payment that does not account for credits or applicable discounts.? ? INELIGIBLE FOR PROGRAM. In one case, the beneficiary was ineligible for the benefits received under Medicaid?s Social Security Income (SSI) mandatory program, which is a medical assistance program provided to persons eligible for financial assistance under SSI from the Social Security Administration (SSA). As a result of an eligibility redetermination, the caseworker determined that the beneficiary had not been eligible for the program since January 2019; however, the beneficiary received benefits under this program for the entire fiscal year. This issue resulted in known questioned costs of $8,326 and likely questioned costs of $4,132 for Fiscal Year 2020. State regulations [10 CCR 2505-10, 8.100.6.C.1a. and b.] state that Medicaid benefits must be provided to persons receiving financial assistance under SSI or persons who are eligible for financial assistance under SSI, but are not receiving SSI. ? INCOME ISSUES. We identified the following income-related issues: ? INCOME EXCEEDING THRESHOLD. In two cases, CBMS incorrectly calculated the beneficiaries? income. CBMS used income information reported by the beneficiary when it should have used electronic income information received through an interface with another system. If CBMS had correctly used the electronic income information, beneficiaries? income would have been over the limit set by federal regulation and the beneficiaries, therefore, should have been denied benefits at their redetermination. Instead, the beneficiaries were approved at their redeterminations and Colorado interChange paid claims on their behalf. These errors resulted in known questioned costs of $4,613 and likely questioned costs of $2,281. ? INCOME NOT VERIFIED. In one case, the caseworker did not verify income for the beneficiary. Specifically, the beneficiary reported income on the application, but the caseworker was unable to verify the income and deleted the income record from CBMS. This error resulted in known questioned costs of $779 and likely questioned costs of $280. ? INCORRECT INCOME THRESHOLD. In one case, CBMS used the incorrect income threshold for the beneficiary?s eligibility determination. The beneficiary?s income was less than the correct income threshold and, therefore, this error did not result in questioned costs. ? INCORRECT INCOME. In three cases, the caseworker used the incorrect income amount to determine eligibility. Specifically, in two cases, the caseworker excluded income when it should have been included for determining eligibility. In the remaining case, the caseworker did not include expenses to calculate self-employment income and, as a result, the caseworker overstated income for determining eligibility. No questioned costs were identified in these instances because the beneficiaries? income was still within federal and state income guidelines. Federal regulation [42 CFR 435.119] requires household income to be at or below 133 percent threshold of the federal poverty level and the State regulation [10 CCR 2505-10, 8.100.6.L.2.c] requires qualified beneficiary?s income to be at or below the federal property level. Federal regulation [42 CFR 435.914] requires the Department to obtain and maintain documentation to support each beneficiary?s Medicaid eligibility determination. State regulation [10 CCR 2505-10, 8.100.5.B.1.c] requires the caseworker to verify earned income in determining whether an individual qualifies for medical assistance and requires the Department to verify income reported by a beneficiary through an electronic data source, wage stubs, tax documents, or verification with the employer. State regulation [10 CCR 2505-10, 8.100.3.K.8.a] requires business expenses to be deducted from countable self-employment income when calculating Medicaid applicants? self-employment income. ? MISSING REDETERMINATION. In one case, the Department did not complete the annual redetermination for the beneficiary as required by the federal regulation. Specifically, the beneficiary had Medicaid payments paid on their behalf during the entire Fiscal Year 2020; however, the beneficiary had not been redetermined since April 2018 due to the beneficiary showing as ineligible in CBMS. This issue resulted in known questioned costs of $300 and likely questioned costs of $150. Federal regulation [42 CFR 435.916(a)] requires the Department to renew or redetermine Medicaid eligibility once every 12 months but no more frequently than once every 12 months. ? BUY-IN PREMIUMS NOT ASSESSED. In one case, the Department did not assess buy-in monthly premiums for the beneficiary. Beneficiaries are required to pay buy-in premiums to receive benefits under the Buy-in Working Adults with Disabilities program. Therefore, the beneficiary was not eligible for the Program during November 2019 through February 2020. The beneficiary did not have any claims submitted by providers during this time and therefore, this issue did not result in questioned costs. State regulations [10 CCR 2505-10, 8.100.6.P.1.f] require individuals to pay monthly premiums on a sliding scale based on income for the Buy-in Working Adults with Disabilities program to be eligible to receive benefits. ? INAPPROPRIATE CHANGE TO ELIGIBILITY. In two cases, the Department did not determine eligibility in accordance with state regulation. Specifically, the beneficiaries provided information to the Department that changed their eligibility and the caseworkers applied the change retroactively; these beneficiaries were current Medicaid beneficiaries rather than new applicants and state regulations do not allow eligibility to be changed retroactively for current beneficiaries. These issues did not result in questioned costs. State regulation [10 CCR 2505-10, 8.100.3.E] requires that retroactive eligibility only be provided to new applicants for the prior 3 months preceding the date of application. State regulations do not allow for retroactive redeterminations to existing beneficiaries.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-042 Medical Loss Ratio Reporting for Managed Care Entities The Department contracts with Managed Care Entities (MCEs) to provide managed care health plans and deliver health care services to eligible Medicaid and CBHP beneficiaries and pays MCEs monthly fixed amounts, known as capitation payments, based on rates determined by actuaries for the provision of services covered under the contract. The Department pays the MCEs monthly capitation payments on behalf of each Medicaid and CBHP beneficiary enrolled in the MCE?s plan. MCEs then coordinate services for the eligible Medicaid and CBHP beneficiaries and providers participating in the managed care system bill the MCEs directly for any medical services provided to Medicaid and CBHP beneficiaries. The MCEs are then responsible for paying the providers for the Medicaid and CBHP claims. The Department contracts with three different types of MCEs?Managed Care Organizations (MCO), Prepaid Inpatient Health Plans (PIHP), and Primary Care Case Management (PCCM) Entities. During Fiscal Year 2021, the Department had a total of 8 contracts with 10 MCEs, with two pairs of MCEs sharing a single contract with the Department. The Department is responsible for monitoring the MCEs to ensure they are complying with federal regulations and their contract provisions, including requirements that the MCEs annually submit Medical Loss Ratio (MLR) reports to the Department. The MLR is the proportion of state and federal Medicaid and CBHP funds that the MCE used for medical services compared to the funds used for its administrative costs. MCEs are required by both federal regulations and their Department contract provisions to have an MLR above 85 percent (i.e., an MCE?s administrative costs cannot exceed 15 percent) except for specific exceptions defined in federal regulations. If the MLR is below 85 percent, the MCE must pay back the state and federal government for the amount that caused the MCE to fall below 85 percent. Every fiscal year, the Department provides an MLR reporting template for the MCEs to complete and return to the Department. The Department reported that when it receives the completed templates, staff review the information provided by the MCEs and compare it to supporting documentation to ensure it is accurate and complete. Once the Department has reviewed the MLR reports submitted by the MCEs, the Department submits the MLR reports to CMS, which are due by June 30 of the year following the end of the MLR reporting year. For example, an MCE with a reporting year ending June 30, 2020, would be required to submit the MLR calculation to CMS by June 30, 2021. During Fiscal Year 2021, the Department reported that it paid approximately $1.4 billion in Medicaid and CBHP capitation payments to MCEs for medical services, not including the capitation payments for other services, such as administrative costs. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to review the Department?s internal controls and compliance over ensuring that MLR reports submitted to CMS by the Department include all the required information in accordance with federal regulations during Fiscal Year 2021. The audit work included making inquiries of Department staff regarding the Department?s documented policies and procedures over obtaining and reviewing MLR reports from each MCE. In addition, we requested and reviewed all MLR reports submitted to the Department by the 10 MCEs that were under contract with the Department in Fiscal Year 2021 to determine whether the MLR reports included all information required by federal regulations and were submitted within the required timeframes. How were the results of the audit work measured? Federal regulations [42 CFR 438.8(k)] require that the Department ensure each MCE under contract with the Department submits a report with the data elements specified in 42 CFR section 438.8(k)(1). The reports are specifically required to contain 13 required data elements, reflect the correct reporting years, and contain an attestation of accuracy regarding the calculation of the MLR. The 13 data elements include items such as total incurred claims, the methodology for allocating expenditures, the calculated MLR, and a comparison of the information reported in the MLR report to the MCE?s audited financial report. Federal regulations [42 CFR 438.8(g)] note that the method used to allocate expenses in the MLR calculation must be: ? Based on a generally accepted accounting method that is expected to yield the most accurate results; ? Any shared expenses must be apportioned pro rata to the contract incurring the expense; and ? Expenses that relate solely to the operation of a reporting entity must be borne solely by the reporting entity and are not to be apportioned to other entities. Federal regulations [42 CFR 438.8(k)(2)] require MCEs to submit the MLR report in a timeframe and manner determined by the Department, which must be within 12 months of the end of the MCE?s reporting year. The Department?s contract provisions for MCEs state that the MLR reporting year should align with the State?s fiscal year, beginning on July 1 and ending on June 30 of the subsequent calendar year. Contract provisions also state that each MCE shall submit to the Department the completed MLR calculation template and supporting documentation for each reporting year by the following January 15. For example, an MCE with a reporting year ending June 30, 2020, would be required to submit the MLR calculation template to the Department by January 15, 2021, and the Department would be required to submit the MLR calculation to CMS by June 30, 2021. What problems did the audit work identify? We reviewed all reports provided to the Department by the 10 MCEs during Fiscal Year 2021 (for the MLR reporting year ended June 30, 2020) and determined that none of the MLR reports submitted by the 10 MCEs to the Department contained all of the required data elements in Fiscal Year 2021. Specifically, the MLR reports were missing 2 of the 13 (15 percent) required data elements: the methodology for the MCEs? allocation of expenditures and a comparison of the information reported in the MLR report to the MCEs? audited financial reports. This omission is significant because the MCEs reported total medical expenditures ranging from $20.5 million to $208.4 million and earned revenue from $23.4 million to $219.1 million. In addition, we determined that 1 of the 10 MLR reports received in Fiscal Year 2021 (10 percent) had not been submitted to CMS as of April 2022. This report was due to CMS on June 30, 2021. Why did these problems occur? We found that the Department lacked adequate controls to ensure that MLR reports submitted by the MCEs fully complied with federal regulations. First, we noted that although the Department?s MCE contracts state the MCE?s MLR report should include all 13 federally required data elements, the MLR template the Department provided to the MCEs did not include specific sections addressing the two missing federally-required data elements. As a result, the MCEs did not submit this information. Furthermore, the Department did not have written policies and procedures for reviewing completed MLR reports to ensure the reports ultimately included those requirements. Second, the Department does not have an enforcement mechanism to ensure the MCEs provide corrected MLR report information in a timely manner. The Department reported that it had not submitted the one MLR report to CMS because it had open questions on the MLR report and was unable to verify that the information was correct, valid, and in compliance with federal regulations. Although the Department sent the MLR report back to the MCE for correction several times, the Department did not have sufficient controls in place to ensure the MCE ultimately provided the corrected report back to the Department within the required reporting timeline for CMS submission. Why do these problems matter? The Department is responsible for ensuring MLR reports are obtained and submitted to CMS in accordance with federal regulations and that MCEs have an MLR above 85 percent. While all 10 MCEs reported that their MLRs were above 85 percent for the reports submitted during Fiscal Year 2021, without providing all required data elements, neither the Department nor the federal government can validate that this percentage is accurate. By not including the methodology for the MCE?s allocation of expenditures, the Department, and ultimately CMS, are unable to confirm that each type of expense is being allocated correctly and that any shared expenses are being prorated appropriately. Additionally, by not including a comparison of the information reported in the MRL to the MCE?s audited financial report, the Department is unable to confirm that the information the MCE used to calculate their MLR is accurate. Overall, without effective internal controls in place, the Department risks providing MLR reports to CMS that contain inaccurate or incomplete information or that the MLR is below 85 percent and the Department does not catch the error. As a result, state and federal funds could be used disproportionately on administrative costs rather than medical services, which would negatively impact the quality of care Medicaid and CBHP beneficiaries receive. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-042 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls over Medical Loss Ratio (MLR) reporting by: A. Updating its MLR report template provided to Managed Care Entities (MCEs) to comply with federal regulations and developing and implementing written policies and procedures. These policies and procedures should include the requirement for MCEs to submit MLR reports that include the data elements required by federal regulations and specify the Department?s review process of those MLR reports to ensure they include accurate and complete information. B. Developing an enforcement mechanism to ensure it receives accurate and corrected information from the MCEs in a timely manner so the Department is able to complete its validation process of MLR reports and meet the June 30 deadline for report submission to the Centers for Medicare & Medicaid Services. Response Department of Health Care Policy and Financing A. Agree Implementation Date: December 2022 The MLR report template has been updated and will now be reviewed at least yearly by the Department. In addition, new written policies and procedures are being developed and will be implemented before the submission of the next MLR for review. B. Agree Implementation Date: January 2023 The Department will add contract language and enforcement mechanisms in order to receive accurate information in a timely manner. This includes specific timelines for correcting incomplete or inaccurate information in order to submit the MLR report timely to the Centers for Medicare & Medicaid Services.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-043 Managed Care Entities? Periodic Audit Reporting On November 9, 2020, CMS adopted a final rule (Final Rule) revising the regulations governing managed care programs. The Final Rule was meant to streamline the existing Medicaid and CBHP managed care regulatory framework. Further, it adopted procedures and standards to ensure accountability and strengthen program integrity safeguards. The Department is responsible for complying with these federal program integrity regulations, some of which include requirements to monitor MCE compliance submission requirements, conduct periodic audits of submitted MCE data, and then post the periodic audits publicly on the Department?s website. These periodic audits are done to determine the accuracy and completeness of the (1) encounter and, (2) financial data submitted by each MCE, which are described as follows: ? Encounter Data. The Department?s contracts with the MCEs require each MCE to submit Medical Encounter Claims (Encounter Data) to the Department. Encounter Data includes services provided by any of the MCE?s providers, including, but not limited to, services delivered by medical groups, practices, clinics, physicians, or any other providers. MCEs must submit Encounter Data on a monthly basis on the last business day of the month. The Department then contracts with an independent external quality review organization to review the information and supporting documentation, and then the external organization issues a report on the data submitted by each MCE. ? Financial Data. The Department?s contracts with the MCEs require each MCE to complete a Department-provided financial reporting template that contains a breakdown of the MCE?s administrative and medical costs for a 12-month period (July through June). These templates are required to be completed and submitted to the Department by January 15 each year. The Department performs an initial review of the information, and then sends the completed templates to an independent CPA firm for final review and issuance of a report on the data submitted by each MCE. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to review the Department?s internal controls over and compliance with federal program integrity requirements for MCEs during Fiscal Year 2021. The audit work included making inquiries of Department staff regarding the Department?s documented policies and procedures over the MCE periodic audits. For each MCE, we reviewed the Department?s MCE contract, the financial reporting template submitted during Fiscal Year 2021, and the report issued by the Department?s contracted independent organization. Lastly, we reviewed the Department?s website to determine whether the Department posted the periodic audit results on their website. How were the results of the audit work measured? Federal regulations [42 CFR 438.602] detail the Department?s responsibilities associated with MCE program integrity. These include the following: ? Federal regulation [42 CFR 602(e)] requires the Department to periodically conduct, or contract for the conduct of, an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by each MCE. ? Federal regulation [42 CFR 438.602(g)(4)] requires that the results of the periodic audits for each MCE be publicly posted on the Department?s website. The Department?s MCE contracts require all MCEs to submit Encounter Data electronically to the Department on a monthly basis. The Department?s MCE contracts also require all MCEs to submit annual financial information, including annual financial statements and the Department provided financial reporting template. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in the Green Book. Under Paragraph 16.01, the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. What problems did the audit work identify? Overall, we found that the Department did not obtain complete financial data from the MCEs during Fiscal Year 2021 and did not post the audited results of the financial data to the Department?s website. Specifically, we found the following: ? Financial Data Reporting Template. For 2 out of the 10 (20 percent) financial reporting templates we reviewed, the MCE did not fill out the reporting template completely. As a result, the reporting templates were missing supporting information and explanations that assist the Department in their initial review of the MCE financial data, such as the MCE?s methodology for calculating administrative and medical costs submitted with the reporting template. ? Posting Incomplete Periodic Audits to the Department?s Website. For 10 of the 10 (100 percent) MCEs, we found that the Department failed to post the results of the financial data audits to its website. Pursuant to federal regulations, the audits must include information on encounter and financial data for each MCE and be posted to the Department?s website. We were able to verify that the Department did, however, post the results of the encounter audits to its website for all 10 MCEs. Why did these problems occur? The Department lacked adequate controls over ensuring compliance with federal program integrity requirements for MCEs. Specifically, the Department did not have written policies and procedures for performing the initial review of the financial data reporting templates before they are sent to the CPA firm for final review. In addition, the Department did not have written policies and procedures for ensuring all periodic audit information is posted to its website, including the results of the financial data audits. Why do these problems matter? As a recipient of federal funds, the Department is ultimately responsible for ensuring that it is in compliance with federal regulations. By not confirming that the MCE financial data templates are complete, there is a risk that the reports issued by the contracted CPA firm could be inaccurate or incomplete, which could lead to the Department not properly monitoring the managed care program. In addition, by posting incomplete periodic audit information to its website, the Department risks failing to comply with federal program integrity requirements for MCEs. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-043 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls by developing and implementing written policies and procedures for periodic audits that detail the process for (1) performing the initial review of the financial data reporting templates submitted by Managed Care Entities, and (2) posting complete periodic audit results on the Department?s website in accordance with federal regulations. Response Department of Health Care Policy and Financing Agree Implementation Date: December 2022 The Department did not have strong enough controls for the initial checks on the financial data reporting templates. This process has been updated and will be rectified in coming cycles. The Department has modified its templates in order to address the concerns provided by the auditors including signatures and supplemental reporting. Written policies and procedures for the validation and audit of the templates are being developed currently and will be in place and effective in December 2022. The Department will be correcting this error by posting the audit results along with other quality and audit reports on the following site: https://hcpf.colorado.gov/quality-and-health-improvement-reports.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-056 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-044 PROVIDER ELIGIBILITY Medicaid and CBHP cover a variety of medical and related services, which are provided by provider types such as clinics and hospitals, managed care organizations such as health plans or independent physicians, as well as individual medical providers working within these entities or individually. As of June 30, 2019, the Department had enrolled approximately 71,000 entities and individuals for providing services under Medicaid and CBHP. The Department is ultimately responsible for determining if providers are eligible to participate in Medicaid and CBHP. However, the Department has contracted with a fiscal agent, currently DXC Technology Services, LLC (DXC), to act on its behalf in determining Medicaid and CBHP provider eligibility. A fiscal agent is a contractor that performs certain provider enrollment and claims processing activities, including accepting, processing, evaluating, and approving or rejecting applications. The fiscal agent also assesses the providers into one of three risk categories?limited, moderate, and high?to ensure that appropriate federal and state regulations are applied during the provider enrollment process. Providers that want to enroll must complete an application within Colorado interChange and provide documentation, including a current business and/or medical license, showing that they fulfill all enrollment requirements. Once the enrollment process is complete, the Department enters into agreements with the providers that are found to be eligible. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over Medicaid and CBHP provider eligibility and enrollment processing, and to determine whether the Department complied with federal Medicaid and CBHP provider eligibility requirements during Fiscal Year 2019. Additionally, the purpose of our work was to determine the Department?s progress in implementing our Fiscal Year 2017 and 2018 recommendations related to provider eligibility and enrollment. At that time, we recommended that the Department improve its controls over Medicaid and CBHP provider eligibility determination and enrollment to ensure that it complies with federal and state requirements related to data verification, documentation including current provider licenses, monitoring policies and procedures, appropriate indication of results of database matches, and consistent display of provider information within Colorado interChange. The Department agreed with our recommendations and stated that it would implement them by Fiscal Year 2019. We reviewed a sample of 25 Medicaid provider applications for individual, company, and managed care providers that were deemed eligible and received payments during Fiscal Year 2019 through Colorado interChange for services provided. We obtained and reviewed the provider application information entered into Colorado interChange, as well as the supporting documentation uploaded into Colorado interChange by providers, to determine whether these providers were accurately deemed eligible to receive Medicaid payments and whether the required documents were present in accordance with federal and state regulations. In addition, we conducted interviews with Department staff regarding its procedures over Medicaid provider eligibility and enrollment. We also obtained a detailed Suspension Listing from the Department of Regulatory Agencies, which contained health care provider business and medical licenses that were terminated during Fiscal Year 2019. We compared the Suspension Listing with provider information in Colorado interChange to determine if the Department made inappropriate claims payments to unlicensed providers during the fiscal year. Because CBHP is operated through Medicaid, and the processes followed for provider eligibility and enrollment for CBHP providers are the same as the processes for Medicaid providers, our testing looked at compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal and state Medicaid regulations for provider eligibility during Fiscal Year 2019. Specifically, although we did not identify enrollment issues with the Department?s processing of providers who were newly enrolled during Fiscal Year 2019, we found at least one issue related to ongoing eligibility with all 25 sampled providers we tested: ? DATABASE MATCHES AND DISPLAY OF PROVIDER INFORMATION. We identified the following database match functionality issues with 24 of 25 providers (96 percent) tested: ? For 23 of 25 providers (92 percent) that included individual, company, and managed care providers, Colorado interChange showed that the provider?s owners, agents, and managing employees? SSNs were not verified against federal databases, as required. Specifically, the SSN check box within Colorado interChange indicated ?N,? meaning ?No verification was performed with the database.? Additionally, for one of 25 providers (4 percent) that was a managed care organization, the organization was enrolled in Colorado interChange in April 2019 and showed that the SSNs had been verified, but SSNs for two individuals who worked under this provider that were listed on the application were shown as ?N? within the system. ? For eight of 25 providers (32 percent) that included companies, Colorado interChange showed that the providers? Federal Employee Identification Numbers (FEIN) were not verified against federal and state databases, as required. Specifically, the FEIN check box within Colorado interChange indicated ?N.? ? For 13 of 25 providers (52 percent), Colorado interChange did not present the data of owners, agents, and managing employees information consistently between various screens within Colorado interChange. For example, when a provider noted owners, agents, or managing employees on its application, that information was not reflected in Colorado interChange outside of the application screen even though there is a section in Colorado interChange that should list the owners? information. According to federal regulation [42 CFR 455.436] and requirements established by the ACA [Patient Protection and Affordable Care Act (2010), Section 6401(a)], the Department must check federal databases to confirm providers? identity and determine whether providers are excluded from participating in the Medicaid program; this verification must also occur, if applicable, against providers? owners, agents, and managing employees. For example, the Department must check the federal exclusion databases at least monthly to ensure that the providers, owners, agents, and managing employees are not excluded from participating in the Medicaid program. Colorado interChange is designed to display provider application information consistently between various screens within the system, such as name, SSN, FEIN, and/or National Provider Identification number (NPI), with various federal and/or state databases to identify potential errors and to flag the application for a required caseworker manual review. According to Department staff, when Colorado interChange successfully verifies provider-provided information against another state or federal database, Colorado interChange should separately mark each verified data field on the application to note the successful match. Conversely, if Colorado interChange does not match a given field against a database, it should also be identified in the system. As a result of these issues, we were unable to determine if Colorado interChange performed the required matches and if any discrepancies in provided information were identified and presented to DXC, the fiscal agent, for a manual review to verify eligibility, as required. ? DOCUMENTATION. The Department did not maintain sufficient documentation within Colorado interChange for the receipt date of the fingerprints from the provider, the collection of application fees, and site visits, as follows: ? For four of 25 providers (16 percent) tested, the Department?s fiscal agent failed to fill in the receipt date field within Colorado interChange to indicate when fingerprints were received from enrolling providers. After bringing this issue to the Department?s attention, the Department provided fingerprinting documentation in November 2019 to support that these providers submitted fingerprints within 30 days of Department request in accordance with federal regulation; however, that receipt date information had not been documented in Colorado interChange as of November 2019. ? For one of 25 providers (4 percent) tested, the provider was assessed as high risk but the provider?s file did not contain evidence that an application fee was collected or that the fiscal agent conducted a site visit, as required. Under federal requirements [Sub Regulatory Guidance for State Medicaid Agencies (SMA): Revalidation (2016-001(3))], the Department ?must be able to produce documentation to support each of the provider screening and enrollment requirements,? such as requirements for fiscal agent-conducted site visits of moderate and high risk providers during the enrollment and revalidation process. Federal regulation [42 CFR 455.432] states that the State Medicaid Agency or their fiscal agent must conduct pre- and post-enrollment site visits of providers who are deemed as moderate or high risk to the Medicaid program. The purpose of the site visits is to verify that the information submitted to the state Medicaid agency is accurate and to determine compliance with federal and state enrollment requirements. Additionally, the Department?s contract with DXC requires the fiscal agent to maintain detailed documentation and procedures for Medicaid provider enrollment. Federal regulation [42 CFR 455.434] requires that, for any provider assessed by the Department as high risk, the Department must obtain fingerprints from the provider, including fingerprints for any person(s) who has a 5 percent or more direct or indirect ownership interest in the provider and furnishes medical or pharmaceutical services or supplies. The provider must submit the fingerprints within 30 days, upon request by the Department. Federal regulation [42 CFR 455.460(a)] states that the Department must collect the applicable application fee prior to executing a provider agreement from a prospective or re-enrolling provider, with certain limited exceptions. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal control over its federal awards that provides reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Green Book Paragraph 16.01, Perform Monitoring Activities, which states that the Department ?should establish and operate monitoring activities to monitor [its] internal control system and evaluate the results.? Monitoring activities include reviewing reports, observing operations, and ensuring that activities are carried out in accordance with the federal grant agreement. ? INELIGIBLE PROVIDERS: Based on our review of the suspended license listing from the Department of Regulatory Agencies, we identified three providers that had their licenses suspended during part of Fiscal Year 2019 but continued to be shown as active in Colorado interChange, as follows: ? One provider had its license suspended between February 11, 2019, and March 27, 2019; however, during this timeframe, the provider continued to bill claims and receive payments from Colorado interChange. After we questioned the Department about the issue, the Department issued a demand for payment letter dated October 18, 2019, to the provider for $15,061 in payments that were inappropriately paid. We consider these $15,061 payments to be known questioned costs; $7,531 of these payments were made with federal grant funds. ? Two providers had suspended licenses as of September 21, 2018, and February 25, 2019, respectively, but showed as active in Colorado interChange through June 30, 2019, and therefore appeared eligible to bill claims and receive payments. Based on additional testing, we determined that no payments were made to these providers after their licenses were suspended and did not identify any questioned costs associated with these two providers. Federal regulation [42 CFR 455.412] requires that the Department must have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State and confirm that the provider?s license has not expired and that there are no current limitations on the provider?s license. This federal regulation requires the Department to verify that the providers meet required licensure standards initially, and it is best practice for the Department to verify that the providers meet these standards on an ongoing basis to ensure that there are no current limitations on the provider?s license. In addition, state regulation [10 CCR 2505-10 8.125.9, Verification of Provider Licenses] states, ?If a provider is required to possess a license or certification in order to provide services or supplies in the State of Colorado, then that provider must be so licensed as a condition of enrollment as a Medicaid provider. As a condition of enrollment, any required licenses must be active without any current limitations.? Under the federal regulation, Requirements for Estimating Improper Payments in Medicaid and CHIP [42 CFR 431.958], ?Improper payment means any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements; and payment means any payment to a provider, insurer, or managed care organization for a Medicaid or CHIP beneficiary?? WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls in place over provider eligibility and claims payment processes related to the monitoring of DXC, its fiscal agent, during Fiscal Year 2019 to ensure that it complied with federal and state regulations. Specifically, Colorado interChange required fixes that were in various stages of correction during Fiscal Year 2019. According to the Department, Colorado interChange required a system fix in December 2018 in order to properly mark and/or display results related to federal and state database checks going forward; however, the system fix did not completely resolve the display issues to accurately indicate whether the data matches had occurred, and the Department did not retroactively make corrections to any cases that erroneously indicated that their information had not been verified. Rather, the Department stated that the inconsistent display issue related to providers that enrolled in the program when Colorado interChange was initially implemented and that this will be addressed after these providers are revalidated in Fiscal Year 2020 or when a provider updates their information, whichever occurs first. Additionally, the Department indicated that Colorado interChange did not have an automated system alert to check with the Department of Regulatory Agencies? license database on a regular basis to notify the fiscal agent and/or the Department that a license had expired. Although the Department reported that they had an interim manual process to ensure that expired licenses were identified and that subsequent steps were taken to ensure that providers remained eligible throughout the fiscal year to provide Medicaid services, the manual process did not identify and/or address the instances that we identified through our audit. Finally, we noted that the Department lacked an effective monitoring process over DXC, its fiscal agent, to ensure that the required documentation was maintained in accordance with Uniform Guidance, as the monitoring policies and procedures referred to as Provider Enrollment Audit Process were still in the draft stage during Fiscal Year 2019 and had not been formalized. WHY DO THESE PROBLEMS MATTER? By not ensuring that appropriate internal controls, including system controls and monitoring, are in place over the Medicaid provider eligibility and enrollment processes, the Department cannot ensure that all Medicaid providers are eligible or qualified to participate in the program. Additionally, without instituting a process to regularly update provider licensure information and to ensure that provider information contained in Colorado interChange is consistent and accurate, the Department cannot ensure that the enrolled providers are appropriately screened and are eligible to receive payments. Ensuring that providers contained in Colorado interChange are qualified to provide services is especially important because Colorado interChange is also used for provider eligibility determination for CBHP. Overall, the State could risk losing federal Medicaid and CBHP funding if it allows non-qualified providers to bill and be paid for services provided for these programs. RECOMMENDATION 2019-046 The Department of Health Care Policy and Financing (Department) should improve its controls over Medicaid and Children?s Basic Health Plan (CBHP) program provider eligibility determination and enrollment to ensure that it complies with federal and state requirements by: A Working with its fiscal agent to ensure that Colorado interChange performs all required database matches and properly displays results of Social Security Number and Federal Employer Identification Number verifications for all providers. B Establishing an effective process to ensure that provider licensing information contained in Colorado interChange is current, that any expired licenses are identified, and that any ineligible providers are disallowed from providing Medicaid and CBHP services and receiving payments in accordance with Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). C Formalizing the Department?s monitoring policies and procedures called Provider Enrollment Audit Process over the fiscal agent to ensure required documentation is maintained in accordance with Uniform Guidance. D Ensuring that Colorado interChange displays provider information consistently throughout the system. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department is working with its Fiscal Agent to ensure all required database screenings are performed and clearly identified in the Colorado interChange. An issue was identified in a prior year, FY 2018-19, that not all screening information was consistent. There was also a concern that initial screenings might miss some individuals due to the way data was formatted when transferred from LexisNexis. The issue was resolved by the Fiscal Agent prior to FY 2019-20. The Fiscal Agent is continuing to conduct manual reviews of all screening results to ensure compliance. A separate process to screen providers monthly is executed by the Department's Program Integrity Section. Through this process, no providers were found to have been enrolled incorrectly and, as necessary, the Department took appropriate action if there were changes to a provider's information. The Department is working with its Fiscal Agent to properly display results of Social Security Number and Federal Employer Identification Number verifications for all providers and automate the review process. The Department's implementation date reflects that the Department will complete the improvements and be in compliance with the Recommendation for the entirety of FY 2022-23. B DISAGREE. The Department finds that the Colorado interChange is working as designed, that the Fiscal Agent is appropriately enrolling providers, and that the Department is in compliance with the federal regulations regarding enrolling and revalidating providers. The Department is compliant with 42 CFR ? 455.436, which requires providers to be screened at enrollment and revalidation. All providers are assessed for eligibility requirements at enrollment and revalidation and are then screened monthly to identify any changes. For the licensing issue identified in this audit report, the Department performed the appropriate actions to recover funds within less than a month of the incident, which is compliant with federal regulation 42 CFR ? 455.436(c)(2). AUDITOR?S ADDENDUM: As noted in the finding, we found issues with the Department?s ongoing verification and monitoring of providers? eligibility that failed to prevent improper payments to an ineligible provider during the fiscal year. In addition, the Department did not send notification to recover funds from the provider until October 2019, or 8 months after the provider?s license was suspended. C AGREE. IMPLEMENTATION DATE: JULY 2020. The Department finalized the Fiscal Agent monitoring policies and procedures in December 2019 and therefore was unable to be in full compliance for the entire FY 2019-20. The Department's implementation date reflects that the Department will be in compliance with the Recommendation for the entirety of FY 2020-21. D DISAGREE. There was an initial system configuration on some early enrollments that prevented populating the requested information in the visible provider subsystem tabs for the auditor to review. The verification functionality happens within the provider portal and not in the visible provider subsystem tabs that the auditor reviews. However, no functionality or data was lost, the information only appeared and was stored in the provider portal. The Department implemented a solution so that the information will be displayed in the provider subsystem. This change is pending the next update the providers make and the data will be visible in the provider subsystem. The Department will not be making historical changes to the system. The Department has worked with the Fiscal Agent to resolve the issues which led to the finding and does not believe that expending additional resources to display historical information in both the provider portal and the provider subsystem is the best use of resources. The Department can produce the information manually. AUDITOR?S ADDENDUM: The data inconsistency issues we identified through our audit were based on our reviews of Colorado interChange through the access provided to us by the Department. As noted in the finding, inconsistent information within the provider eligibility screens used for Medicaid and CBHP increases the risk of inaccurate reviews of provider eligibility and ultimately, inappropriate enrollment screening. Therefore, as our recommendation states, the Department should ensure that Colorado interChange displays provider information consistently. The recommendation did not include restatement of historical information.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-048 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-035 MEDICAL ASSISTANCE PAYMENTS FOR DECEASED BENEFICIARIES As a safeguard against potential errors and fraud, state and local agencies need to be vigilant in preventing payments for medical services on behalf of ineligible individuals, such as those who are deceased. In general, the Department, local counties, and MA sites share responsibility for ensuring that only eligible beneficiaries receive public assistance benefits under Medicaid and CBHP. Local counties and MA sites caseworkers enter the required data for eligibility determination into CBMS, which either approves or denies eligibility for MA benefits. In addition, CBMS has various system interfaces to confirm and update the eligibility information in CBMS, including the date of death. Eligibility data in CBMS feeds daily into Colorado interChange and the Department pays providers through two methods: (1) FFS payments to medical service providers for specific services, including pharmacy prescriptions, and (2) capitation payments. The monthly capitation payments are paid at the beginning of each month regardless of whether the providers serve beneficiaries during the month or not. FFS payments are only made for Medicaid beneficiaries while capitation payments are made for both Medicaid and CBHP beneficiaries. Colorado interChange is programmed to pay FFS and monthly capitation payments only on behalf of beneficiaries that are deemed eligible based on eligibility information received from CBMS and requirements specified in federal and state regulations. CBMS receives beneficiary death information through various sources, including updates from beneficiaries? family members, daily interfaces with the SSA, and a monthly interface with the Colorado Electronic Death Registration System maintained by the Colorado Department of Public Health and Environment (CDPHE). If death information received in CBMS has not been verified, the Department will confirm the death information by sending notification letters to the deceased beneficiary. Once the death information is verified, CBMS is programmed to terminate the beneficiary?s eligibility as of the date of death. On a daily basis, CBMS then sends updated beneficiary eligibility and date of death information to Colorado interChange, which is programmed to run a daily automated process to stop payments, check for payments, and recover all FFS and capitation payments made after the beneficiary?s verified date of death. In the majority of cases, there is a delay between when the beneficiary dies and when the Department receives death information, verifies the date of death, and terminates benefits; which means that claims may be paid on behalf of deceased beneficiaries for a period of time. Per federal regulations, the Department is required to recover any payments made on behalf of these beneficiaries after their date of death. Once the Department receives verified death information, overpayments are recovered through an automated process in Colorado interChange. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over Medicaid and CBHP payments related to beneficiaries who die while receiving benefits, to determine whether the Department complied with applicable federal and state requirements, and whether payments were only made on behalf of eligible beneficiaries during Fiscal Year 2020. During our audit, we received a listing of all Coloradans who died during Fiscal Year 2020, including dates of death, from CDPHE staff. We also obtained a listing from the Department of all Medicaid and CBHP payments made to providers during Fiscal Year 2020. We compared the two listings using Social Security Numbers (SSN) and identified 1,059 Medicaid and CBHP IDs that had Medicaid payments totaling $429,951 made on their behalf and $194 in CBHP payments made on their behalf. In addition, we reviewed the Department?s processes, policies, and procedures for identifying, stopping, and recovering payments for deceased beneficiaries. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? Federal regulation [42 CFR 431 Subpart Q, Requirements for Estimating Improper Payments in Medicaid and CHIP] states that any payment to an ineligible beneficiary is considered an improper payment, which is any payment that should not have been made or that was made in an incorrect amount. Also, Section 25.5-4-301(2), C.R.S., requirements for Medicaid and CBHP, states that any overpayments of claims to providers are recoverable. These overpayments ?are recoverable regardless of whether the overpayment is the result of an error by the state department, a county department of human or social services, an entity acting on behalf of either department, or by the provider or any agent of the provider.?? Additionally, Section 25.5-4-301(2)(a)(II), C.R.S., states, ?If the state department makes a determination that such overpayment has been made for some other reason than a false representation by the provider?, the state department may waive the recovery or adjustment of all or part of the overpayment and accrued interest specified in this subparagraph (II) if it would be inequitable, uncollectible or administratively impracticable?.? Because medically necessary services cannot be provided after a beneficiary?s death, no medical services are allowable after a beneficiary?s death and, accordingly, payments for medical services claimed to have been provided after a beneficiary?s death are overpayments and should be recovered. Pursuant to 1903(d)(2)(C) of the Social Security Act [42 U.S.C. 1396b] requirements for Medicaid and CBHP, states have up to 1 year from the date of discovery of any overpayment to recover or attempt to recover the overpayment before the federal share must be refunded to CMS, regardless of whether or not recovery is made from the provider. According to federal regulation [45 CFR 75.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. Green Book, Paragraph 16.01, states that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. A questioned cost, as defined in Uniform Guidance [45 CFR 75.2], is ?a cost that is questioned by the auditor ? (1) Which resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds; [or] (2) Where the costs, at the time of the audit, are not supported by adequate documentation?.? Additionally, federal regulation [45 CFR 75.516] defines known questioned costs as questioned costs that are specifically identified by the auditor and likely questioned costs as the auditor?s best estimate of total questioned costs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We found that the Department made Medicaid and CBHP payments to providers for medical services claimed to have been rendered to Medicaid and CBHP beneficiaries after the months in which beneficiaries died. Specifically, the Department made payments on behalf of 1,059 beneficiaries after their date of death provided by CDPHE, resulting in overpayments of $185,265, of which $96,952 were paid with federal grant funds, as follows: MEDICAID FFS PAYMENTS. We identified 277 Medicaid beneficiaries whose SSN matched a death record from CDPHE and who had Medicaid FFS payments totaling $207,667 paid on their behalf to providers after their date of death. We reviewed payments for 21 of the 277 Medicaid beneficiaries and confirmed with the Department that 17 of the 21 beneficiaries (81 percent) were deceased and had payments made on their behalf after their date of death during Fiscal Year 2020. We also found that the Department had not recovered these improper FFS payments to ineligible beneficiaries as of the end of Fiscal Year 2020 and, therefore, these errors resulted in known questioned costs of $17,041, of which $8,654 was paid with federal grant funds. For the remaining four Medicaid beneficiaries, the Department researched and provided evidence that the beneficiaries were not deceased. Therefore, these four beneficiaries did not result in questioned costs. The remaining 256 beneficiaries whose SSN matched a death record from CDPHE and need to be researched and verified resulted in likely questioned costs of $77,840, of which $41,422 was paid with federal grant funds. MEDICAID AND CBHP CAPITATION PAYMENTS. We identified 846 Medicaid and CBHP beneficiaries whose SSN matched a death record from CDPHE and who had capitation payments paid on their behalf to providers after their date of death that had not been recovered as of the end of Fiscal Year 2020, totaling $222,630 for Medicaid and $194 for CBHP. We informed the Department of the issues we identified and provided them with the list of 846 beneficiaries. Department staff performed additional follow-up and confirmed that Colorado interChange had received verified death records for 747 of the 846 beneficiaries and a total of $170,747 in provider payments had been made on the beneficiaries? behalf after their dates of death during Fiscal Year 2020. These payments resulted in known questioned costs of $168,224, of which $88,150 was paid with Medicaid federal grant funds and $148 was paid with CBHP federal grant funds. For 12 out of the 747 beneficiaries, the date of death reported in Colorado interChange differed from the date of death provided by CDPHE. Part of the payments to these beneficiaries resulted in likely questioned costs of $2,524, of which $1,401 was paid with Medicaid federal grant funds. For the remaining 99 of the 846 beneficiaries, the Department reported that Colorado interChange did not have death information for these beneficiaries and had not researched these further. As a result, Medicaid payments for these 99 beneficiaries are reported as likely questioned costs of $52,076, of which $28,508 was paid with federal grant funds. The following table summarizes the issues we identified. See Schedule of Findings and Questioned Costs for chart/table. WHY DID THESE PROBLEMS OCCUR? Overall, the Department lacked sufficient internal controls to ensure that medical assistance payments were not paid to deceased individuals during Fiscal Year 2020, as follows: ? LACK OF WRITTEN POLICIES AND PROCEDURES. The Department does not have written policies and procedures to monitor payments to deceased beneficiaries, to recover overpayments, and to ensure compliance with federal and state regulations related to medical assistance payments after a beneficiary?s date of death. ? SYSTEM ISSUES. We identified the following Colorado interChange system issues that caused the errors we identified: ? According to the Department, when Colorado interChange was implemented in 2017, it was programmed to only recover capitation payments in the current month and previous 2 months for Medicaid beneficiaries, and in the current month and previous 5 months for CBHP beneficiaries, after death information is received. As a result, for instances in which the Department received and verified beneficiaries? death information more than 3 months after the date of death for Medicaid and more than 6 months after the date of death for CBHP, the Department was not automatically recovering all improper capitation payments in accordance with federal and state regulations. According to the Department, in November 2020, the Department updated Colorado interChange to correct this system issue to recover all capitation payments after a beneficiary?s date of death. ? The Department lacks an effective internal control process for detecting when Colorado interChange is not recovering payments made on behalf of deceased beneficiaries. Specifically, we identified issues related to Medicaid FFS payments and followed up with the Department. Upon further review, the Department discovered a system defect that occurred from October 23, 2019, through April 23, 2020, which prevented Colorado interChange from carrying out the daily automated check and recovery process for FFS payments made on behalf of deceased beneficiaries. Due to this system defect, Colorado interChange did not recover any payments for deceased beneficiaries during this time. Although the system defect was fixed in April 2020, the Department was not aware of the issue and that payments were not being recovered for deceased beneficiaries until the Department researched the beneficiaries identified through the audit. According to the Department staff, as of May 2021, the Department was still researching the deceased beneficiaries impacted by the system defect and recovering payments. WHY DO THESE PROBLEMS MATTER? Without strong internal controls over Medicaid and CBHP eligibility, the Department increases the risk of improper payments due to fraud or error. Furthermore, making payments on behalf of ineligible individuals, including individuals who are deceased, can result in the Department having to repay the federal government for the federal portion of the overpayments. Additionally, the federal government can disallow federal funds for program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-035 The Department of Health Care Policy and Financing should improve its internal controls over Medicaid and Children?s Basic Health Plan (CBHP) payments for deceased beneficiaries by: A Establishing and implementing written policies and procedures to monitor payments to deceased beneficiaries, recover any overpayments, and to ensure compliance with state and federal regulations. B Researching and resolving the Colorado interChange system (Colorado interChange) issues to ensure that all Medicaid and CBHP payments are stopped and recovered after a beneficiary?s date of death and developing a process to detect when Colorado interChange is not recovering payments on behalf of deceased beneficiaries. C Researching and recovering any overpayments made to providers on behalf of ineligible beneficiaries noted through the audit in accordance with state requirements. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will create written procedures documenting system and monitoring processes used to prevent claims from paying after a beneficiary?s date-of-death is verified. In addition, the procedures will document the processes used to recover payments made between a beneficiary?s verified date-of-death and the date the Colorado interChange system is updated with the date-of-death. B AGREE. IMPLEMENTATION DATE: JULY 2022. The system issues described in this audit were resolved as of April 2020 for fee-for-service claims and November 2020 for capitation payments. Once a beneficiary's date-of-death is verified, payments that were made after to the date-of-death will be recovered through the Department's existing processes. As noted in the Department?s response to Recommendation (A), the Department will create written procedures documenting system and monitoring processes used to prevent claims from paying after a beneficiary?s date-of-death is verified. In addition, the procedures will document the processes used to recover payments made between a beneficiary?s verified date-of-death and the date the Colorado interChange system is updated with the date-of-death. AUDITOR?S ADDENDUM As noted in the finding, the Colorado interChange system defect did not recover payments from October 23, 2019, through April 23, 2020. However, the Department was not aware of the system defect until it researched the beneficiaries identified through the audit. According to Department staff, as of May 2021, the Department was still researching the beneficiaries that were impacted by the system defect and recovering payments. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will recover any overpayments made to providers on behalf of deceased beneficiaries once a beneficiary's date-of-death is verified based on our current processes and existing system functionality. The Department does not agree to the questioned costs identified by the auditors. When performing a review of the auditor?s data, several beneficiaries were found not to be deceased by the Department. The records provided by the auditors, like all records received from Colorado Department of Public Health and Environment (CDPHE) and the Social Security Administration (SSA), will go through the Department?s existing verification process. The Department performs the required research and outreach to beneficiaries to verify the date-of-death prior to updating the information in the Colorado interChange. In addition, the Department is not required to recover payments by the end of the state fiscal year, and reports any payments recovered to the Centers for Medicare and Medicaid Service (CMS) based on federal requirements. The Department?s source of beneficiary data, the verification processes, and recovery processes have already been established to satisfy this recommendation within federal guidelines. AUDITOR?S ADDENDUM As noted in the finding, all known questioned were for deceased beneficiaries that were verified by the Department. All likely questioned costs were for beneficiaries that had yet to be researched and verified by the Department. According to Department staff, as of May 2021, the Department was still researching and recovering payments made on behalf of deceased beneficiaries.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-050 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-037 RECOVERING AND REFUNDING OF FEDERAL SHARE OF MEDICAID AND CBHP PROVIDERS? OVERPAYMENTS The Department pays providers for services rendered to eligible beneficiaries of Medicaid and CBHP programs. In some cases, the Department may discover that it paid a provider for unallowed services, or that it paid more than the allowable amount, and will need to seek a recovery for the overpayment. In such cases, the Department is required to repay CMS for the portion of the overpayment that was funded by the federal government (federal share) within 1 year of the date the overpayment was identified. The Department?s Program Integrity (PI) Division identifies, receives, and tracks overpayments made to Medicaid and CBHP providers. An overpayment is identified once the PI Division sends a Demand Letter (date of discovery) to the provider or receives a self-disclosure identifying the amount of overpayment. The provider has a deadline of 30 days after receiving a Demand Letter or 60 days after submitting a self-disclosure to submit the overpayment or make arrangements for a payment plan with the PI Division. The PI Division uses a recovery tracking spreadsheet (Spreadsheet) to compile all necessary information for the recovery and refund of overpayments. The Spreadsheet is designed to contain information such as the amount of the overpayment, date of discovery, and deadlines for refunding to CMS. The federal share of overpayments that must be refunded to CMS depends upon the Federal Medical Assistance Percentage (FMAP) at which the Department was reimbursed. Once the PI Division recovers an overpayment from the provider, it determines the FMAP and includes it in a recovery form called the Colorado Authorization Document; PI Division staff then send it to the Controller?s Division for recording the recovery and refund information in the Colorado Operations Resource Engine (CORE), the State?s accounting system. The Department?s Controller?s Division uses summary data from CORE to report financial information for Medicaid and CBHP?including all overpayments and the associated federal share?to CMS in quarterly reports: Form CMS-64 for Medicaid and Form CMS-21 for CBHP. The Department has up to 1 year from the date of discovery of an overpayment to report the refund to CMS in one of these forms, as appropriate. The PI Division works with the Controller?s Division to ensure the timely reporting and refunding of the federal share of overpayments to CMS. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to review the Department?s internal controls over processes for recovering, reporting, and refunding the federal share of Medicaid and CBHP overpayments, as well as to determine whether the Department complied with applicable federal requirements and Department policies and procedures during Fiscal Year 2020. During our audit, we reviewed the Department?s Spreadsheet detailing all overpayment cases that appeared to be due for a refund of federal share to CMS during Fiscal Year 2020. The Spreadsheet included 50 Medicaid and seven CBHP overpayment cases, and from these, we selected and tested a sample of 13 Medicaid and five CBHP overpayments. We requested and reviewed supporting documentation for these overpayments to determine whether (1) the information recorded in the Spreadsheet was accurate, (2) the overpayment was recovered in a timely manner or recovery was attempted within 1 year from the date of discovery, and (3) the federal share was appropriately refunded through quarterly reports to CMS in accordance with federal regulations. Additionally, we requested the Department?s policies and procedures to ensure compliance with federal regulations governing the recovery, reporting, and refunding of Medicaid and CBHP overpayments to CMS. The process followed for recovery, reporting, and refunding the federal share of overpayments to providers is the same for both Medicaid and CBHP, and our testing was used to determine compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal regulations for recovering, reporting, and refunding the federal share of Medicaid and CBHP overpayments to providers during Fiscal Year 2020. We noted issues with the untimely recovery and refund of overpayments to CMS, inaccurate federal reporting to CMS, and untimely follow-up with the provider on outstanding overpayments and expired checks. Specifically, we identified the following: ? UNTIMELY RECOVERY AND REFUND. For six of the 13 Medicaid (46 percent) and two of five CBHP (40 percent) overpayments tested, the Department failed to recover, or seek to recover, the overpayments from the provider and failed to refund to CMS, the federal share, within 1 year of the date of discovery, as required by federal regulations. For example, an overpayment was identified on September 13, 2018, but the Department did not recover, or seek to recover, the overpayment until September 15, 2020, and did not refund the federal share to CMS until federal quarter ending September 30, 2020, which is 367 days past the 1 year recovery and refund period in accordance with the federal requirement. In addition, for one of the 13 Medicaid (8 percent) and one of five CBHP (20 percent) overpayments tested, the Department failed to refund the federal share of overpayment to CMS within 1 year of the date of discovery. As a result of untimely follow-up with the providers, the Department did not recover the overpayments amounting to $23,646 in known questioned costs; and did not refund $12,176 within the 1 year period of discovery. These errors resulted in underreporting of overpayments to CMS for Fiscal Year 2020. Additionally, the Department could be liable to CMS for the interest payments on these untimely refunds of overpayments. As of the end of our audit, the Department had not provided an estimated amount of interest that will be due to CMS so we were unable to report an estimated questioned costs amount for the interest. According to federal regulation [42 CFR 433.312(a)(1) and (2)], the Department has 1 year from the date of discovery of an overpayment to a provider to recover or seek to recover the overpayment before the Federal share must be refunded to CMS. In addition, the Department must refund the Federal share of overpayments at the end of the 1-year period following the date discovery of overpayment, whether or not the State has recovered the overpayment from the provider. According to federal regulation [42 CFR 433.320(a)(4)], if the Department does not refund the Federal share of such overpayment as indicated in the previous paragraph (a)(2), the State will be liable for interest on the amount equal to the Federal share of the non-recovered, non-refunded overpayment amount. Interest during this period will be at the Current Value of Funds Rate, and will accrue beginning on the day after the end of the 1-year period following discovery until the last day of the quarter for which the State submits a CMS-64 report refunding the Federal share of the overpayment. ? INACCURATE FEDERAL REPORTING. For all 13 Medicaid (100 percent) and all five CBHP (100 percent) overpayments we tested, the Controller?s Division reported the federal share of the overpayments made to providers on the wrong line of the CMS quarterly reports rather than on the line specified and required by Uniform Guidance. Uniform Guidance states that the Department must report the refund of the overpayment on CMS-64 for Medicaid on line 9C1- Fraud, Waste and Abuse and/or on CMS-21 for CBHP on line 4-Adjustments Decreasing Claims-Collections. ? EXPIRED CHECK AND UNTIMELY FOLLOW-UP. For one of the 13 Medicaid overpayments tested (8 percent), the PI Division failed to timely process the overpayment recovery check received from the provider. Consequently, the check, which was received on September 5, 2019, expired and the Department did not take any actions to follow up with the provider at any time through the end of the fiscal year to obtain payment. After we brought this issue to the Department?s attention, they followed up on the outstanding payment in January 2021, which is more than 16 months since the check expired. According to the Department?s Policies and Procedures, Recovery Officer Check Processing, Section (V)(A), the PI Division within Audits and Compliance has to process the received check in a timely manner and provide a copy to the accounting or Controller Division. ? INCOMPLETE TRACKING SPREADSHEET. We found that the overpayment recovery and refund tracking Spreadsheet used by the PI Division was incomplete and missing important information such as the date of the discovery, the federal program reimbursement rate, and deadlines for refunding to CMS. Green Book, Section 4, Paragraph OV4.08, states that documentation is required for the effective design, implementation, and operating effectiveness of an entity?s internal control system. WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls, including policies and procedures, in place over the recovery, reporting, and refunding of Medicaid and CBHP overpayments during Fiscal Year 2020 to ensure compliance with federal regulations. Specifically, we noted the following causes for the identified errors: ? LACK OF TRAINING. The staff within the PI Division and the Controller?s Division lacked adequate training to document, communicate, and report details of overpayments to ensure compliance with federal regulations. Specifically, the Department?s PI Division did not timely create and provide the Colorado Authorization Document form to the Controller?s Division and the Controller?s Division did not report the refund of the overpayments within 1 year of the date of discovery to ensure compliance with federal regulations. Additionally, staff lacked training to properly track and report overpayments for Medicaid and CBHP; timely process recovery and refund of overpayments, processing checks timely, and correctly report overpayments on CMS quarterly reports. ? LACK OF POLICIES AND PROCEDURES. The Department lacked written policies and procedures to ensure that all necessary information such as the date of the discovery, the federal program reimbursement rate, and deadlines for refunding to CMS required to track, recover, report, and refund overpayments were documented within the Spreadsheet. ? LACK OF ACCOUNT CODES. According to the Controller Division staff, the correct accounting codes are not set up in CORE; therefore, the recovered overpayments are currently recorded under incorrect accounting codes in CORE. This led to the reporting of overpayments on the incorrect federal reporting lines in CMS quarterly reports. ? LACK OF SUPERVISORY REVIEW. The PI Division and Controller?s Division lacked supervisory review over the Spreadsheet and CORE account codes used on the recoveries to ensure completeness and accuracy of information to support timely recovery, refund, and reporting of overpayments. WHY DO THESE PROBLEMS MATTER? Strong internal controls over refunding and recovery of Medicaid and CBHP overpayments, including written policies and procedures; adequate staff training on those policies and procedures, and any related processes; a proper tracking mechanism; and a supervisory review process are necessary to ensure that Department is in compliance with federal and state regulations. Without a proper tracking mechanism for overpayments, the Department risks failing to timely recover state funds paid improperly, refund overpayments, and accurately report overpayment information to the federal government, potentially resulting in additional liability of interest on overpayments to the federal government. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-037 The Department of Health Care Policy and Financing (Department) should improve its internal controls over Medicaid and Children?s Basic Health Plan (CBHP) overpayments and comply with the related payment and reporting requirements by: A Providing adequate training to staff to ensure timely documentation and communication of recovery information between the Program Integrity Division and the Controller Division related to reporting and refunding of overpayments within 1 year of the date of discovery in accordance with federal regulation. Additionally, the training should focus on proper tracking and reporting of overpayments for Medicaid and CBHP, timely processing of recovery of overpayments, timely check processing, and correct refunding of the federal share of these overpayments on Centers for Medicare and Medicaid Services (CMS) quarterly reports. B Developing and implementing written policies and procedures to ensure that all necessary information required to correctly track Medicaid and CBHP overpayments is included on the tracking spreadsheet and recovered overpayments are refunded and reported to CMS within the 1 year of the discovery date, in accordance with federal regulations. C Creating overpayment account codes to report recovered overpayments accurately in the Colorado Operations Resource Engine (CORE) and subsequently under the correct federal reporting lines in CMS quarterly reports. D Implementing a supervisory review over the tracking spreadsheet and CORE overpayment recovery account codes to ensure completeness and accuracy of information to support timely recovery and reporting of overpayments by the divisions. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will develop and provide training to staff that covers the federal regulations surrounding reporting overpayments and returning the federal share, required information for tracking overpayments, processes for processing recovered funds in a timely manner, and processes for properly refunding the federal share on the CMS-64 and/or CMS-21. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will draft and revise existing policies and procedures to ensure proper tracking of recovered overpayments, timely processing of those payments, and correct reporting on the CMS-64 and/or CMS-21. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will implement procedures and coding sufficient to allow proper reporting of overpayments returned greater than one year from the date of discovery for the CMS quarterly reports. D AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will develop and revise supervisory review processes for ensuring that the tracking spreadsheet is complete and accurate and that the CORE account codes are correctly reported.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2020-051 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-038 PRESUMPTIVE ELIGIBILITY Colorado?s presumptive eligibility program is designed to give immediate, temporary medical coverage to children under 19 and pregnant women while they wait for a regular Medicaid or CBHP eligibility determination. Though there are fewer eligibility requirements for presumptive eligibility in comparison with regular Medicaid or CBHP coverage, beneficiaries must submit a Medical Assistance application (Application) and meet certain criteria to be eligible. To manage the application process and help ensure that only people meeting the basic eligibility criteria are enrolled in presumptive eligibility programs for children and pregnant women, the Department partners with clinics, health care centers, and community resource centers that are certified as presumptive eligibility sites (PE sites). Such PE sites must be re-certified by the Department every 2 years to maintain their active status as qualified PE sites in order to process presumptive eligibility. As part of the re-certification process, the Department conducts a sample of eligibility case reviews. During Fiscal Year 2020, there were 57 PE sites that together determined presumptive eligibility for 1,795 Medicaid cases and 875 CBHP cases. The process of enrolling an applicant into a presumptive eligibility program begins when a caseworker at a PE site collects minimum information needed to determine presumptive eligibility, including the applicant?s name, age, residency, citizenship, and income. The caseworker enters this information into CBMS, which determines whether the applicant is eligible to receive Medicaid or CBHP temporary benefits. If the applicant is deemed presumptively eligible, then CBMS feeds relevant data to Colorado interChange, which issues payments to CBHP and Medicaid providers on behalf of these beneficiaries. If the applicant?s reported information is not in compliance with state and federal requirements, CBMS is programmed to deny the eligibility and mark the applicant?s eligibility as fail within CBMS. As a result, the applicant would not be eligible to receive any payments on their behalf through Colorado interChange. Once an applicant?s presumptive eligibility has been determined, the PE site submits the Application along with a transmittal form detailing the beneficiary?s reported information to the appropriate local county or designated MA site, which then completes the application process to determine regular (i.e., not presumptive) eligibility for Medicaid or CBHP benefits. Once the applicant is enrolled in the regular Medicaid or CBHP program, the individual?s presumptive eligibility benefits should end. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to review the Department?s internal controls over the processing of presumptive eligibility for Medicaid and CBHP programs, as well as to determine whether the Department complied with the applicable federal and state requirements for Fiscal Year 2020. During our internal controls testing, we reviewed all 57 PE sites to determine whether they were due for re-certification and were appropriately re-certified to process presumptive eligibility by the Department during the fiscal year. Out of 57 PE sites, 39 were due for re-certification during Fiscal Year 2020. We also reviewed the Department?s case reviews of the presumptive eligibility determinations processed by 13 staff at five out of the 39 PE sites due for re-certification during Fiscal Year 2020 to determine whether reviews were performed and if the appropriate training was provided for those PE sites? staff that failed the Department?s review. The PE site?s staff fails the Department?s case reviews if the Department identifies a high amount of presumptive eligibility determination errors in accordance with federal and state requirements. If the PE site?s staff fails the review, the Department requires the staff to undergo customized Department training over the areas they failed within 6 months of the review. We also made inquiries with Department staff regarding their policies and procedures over monitoring of these PE sites and reviewed the Department?s process of case file reviews. In addition, we randomly selected a sample of 20 Medicaid and 20 CBHP cases for individuals who were deemed presumptively eligible by the Department during Fiscal Year 2020 to determine whether the Department complied with federal Medicaid and CBHP presumptive eligibility requirements. Our testing included reviewing the related supporting case file documentation, as well as the CBMS data fields related to presumptive eligibility determinations and payment information in Colorado interChange. The process followed for presumptive eligibility determination is the same for both Medicaid and CBHP, and therefore our testing was used to determine compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal and state regulations regarding Medicaid and CBHP presumptive eligibility requirements during Fiscal Year 2020. We noted issues regarding the Department?s timeliness of PE sites? re-certifications, failure to timely end beneficiaries? presumptive eligibility, a lack of review of PE sites, and missing documentation. Additionally, we found CBMS system issues related to the determination of applicant?s presumptive eligibility. Specifically, we identified the following: ? UNTIMELY END OF PRESUMPTIVE ELIGIBILITY. In eight out of 20 Medicaid (40 percent) and seven out of 20 CBHP (35 percent) cases, we found that the Department did not properly end presumptive eligibility within CBMS as required by the federal regulation. For example, in one CBHP case, the beneficiary?s presumptive eligibility did not end until 57 days after the beneficiary was determined to be eligible for regular CBHP benefits. Federal regulation [42 CFR 435.1101)] states that presumptive eligibility should end the day on which a decision is made on the application for Medical Assistance or the last day of the month following the month in which the determination of presumptive eligibility was made. ? LAPSED CERTIFICATIONS OF PE SITES. We found that five of the 57 PE sites (9 percent) were not re-certified within 2 years, as required, during Fiscal Year 2020, and therefore, were not qualified to make presumptive eligibility determinations after their re-certification due date had passed. Based on inquiry with the Department, these five PE sites processed a total of 314 presumptive eligibility determinations for Medicaid and CBHP after their re-certification due date during Fiscal Year 2020. The Department was unable to provide the total payments made on behalf of these beneficiaries during the presumptive eligibility period as of June 30, 2020, since these payments are not separately identified from regular Medicaid or CBHP payments in the system. As a result, we were unable to determine the amount of questioned costs the Department paid for these individuals during Fiscal Year 2020. State regulation [10 CCR 2505-10, 8.100.4.F (3)] requires the Department to re-certify the PE sites every 2 years to remain an approved site. ? LACK OF REVIEW OF PE SITES. We found several issues with the Department?s review of PE sites. Specifically we found the following: ? For 13 out of the 39 PE sites due for re-certification and a review (33 percent), the Department did not perform any case reviews to ensure that presumptive eligibility determinations were being made appropriately and in accordance with state and federal regulations by the PE site staff during Fiscal Year 2020. ? 11 of 13 staff at three PE sites (85 percent) failed the Department?s review of presumptive eligibility determinations during the fiscal year. However, the Department was unable to provide adequate evidence that it provided training to these staff within 6 months of their failed reviews, as required by Department processes. ? Currently, for all 57 PE sites, the Department conducts reviews every 2 years, but only requires them to retain eligibility documentation for 1 year. As a result, the Department is able to monitor PE site?s eligibility determinations for only half of the period since the last review, leaving the other half unmonitored. Federal regulation (42 CFR 435.1102(b)(3)) requires the Department to ?establish oversight mechanisms to ensure that presumptive eligibility determinations are being made consistent with the statute and regulations?. According to the Department processes, staff are to review a sample of presumptive eligibility cases at PE site every 2 years when reviewing sites for re-certification. If a PE site?s staff fails a review, the Department requires the staff to undergo customized Department training within 6 months over the areas they failed. Green Book, Section 2, Paragraph OV2.02, states that the Green Book applies to all of an entity?s objectives: operations, reporting, and compliance. Additionally, Green Book, Paragraph 16.01, indicates that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports and observing operations. ? MISSING DOCUMENTATION. In five of the 20 CBHP cases (25 percent) and five of the 20 Medicaid cases (25 percent) we tested, the Department was unable to provide evidence that the PE sites notified the counties or MA sites within five business days that the applicants were presumptively eligible. Federal regulation [42 CFR 435.1102(b)(2)(iii)] states that the presumptive eligibility sites are required to notify the local county or MA site within 5 business days that the client is presumptively eligible. ? SYSTEM DISPLAY ISSUE. In two of 20 CBHP cases (10 percent) and two of 20 Medicaid cases (10 percent), CBMS did not display the presumptive eligibility termination dates consistently between various screens. For example, in a Medicaid case, one screen showed a presumptive eligibility termination date of January 22, 2020, and the other screen showed a presumptive eligibility termination date of February 29, 2020. This system display issue did not affect the beneficiaries? presumptive eligibility and therefore there were no questioned costs. CBMS is designed to display case and applicant information consistently between various screens within the system. WHY DID THESE PROBLEMS OCCUR? The Department lacked sufficient internal controls to ensure that it complied with state and federal presumptive eligibility requirements during Fiscal Year 2020. Specifically, we noted the following causes for the errors we identified: ? LACK OF POLICIES AND PROCEDURES. The Department did not have written policies and procedures detailing the requirements for completion of site reviews, maintenance of supporting documentation, and the performance of timely re-certification of PE sites. ? LACK OF MONITORING. The Department lacked an effective tracking mechanism to monitor and identify PE sites that were due for re-certification every 2 years and to ensure presumptive eligibility determinations were in compliance with state and federal regulations. ? CBMS SYSTEM ISSUES. CBMS was not programmed to appropriately terminate presumptive eligibility when the beneficiary is enrolled in the regular Medicaid or CBHP program. In addition, CBMS has a system display issue that results in inconsistent applicant information being shown on various screens. WHY DO THESE PROBLEMS MATTER? As the State?s Medical Assistance agency, it is essential for the Department to ensure that PE sites? eligibility determinations are made appropriately and in accordance with state and federal regulations. This includes ensuring benefits are paid only on behalf of eligible beneficiaries. Since CBMS determines eligibility for Medicaid and CBHP, the CBMS system issues we identified could result in erroneous eligibility determinations. The federal government can disallow federal funds for program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. By not ensuring that appropriate internal controls, including system controls, written policies and procedures, adequate reviews, and monitoring, are in place over the Medicaid and CBHP presumptive eligibility process, the Department cannot ensure that all Medicaid and CBHP beneficiaries are eligible to participate in the programs. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-038 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls over presumptive eligibility by: A Developing and implementing written policies and procedures detailing the requirements for completion of site reviews, maintenance of supporting documentation, timely training for failed presumptive eligibility (PE) site staff, and performance of timely re-certification of PE sites. B Developing an effective tracking mechanism to identify and monitor PE sites that are due for re-certification every 2 years and ensuring the re-certifications are performed. C Resolving Colorado Benefits Management Systems (CBMS) programming and system issues to appropriately terminate applicants? presumptive eligibility when the beneficiaries are enrolled in regular Medicaid or Children?s Basic Health Plan program and ensuring CBMS displays consistent applicant information between various screens. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department agrees with the audit recommendation to develop and implement formal written policies and procedures. Prior to this audit, the Department began creating formal written policies and procedures for site case reviews, maintenance of supporting documentation, timely training for failed workers, and performance of timely re-certification of presumptive eligibility sites (PE site). This finding had no known questionable cost associated with it. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Department agrees with the audit recommendation to develop an effective tracking mechanism to identify and monitor PE sites that are due for re-certification every two years and ensuring that the re-certifications are performed. Prior to this audit, the Department began developing a tracking mechanism for PE site re-certifications. This finding had no known questionable cost associated with it. C AGREE. IMPLEMENTATION DATE: IMPLEMENTED. Implemented as of April 2021. The Department has thoroughly researched the eligibility issues identified in this audit and made the changes to CBMS to ensure that applicants? presumptive eligibility has been appropriately terminated when the beneficiaries are enrolled in regular Medicaid or CBHP program, and that CBMS displays consistent applicant information between various screens. These issues were fixed through two system changes implemented in March 2020 and April 2021. This finding had no known questionable cost associated with it. AUDITOR?S ADDENDUM for Parts A, B, and C As noted in the finding, we found five PE Sites that were not re-certified within the required 2 years and therefore, were not qualified to make presumptive eligibility determinations after their re-certification due date had passed. State regulation [10 CCR 2505-10, 8.100.4.F] requires the Department to re-certify the presumptive eligibility sites every 2 years to remain an approved site. The five PE sites processed a total of 314 presumptive eligibility determinations after their re-certification due date and before the Department re-certified the sites. The Department was unable to provide the total payments made on behalf of these 314 beneficiaries? prior to being enrolled in the regular Medicaid or CBHP program as of June 30, 2020. Therefore, we were unable to determine the amount of questioned costs the Department paid for these individuals during Fiscal Year 2020.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2020-052 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-039 PROVIDER ELIGIBILITY The providers of medical and related services covered under Medicaid and CBHP programs fall into a wide array of provider types that include clinics, hospitals, independent physicians, and medical technicians, as well as managed care organizations and health plans that contract with medical providers. As of June 30, 2020, approximately 76,960 entities and individuals were enrolled with the Department to provide services under Medicaid and CBHP. Although the Department is ultimately responsible for ensuring that only eligible providers participate in the Medicaid and CBHP programs, the Department has contracted with a fiscal agent to perform certain provider-enrollment and claims-processing activities, including accepting, processing, evaluating, and approving or rejecting applications. Providers that want to enroll must complete an online application within Colorado interChange and provide documentation, including a current medical license, showing that they fulfill all enrollment requirements based on their provider type. The fiscal agent is contractually responsible for evaluating the application and the relevant supporting documentation to ensure compliance with all state and federal enrollment requirements. The Department is responsible for maintaining current provider information in Colorado interChange. Once the enrollment process is complete, the Department enters into agreements with the providers that are found to be eligible. In December 2019, the Department added a Department of Regulatory Agencies (DORA) license database interface within Colorado interChange in order to provide a mechanism for updating the provider?s medical license information including the expiration dates within Colorado interChange for any expired provider licenses. Department staff indicated that the provider licenses are manually reviewed at the time of enrollment by the fiscal agent and marked as active, meaning the providers are eligible to participate in the Medicaid and/or CBHP programs. On a monthly basis, the fiscal agent manually runs a report from the DORA database to identify the provider?s medical licenses that are about to expire and updates the renewed license information in Colorado interChange. If a provider?s license is expired, then the fiscal agent marks the provider for a review. Furthermore, the Department?s Program Integrity (PI) Division checks the DORA?s website monthly to determine if any action such as suspensions or revocations of licenses have been taken against a provider?s medical license. If the action taken against the provider affects the provider?s ability to participate in Medicaid or CBHP for a certain period, the PI Division then determines if the provider should be placed on a temporary restriction by suspending any payments, or be terminated within Colorado interChange to stop payments to the provider. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over the enrollment and eligibility determinations of providers for Medicaid and CBHP services and to determine whether the Department complied with federal Medicaid and CBHP provider eligibility requirements during Fiscal Year 2020. Additionally, we assessed the Department?s progress in implementing our Fiscal Year 2019 recommendation related to provider eligibility and enrollment. At that time, we recommended that the Department improve its controls in this area to ensure that it complies with federal and state requirements related to data verification and maintenance of documentation, such as current provider licenses, to ensure payments are only made to eligible providers. We also obtained a detailed Suspension Listing from DORA, which contained provider medical licenses that were suspended during Fiscal Year 2020. We compared this Suspension Listing with provider information within Colorado interChange to determine whether the Department paid any providers with suspended licenses for claims during the fiscal year. We reviewed a sample of 45 provider applications for providers that were deemed eligible and received Medicaid and CBHP payments during Fiscal Year 2020 through Colorado interChange. We obtained and reviewed provider application information and relevant supporting documentation within Colorado interChange to determine whether these providers were accurately deemed eligible to receive Medicaid and CBHP payments and whether the required documents were maintained, in accordance with federal and state regulations. In addition, we conducted interviews with Department staff regarding its procedures over Medicaid and CBHP provider eligibility and enrollment. In March 2020, the Governor issued executive orders waiving Medicaid and CBHP provider licensing requirements for providers whose licenses expired during the COVID-19 PHE; as a result, our testwork was split into two periods of testing: (1) July 1, 2019, through February 29, 2020, and (2) March 1, 2020, through June 30, 2020. The process followed for provider eligibility and enrollment is the same for both Medicaid and CBHP providers, and our testing was used to determine compliance for both programs. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? We applied the following criteria during our testing: ? FEDERAL REGULATION [42 CFR 455.412] requires that the Department have a method for verifying that any provider purporting to be licensed in accordance with the laws of any state is licensed by such state and confirm that the provider?s license has not expired and that there are no current limitations on the provider?s license. This federal regulation requires the Department to verify that the providers meet required licensure standards initially, and it is best practice for the Department to verify that the providers meet these standards on an ongoing basis to ensure that there are no current limitations on the provider?s license. In May 2021, CMS provided clarification to the Department that ?not every condition on a provider?s license would be considered a limitation? and the PI Division within the Department needs to ?document in writing their determination to keep a provider enrolled when a license limitation does not restrict the provider?s ability to render services to Medicaid and CBHP beneficiaries to be in compliance with federal regulation.? ? STATE REGULATIONS [10 CCR 2505-10, 8.125.9 A AND B] require for current medical provider licenses, if a provider is required to possess a license or certification in order to provide services or supplies in the State, then that provider must be so licensed as a condition of enrollment as a Medicaid provider. As a condition of enrollment, any required licenses must be active without any current limitations. ? DEPARTMENT POLICY AND PROCEDURE. Provider Licensure Sanction Monitoring, Section III. A., states that in order for a provider to be eligible to render and bill for services, the provider must have an active license. ? FEDERAL CMS REQUIREMENTS [Sub Regulatory Guidance for State Medicaid Agencies (SMA): Revalidation (2016-001 (3))] state the Department must be able to produce documentation to support each of the provider screening and enrollment requirements under 42 CFR 455 Subpart E, including documentation of the most current license to ensure the provider remains eligible to provide services. ? CONTRACT REQUIREMENTS. According to the contract agreement with the fiscal agent, the fiscal agent is required to maintain detailed documentation to support each of the provider screening and enrollment requirements, including documentation of the provider?s most current license to ensure the provider remains eligible to provide services for Medicaid and CBHP. ? FEDERAL REGULATION [45 CFR 75.303(a)] requires that the Department, as a recipient of federal funds, must establish and maintain effective internal control over its federal awards that provides reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Green Book, Paragraph 16.01, which states that the Department ?should establish and operate monitoring activities to monitor [its] internal control system and evaluate the results.? Monitoring activities include reviewing reports, observing operations, and ensuring that activities are carried out in accordance with the federal grant agreement(s). WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We found that the Department did not fully comply with federal and state regulations for Medicaid and CBHP provider eligibility during Fiscal Year 2020. The specific issues we identified through our analyses of Medicaid and CBHP provider license data and case file reviews are outlined in more detail throughout this section. ELIGIBILITY ISSUES IDENTIFIED THROUGH DATA ANALYSES INELIGIBLE PROVIDERS?SUSPENDED LICENSES OR LICENSE WITH LIMITATIONS. Based on our comparison of the suspended provider license listing from DORA and provider information within Colorado interChange, we identified 13 ineligible providers who had their license suspended or had a license with limitations for part of Fiscal Year 2020, but continued to be shown as active, which means eligible, in Colorado interChange, as follows: ? 13 providers had their licenses suspended by DORA during Fiscal Year 2020; however, instead of terminating these providers in accordance with federal and state regulations, the Department marked these providers as active within Colorado interChange. For four of the 13 providers, the Department did not take any action to prevent them from billing for services during the year. For the remaining nine providers, the Department placed billing restrictions on the providers after DORA?s suspension date. Specifically, for six of these nine providers, the Department placed billing restrictions on the providers within 1 to 2 months and for the remaining three providers, placed the billing restrictions on the providers between 3 to 12 months after DORA?s suspension date. Based on additional testing, we determined that no payments were made to these providers after their licenses were suspended by DORA and therefore, we did not identify any questioned costs associated with these providers. ? One provider had its license listed as active with conditions on DORA?s website from April 10, 2020, through June 30, 2020, but the Department did not terminate the provider due to current limitations on the license; instead, the provider was marked as active in Colorado interChange and continued to bill claims and receive payments during the fiscal year. We determined that the provider?s current license limitations did not restrict the provider?s ability to render services. Therefore, the provider was eligible and no questioned costs were noted. However, the Department did not document their determination to keep this provider enrolled with current license limitations. In addition, we noted that this provider?s license expired in Colorado interChange as of October 2016, however, DORA?s website showed the provider with an active license, or license with limitations, during Fiscal Year 2020. The fiscal agent did not update license information as required by the contract. ELIGIBILITY CASE FILE ISSUES MISSING DOCUMENTATION AND LICENSE INFORMATION. For five of 45 providers (11 percent), the Department did not ensure that the fiscal agent maintained the support of the most current medical license information as of June 30, 2020, within Colorado interChange to demonstrate that the provider was eligible to provide services. After we brought the issue to the Department?s attention, the Department provided the documentation. Additionally, for two of these five providers, we found that the medical license information maintained by the fiscal agent in Colorado interChange differed from the license information contained in the DORA database. For example, in one case, the provider?s license showed an expiration date of September 30, 2019, in Colorado interChange, while the accurate license expiration date in DORA?s database was September 30, 2021. Without the most current license information, the fiscal agent cannot appropriately verify ongoing eligibility for the providers. WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls in place over the provider eligibility process during Fiscal Year 2020 to ensure that it complied with federal and state regulations. ? INEFFECTIVE REVIEW OF PROVIDER LICENSES. The Department lacks an effective review process to ensure the license information in DORA?s database matches the license information in Colorado interChange in order to identify suspended providers, to document their determination to keep a provider enrolled with license limitations, and providers with expired licenses. In addition, the Department?s manual review did not ensure that suspended providers, providers with license limitations and providers with expired licenses were terminated and restricted in a timely manner. ? POLICIES AND PROCEDURES NOT UPDATED. The Department did not obtain CMS guidance until May 2021 to document their determinations to keep providers with license limitations enrolled when a license limitation did not restrict provider?s ability to render services. Therefore, the Department?s current policies and procedures are not updated to match CMS guidance. ? LACK OF EFFECTIVE TRAINING AND MONITORING. The Department was not effectively training and monitoring its fiscal agent to ensure that copies of active medical licenses are maintained within providers? files in Colorado interChange. Additionally, the fiscal agent did not properly update the provider?s license information in Colorado interChange to match the DORA database during Fiscal Year 2020. WHY DO THESE PROBLEMS MATTER? By not ensuring that appropriate internal controls, including policies and procedures, reviews, training, and monitoring, are in place over the Medicaid and CBHP provider eligibility process, the Department cannot ensure that all Medicaid and CBHP providers are eligible to participate in the programs. Additionally, without an effective review process to update provider licensure information within Colorado interChange, the Department cannot ensure that the enrolled providers are eligible to receive payments. Ensuring that providers contained in Colorado interChange are eligible to provide services is especially important to prevent any improper payments. Overall, the State could risk losing federal Medicaid and CBHP funding if it allows ineligible providers to bill and be paid for services provided for these programs. Furthermore, the State may lose federal Medicaid money if the Department does not recover any of the payments made to ineligible providers. State statute [Section 25.5-4-301(2), C.R.S.] indicates that any overpayments of claims to providers are recoverable. These overpayments ?shall be recoverable regardless of whether the overpayment is the result of an error by the state department, a county department of social services, an entity acting on behalf of either department, or by the provider or any agent of the provider.? See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-039 The Department of Health Care Policy and Financing (Department) should improve its internal controls over the Medicaid and Children?s Basic Health Plan provider eligibility determination to ensure that it complies with federal and state requirements by: A Improving the Department?s review process of provider licenses to ensure the license information in the Department of Regulatory Agencies (DORA) license database matches the license information in the Colorado interChange system and ensuring timely termination and imposing restrictions for the provider?s whose licenses are suspended or expired. B Updating the current policies and procedures to match Centers for Medicare and Medicaid Services guidance to ensure there is adequate documentation of the determinations for providers with license limitations. C Effectively training and monitoring its fiscal agent to ensure that copies of active licenses are maintained and provider license information in the Colorado interChange system matches the information in DORA?s license database. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will update its policies and procedures to ensure that the process for reviewing whether a license action requires termination or a restriction in the Colorado interChange, is documented and implemented in a timely manner to prevent payments to ineligible providers. As noted in OSA's finding, it is best practice for the Department to verify providers meet these standards on an ongoing basis between initial enrollment and revalidation to ensure there are no current limitations on the provider?s license, including those that have expired. The Department?s previous process was discontinued due to data matching issues between DORA and the Colorado interChange. However, letters continue to be sent to providers with upcoming expiring licenses prompting them to add current license information to their provider file. The Department plans to implement a system change that will make the data feed from DORA functional and install a front-end claims edit that will prevent claims from providers with an expired license from paying. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will update its policies and procedures to ensure that all determinations made on whether a provider has a limitation on its license are properly documented. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department has an established process to train and monitor its fiscal agent. The Department will continue to monitor the Fiscal Agent through reports, meetings, and quarterly audit review processes. The Department and the Fiscal Agent will continue to collaborate to improve the process in which required documentation is collected and maintained.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-054 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-041 MEDICAID ELIGIBILITY?MISSING SOCIAL SECURITY NUMBERS A beneficiary?s application includes information such as a Social Security Number (SSN), birth certificate, and supporting documentation for income. Local counties and MA sites are responsible for administering the benefits application process, entering the required data for eligibility determination into CBMS, and approving or denying applicants? eligibility. For example, Medicaid caseworkers enter and document each applicant?s SSN into CBMS. Caseworkers determine participants? eligibility to receive Medicaid benefits through CBMS. The CBMS eligibility data, including SSNs, feeds into Colorado interChange, which pays providers for the services they render to Medicaid beneficiaries. If there is a change to an SSN, including removing an SSN in CBMS, this change should feed directly into Colorado interChange. Additionally, children in foster care are automatically eligible for Medicaid; the TRAILS system that supports the foster care program at the Department of Human Services also interfaces with Colorado interChange on a daily basis to update foster care beneficiaries? eligibility information and pay providers for the services rendered. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls that were in place over the Medicaid eligibility process during Fiscal Year 2019, and to determine whether the Department complied with federal and state Medicaid requirements during this timeframe. During our audit, we requested a list of all Medicaid claims for medical services that were submitted and paid through Colorado interChange from July 1, 2018, through March 31, 2019. This list included claims made on behalf of approximately 1.1 million beneficiaries. We analyzed the data to identify any Medicaid claims payments made during July 1, 2018, through March 31, 2019, on behalf of beneficiaries who did not have an SSN in Colorado interChange on the date of the claims payment, and found a total of 524,092 claims paid on behalf of 46,772 beneficiaries. From this listing, we excluded any of the claims payments made on behalf of a beneficiary who was exempted from providing an SSN under federal and state regulations. For example, we removed claims payments for beneficiaries who were under the age of 1; beneficiaries who were in foster care and, therefore, were automatically deemed eligible for Medicaid; beneficiaries who had applied to the Social Security Administration for an SSN at the time of the payment; beneficiaries who received medical care as an emergency service; and beneficiaries who had chosen to opt out of providing an SSN due to allowed religious reasons. After we removed these exempted beneficiaries from the population, the list included 2,870 beneficiaries that appeared to be missing an SSN in Colorado interChange and who had Medicaid claims payments made on their behalf from July 1, 2018, through March 31, 2019. We then reviewed these remaining beneficiaries, and the related separate payments made on their behalf during this time period, to determine whether these beneficiaries had an SSN in Colorado interChange at the time of the claims payments and whether the individuals were eligible for Medicaid benefits in accordance with federal regulations and Department procedures. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? SSN REQUIREMENTS. Federal regulations [42 CFR 435.910 and 42 CFR 435.117(b)] state that the Department must require an SSN for each individual requesting Medicaid benefits, with the exception of newborns under the age of 1, or ?Eligible Needy Newborns,? and individuals who refuse ?to obtain an SSN because of well-established religious objections.? Federal regulation [42 CFR 435.145(b)(2)] states that the Department must provide Medicaid benefits to individuals who are in the foster care program. Section 472 of the Social Security Act does not require a child to provide an SSN in order to be eligible for the foster care program. State regulations [10 CCR 2505-10 8.100.3.I.1, 8.100.4.B.1.a, and 8.100.4.G.7.a] also require that every individual who applies for and receives Medicaid benefits must provide an SSN, or an application for an SSN, with their application for Medicaid. The regulation specifically states: An applicant?s or client?s refusal to furnish or apply for a Social Security Number affects the family?s eligibility for assistance as follows: i) that person cannot be determined eligible for the Medical Assistance Program; and/or ii) if the person with no SSN or proof of application for SSN is the only dependent child on whose behalf assistance is requested or received, assistance shall be denied or terminated. The regulation also states that newborns under the age of 1 and ?members of religious groups whose faith will not permit them to obtain Social Security Numbers shall be exempt from providing a Social Security Number.? Eligibility data, including SSNs, is required to be collected and entered into CBMS at the time of application or upon another event, such as the beneficiary turning 1 year old. Because this information is maintained within CBMS, and CBMS feeds eligibility information into Colorado interChange, eligible beneficiaries should have an SSN in Colorado interChange. MONITORING. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in the Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). Green Book Paragraph 16.01, Perform Monitoring Activities, states the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. TRAINING. Department training procedures indicate that when a local county or MA site caseworker needs to update an SSN in CBMS, he or she must call the Office of Information Technology (OIT) Service Desk within the Office of the Governor, for approval of the change. According to Department staff, once the OIT Service Desk reviews and approves the change, the information will be updated within CBMS; if the OIT Service Desk does not approve the change to the SSN, then the updated information will be rejected within CBMS. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We identified 2,870 beneficiaries who were required to have an SSN but did not have an SSN documented in Colorado interChange and had Medicaid claims paid on their behalf sometime between July 1, 2018, and March 31, 2019. In total, Colorado interChange paid approximately $4,540,920 in Medicaid claims for these beneficiaries during the time period noted. In August 2019, we informed the Department of the issues we identified and Department staff performed additional follow-up based on our findings, which included analyzing information contained in CBMS compared to our results from Colorado interchange; the Department confirmed in January 2020, the Department confirmed that 1,590 of these beneficiaries had never had an SSN recorded in CBMS since they were first found eligible for Medicaid benefits, and therefore, would never have had an SSN in Colorado interChange. Because these individuals were required by federal and state regulations to provide an SSN at the time of application or upon another event, as applicable, the lack of documented SSNs in both CBMS and Colorado interChange indicated that these individuals appeared to be ineligible for the Medicaid claims payments that were made on their behalf during the fiscal year. The Department indicated that the remaining 1,280 beneficiaries without an SSN in Colorado interChange did not have an SSN in CBMS at the time of the claim but had an SSN ?at some point? during Fiscal Year 2019 or prior within CBMS. Since the individuals lacked an SSN within Colorado interChange at the time of the Fiscal Year 2019 claims payments, and based on the documentation provided by the Department, we were unable to determine whether the individuals had submitted an SSN at the time of application or upon another event as required and, therefore, whether they were eligible for the Medicaid services they received. Overall, for the 1,590 beneficiaries noted, we identified known questioned costs of $2,285,757 for the period of July 1, 2018, through March 31, 2019; $1,142,879 of these costs were paid with federal grant funds. For the 1,280 beneficiaries noted, we identified likely questioned costs of $2,255,163 for the period of July 1, 2018, through March 31, 2019. We further analyzed 49 of the 1,590 beneficiaries noted above to identify reasons for missing SSNs and found that: ? Beneficiaries in CBMS were not eligible; however, they were marked as ?eligible? within Colorado interChange. ? Beneficiaries were incorrectly enrolled in the Eligible Needy Newborn Program even though they were all over the age of 1; as a result, although the Department had not required them to provide an SSN, they continued to receive benefits during July 1, 2018, through March 31, 2019. ? Beneficiaries were exempted from obtaining an SSN for unallowable reasons including ?incomplete documents? and ?illness? categories, and CBMS processed their eligibility and Colorado interChange made payments on their behalf; however, neither federal nor state regulations allow such exemptions. The Department has indicated that they are performing additional research on the issues regarding the 1,280 beneficiaries that had an SSN ?at some point? during Fiscal Year 2019 or prior within CBMS. WHY DID THESE PROBLEMS OCCUR? For 1,280 beneficiaries identified who were missing an SSN in Colorado interChange and CBMS at the time of the claim, but had an SSN ?at some point? within CBMS during Fiscal Year 2019 or prior, the Department provided the following possible explanation: The SSN was removed due to caseworkers failing to contact the OIT Service Desk for proper approval for changes to SSN information in CBMS. Other problems with missing SSNs were related to: ? CBMS ISSUES. CBMS was not programmed to appropriately deny an applicant?s eligibility for Medicaid when the individual did not have an SSN in CBMS and did not have an allowed exception noted in CBMS. Rather, CBMS allowed the SSN field to be left blank, regardless of the reason noted for the missing SSN and whether the reason was allowed as an exemption by federal and state regulations. In addition, the SSN in CBMS could be deleted at any time by the caseworker or the OIT Service Desk and CBMS was not programmed to alert the caseworker to follow up if an SSN had been deleted from the file. ? SYSTEM INTERFACE ISSUES AND LACK OF A RECONCILIATION PROCESS. CBMS was not interfacing with Colorado interChange appropriately to update beneficiaries? eligibility information. Some beneficiaries who were deemed ?ineligible? for Medicaid in CBMS were listed as ?eligible? in Colorado interChange and payments were made on their behalf during the fiscal year. Furthermore, the Department lacked an effective internal control process for reconciling Medicaid beneficiaries? eligibility information in CBMS to the eligibility information in Colorado interChange to ensure that the information was consistent in both systems, and that the beneficiary was appropriately deemed either ?eligible? or ?ineligible? in accordance with federal and state regulations. ? LACK OF EFFECTIVE REVIEWS, TRAINING, AND MONITORING. The Department was not effectively monitoring and training Medicaid local county and MA site caseworkers on required approvals for any changes to beneficiaries? SSNs. Further, the Department did not have an effective review process to ensure that beneficiaries were enrolled in the correct Medicaid program. WHY DO THESE PROBLEMS MATTER? As the state Medicaid agency, it is essential for the Department to ensure that Medicaid eligibility determinations are made appropriately and in accordance with state and federal regulations. This includes ensuring accurate processing of information used to determine Medicaid eligibility results in Medicaid benefits being provided to and paid on behalf of only eligible individuals. Since CBMS and Colorado interChange determine eligibility and issue payments on behalf of other federal programs, such as the CBHP, these issues could result in erroneous eligibility determinations or payments for other programs. Ultimately, the federal government may disallow federal funds for Medicaid program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2019-043 The Department of Health Care Policy and Financing should improve its internal controls over Medicaid eligibility by: A Researching and, if feasible, instituting a mechanism for identifying Medicaid cases in the Colorado Benefits Management System (CBMS) that lack a Social Security Number. B Researching and resolving CBMS and Colorado interChange interface issues to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries and establishing an effective reconciliation process between CBMS and Colorado interChange to ensure that Medicaid beneficiaries? eligibility information is consistent in both systems. C Effectively training and monitoring local counties and Medical Assistance sites to ensure that caseworkers are obtaining and documenting the Office of Information Technology Service Desk?s approval for changes to beneficiaries? Social Security Numbers, and that beneficiaries are enrolled in the correct Medicaid program. D Researching the cases identified in our audit to determine whether these beneficiaries were eligible and that the payments made on their behalf were appropriate, in accordance with federal and state regulations. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The CBMS currently has functionality in place for members requesting Medical Assistance that they must supply a Social Security Number (SSN) unless they meet certain acceptable exceptions at initial application. Since CBMS is a shared system between the Department and the Department of Human Services and any change would impact all cases in CBMS, the Department cannot guarantee that a system change can be implemented. The Department can agrees to research on the feasibility of instituting a mechanism for identifying Medicaid cases in CBMS that lack a social security number and, if feasible, implement a CBMS change by July 2022. B AGREE. IMPLEMENTATION DATE: JULY 2021. The Department agrees to research and resolve Colorado Benefits Management System (CBMS), and Colorado interChange system interface issues identified in the audit. The Department implemented a system change in June of 2018 that allows retroactive changes in eligibility to be correctly synced between the systems. The majority of the impacted cases are historical cases that will be manually corrected by June 2020. Additional cases involve detailed research, review, and potential outreach to case workers to correct the case file or verify the eligibility status of the impacted members. The Department will take the appropriate actions to notify impacted members if necessary. The Department's implementation date reflects that the Department will be in compliance with the Recommendation for the entirety of FY 2021-22. C AGREE. IMPLEMENTATION DATE: JULY 2021. The Department provides training to counties and Medical Assistance sites that beneficiaries applying for Medical Assistance must supply a Social Security Number (SSN) or supply verification that they have applied for an SSN, unless they meet certain acceptable exceptions. This information has been communicated to the counties since 2004 and is part of our ongoing training materials. The Department cannot agree to establish any additional review process at this time. The Department can agree to work with counties and Medical Assistance sites to identify any additional training related to missing SSN and implement additional training by July 2021. D DISAGREE. The Department disagrees with the Total Known Questioned Costs of $2,285,757 identified in the audit report since Department cannot verify the results. The Department is still attempting to reconcile various reports to understand the finding identified through this audit. CBMS currently has functionality in place for members requesting Medical Assistance that they must supply a Social Security Number (SSN), unless they meet certain acceptable exceptions at initial application. The Department does not have the resources to research the thousands of cases that the auditor identified through data mining techniques, a new methodology for the first time this year. If the auditor is changing methodologies, the Department requires additional resources and timely notice to request resources through the budget process. AUDITOR?S ADDENDUM: The beneficiaries identified through our testing were required by Medicaid regulations to provide an SSN at the time of application or upon another event, as applicable, and the SSN is documented in CBMS and uploaded to Colorado interChange [State regulations 10 CCR 2505-10, 8.100.3.I.1 and 8.100.4.B.1.a and 8.100.4.G.7.a]. Because the noted beneficiaries lacked an SSN within Colorado interChange at the time claims payments were made on their behalf, we questioned the beneficiaries? eligibility. The Department is responsible for ensuring that only individuals who are appropriately deemed eligible for Medicaid receive benefits. Therefore, it is the Department?s responsibility to identify and remove ineligible individuals from the Medicaid program and to prevent the inappropriate payment of claims on their behalf. In addition, generally accepted government auditing standards (GAGAS) (paragraph 3.18), require that ?In all matters relating to the GAGAS engagement, auditors and audit organizations must be independent from an audited entity.? Additionally, paragraph 3.42 states that ?Examples of circumstances that create undue influence threats for an auditor?include (b) [e]xternal interference with the selection or application of engagement procedures or in the selection of transactions to be examined.? Therefore, it is imperative that our decisions related to audit approaches and testing methods be made without department influence or persuasion.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-045 Payments for Non-Emergent Medical Transportation ClaimsPrior to July 2020, in 55 counties, the Department worked with various county offices to have them broker Non-Emergent Medical Transportation (NEMT) services for Medicaid recipients, including rides to and from Medicaid medical appointments, personal mileage reimbursement, and trip-related meals and lodging. For example, these counties arranged the rides with transportation providers, submitted the claims or had providers submit claims for reimbursement to the Department, and passed on reimbursements to providers as needed. For the remaining nine counties, the Department contracted with IntelliRide to serve as the NEMT broker for services in those areas. From July 1, 2020, to August 31, 2021, when the Department contracted with IntelliRide to be the statewide broker, most recipients throughout the state scheduled NEMT rides by contacting IntelliRide through its call center, website chat function, or smartphone applications. IntelliRide scheduled rides and assigned transportation providers to them, and had providers upload trip information into IntelliRide?s EcoLane transportation scheduling system. EcoLane maintains information related to recipients? requests for rides and provider trip information, such as the trip date and time, names of the recipient and driver, and scheduled pick-up and destination addresses. IntelliRide submitted claims through the Department?s interChange system (interChange) requesting payments for providers? NEMT services, paid providers for their services, and received reimbursement from the Department. In addition, the Department paid NEMT claims submitted directly by NEMT providers. In Fiscal Year 2021, from July 1, 2020, through February 28, 2021 (the audit period), the Department paid 362,110 claims for NEMT services totaling about $33.2 million, as shown in the following table. In September 2021, the Department plans to transition back to IntelliRide brokering services in nine counties, while the NEMT providers in the remaining counties will broker their own services. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote What audit work was performed and how were the results measured? The purpose of the audit work was to determine whether the Department has ensured that NEMT claims adhere to the following federal and state requirements. ? NEMT trips were to be brokered through, and all claims submitted by, the statewide broker, Intelliride. According to state regulations and the Department?s NEMT Billing Manual, all NEMT trips during Fiscal Year 2021 had to be authorized by the statewide broker, IntelliRide [10 CCR 2505-10 8.014.7.A]. This means that each recipient?s NEMT ride request should have been sent to IntelliRide for approval or authorization before the trip, and any unauthorized trips should ?not be reimbursed or paid? [Billing Manual]. According to the Department, it allowed NEMT providers time to transition to working with IntelliRide because some providers were reluctant to join the statewide brokerage and the Department needed time to onboard providers. By Fall 2020, most providers should have been working with IntelliRide to schedule NEMT rides. The Department told us that six NEMT providers received its express permission to bypass IntelliRide to schedule rides and submit claims directly to the Department because the providers are unique, such as only serving recipients with disabilities or receiving federal grant funding to provide NEMT. To assess whether IntelliRide brokered most NEMT services in the State and submitted the related claims in line with regulations and its contract, we reviewed the Department?s aggregate data for the 128,998 NEMT claims paid from December 2020 through February 2021. ? The Department must pay claims based on accurate service rates and trip mileage. Non-taxi NEMT services, such as wheelchair and mobility vehicle services, have base rates and mileage rates set by the Department. IntelliRide tracks the mileage of each NEMT trip in EcoLane and submits mileage claims to the Department?s interChange system. The Public Utilities Commission (PUC) sets the rate for each permitted taxi provider, which generally includes a rate for the first trip mile and a different rate for each additional mile. According to the Department?s NEMT Billing Manual and NEMT Rate Schedule for Fiscal Year 2021, taxi claims should have been paid at the rate set by the PUC. For example, if a taxi company?s PUC rate was $4 for the first mile and $2 for each additional mile, the Department should have paid $6 for a two-mile NEMT trip claim. To verify that the Department paid NEMT claims based on the correct trip mileage and rates, we reviewed the trip mileage and rates for 362,110 NEMT claims paid from July 2020 through February 2021, and PUC documentation on the taxi rates for permitted taxi companies. ? Claims must be supported with accurate and complete documentation confirming the service provided. Both IntelliRide and providers that submit claims for NEMT services must keep and be able to furnish accurate, complete supporting documentation for all claims [42 USC 1396a(27), 42 CFR ?? 431.17 and 433.32, and 10 CCR 2505-10 8.014.3.C and 8.014.6.B]. For example, a claim must be supported by medical documentation showing that the type of vehicle was needed to transport the recipient, and documentation from the transportation provider showing the trip occurred and when the recipient was picked-up and dropped-off. IntelliRide should only submit a claim to the Department after IntelliRide confirms the trip has been completed and marks the status complete in EcoLane [IntelliRide Policies and Procedures]. If an NEMT provider does not show up for a trip, IntelliRide should mark the trip as ?cancelled? in EcoLane. Payments for Medicaid claims that lack supporting documentation for the services provided are unallowable, meaning they should not be paid. IntelliRide or the Department must maintain documentation from recipients? medical providers showing why certain NEMT services, like transportation in a wheelchair van or with an escort, are medically necessary [10 CCR 2505-10 8.014.7.B and 8.014.5.D.1; Billing Manual]. To verify that there was support for NEMT claims, we reviewed IntelliRide data in EcoLane for all 362,110 NEMT claims paid from July 2020 through February 2021, and Department documentation for a sample of 85 NEMT paid claims?75 selected randomly from the four NEMT service areas of the state, and 10 that were the highest paid NEMT claims. ? NEMT services must be medically necessary. NEMT services shall only be provided to recipients with no other means to attend medically necessary, non-emergency treatment covered by Medicaid [42 USC 1396a(70); 42 CFR 431.53; 10 CCR 2505-10 8.014.5.B]. To verify that NEMT claims were only paid for recipients to access medical care, we reviewed the Department?s data on paid medical claims to determine if the recipients related to 22 sampled NEMT claims paid in December 2020 had a corresponding medical appointment. For another 61 paid NEMT claims that involved IntelliRide scheduling and submitting claims for trips every day in December for two recipients, we reviewed whether the recipients had paid medical claims corresponding with the trips. ? Prior authorization is required for air ambulance. The Department must grant prior authorization for the use of an NEMT air ambulance before the trip occurs in order for the claim to be paid [10 CCR 2505-10 8.014.7.D.1.b]. To verify that the Department granted prior authorization for air ambulance trips, we reviewed the use of air ambulances in 11 paid claims from July 2020 to February 2021. ? Recipients are to receive the least-costly NEMT transportation option appropriate for their medical condition. For example, recipients should only ride in a vehicle for recipients with mobility needs when they have a mobility issue or if there is a lack of access to public transportation [10 CCR 2505-10 8.014.6.B, 42 USC 1396(a(70), and 42 CFR 440.170(a)(4)]. Higher-cost NEMT services, such as ambulance and wheelchair van services, must be supported with documentation of the recipient?s need for the specific higher-cost services [10 CCR 2505-10 8.014.5.B.1.b]. To determine whether recipients received the least costly NEMT services to meet their needs, we reviewed documentation submitted by medical or transportation providers to IntelliRide or the Department for the 85 sampled NEMT claims. ? Taxi providers must be permitted by the PUC to provide NEMT taxi rides. To provide NEMT rides by taxi and receive payment for them, the provider must maintain a common carrier permit issued by the PUC [10 CCR 2505-10 8.014.3.B.4.a]. To verify that the providers that were paid for taxi claims had been permitted to provide taxi services, we reviewed the 33,791 NEMT claims for taxi services from July 2020 to February 2021. What problems were identified? The Department paid $3.5 million directly to 66 NEMT providers for claims that were not brokered by Intelliride. From December 2020 through February 2021, 26,890 of the approximately 129,000 NEMT claims paid by the Department (21 percent), totaling about $3.5 million, were not brokered through IntelliRide, which violated state regulations requiring all NEMT services to be brokered through the statewide brokerage in effect at the time. The following chart shows the amounts the Department paid for claims submitted directly by NEMT providers compared to its payments for claims submitted by IntelliRide from July 2020 through February 2021. During these months, the number of claims that providers submitted directly to the Department decreased as providers transitioned to working with IntelliRide to broker NEMT rides; however, as of February 2021, the Department was still paying about $1 million in monthly claims that were submitted directly by providers. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote The Department paid 36,910 NEMT claims totaling $5.5 million, which either violated or may have violated federal and/or state regulations. The claims were for unallowable services or were overpaid, and resulted in $291,597 in known questioned costs and $5,180,962 in likely questioned costs for Medicaid. A questioned cost is a payment that ?resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds? or ?the costs, at the time of the audit, [that] are not supported by adequate documentation?? [2 CFR 200.84]. A known questioned cost reflects a violation that the auditor confirmed; a likely questioned cost is the auditor?s best estimate of a potential violation [2 CFR 200.516(a)(3)]. Known and likely questioned costs should be investigated by the Department and recovered, as appropriate, because Medicaid overpayments are recoverable regardless of whether they occurred due to an error by the Department, entity acting on behalf of the Department, or a provider [Section 25.5-4-301(2), C.R.S.]. We found the following problems resulting in $291,597 in known questioned costs: ? Claims paid with no support that services were provided. For 3,958 of the 362,110 NEMT claims (1 percent), which totaled $258,115 paid from July 2020 to February 2021, IntelliRide or providers submitted the claims without any documentation showing that recipients received the NEMT services from the providers listed in the claim. The $258,115 is known questioned costs and includes: o 3,323 claims totaling $163,985 submitted by IntelliRide with no documentation in EcoLane of a ride being scheduled or provided. o 619 claims totaling $61,431 submitted by IntelliRide for which EcoLane showed the scheduled ride was cancelled. o 16 sampled claims totaling $32,699 submitted by providers directly to the Department had no documentation that an NEMT service occurred because the providers did not send the Department documentation for their claims. Upon our request, the Department attempted to obtain supporting documentation from providers for these claims but was unable to obtain any. ? Overpayments due to incorrect mileage and taxi rates. For 466 of the 321,099 mileage and taxi claims (less than 1 percent), the Department overpaid IntelliRide. Specifically, for 50 of the 287,308 mileage claims (less than 1 percent), the mileage submitted by IntelliRide that the Department paid was more than the ride mileage that IntelliRide documented in EcoLane. For 416 of the 33,791 (1 percent) claims submitted by IntelliRide on behalf of providers that were permitted to operate as taxis, the Department paid a higher rate than the providers? set PUC rate. The following table breaks out the overpayments that we identified, which totaled $6,759 in known questioned costs. We did not find issues with the rate amounts that the Department paid for non-mileage and non-taxi services. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Examples of these overpayments include: o An overpayment of $48 for a claim submitted by IntelliRide for a taxi provider that billed the wrong taxi rate. The Department paid $60 for a 4-mile trip, when it should have paid $12 based on the PUC rate of $3 per mile. o An overpayment of $79 for a claim submitted by IntelliRide on behalf of a provider because the claim showed the trip was 76 miles, but the EcoLane data showed the trip was 38 miles. The Department paid $157, when it should have paid $78. ? Unallowable rides, not for medical appointments. For 61 claims showing NEMT trips every day in December 2020 for two recipients, there were no medical claims corresponding to their trips, so it appears that either NEMT was used repeatedly to transport these recipients to unallowable destinations or the provider did not provide the trips claimed. The NEMT provider reported to IntelliRide that these trips were completed even though the recipients did not attend any medical appointments that month. IntelliRide submitted the 61 NEMT claims and its EcoLane data showed that the NEMT providers self-reported that the trips were completed. However, IntelliRide confirmed that these trips were not used to access medical care. The issues we identified resulted in $2,674 of known questioned costs. ? Air ambulance claims paid without prior authorization. None of the 11 air ambulance NEMT claims had supporting documentation that the provider requested or received prior authorization from the Department before the trip occurred. These 11 claims to three providers resulted in $23,122 in known questioned costs. ? Claims paid for trips that were not the least costly, medically necessary, and/or for approved escorts. For seven of the 85 sampled claims (8 percent), IntelliRide submitted the claims without having required documentation from medical providers. Specifically, four claims lacked documentation to support the medical necessity for the type of vehicle used (either mobility vehicle, taxi, or wheelchair van); the other three claims lacked documentation of the recipient?s need for an escort to support the associated cost, which indicates that the three sampled NEMT trips were provided to an escort ineligible to ride with the recipient. The issues we identified for the seven claims resulted in $927 of known questioned costs. In addition, we found the following problems resulting in $5,180,962 in likely questioned costs, which are estimated potential violations of federal requirements that we could not confirm due to a lack of documentation: ? $4.8 million paid for taxi claims without mileage. For 29,049 taxi claims totaling $4,763,071, the Department paid the claims without ensuring taxi providers were paid at their PUC per-mile rate. These claims were submitted directly to the Department by 10 permitted taxi providers. The Department required providers to submit claims showing only the number of one-way trips driven, not the number of miles driven. As a result, the Department could not ensure that these taxi claims were paid at the correct PUC rates, as required in its Billing Manual and Rate Schedule. The Department paid the full amount that each taxi provider requested, as long as the claim was not more than $1,000 per one-way trip. For example, the Department paid $4,000 to one taxi provider for a claim showing four one-way trips for a recipient on a single day. Based on the claim amount, the taxi provider would have had to have driven the recipient on four 400-mile, one-way trips that day to justify this amount, because the taxi provider?s PUC rate is $4 for the first mile and $2.50 for each additional mile. Since the Department did not obtain the miles driven for each one-way trip from taxi providers for these 29,049 claims, we could not determine whether the payments were accurate based on each provider?s PUC rate, as required. ? $409,575 paid for taxi claims for providers not permitted as taxis. For 3,284 NEMT claims for taxi services from eight providers, the providers were not permitted by the PUC to operate as taxis. For example, one provider was paid for an NEMT taxi claim for $5,875 for 12 trips, or $490 per trip. Since these providers were not permitted as taxis, they did not have PUC-set taxi rates, so we could not determine how much these providers should have been paid. ? $4,718 paid for trips that may not have been to attend medical services. As of April 2021, 13 of the 22 sampled NEMT claims (59 percent) for trips in December 2020 had no medical claims for dates corresponding to the NEMT trips. Department staff told us that Medicaid medical claims are typically submitted and paid within 3 months of the date of service, but that there is a possibility that medical providers had not yet submitted medical claims for the recipients since federal regulations technically allow providers up to 12 months to submit claims [42 CFR 447.45(d)(1)]. In addition, six of these 13 recipients had both Medicaid and other types of medical insurance, such as Medicare. According to the Department, it is possible that the six recipients used NEMT trips to access medical services but the Department did not have a Medicaid claim for the services because they were paid by the other types of insurance, which is allowed by state regulations [10 CCR 2505-10 8.014.5.B.2]. Therefore, we could not determine whether the NEMT trips associated with the 13 claims had been for recipients to attend medical services. ? $3,598 paid for trips that may not have been completed. For 61 of the 362,110 paid claims (less than 1 percent), the scheduled trips were not marked as complete in EcoLane, so we could not determine whether they had been completed. Why did these problems occur? The Department lacks effective internal controls over NEMT claims to ensure they are appropriate and consistently comply with federal and state requirements. According to federal regulations [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls to provide reasonable assurance that federal funds are spent in compliance with federal requirements. We identified the following areas where Department controls are lacking for NEMT claims: Lack of Department information technology (IT) Controls in interChange ? No IT controls to prevent providers from bypassing broker. From December 2020 through February 2021, the Department paid NEMT providers directly for unsupported NEMT trips because the Department did not have IT controls in interChange to deny claims for trips that were not brokered through IntelliRide, as required at the time. As of September 1, 2021, the Department plans to require only the NEMT providers operating in nine metro-Denver counties to broker trips through IntelliRide, so the Department needs IT controls to ensure providers in these counties work with IntelliRide to schedule all trips and submit related claims. ? Lack of IT and other controls to ensure proper payments for NEMT taxi services. InterChange is programmed to pay each NEMT taxi claim based on one-way trips, but the Department has not implemented an IT or other control to ensure that NEMT taxi claims are paid at the providers? current PUC-approved per-mile rates, and that the Department only pays taxi rates when the provider is permitted by the PUC to operate as a taxi. Department staff stated that the only IT control the Department has built into interChange to help ensure proper payment of taxi claims is limiting payments for taxi claims to no more than $1,000 per one-way trip, and that this control is in accordance with the NEMT Billing Manual and Rate Schedule. However, Department staff also acknowledged that there is a conflict within the Billing Manual that requires taxi claims to be based on the number of one-way trips, but also paid based on per-mile PUC rates. By setting the limit based only on the number of one-way trips instead of providers? PUC per-mile rate, this Department IT control is not effective at ensuring taxi claims are paid properly. To ensure accurate payments for NEMT taxi claims, the Department will need methods, such as IT controls in interChange, and clarification in the Billing Manual and Rate Schedule, to ensure taxi providers are paid based on set rates, and ensure each taxi provider is permitted. ? No IT controls to ensure required prior authorizations. Air ambulance services were paid without the Department?s prior authorization for the services because the Department does not have IT controls to ensure prior authorization before payment. If the Department does not implement IT controls to ensure appropriate prior authorizations of NEMT services, the Department will need to develop manual processes to ensure that NEMT services receive required authorization prior to paying the related claims. Lack of Department Monitoring of NEMT Services and Claims ? Insufficient methods to ensure appropriate payment and collect necessary documentation from providers that bypass the statewide brokerage. Although the Department reviewed NEMT provider supporting documentation for NEMT services in 2019, the Department did not do so in 2020 or 2021, and had no process to require the providers that bypassed the statewide brokerage to submit documentation to support their NEMT claims before they were paid. According to the Department, in September 2021, it plans to require providers in nine counties covered by the IntelliRide brokerage contract to provide and submit claims through IntelliRide; however, NEMT providers in the remaining 55 counties will be submitting NEMT claims directly to the Department. Therefore, it is important that the Department develop a process to ensure that providers in these 55 counties maintain required documentation for each claim. ? Lack of monitoring to ensure Intelliride submits accurate mileage claims and collects necessary documentation. The Department does not conduct reviews of IntelliRide?s documentation in EcoLane to ensure it submits claims for accurate mileage and maintains support for claims submitted to or paid by the Department. For example, the Department does not reconcile its NEMT claims data from interChange and IntelliRide?s EcoLane system data to ensure each claim is supported. Furthermore, the Department has never completed a file review of IntelliRide?s supporting documentation for NEMT claims, such as when the Department contracted with IntelliRide to be a regional broker prior to becoming the statewide broker. ? No method to ensure NEMT service claims are for rides for medical treatment and the least costly. The Department does not conduct any reconciliation of its interChange data on NEMT trip claims to its interChange data on Medicaid medical claims to ensure NEMT claims are only paid for recipients to access medical care. The Department also does not require confirmation from medical providers that recipients used NEMT to access necessary medical care. For example, NEMT providers told us that before the start of the IntelliRide statewide brokerage contract, they either called medical providers to confirm that the recipients? NEMT trips were to access medical appointments or collected medical providers? signatures for each NEMT trip. In addition, the Department has no controls to ensure providers that submit claims directly to the Department are providing the least costly NEMT service appropriate to each recipient, such as public transportation when it is accessible and appropriate. For example, IntelliRide instructs its staff to attempt to schedule the lowest-cost NEMT service based on recipients? mobility needs and access to public transportation; however, the Department has no such method to ensure services are the least costly when NEMT providers schedule services for recipients. As of September 2021, the Department plans to have the recipients who live in the 55 counties not served by IntelliRide begin scheduling their rides directly with the NEMT providers of their choosing, yet the Department has not developed a method to ensure recipients in these areas receive the lowest-cost services appropriate for their needs. ? Potentially insufficient Department staffing to monitor NEMT claims effectively. For Fiscal Year 2021, the Department was appropriated three full-time equivalent (FTE) staff to oversee NEMT claims; however, the Department had two vacancies in these positions from July 2020 through May 2021 that it did not fill, so there was only one Department staff overseeing NEMT and the IntelliRide statewide contract during the audit time period. In June 2021, the Department added an additional FTE staff member to assist in administering the NEMT benefit. Why do these problems matter? Likely federal recovery of funds used for improper payments. Section 25.5-4-301(2), C.R.S., states that any overpayments of claims to providers are recoverable and ?are recoverable regardless of whether the overpayment is the result of an error by the state department? an entity acting on behalf of [the department], or the provider or any agent of the provider.? Our audit identified $291,597 in known questioned costs, of which about $145,797 is the federal portion of funds that the federal government may recover. We also identified $5,180,962 in likely questioned costs, of which $2,590,480 is the federal portion of funds that could be recovered if the payments are determined to have not been appropriate. The following table shows the questioned costs and federal portions for each problem we identified. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote When providers bypass broker controls, service quality is not monitored. When the Department allows some NEMT providers to bypass the IntelliRide broker, and does not obtain documentation to support their claims, the Department is unable to monitor the services of these providers. Additionally, when the Department does not monitor providers that bypass the statewide broker, the Department is applying different and possibly inadequate standards for the providers that bypass compared to the providers that work with IntelliRide. Although the Department plans for IntelliRide to no longer be the statewide NEMT broker for all 64 counties beginning September 2021, IntelliRide will continue to administer NEMT trips for nine Front Range counties that account for the majority of NEMT trips. It is important that all NEMT trips in these counties be brokered through IntelliRide so that the Department can monitor the quality of the trips and IntelliRide?s oversight of them. Risk of fraud, waste, and abuse. When the Department pays NEMT claims that are not supported by documentation of the service, medical documentation showing NEMT was for medical treatment, or the required prior authorizations, there is a significant risk of misappropriation of federal and state funds by providers and/or recipients. In addition, the eight providers not permitted as taxis that submitted taxi claims appear to have set their own rates of payment at a significantly higher rate, since the PUC did not permit or set rates for these providers. While we did not identify confirmed fraud by recipients or providers due to a lack of supporting documentation for claims, the problems identified demonstrate waste of public funds and potential abuse of the Medicaid program. When the Department overpays Medicaid funds and pays for unallowable services, there are fewer funds available to service the recipients who need them. In addition, there is no federal or state limit on payments for NEMT services, so it is important that the Department ensure Medicaid recipients receive appropriate transportation to medical treatment, while also ensuring the Department is acting as a good steward of federal and state funds. See Schedule of Findings and Questioned Costs for chart/table Character Limit Exceeded See Statewide Single Audit Report
Finding 2022-043 Medicaid Claims Payments Individuals and families apply for Medicaid at their local county departments of human/social services or at MA sites. Medicaid caseworkers make the determinations of participants? eligibility to receive Medicaid benefits through CBMS. Children in the State?s foster care program, whose information is documented in the TRAILS system, are automatically determined eligible for Medicaid benefits. The Medicaid eligibility data in CBMS and TRAILS feeds into Colorado interChange, which pays providers for the services that beneficiaries receive. CBMS and TRAILS interface with Colorado interChange on a daily basis to update eligibility information, such as a beneficiary?s eligibility status and/or termination of benefits in Colorado interChange. According to the Department, Colorado interChange is programmed to make only allowable Medicaid claims payments on behalf of eligible beneficiaries in accordance with federal and state Medicaid rules and regulations. Thus, Colorado interChange should stop paying Medicaid claims when a beneficiary is no longer eligible for Medicaid. On March 18, 2020, the Act was enacted. The Act provided a temporary increase in the federal share of Medicaid and CBHP assistance from January 1, 2020 until the end of the PHE. The Act also required that the Department maintain Medicaid and CBHP eligibility for beneficiaries enrolled as of March 1, 2020, through the end of the COVID-19 PHE, except for the required terminations noted within the CMS waivers, such as out-of-state residency, termination upon the beneficiary?s request, and death of the beneficiary. On March 26, 2020, CMS approved waivers for a number of Medicaid and CBHP requirements that resulted in, for example, the expansion of benefits to include all uninsured individuals; suspension of beneficiary deductibles, copayments, coinsurance, and other cost sharing charges and fees; coverage of COVID-19 vaccines and testing; and the suspension of the requirement for a provider to have a current license if their license expired during the COVID-19 PHE. In addition, the State implemented, with CMS? approval, Medicaid continuous enrollment as a condition of receiving the temporary increase in federal assistance. During continuous enrollment, beneficiaries could not be disenrolled due to changes in circumstances (i.e., changes in household composition, employment, income and resources) until the end of the COVID-19 PHE. On December 29, 2022 the CCA was enacted. Under the CCA, continuous enrollment and the temporary increase in federal assistance are no longer linked to the end of the COVID-19 PHE. The continuous enrollment condition will end on March 31, 2023 and the increase in federal assistance will start to gradually reduce in April 2023, fully ending in December 2023. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to review the Department?s progress in implementing our Fiscal Year 2019 audit recommendation related to its internal controls over Medicaid claims payments. During that audit, we recommended that the Department improve its Medicaid controls by researching and resolving CBMS, TRAILS, and Colorado interChange interface issues we identified during our audit to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries. We specifically identified a TRAILS and CBMS eligibility mismatch issue related to the daily interfaces between CBMS and Colorado interChange and between TRAILS and Colorado interChange. As a result, some individuals who were deemed ineligible for Medicaid in CBMS and TRAILS were indicated as eligible in Colorado interChange at the time of payments; therefore, Colorado interChange made payments on their behalf. The Department researched the specific errors we identified during the audit and manually corrected the eligibility status of those beneficiaries, but the Department had not fully researched the error or identified and corrected all of the cases affected by the errors at that time. As such, we also recommended that the Department identify and correct any additional cases affected by the system issues noted in our audit. The Department agreed with the recommendation and stated that it would implement them by July 2021. As part of our audit work, we discussed the Department?s progress in implementing our audit recommendation with Department staff. According to the Department, it worked with the Department of Human Services (DHS) during Fiscal Year 2022 to develop a plan to eliminate the issues, including the TRAILS eligibility mismatch issue, we identified in the Fiscal Year 2019 audit. In order to address our recommendation that the Department identify and correct any additional cases affected by the system issues noted during our Fiscal Year 2019 audit, the Department developed an eligibility reconciliation report that compares beneficiary records with an active eligibility span in Colorado interChange, in order to identify any records that were not reported in the monthly eligibility file from CBMS. Department staff reported that they are reviewing the reconciliation report monthly to identify any beneficiary records that need updating in CBMS. Beneficiaries may show up on the reconciliation report either because (1) Colorado interChange rejected the beneficiary?s eligibility due to a data integrity issue, or (2) there was a system defect in CBMS, Colorado interChange, or TRAILS that caused a mismatch issue. Data integrity issues include issues such as a missing mailing address or last name?these issues can be manually fixed in CBMS. System defect issues are generally more complex and require Department staff to research the problem and identify the system that caused the error (CBMS, Colorado interChange, or TRAILS), and then work with the appropriate staff to correct the issue. As part of our audit, we requested copies of the Department?s eligibility reconciliation reports for Fiscal Year 2022 and asked the Department if it identified any additional cases affected by the system issues we identified, and if so, if they had they corrected the issues. How were the results of the audit work measured? We measured the results of our audit against the following: ? Federal regulation [42 CFR 447.56(e)(2), Limitations on Premiums and Cost Sharing] states that federal funding will not be provided for payments made by the Department to providers for services rendered to individuals who are not eligible for Medicaid. ? The Act [Section 2, Division F, Sec. 6008, Temporary Increase of Medicaid FMAP] temporarily increased the federal medical assistance percentage (FMAP) by 6.2 percentage points, effective from January 1, 2020 until the end of the PHE. The Act requires states to maintain Medicaid and Children?s Health Insurance Program (CHIP) eligibility for beneficiaries enrolled as of March 1, 2020 through the end of the PHE (with certain exceptions) in order to receive the increased FMAP assistance (the ?continuous enrollment requirement?). The PHE remained in effect during the entirety of Fiscal Year 2022 through June 30, 2022. ? According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with the Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office, Paragraph 16.01, Perform Monitoring Activities, which states that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. What problems did the audit work identify? We determined that the Department did not fully implement our Fiscal Year 2019 recommendation related to Medicaid claims payments by the July 2021 due date it originally provided. Specifically, while the Department has started working with DHS on a plan to resolve the TRAILS eligibility mismatch issues and started preliminary work on the project, the project was still ongoing as of June 30, 2022. In addition, the Department?s system enhancements to CBMS and Colorado interChange were not fully executed because of the ongoing PHE. Once the PHE ends and the Department executes the system enhancements, the Department has indicated the system will begin to correct the CBMS and Colorado interChange mismatches. Finally, although the Department has identified additional beneficiary records that require updating in CBMS, it did not correct the identified issues in the system. Specifically, the Department identified approximately 32,800 separate beneficiaries that were flagged as having an eligibility issue through the Fiscal Year ending June 30, 2022. However, per Department staff, they are unable to tell which beneficiaries had data integrity issues versus those that were caused by a system defect. Once the continuous enrollment period ends and the Department is able to fully execute the system enhancements noted above, the Department reports that the systems will sync any error the Department has identified and will be manually corrected. Why did these problems occur? The Department indicated that it did not fully execute the CBMS and Colorado interChange system enhancements because of the Act?s ongoing continuous enrollment requirement. Specifically, because the Department was required to maintain Medicaid and CBHP beneficiaries enrolled as of March 1, 2020 through the entirety of Fiscal Year 2022 due to the continuous enrollment requirements in place, they were unable to fully execute the CBMS and Colorado interChange system enhancements that would fix the data integrity issues identified during the Fiscal Year 2019 audit. Why do these problems matter? Making payments to ineligible individuals can result in the Department having to repay the federal government for the federal portion of the overpayments. Further, because Colorado interChange makes payments on behalf of other federal programs, such as CBHP, system issues with Colorado interChange could result in erroneous payments for other programs. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-043 The Department of Health Care Policy and Financing should strengthen its internal controls over Medicaid claim payments by: A. Continuing to work with the Department of Human Services to fully implement the plan to eliminate the Colorado interChange issues between Colorado Benefits Management System (CBMS), TRAILS, and Colorado interChange to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries. B. Continuing to review the monthly eligibility reconciliation reports and identifying beneficiary records that need updating, and making necessary corrections in CBMS once the continuous enrollment condition ends. Response Department of Health Care Policy and Financing A. Partially Agree Implementation Date: April 2023 The Department and CBMS teams have strengthened their internal controls to ensure payments are only made to providers for eligible members. The Department and CBMS teams will update all member records identified on the Monthly Reconciliation report once the Public Health Emergency ends. TRAILS team has provided additional training to the Case Managers to prevent data integrity issues being submitted to CBMS and interChange; however, the TRAILS team does not plan to update the system's internal controls until funding is available. Auditor?s Addendum Our responsibility under federal audit regulations is to report to the federal government when we identify Medicaid payments that may not have been made on behalf of eligible individuals or costs that we question as appropriate. It is ultimately the Department?s responsibility to have internal controls in place over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions B. Agree Implementation Date: April 2023 The Department agrees to review the monthly eligibility reconciliation report and is looking forward to resolving the member records once the Public Health Emergency ends to fully resolve the audit finding.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-042 Medical Loss Ratio Reporting for Managed Care Entities The Department contracts with Managed Care Entities (MCEs) to provide managed care health plans and deliver health care services to eligible Medicaid and CBHP beneficiaries and pays MCEs monthly fixed amounts, known as capitation payments, based on rates determined by actuaries for the provision of services covered under the contract. The Department pays the MCEs monthly capitation payments on behalf of each Medicaid and CBHP beneficiary enrolled in the MCE?s plan. MCEs then coordinate services for the eligible Medicaid and CBHP beneficiaries and providers participating in the managed care system bill the MCEs directly for any medical services provided to Medicaid and CBHP beneficiaries. The MCEs are then responsible for paying the providers for the Medicaid and CBHP claims. The Department contracts with three different types of MCEs?Managed Care Organizations (MCO), Prepaid Inpatient Health Plans (PIHP), and Primary Care Case Management (PCCM) Entities. During Fiscal Year 2021, the Department had a total of 8 contracts with 10 MCEs, with two pairs of MCEs sharing a single contract with the Department. The Department is responsible for monitoring the MCEs to ensure they are complying with federal regulations and their contract provisions, including requirements that the MCEs annually submit Medical Loss Ratio (MLR) reports to the Department. The MLR is the proportion of state and federal Medicaid and CBHP funds that the MCE used for medical services compared to the funds used for its administrative costs. MCEs are required by both federal regulations and their Department contract provisions to have an MLR above 85 percent (i.e., an MCE?s administrative costs cannot exceed 15 percent) except for specific exceptions defined in federal regulations. If the MLR is below 85 percent, the MCE must pay back the state and federal government for the amount that caused the MCE to fall below 85 percent. Every fiscal year, the Department provides an MLR reporting template for the MCEs to complete and return to the Department. The Department reported that when it receives the completed templates, staff review the information provided by the MCEs and compare it to supporting documentation to ensure it is accurate and complete. Once the Department has reviewed the MLR reports submitted by the MCEs, the Department submits the MLR reports to CMS, which are due by June 30 of the year following the end of the MLR reporting year. For example, an MCE with a reporting year ending June 30, 2020, would be required to submit the MLR calculation to CMS by June 30, 2021. During Fiscal Year 2021, the Department reported that it paid approximately $1.4 billion in Medicaid and CBHP capitation payments to MCEs for medical services, not including the capitation payments for other services, such as administrative costs. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to review the Department?s internal controls and compliance over ensuring that MLR reports submitted to CMS by the Department include all the required information in accordance with federal regulations during Fiscal Year 2021. The audit work included making inquiries of Department staff regarding the Department?s documented policies and procedures over obtaining and reviewing MLR reports from each MCE. In addition, we requested and reviewed all MLR reports submitted to the Department by the 10 MCEs that were under contract with the Department in Fiscal Year 2021 to determine whether the MLR reports included all information required by federal regulations and were submitted within the required timeframes. How were the results of the audit work measured? Federal regulations [42 CFR 438.8(k)] require that the Department ensure each MCE under contract with the Department submits a report with the data elements specified in 42 CFR section 438.8(k)(1). The reports are specifically required to contain 13 required data elements, reflect the correct reporting years, and contain an attestation of accuracy regarding the calculation of the MLR. The 13 data elements include items such as total incurred claims, the methodology for allocating expenditures, the calculated MLR, and a comparison of the information reported in the MLR report to the MCE?s audited financial report. Federal regulations [42 CFR 438.8(g)] note that the method used to allocate expenses in the MLR calculation must be: ? Based on a generally accepted accounting method that is expected to yield the most accurate results; ? Any shared expenses must be apportioned pro rata to the contract incurring the expense; and ? Expenses that relate solely to the operation of a reporting entity must be borne solely by the reporting entity and are not to be apportioned to other entities. Federal regulations [42 CFR 438.8(k)(2)] require MCEs to submit the MLR report in a timeframe and manner determined by the Department, which must be within 12 months of the end of the MCE?s reporting year. The Department?s contract provisions for MCEs state that the MLR reporting year should align with the State?s fiscal year, beginning on July 1 and ending on June 30 of the subsequent calendar year. Contract provisions also state that each MCE shall submit to the Department the completed MLR calculation template and supporting documentation for each reporting year by the following January 15. For example, an MCE with a reporting year ending June 30, 2020, would be required to submit the MLR calculation template to the Department by January 15, 2021, and the Department would be required to submit the MLR calculation to CMS by June 30, 2021. What problems did the audit work identify? We reviewed all reports provided to the Department by the 10 MCEs during Fiscal Year 2021 (for the MLR reporting year ended June 30, 2020) and determined that none of the MLR reports submitted by the 10 MCEs to the Department contained all of the required data elements in Fiscal Year 2021. Specifically, the MLR reports were missing 2 of the 13 (15 percent) required data elements: the methodology for the MCEs? allocation of expenditures and a comparison of the information reported in the MLR report to the MCEs? audited financial reports. This omission is significant because the MCEs reported total medical expenditures ranging from $20.5 million to $208.4 million and earned revenue from $23.4 million to $219.1 million. In addition, we determined that 1 of the 10 MLR reports received in Fiscal Year 2021 (10 percent) had not been submitted to CMS as of April 2022. This report was due to CMS on June 30, 2021. Why did these problems occur? We found that the Department lacked adequate controls to ensure that MLR reports submitted by the MCEs fully complied with federal regulations. First, we noted that although the Department?s MCE contracts state the MCE?s MLR report should include all 13 federally required data elements, the MLR template the Department provided to the MCEs did not include specific sections addressing the two missing federally-required data elements. As a result, the MCEs did not submit this information. Furthermore, the Department did not have written policies and procedures for reviewing completed MLR reports to ensure the reports ultimately included those requirements. Second, the Department does not have an enforcement mechanism to ensure the MCEs provide corrected MLR report information in a timely manner. The Department reported that it had not submitted the one MLR report to CMS because it had open questions on the MLR report and was unable to verify that the information was correct, valid, and in compliance with federal regulations. Although the Department sent the MLR report back to the MCE for correction several times, the Department did not have sufficient controls in place to ensure the MCE ultimately provided the corrected report back to the Department within the required reporting timeline for CMS submission. Why do these problems matter? The Department is responsible for ensuring MLR reports are obtained and submitted to CMS in accordance with federal regulations and that MCEs have an MLR above 85 percent. While all 10 MCEs reported that their MLRs were above 85 percent for the reports submitted during Fiscal Year 2021, without providing all required data elements, neither the Department nor the federal government can validate that this percentage is accurate. By not including the methodology for the MCE?s allocation of expenditures, the Department, and ultimately CMS, are unable to confirm that each type of expense is being allocated correctly and that any shared expenses are being prorated appropriately. Additionally, by not including a comparison of the information reported in the MRL to the MCE?s audited financial report, the Department is unable to confirm that the information the MCE used to calculate their MLR is accurate. Overall, without effective internal controls in place, the Department risks providing MLR reports to CMS that contain inaccurate or incomplete information or that the MLR is below 85 percent and the Department does not catch the error. As a result, state and federal funds could be used disproportionately on administrative costs rather than medical services, which would negatively impact the quality of care Medicaid and CBHP beneficiaries receive. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-042 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls over Medical Loss Ratio (MLR) reporting by: A. Updating its MLR report template provided to Managed Care Entities (MCEs) to comply with federal regulations and developing and implementing written policies and procedures. These policies and procedures should include the requirement for MCEs to submit MLR reports that include the data elements required by federal regulations and specify the Department?s review process of those MLR reports to ensure they include accurate and complete information. B. Developing an enforcement mechanism to ensure it receives accurate and corrected information from the MCEs in a timely manner so the Department is able to complete its validation process of MLR reports and meet the June 30 deadline for report submission to the Centers for Medicare & Medicaid Services. Response Department of Health Care Policy and Financing A. Agree Implementation Date: December 2022 The MLR report template has been updated and will now be reviewed at least yearly by the Department. In addition, new written policies and procedures are being developed and will be implemented before the submission of the next MLR for review. B. Agree Implementation Date: January 2023 The Department will add contract language and enforcement mechanisms in order to receive accurate information in a timely manner. This includes specific timelines for correcting incomplete or inaccurate information in order to submit the MLR report timely to the Centers for Medicare & Medicaid Services.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-043 Managed Care Entities? Periodic Audit Reporting On November 9, 2020, CMS adopted a final rule (Final Rule) revising the regulations governing managed care programs. The Final Rule was meant to streamline the existing Medicaid and CBHP managed care regulatory framework. Further, it adopted procedures and standards to ensure accountability and strengthen program integrity safeguards. The Department is responsible for complying with these federal program integrity regulations, some of which include requirements to monitor MCE compliance submission requirements, conduct periodic audits of submitted MCE data, and then post the periodic audits publicly on the Department?s website. These periodic audits are done to determine the accuracy and completeness of the (1) encounter and, (2) financial data submitted by each MCE, which are described as follows: ? Encounter Data. The Department?s contracts with the MCEs require each MCE to submit Medical Encounter Claims (Encounter Data) to the Department. Encounter Data includes services provided by any of the MCE?s providers, including, but not limited to, services delivered by medical groups, practices, clinics, physicians, or any other providers. MCEs must submit Encounter Data on a monthly basis on the last business day of the month. The Department then contracts with an independent external quality review organization to review the information and supporting documentation, and then the external organization issues a report on the data submitted by each MCE. ? Financial Data. The Department?s contracts with the MCEs require each MCE to complete a Department-provided financial reporting template that contains a breakdown of the MCE?s administrative and medical costs for a 12-month period (July through June). These templates are required to be completed and submitted to the Department by January 15 each year. The Department performs an initial review of the information, and then sends the completed templates to an independent CPA firm for final review and issuance of a report on the data submitted by each MCE. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to review the Department?s internal controls over and compliance with federal program integrity requirements for MCEs during Fiscal Year 2021. The audit work included making inquiries of Department staff regarding the Department?s documented policies and procedures over the MCE periodic audits. For each MCE, we reviewed the Department?s MCE contract, the financial reporting template submitted during Fiscal Year 2021, and the report issued by the Department?s contracted independent organization. Lastly, we reviewed the Department?s website to determine whether the Department posted the periodic audit results on their website. How were the results of the audit work measured? Federal regulations [42 CFR 438.602] detail the Department?s responsibilities associated with MCE program integrity. These include the following: ? Federal regulation [42 CFR 602(e)] requires the Department to periodically conduct, or contract for the conduct of, an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by each MCE. ? Federal regulation [42 CFR 438.602(g)(4)] requires that the results of the periodic audits for each MCE be publicly posted on the Department?s website. The Department?s MCE contracts require all MCEs to submit Encounter Data electronically to the Department on a monthly basis. The Department?s MCE contracts also require all MCEs to submit annual financial information, including annual financial statements and the Department provided financial reporting template. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in the Green Book. Under Paragraph 16.01, the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. What problems did the audit work identify? Overall, we found that the Department did not obtain complete financial data from the MCEs during Fiscal Year 2021 and did not post the audited results of the financial data to the Department?s website. Specifically, we found the following: ? Financial Data Reporting Template. For 2 out of the 10 (20 percent) financial reporting templates we reviewed, the MCE did not fill out the reporting template completely. As a result, the reporting templates were missing supporting information and explanations that assist the Department in their initial review of the MCE financial data, such as the MCE?s methodology for calculating administrative and medical costs submitted with the reporting template. ? Posting Incomplete Periodic Audits to the Department?s Website. For 10 of the 10 (100 percent) MCEs, we found that the Department failed to post the results of the financial data audits to its website. Pursuant to federal regulations, the audits must include information on encounter and financial data for each MCE and be posted to the Department?s website. We were able to verify that the Department did, however, post the results of the encounter audits to its website for all 10 MCEs. Why did these problems occur? The Department lacked adequate controls over ensuring compliance with federal program integrity requirements for MCEs. Specifically, the Department did not have written policies and procedures for performing the initial review of the financial data reporting templates before they are sent to the CPA firm for final review. In addition, the Department did not have written policies and procedures for ensuring all periodic audit information is posted to its website, including the results of the financial data audits. Why do these problems matter? As a recipient of federal funds, the Department is ultimately responsible for ensuring that it is in compliance with federal regulations. By not confirming that the MCE financial data templates are complete, there is a risk that the reports issued by the contracted CPA firm could be inaccurate or incomplete, which could lead to the Department not properly monitoring the managed care program. In addition, by posting incomplete periodic audit information to its website, the Department risks failing to comply with federal program integrity requirements for MCEs. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-043 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls by developing and implementing written policies and procedures for periodic audits that detail the process for (1) performing the initial review of the financial data reporting templates submitted by Managed Care Entities, and (2) posting complete periodic audit results on the Department?s website in accordance with federal regulations. Response Department of Health Care Policy and Financing Agree Implementation Date: December 2022 The Department did not have strong enough controls for the initial checks on the financial data reporting templates. This process has been updated and will be rectified in coming cycles. The Department has modified its templates in order to address the concerns provided by the auditors including signatures and supplemental reporting. Written policies and procedures for the validation and audit of the templates are being developed currently and will be in place and effective in December 2022. The Department will be correcting this error by posting the audit results along with other quality and audit reports on the following site: https://hcpf.colorado.gov/quality-and-health-improvement-reports.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-048 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-035 MEDICAL ASSISTANCE PAYMENTS FOR DECEASED BENEFICIARIES As a safeguard against potential errors and fraud, state and local agencies need to be vigilant in preventing payments for medical services on behalf of ineligible individuals, such as those who are deceased. In general, the Department, local counties, and MA sites share responsibility for ensuring that only eligible beneficiaries receive public assistance benefits under Medicaid and CBHP. Local counties and MA sites caseworkers enter the required data for eligibility determination into CBMS, which either approves or denies eligibility for MA benefits. In addition, CBMS has various system interfaces to confirm and update the eligibility information in CBMS, including the date of death. Eligibility data in CBMS feeds daily into Colorado interChange and the Department pays providers through two methods: (1) FFS payments to medical service providers for specific services, including pharmacy prescriptions, and (2) capitation payments. The monthly capitation payments are paid at the beginning of each month regardless of whether the providers serve beneficiaries during the month or not. FFS payments are only made for Medicaid beneficiaries while capitation payments are made for both Medicaid and CBHP beneficiaries. Colorado interChange is programmed to pay FFS and monthly capitation payments only on behalf of beneficiaries that are deemed eligible based on eligibility information received from CBMS and requirements specified in federal and state regulations. CBMS receives beneficiary death information through various sources, including updates from beneficiaries? family members, daily interfaces with the SSA, and a monthly interface with the Colorado Electronic Death Registration System maintained by the Colorado Department of Public Health and Environment (CDPHE). If death information received in CBMS has not been verified, the Department will confirm the death information by sending notification letters to the deceased beneficiary. Once the death information is verified, CBMS is programmed to terminate the beneficiary?s eligibility as of the date of death. On a daily basis, CBMS then sends updated beneficiary eligibility and date of death information to Colorado interChange, which is programmed to run a daily automated process to stop payments, check for payments, and recover all FFS and capitation payments made after the beneficiary?s verified date of death. In the majority of cases, there is a delay between when the beneficiary dies and when the Department receives death information, verifies the date of death, and terminates benefits; which means that claims may be paid on behalf of deceased beneficiaries for a period of time. Per federal regulations, the Department is required to recover any payments made on behalf of these beneficiaries after their date of death. Once the Department receives verified death information, overpayments are recovered through an automated process in Colorado interChange. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over Medicaid and CBHP payments related to beneficiaries who die while receiving benefits, to determine whether the Department complied with applicable federal and state requirements, and whether payments were only made on behalf of eligible beneficiaries during Fiscal Year 2020. During our audit, we received a listing of all Coloradans who died during Fiscal Year 2020, including dates of death, from CDPHE staff. We also obtained a listing from the Department of all Medicaid and CBHP payments made to providers during Fiscal Year 2020. We compared the two listings using Social Security Numbers (SSN) and identified 1,059 Medicaid and CBHP IDs that had Medicaid payments totaling $429,951 made on their behalf and $194 in CBHP payments made on their behalf. In addition, we reviewed the Department?s processes, policies, and procedures for identifying, stopping, and recovering payments for deceased beneficiaries. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? Federal regulation [42 CFR 431 Subpart Q, Requirements for Estimating Improper Payments in Medicaid and CHIP] states that any payment to an ineligible beneficiary is considered an improper payment, which is any payment that should not have been made or that was made in an incorrect amount. Also, Section 25.5-4-301(2), C.R.S., requirements for Medicaid and CBHP, states that any overpayments of claims to providers are recoverable. These overpayments ?are recoverable regardless of whether the overpayment is the result of an error by the state department, a county department of human or social services, an entity acting on behalf of either department, or by the provider or any agent of the provider.?? Additionally, Section 25.5-4-301(2)(a)(II), C.R.S., states, ?If the state department makes a determination that such overpayment has been made for some other reason than a false representation by the provider?, the state department may waive the recovery or adjustment of all or part of the overpayment and accrued interest specified in this subparagraph (II) if it would be inequitable, uncollectible or administratively impracticable?.? Because medically necessary services cannot be provided after a beneficiary?s death, no medical services are allowable after a beneficiary?s death and, accordingly, payments for medical services claimed to have been provided after a beneficiary?s death are overpayments and should be recovered. Pursuant to 1903(d)(2)(C) of the Social Security Act [42 U.S.C. 1396b] requirements for Medicaid and CBHP, states have up to 1 year from the date of discovery of any overpayment to recover or attempt to recover the overpayment before the federal share must be refunded to CMS, regardless of whether or not recovery is made from the provider. According to federal regulation [45 CFR 75.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. Green Book, Paragraph 16.01, states that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. A questioned cost, as defined in Uniform Guidance [45 CFR 75.2], is ?a cost that is questioned by the auditor ? (1) Which resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds; [or] (2) Where the costs, at the time of the audit, are not supported by adequate documentation?.? Additionally, federal regulation [45 CFR 75.516] defines known questioned costs as questioned costs that are specifically identified by the auditor and likely questioned costs as the auditor?s best estimate of total questioned costs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We found that the Department made Medicaid and CBHP payments to providers for medical services claimed to have been rendered to Medicaid and CBHP beneficiaries after the months in which beneficiaries died. Specifically, the Department made payments on behalf of 1,059 beneficiaries after their date of death provided by CDPHE, resulting in overpayments of $185,265, of which $96,952 were paid with federal grant funds, as follows: MEDICAID FFS PAYMENTS. We identified 277 Medicaid beneficiaries whose SSN matched a death record from CDPHE and who had Medicaid FFS payments totaling $207,667 paid on their behalf to providers after their date of death. We reviewed payments for 21 of the 277 Medicaid beneficiaries and confirmed with the Department that 17 of the 21 beneficiaries (81 percent) were deceased and had payments made on their behalf after their date of death during Fiscal Year 2020. We also found that the Department had not recovered these improper FFS payments to ineligible beneficiaries as of the end of Fiscal Year 2020 and, therefore, these errors resulted in known questioned costs of $17,041, of which $8,654 was paid with federal grant funds. For the remaining four Medicaid beneficiaries, the Department researched and provided evidence that the beneficiaries were not deceased. Therefore, these four beneficiaries did not result in questioned costs. The remaining 256 beneficiaries whose SSN matched a death record from CDPHE and need to be researched and verified resulted in likely questioned costs of $77,840, of which $41,422 was paid with federal grant funds. MEDICAID AND CBHP CAPITATION PAYMENTS. We identified 846 Medicaid and CBHP beneficiaries whose SSN matched a death record from CDPHE and who had capitation payments paid on their behalf to providers after their date of death that had not been recovered as of the end of Fiscal Year 2020, totaling $222,630 for Medicaid and $194 for CBHP. We informed the Department of the issues we identified and provided them with the list of 846 beneficiaries. Department staff performed additional follow-up and confirmed that Colorado interChange had received verified death records for 747 of the 846 beneficiaries and a total of $170,747 in provider payments had been made on the beneficiaries? behalf after their dates of death during Fiscal Year 2020. These payments resulted in known questioned costs of $168,224, of which $88,150 was paid with Medicaid federal grant funds and $148 was paid with CBHP federal grant funds. For 12 out of the 747 beneficiaries, the date of death reported in Colorado interChange differed from the date of death provided by CDPHE. Part of the payments to these beneficiaries resulted in likely questioned costs of $2,524, of which $1,401 was paid with Medicaid federal grant funds. For the remaining 99 of the 846 beneficiaries, the Department reported that Colorado interChange did not have death information for these beneficiaries and had not researched these further. As a result, Medicaid payments for these 99 beneficiaries are reported as likely questioned costs of $52,076, of which $28,508 was paid with federal grant funds. The following table summarizes the issues we identified. See Schedule of Findings and Questioned Costs for chart/table. WHY DID THESE PROBLEMS OCCUR? Overall, the Department lacked sufficient internal controls to ensure that medical assistance payments were not paid to deceased individuals during Fiscal Year 2020, as follows: ? LACK OF WRITTEN POLICIES AND PROCEDURES. The Department does not have written policies and procedures to monitor payments to deceased beneficiaries, to recover overpayments, and to ensure compliance with federal and state regulations related to medical assistance payments after a beneficiary?s date of death. ? SYSTEM ISSUES. We identified the following Colorado interChange system issues that caused the errors we identified: ? According to the Department, when Colorado interChange was implemented in 2017, it was programmed to only recover capitation payments in the current month and previous 2 months for Medicaid beneficiaries, and in the current month and previous 5 months for CBHP beneficiaries, after death information is received. As a result, for instances in which the Department received and verified beneficiaries? death information more than 3 months after the date of death for Medicaid and more than 6 months after the date of death for CBHP, the Department was not automatically recovering all improper capitation payments in accordance with federal and state regulations. According to the Department, in November 2020, the Department updated Colorado interChange to correct this system issue to recover all capitation payments after a beneficiary?s date of death. ? The Department lacks an effective internal control process for detecting when Colorado interChange is not recovering payments made on behalf of deceased beneficiaries. Specifically, we identified issues related to Medicaid FFS payments and followed up with the Department. Upon further review, the Department discovered a system defect that occurred from October 23, 2019, through April 23, 2020, which prevented Colorado interChange from carrying out the daily automated check and recovery process for FFS payments made on behalf of deceased beneficiaries. Due to this system defect, Colorado interChange did not recover any payments for deceased beneficiaries during this time. Although the system defect was fixed in April 2020, the Department was not aware of the issue and that payments were not being recovered for deceased beneficiaries until the Department researched the beneficiaries identified through the audit. According to the Department staff, as of May 2021, the Department was still researching the deceased beneficiaries impacted by the system defect and recovering payments. WHY DO THESE PROBLEMS MATTER? Without strong internal controls over Medicaid and CBHP eligibility, the Department increases the risk of improper payments due to fraud or error. Furthermore, making payments on behalf of ineligible individuals, including individuals who are deceased, can result in the Department having to repay the federal government for the federal portion of the overpayments. Additionally, the federal government can disallow federal funds for program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-035 The Department of Health Care Policy and Financing should improve its internal controls over Medicaid and Children?s Basic Health Plan (CBHP) payments for deceased beneficiaries by: A Establishing and implementing written policies and procedures to monitor payments to deceased beneficiaries, recover any overpayments, and to ensure compliance with state and federal regulations. B Researching and resolving the Colorado interChange system (Colorado interChange) issues to ensure that all Medicaid and CBHP payments are stopped and recovered after a beneficiary?s date of death and developing a process to detect when Colorado interChange is not recovering payments on behalf of deceased beneficiaries. C Researching and recovering any overpayments made to providers on behalf of ineligible beneficiaries noted through the audit in accordance with state requirements. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will create written procedures documenting system and monitoring processes used to prevent claims from paying after a beneficiary?s date-of-death is verified. In addition, the procedures will document the processes used to recover payments made between a beneficiary?s verified date-of-death and the date the Colorado interChange system is updated with the date-of-death. B AGREE. IMPLEMENTATION DATE: JULY 2022. The system issues described in this audit were resolved as of April 2020 for fee-for-service claims and November 2020 for capitation payments. Once a beneficiary's date-of-death is verified, payments that were made after to the date-of-death will be recovered through the Department's existing processes. As noted in the Department?s response to Recommendation (A), the Department will create written procedures documenting system and monitoring processes used to prevent claims from paying after a beneficiary?s date-of-death is verified. In addition, the procedures will document the processes used to recover payments made between a beneficiary?s verified date-of-death and the date the Colorado interChange system is updated with the date-of-death. AUDITOR?S ADDENDUM As noted in the finding, the Colorado interChange system defect did not recover payments from October 23, 2019, through April 23, 2020. However, the Department was not aware of the system defect until it researched the beneficiaries identified through the audit. According to Department staff, as of May 2021, the Department was still researching the beneficiaries that were impacted by the system defect and recovering payments. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will recover any overpayments made to providers on behalf of deceased beneficiaries once a beneficiary's date-of-death is verified based on our current processes and existing system functionality. The Department does not agree to the questioned costs identified by the auditors. When performing a review of the auditor?s data, several beneficiaries were found not to be deceased by the Department. The records provided by the auditors, like all records received from Colorado Department of Public Health and Environment (CDPHE) and the Social Security Administration (SSA), will go through the Department?s existing verification process. The Department performs the required research and outreach to beneficiaries to verify the date-of-death prior to updating the information in the Colorado interChange. In addition, the Department is not required to recover payments by the end of the state fiscal year, and reports any payments recovered to the Centers for Medicare and Medicaid Service (CMS) based on federal requirements. The Department?s source of beneficiary data, the verification processes, and recovery processes have already been established to satisfy this recommendation within federal guidelines. AUDITOR?S ADDENDUM As noted in the finding, all known questioned were for deceased beneficiaries that were verified by the Department. All likely questioned costs were for beneficiaries that had yet to be researched and verified by the Department. According to Department staff, as of May 2021, the Department was still researching and recovering payments made on behalf of deceased beneficiaries.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-056 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-044 PROVIDER ELIGIBILITY Medicaid and CBHP cover a variety of medical and related services, which are provided by provider types such as clinics and hospitals, managed care organizations such as health plans or independent physicians, as well as individual medical providers working within these entities or individually. As of June 30, 2019, the Department had enrolled approximately 71,000 entities and individuals for providing services under Medicaid and CBHP. The Department is ultimately responsible for determining if providers are eligible to participate in Medicaid and CBHP. However, the Department has contracted with a fiscal agent, currently DXC Technology Services, LLC (DXC), to act on its behalf in determining Medicaid and CBHP provider eligibility. A fiscal agent is a contractor that performs certain provider enrollment and claims processing activities, including accepting, processing, evaluating, and approving or rejecting applications. The fiscal agent also assesses the providers into one of three risk categories?limited, moderate, and high?to ensure that appropriate federal and state regulations are applied during the provider enrollment process. Providers that want to enroll must complete an application within Colorado interChange and provide documentation, including a current business and/or medical license, showing that they fulfill all enrollment requirements. Once the enrollment process is complete, the Department enters into agreements with the providers that are found to be eligible. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over Medicaid and CBHP provider eligibility and enrollment processing, and to determine whether the Department complied with federal Medicaid and CBHP provider eligibility requirements during Fiscal Year 2019. Additionally, the purpose of our work was to determine the Department?s progress in implementing our Fiscal Year 2017 and 2018 recommendations related to provider eligibility and enrollment. At that time, we recommended that the Department improve its controls over Medicaid and CBHP provider eligibility determination and enrollment to ensure that it complies with federal and state requirements related to data verification, documentation including current provider licenses, monitoring policies and procedures, appropriate indication of results of database matches, and consistent display of provider information within Colorado interChange. The Department agreed with our recommendations and stated that it would implement them by Fiscal Year 2019. We reviewed a sample of 25 Medicaid provider applications for individual, company, and managed care providers that were deemed eligible and received payments during Fiscal Year 2019 through Colorado interChange for services provided. We obtained and reviewed the provider application information entered into Colorado interChange, as well as the supporting documentation uploaded into Colorado interChange by providers, to determine whether these providers were accurately deemed eligible to receive Medicaid payments and whether the required documents were present in accordance with federal and state regulations. In addition, we conducted interviews with Department staff regarding its procedures over Medicaid provider eligibility and enrollment. We also obtained a detailed Suspension Listing from the Department of Regulatory Agencies, which contained health care provider business and medical licenses that were terminated during Fiscal Year 2019. We compared the Suspension Listing with provider information in Colorado interChange to determine if the Department made inappropriate claims payments to unlicensed providers during the fiscal year. Because CBHP is operated through Medicaid, and the processes followed for provider eligibility and enrollment for CBHP providers are the same as the processes for Medicaid providers, our testing looked at compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal and state Medicaid regulations for provider eligibility during Fiscal Year 2019. Specifically, although we did not identify enrollment issues with the Department?s processing of providers who were newly enrolled during Fiscal Year 2019, we found at least one issue related to ongoing eligibility with all 25 sampled providers we tested: ? DATABASE MATCHES AND DISPLAY OF PROVIDER INFORMATION. We identified the following database match functionality issues with 24 of 25 providers (96 percent) tested: ? For 23 of 25 providers (92 percent) that included individual, company, and managed care providers, Colorado interChange showed that the provider?s owners, agents, and managing employees? SSNs were not verified against federal databases, as required. Specifically, the SSN check box within Colorado interChange indicated ?N,? meaning ?No verification was performed with the database.? Additionally, for one of 25 providers (4 percent) that was a managed care organization, the organization was enrolled in Colorado interChange in April 2019 and showed that the SSNs had been verified, but SSNs for two individuals who worked under this provider that were listed on the application were shown as ?N? within the system. ? For eight of 25 providers (32 percent) that included companies, Colorado interChange showed that the providers? Federal Employee Identification Numbers (FEIN) were not verified against federal and state databases, as required. Specifically, the FEIN check box within Colorado interChange indicated ?N.? ? For 13 of 25 providers (52 percent), Colorado interChange did not present the data of owners, agents, and managing employees information consistently between various screens within Colorado interChange. For example, when a provider noted owners, agents, or managing employees on its application, that information was not reflected in Colorado interChange outside of the application screen even though there is a section in Colorado interChange that should list the owners? information. According to federal regulation [42 CFR 455.436] and requirements established by the ACA [Patient Protection and Affordable Care Act (2010), Section 6401(a)], the Department must check federal databases to confirm providers? identity and determine whether providers are excluded from participating in the Medicaid program; this verification must also occur, if applicable, against providers? owners, agents, and managing employees. For example, the Department must check the federal exclusion databases at least monthly to ensure that the providers, owners, agents, and managing employees are not excluded from participating in the Medicaid program. Colorado interChange is designed to display provider application information consistently between various screens within the system, such as name, SSN, FEIN, and/or National Provider Identification number (NPI), with various federal and/or state databases to identify potential errors and to flag the application for a required caseworker manual review. According to Department staff, when Colorado interChange successfully verifies provider-provided information against another state or federal database, Colorado interChange should separately mark each verified data field on the application to note the successful match. Conversely, if Colorado interChange does not match a given field against a database, it should also be identified in the system. As a result of these issues, we were unable to determine if Colorado interChange performed the required matches and if any discrepancies in provided information were identified and presented to DXC, the fiscal agent, for a manual review to verify eligibility, as required. ? DOCUMENTATION. The Department did not maintain sufficient documentation within Colorado interChange for the receipt date of the fingerprints from the provider, the collection of application fees, and site visits, as follows: ? For four of 25 providers (16 percent) tested, the Department?s fiscal agent failed to fill in the receipt date field within Colorado interChange to indicate when fingerprints were received from enrolling providers. After bringing this issue to the Department?s attention, the Department provided fingerprinting documentation in November 2019 to support that these providers submitted fingerprints within 30 days of Department request in accordance with federal regulation; however, that receipt date information had not been documented in Colorado interChange as of November 2019. ? For one of 25 providers (4 percent) tested, the provider was assessed as high risk but the provider?s file did not contain evidence that an application fee was collected or that the fiscal agent conducted a site visit, as required. Under federal requirements [Sub Regulatory Guidance for State Medicaid Agencies (SMA): Revalidation (2016-001(3))], the Department ?must be able to produce documentation to support each of the provider screening and enrollment requirements,? such as requirements for fiscal agent-conducted site visits of moderate and high risk providers during the enrollment and revalidation process. Federal regulation [42 CFR 455.432] states that the State Medicaid Agency or their fiscal agent must conduct pre- and post-enrollment site visits of providers who are deemed as moderate or high risk to the Medicaid program. The purpose of the site visits is to verify that the information submitted to the state Medicaid agency is accurate and to determine compliance with federal and state enrollment requirements. Additionally, the Department?s contract with DXC requires the fiscal agent to maintain detailed documentation and procedures for Medicaid provider enrollment. Federal regulation [42 CFR 455.434] requires that, for any provider assessed by the Department as high risk, the Department must obtain fingerprints from the provider, including fingerprints for any person(s) who has a 5 percent or more direct or indirect ownership interest in the provider and furnishes medical or pharmaceutical services or supplies. The provider must submit the fingerprints within 30 days, upon request by the Department. Federal regulation [42 CFR 455.460(a)] states that the Department must collect the applicable application fee prior to executing a provider agreement from a prospective or re-enrolling provider, with certain limited exceptions. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal control over its federal awards that provides reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Green Book Paragraph 16.01, Perform Monitoring Activities, which states that the Department ?should establish and operate monitoring activities to monitor [its] internal control system and evaluate the results.? Monitoring activities include reviewing reports, observing operations, and ensuring that activities are carried out in accordance with the federal grant agreement. ? INELIGIBLE PROVIDERS: Based on our review of the suspended license listing from the Department of Regulatory Agencies, we identified three providers that had their licenses suspended during part of Fiscal Year 2019 but continued to be shown as active in Colorado interChange, as follows: ? One provider had its license suspended between February 11, 2019, and March 27, 2019; however, during this timeframe, the provider continued to bill claims and receive payments from Colorado interChange. After we questioned the Department about the issue, the Department issued a demand for payment letter dated October 18, 2019, to the provider for $15,061 in payments that were inappropriately paid. We consider these $15,061 payments to be known questioned costs; $7,531 of these payments were made with federal grant funds. ? Two providers had suspended licenses as of September 21, 2018, and February 25, 2019, respectively, but showed as active in Colorado interChange through June 30, 2019, and therefore appeared eligible to bill claims and receive payments. Based on additional testing, we determined that no payments were made to these providers after their licenses were suspended and did not identify any questioned costs associated with these two providers. Federal regulation [42 CFR 455.412] requires that the Department must have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State and confirm that the provider?s license has not expired and that there are no current limitations on the provider?s license. This federal regulation requires the Department to verify that the providers meet required licensure standards initially, and it is best practice for the Department to verify that the providers meet these standards on an ongoing basis to ensure that there are no current limitations on the provider?s license. In addition, state regulation [10 CCR 2505-10 8.125.9, Verification of Provider Licenses] states, ?If a provider is required to possess a license or certification in order to provide services or supplies in the State of Colorado, then that provider must be so licensed as a condition of enrollment as a Medicaid provider. As a condition of enrollment, any required licenses must be active without any current limitations.? Under the federal regulation, Requirements for Estimating Improper Payments in Medicaid and CHIP [42 CFR 431.958], ?Improper payment means any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements; and payment means any payment to a provider, insurer, or managed care organization for a Medicaid or CHIP beneficiary?? WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls in place over provider eligibility and claims payment processes related to the monitoring of DXC, its fiscal agent, during Fiscal Year 2019 to ensure that it complied with federal and state regulations. Specifically, Colorado interChange required fixes that were in various stages of correction during Fiscal Year 2019. According to the Department, Colorado interChange required a system fix in December 2018 in order to properly mark and/or display results related to federal and state database checks going forward; however, the system fix did not completely resolve the display issues to accurately indicate whether the data matches had occurred, and the Department did not retroactively make corrections to any cases that erroneously indicated that their information had not been verified. Rather, the Department stated that the inconsistent display issue related to providers that enrolled in the program when Colorado interChange was initially implemented and that this will be addressed after these providers are revalidated in Fiscal Year 2020 or when a provider updates their information, whichever occurs first. Additionally, the Department indicated that Colorado interChange did not have an automated system alert to check with the Department of Regulatory Agencies? license database on a regular basis to notify the fiscal agent and/or the Department that a license had expired. Although the Department reported that they had an interim manual process to ensure that expired licenses were identified and that subsequent steps were taken to ensure that providers remained eligible throughout the fiscal year to provide Medicaid services, the manual process did not identify and/or address the instances that we identified through our audit. Finally, we noted that the Department lacked an effective monitoring process over DXC, its fiscal agent, to ensure that the required documentation was maintained in accordance with Uniform Guidance, as the monitoring policies and procedures referred to as Provider Enrollment Audit Process were still in the draft stage during Fiscal Year 2019 and had not been formalized. WHY DO THESE PROBLEMS MATTER? By not ensuring that appropriate internal controls, including system controls and monitoring, are in place over the Medicaid provider eligibility and enrollment processes, the Department cannot ensure that all Medicaid providers are eligible or qualified to participate in the program. Additionally, without instituting a process to regularly update provider licensure information and to ensure that provider information contained in Colorado interChange is consistent and accurate, the Department cannot ensure that the enrolled providers are appropriately screened and are eligible to receive payments. Ensuring that providers contained in Colorado interChange are qualified to provide services is especially important because Colorado interChange is also used for provider eligibility determination for CBHP. Overall, the State could risk losing federal Medicaid and CBHP funding if it allows non-qualified providers to bill and be paid for services provided for these programs. RECOMMENDATION 2019-046 The Department of Health Care Policy and Financing (Department) should improve its controls over Medicaid and Children?s Basic Health Plan (CBHP) program provider eligibility determination and enrollment to ensure that it complies with federal and state requirements by: A Working with its fiscal agent to ensure that Colorado interChange performs all required database matches and properly displays results of Social Security Number and Federal Employer Identification Number verifications for all providers. B Establishing an effective process to ensure that provider licensing information contained in Colorado interChange is current, that any expired licenses are identified, and that any ineligible providers are disallowed from providing Medicaid and CBHP services and receiving payments in accordance with Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). C Formalizing the Department?s monitoring policies and procedures called Provider Enrollment Audit Process over the fiscal agent to ensure required documentation is maintained in accordance with Uniform Guidance. D Ensuring that Colorado interChange displays provider information consistently throughout the system. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department is working with its Fiscal Agent to ensure all required database screenings are performed and clearly identified in the Colorado interChange. An issue was identified in a prior year, FY 2018-19, that not all screening information was consistent. There was also a concern that initial screenings might miss some individuals due to the way data was formatted when transferred from LexisNexis. The issue was resolved by the Fiscal Agent prior to FY 2019-20. The Fiscal Agent is continuing to conduct manual reviews of all screening results to ensure compliance. A separate process to screen providers monthly is executed by the Department's Program Integrity Section. Through this process, no providers were found to have been enrolled incorrectly and, as necessary, the Department took appropriate action if there were changes to a provider's information. The Department is working with its Fiscal Agent to properly display results of Social Security Number and Federal Employer Identification Number verifications for all providers and automate the review process. The Department's implementation date reflects that the Department will complete the improvements and be in compliance with the Recommendation for the entirety of FY 2022-23. B DISAGREE. The Department finds that the Colorado interChange is working as designed, that the Fiscal Agent is appropriately enrolling providers, and that the Department is in compliance with the federal regulations regarding enrolling and revalidating providers. The Department is compliant with 42 CFR ? 455.436, which requires providers to be screened at enrollment and revalidation. All providers are assessed for eligibility requirements at enrollment and revalidation and are then screened monthly to identify any changes. For the licensing issue identified in this audit report, the Department performed the appropriate actions to recover funds within less than a month of the incident, which is compliant with federal regulation 42 CFR ? 455.436(c)(2). AUDITOR?S ADDENDUM: As noted in the finding, we found issues with the Department?s ongoing verification and monitoring of providers? eligibility that failed to prevent improper payments to an ineligible provider during the fiscal year. In addition, the Department did not send notification to recover funds from the provider until October 2019, or 8 months after the provider?s license was suspended. C AGREE. IMPLEMENTATION DATE: JULY 2020. The Department finalized the Fiscal Agent monitoring policies and procedures in December 2019 and therefore was unable to be in full compliance for the entire FY 2019-20. The Department's implementation date reflects that the Department will be in compliance with the Recommendation for the entirety of FY 2020-21. D DISAGREE. There was an initial system configuration on some early enrollments that prevented populating the requested information in the visible provider subsystem tabs for the auditor to review. The verification functionality happens within the provider portal and not in the visible provider subsystem tabs that the auditor reviews. However, no functionality or data was lost, the information only appeared and was stored in the provider portal. The Department implemented a solution so that the information will be displayed in the provider subsystem. This change is pending the next update the providers make and the data will be visible in the provider subsystem. The Department will not be making historical changes to the system. The Department has worked with the Fiscal Agent to resolve the issues which led to the finding and does not believe that expending additional resources to display historical information in both the provider portal and the provider subsystem is the best use of resources. The Department can produce the information manually. AUDITOR?S ADDENDUM: The data inconsistency issues we identified through our audit were based on our reviews of Colorado interChange through the access provided to us by the Department. As noted in the finding, inconsistent information within the provider eligibility screens used for Medicaid and CBHP increases the risk of inaccurate reviews of provider eligibility and ultimately, inappropriate enrollment screening. Therefore, as our recommendation states, the Department should ensure that Colorado interChange displays provider information consistently. The recommendation did not include restatement of historical information.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-050 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-037 RECOVERING AND REFUNDING OF FEDERAL SHARE OF MEDICAID AND CBHP PROVIDERS? OVERPAYMENTS The Department pays providers for services rendered to eligible beneficiaries of Medicaid and CBHP programs. In some cases, the Department may discover that it paid a provider for unallowed services, or that it paid more than the allowable amount, and will need to seek a recovery for the overpayment. In such cases, the Department is required to repay CMS for the portion of the overpayment that was funded by the federal government (federal share) within 1 year of the date the overpayment was identified. The Department?s Program Integrity (PI) Division identifies, receives, and tracks overpayments made to Medicaid and CBHP providers. An overpayment is identified once the PI Division sends a Demand Letter (date of discovery) to the provider or receives a self-disclosure identifying the amount of overpayment. The provider has a deadline of 30 days after receiving a Demand Letter or 60 days after submitting a self-disclosure to submit the overpayment or make arrangements for a payment plan with the PI Division. The PI Division uses a recovery tracking spreadsheet (Spreadsheet) to compile all necessary information for the recovery and refund of overpayments. The Spreadsheet is designed to contain information such as the amount of the overpayment, date of discovery, and deadlines for refunding to CMS. The federal share of overpayments that must be refunded to CMS depends upon the Federal Medical Assistance Percentage (FMAP) at which the Department was reimbursed. Once the PI Division recovers an overpayment from the provider, it determines the FMAP and includes it in a recovery form called the Colorado Authorization Document; PI Division staff then send it to the Controller?s Division for recording the recovery and refund information in the Colorado Operations Resource Engine (CORE), the State?s accounting system. The Department?s Controller?s Division uses summary data from CORE to report financial information for Medicaid and CBHP?including all overpayments and the associated federal share?to CMS in quarterly reports: Form CMS-64 for Medicaid and Form CMS-21 for CBHP. The Department has up to 1 year from the date of discovery of an overpayment to report the refund to CMS in one of these forms, as appropriate. The PI Division works with the Controller?s Division to ensure the timely reporting and refunding of the federal share of overpayments to CMS. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to review the Department?s internal controls over processes for recovering, reporting, and refunding the federal share of Medicaid and CBHP overpayments, as well as to determine whether the Department complied with applicable federal requirements and Department policies and procedures during Fiscal Year 2020. During our audit, we reviewed the Department?s Spreadsheet detailing all overpayment cases that appeared to be due for a refund of federal share to CMS during Fiscal Year 2020. The Spreadsheet included 50 Medicaid and seven CBHP overpayment cases, and from these, we selected and tested a sample of 13 Medicaid and five CBHP overpayments. We requested and reviewed supporting documentation for these overpayments to determine whether (1) the information recorded in the Spreadsheet was accurate, (2) the overpayment was recovered in a timely manner or recovery was attempted within 1 year from the date of discovery, and (3) the federal share was appropriately refunded through quarterly reports to CMS in accordance with federal regulations. Additionally, we requested the Department?s policies and procedures to ensure compliance with federal regulations governing the recovery, reporting, and refunding of Medicaid and CBHP overpayments to CMS. The process followed for recovery, reporting, and refunding the federal share of overpayments to providers is the same for both Medicaid and CBHP, and our testing was used to determine compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal regulations for recovering, reporting, and refunding the federal share of Medicaid and CBHP overpayments to providers during Fiscal Year 2020. We noted issues with the untimely recovery and refund of overpayments to CMS, inaccurate federal reporting to CMS, and untimely follow-up with the provider on outstanding overpayments and expired checks. Specifically, we identified the following: ? UNTIMELY RECOVERY AND REFUND. For six of the 13 Medicaid (46 percent) and two of five CBHP (40 percent) overpayments tested, the Department failed to recover, or seek to recover, the overpayments from the provider and failed to refund to CMS, the federal share, within 1 year of the date of discovery, as required by federal regulations. For example, an overpayment was identified on September 13, 2018, but the Department did not recover, or seek to recover, the overpayment until September 15, 2020, and did not refund the federal share to CMS until federal quarter ending September 30, 2020, which is 367 days past the 1 year recovery and refund period in accordance with the federal requirement. In addition, for one of the 13 Medicaid (8 percent) and one of five CBHP (20 percent) overpayments tested, the Department failed to refund the federal share of overpayment to CMS within 1 year of the date of discovery. As a result of untimely follow-up with the providers, the Department did not recover the overpayments amounting to $23,646 in known questioned costs; and did not refund $12,176 within the 1 year period of discovery. These errors resulted in underreporting of overpayments to CMS for Fiscal Year 2020. Additionally, the Department could be liable to CMS for the interest payments on these untimely refunds of overpayments. As of the end of our audit, the Department had not provided an estimated amount of interest that will be due to CMS so we were unable to report an estimated questioned costs amount for the interest. According to federal regulation [42 CFR 433.312(a)(1) and (2)], the Department has 1 year from the date of discovery of an overpayment to a provider to recover or seek to recover the overpayment before the Federal share must be refunded to CMS. In addition, the Department must refund the Federal share of overpayments at the end of the 1-year period following the date discovery of overpayment, whether or not the State has recovered the overpayment from the provider. According to federal regulation [42 CFR 433.320(a)(4)], if the Department does not refund the Federal share of such overpayment as indicated in the previous paragraph (a)(2), the State will be liable for interest on the amount equal to the Federal share of the non-recovered, non-refunded overpayment amount. Interest during this period will be at the Current Value of Funds Rate, and will accrue beginning on the day after the end of the 1-year period following discovery until the last day of the quarter for which the State submits a CMS-64 report refunding the Federal share of the overpayment. ? INACCURATE FEDERAL REPORTING. For all 13 Medicaid (100 percent) and all five CBHP (100 percent) overpayments we tested, the Controller?s Division reported the federal share of the overpayments made to providers on the wrong line of the CMS quarterly reports rather than on the line specified and required by Uniform Guidance. Uniform Guidance states that the Department must report the refund of the overpayment on CMS-64 for Medicaid on line 9C1- Fraud, Waste and Abuse and/or on CMS-21 for CBHP on line 4-Adjustments Decreasing Claims-Collections. ? EXPIRED CHECK AND UNTIMELY FOLLOW-UP. For one of the 13 Medicaid overpayments tested (8 percent), the PI Division failed to timely process the overpayment recovery check received from the provider. Consequently, the check, which was received on September 5, 2019, expired and the Department did not take any actions to follow up with the provider at any time through the end of the fiscal year to obtain payment. After we brought this issue to the Department?s attention, they followed up on the outstanding payment in January 2021, which is more than 16 months since the check expired. According to the Department?s Policies and Procedures, Recovery Officer Check Processing, Section (V)(A), the PI Division within Audits and Compliance has to process the received check in a timely manner and provide a copy to the accounting or Controller Division. ? INCOMPLETE TRACKING SPREADSHEET. We found that the overpayment recovery and refund tracking Spreadsheet used by the PI Division was incomplete and missing important information such as the date of the discovery, the federal program reimbursement rate, and deadlines for refunding to CMS. Green Book, Section 4, Paragraph OV4.08, states that documentation is required for the effective design, implementation, and operating effectiveness of an entity?s internal control system. WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls, including policies and procedures, in place over the recovery, reporting, and refunding of Medicaid and CBHP overpayments during Fiscal Year 2020 to ensure compliance with federal regulations. Specifically, we noted the following causes for the identified errors: ? LACK OF TRAINING. The staff within the PI Division and the Controller?s Division lacked adequate training to document, communicate, and report details of overpayments to ensure compliance with federal regulations. Specifically, the Department?s PI Division did not timely create and provide the Colorado Authorization Document form to the Controller?s Division and the Controller?s Division did not report the refund of the overpayments within 1 year of the date of discovery to ensure compliance with federal regulations. Additionally, staff lacked training to properly track and report overpayments for Medicaid and CBHP; timely process recovery and refund of overpayments, processing checks timely, and correctly report overpayments on CMS quarterly reports. ? LACK OF POLICIES AND PROCEDURES. The Department lacked written policies and procedures to ensure that all necessary information such as the date of the discovery, the federal program reimbursement rate, and deadlines for refunding to CMS required to track, recover, report, and refund overpayments were documented within the Spreadsheet. ? LACK OF ACCOUNT CODES. According to the Controller Division staff, the correct accounting codes are not set up in CORE; therefore, the recovered overpayments are currently recorded under incorrect accounting codes in CORE. This led to the reporting of overpayments on the incorrect federal reporting lines in CMS quarterly reports. ? LACK OF SUPERVISORY REVIEW. The PI Division and Controller?s Division lacked supervisory review over the Spreadsheet and CORE account codes used on the recoveries to ensure completeness and accuracy of information to support timely recovery, refund, and reporting of overpayments. WHY DO THESE PROBLEMS MATTER? Strong internal controls over refunding and recovery of Medicaid and CBHP overpayments, including written policies and procedures; adequate staff training on those policies and procedures, and any related processes; a proper tracking mechanism; and a supervisory review process are necessary to ensure that Department is in compliance with federal and state regulations. Without a proper tracking mechanism for overpayments, the Department risks failing to timely recover state funds paid improperly, refund overpayments, and accurately report overpayment information to the federal government, potentially resulting in additional liability of interest on overpayments to the federal government. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-037 The Department of Health Care Policy and Financing (Department) should improve its internal controls over Medicaid and Children?s Basic Health Plan (CBHP) overpayments and comply with the related payment and reporting requirements by: A Providing adequate training to staff to ensure timely documentation and communication of recovery information between the Program Integrity Division and the Controller Division related to reporting and refunding of overpayments within 1 year of the date of discovery in accordance with federal regulation. Additionally, the training should focus on proper tracking and reporting of overpayments for Medicaid and CBHP, timely processing of recovery of overpayments, timely check processing, and correct refunding of the federal share of these overpayments on Centers for Medicare and Medicaid Services (CMS) quarterly reports. B Developing and implementing written policies and procedures to ensure that all necessary information required to correctly track Medicaid and CBHP overpayments is included on the tracking spreadsheet and recovered overpayments are refunded and reported to CMS within the 1 year of the discovery date, in accordance with federal regulations. C Creating overpayment account codes to report recovered overpayments accurately in the Colorado Operations Resource Engine (CORE) and subsequently under the correct federal reporting lines in CMS quarterly reports. D Implementing a supervisory review over the tracking spreadsheet and CORE overpayment recovery account codes to ensure completeness and accuracy of information to support timely recovery and reporting of overpayments by the divisions. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will develop and provide training to staff that covers the federal regulations surrounding reporting overpayments and returning the federal share, required information for tracking overpayments, processes for processing recovered funds in a timely manner, and processes for properly refunding the federal share on the CMS-64 and/or CMS-21. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will draft and revise existing policies and procedures to ensure proper tracking of recovered overpayments, timely processing of those payments, and correct reporting on the CMS-64 and/or CMS-21. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will implement procedures and coding sufficient to allow proper reporting of overpayments returned greater than one year from the date of discovery for the CMS quarterly reports. D AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will develop and revise supervisory review processes for ensuring that the tracking spreadsheet is complete and accurate and that the CORE account codes are correctly reported.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2020-051 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-038 PRESUMPTIVE ELIGIBILITY Colorado?s presumptive eligibility program is designed to give immediate, temporary medical coverage to children under 19 and pregnant women while they wait for a regular Medicaid or CBHP eligibility determination. Though there are fewer eligibility requirements for presumptive eligibility in comparison with regular Medicaid or CBHP coverage, beneficiaries must submit a Medical Assistance application (Application) and meet certain criteria to be eligible. To manage the application process and help ensure that only people meeting the basic eligibility criteria are enrolled in presumptive eligibility programs for children and pregnant women, the Department partners with clinics, health care centers, and community resource centers that are certified as presumptive eligibility sites (PE sites). Such PE sites must be re-certified by the Department every 2 years to maintain their active status as qualified PE sites in order to process presumptive eligibility. As part of the re-certification process, the Department conducts a sample of eligibility case reviews. During Fiscal Year 2020, there were 57 PE sites that together determined presumptive eligibility for 1,795 Medicaid cases and 875 CBHP cases. The process of enrolling an applicant into a presumptive eligibility program begins when a caseworker at a PE site collects minimum information needed to determine presumptive eligibility, including the applicant?s name, age, residency, citizenship, and income. The caseworker enters this information into CBMS, which determines whether the applicant is eligible to receive Medicaid or CBHP temporary benefits. If the applicant is deemed presumptively eligible, then CBMS feeds relevant data to Colorado interChange, which issues payments to CBHP and Medicaid providers on behalf of these beneficiaries. If the applicant?s reported information is not in compliance with state and federal requirements, CBMS is programmed to deny the eligibility and mark the applicant?s eligibility as fail within CBMS. As a result, the applicant would not be eligible to receive any payments on their behalf through Colorado interChange. Once an applicant?s presumptive eligibility has been determined, the PE site submits the Application along with a transmittal form detailing the beneficiary?s reported information to the appropriate local county or designated MA site, which then completes the application process to determine regular (i.e., not presumptive) eligibility for Medicaid or CBHP benefits. Once the applicant is enrolled in the regular Medicaid or CBHP program, the individual?s presumptive eligibility benefits should end. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to review the Department?s internal controls over the processing of presumptive eligibility for Medicaid and CBHP programs, as well as to determine whether the Department complied with the applicable federal and state requirements for Fiscal Year 2020. During our internal controls testing, we reviewed all 57 PE sites to determine whether they were due for re-certification and were appropriately re-certified to process presumptive eligibility by the Department during the fiscal year. Out of 57 PE sites, 39 were due for re-certification during Fiscal Year 2020. We also reviewed the Department?s case reviews of the presumptive eligibility determinations processed by 13 staff at five out of the 39 PE sites due for re-certification during Fiscal Year 2020 to determine whether reviews were performed and if the appropriate training was provided for those PE sites? staff that failed the Department?s review. The PE site?s staff fails the Department?s case reviews if the Department identifies a high amount of presumptive eligibility determination errors in accordance with federal and state requirements. If the PE site?s staff fails the review, the Department requires the staff to undergo customized Department training over the areas they failed within 6 months of the review. We also made inquiries with Department staff regarding their policies and procedures over monitoring of these PE sites and reviewed the Department?s process of case file reviews. In addition, we randomly selected a sample of 20 Medicaid and 20 CBHP cases for individuals who were deemed presumptively eligible by the Department during Fiscal Year 2020 to determine whether the Department complied with federal Medicaid and CBHP presumptive eligibility requirements. Our testing included reviewing the related supporting case file documentation, as well as the CBMS data fields related to presumptive eligibility determinations and payment information in Colorado interChange. The process followed for presumptive eligibility determination is the same for both Medicaid and CBHP, and therefore our testing was used to determine compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal and state regulations regarding Medicaid and CBHP presumptive eligibility requirements during Fiscal Year 2020. We noted issues regarding the Department?s timeliness of PE sites? re-certifications, failure to timely end beneficiaries? presumptive eligibility, a lack of review of PE sites, and missing documentation. Additionally, we found CBMS system issues related to the determination of applicant?s presumptive eligibility. Specifically, we identified the following: ? UNTIMELY END OF PRESUMPTIVE ELIGIBILITY. In eight out of 20 Medicaid (40 percent) and seven out of 20 CBHP (35 percent) cases, we found that the Department did not properly end presumptive eligibility within CBMS as required by the federal regulation. For example, in one CBHP case, the beneficiary?s presumptive eligibility did not end until 57 days after the beneficiary was determined to be eligible for regular CBHP benefits. Federal regulation [42 CFR 435.1101)] states that presumptive eligibility should end the day on which a decision is made on the application for Medical Assistance or the last day of the month following the month in which the determination of presumptive eligibility was made. ? LAPSED CERTIFICATIONS OF PE SITES. We found that five of the 57 PE sites (9 percent) were not re-certified within 2 years, as required, during Fiscal Year 2020, and therefore, were not qualified to make presumptive eligibility determinations after their re-certification due date had passed. Based on inquiry with the Department, these five PE sites processed a total of 314 presumptive eligibility determinations for Medicaid and CBHP after their re-certification due date during Fiscal Year 2020. The Department was unable to provide the total payments made on behalf of these beneficiaries during the presumptive eligibility period as of June 30, 2020, since these payments are not separately identified from regular Medicaid or CBHP payments in the system. As a result, we were unable to determine the amount of questioned costs the Department paid for these individuals during Fiscal Year 2020. State regulation [10 CCR 2505-10, 8.100.4.F (3)] requires the Department to re-certify the PE sites every 2 years to remain an approved site. ? LACK OF REVIEW OF PE SITES. We found several issues with the Department?s review of PE sites. Specifically we found the following: ? For 13 out of the 39 PE sites due for re-certification and a review (33 percent), the Department did not perform any case reviews to ensure that presumptive eligibility determinations were being made appropriately and in accordance with state and federal regulations by the PE site staff during Fiscal Year 2020. ? 11 of 13 staff at three PE sites (85 percent) failed the Department?s review of presumptive eligibility determinations during the fiscal year. However, the Department was unable to provide adequate evidence that it provided training to these staff within 6 months of their failed reviews, as required by Department processes. ? Currently, for all 57 PE sites, the Department conducts reviews every 2 years, but only requires them to retain eligibility documentation for 1 year. As a result, the Department is able to monitor PE site?s eligibility determinations for only half of the period since the last review, leaving the other half unmonitored. Federal regulation (42 CFR 435.1102(b)(3)) requires the Department to ?establish oversight mechanisms to ensure that presumptive eligibility determinations are being made consistent with the statute and regulations?. According to the Department processes, staff are to review a sample of presumptive eligibility cases at PE site every 2 years when reviewing sites for re-certification. If a PE site?s staff fails a review, the Department requires the staff to undergo customized Department training within 6 months over the areas they failed. Green Book, Section 2, Paragraph OV2.02, states that the Green Book applies to all of an entity?s objectives: operations, reporting, and compliance. Additionally, Green Book, Paragraph 16.01, indicates that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports and observing operations. ? MISSING DOCUMENTATION. In five of the 20 CBHP cases (25 percent) and five of the 20 Medicaid cases (25 percent) we tested, the Department was unable to provide evidence that the PE sites notified the counties or MA sites within five business days that the applicants were presumptively eligible. Federal regulation [42 CFR 435.1102(b)(2)(iii)] states that the presumptive eligibility sites are required to notify the local county or MA site within 5 business days that the client is presumptively eligible. ? SYSTEM DISPLAY ISSUE. In two of 20 CBHP cases (10 percent) and two of 20 Medicaid cases (10 percent), CBMS did not display the presumptive eligibility termination dates consistently between various screens. For example, in a Medicaid case, one screen showed a presumptive eligibility termination date of January 22, 2020, and the other screen showed a presumptive eligibility termination date of February 29, 2020. This system display issue did not affect the beneficiaries? presumptive eligibility and therefore there were no questioned costs. CBMS is designed to display case and applicant information consistently between various screens within the system. WHY DID THESE PROBLEMS OCCUR? The Department lacked sufficient internal controls to ensure that it complied with state and federal presumptive eligibility requirements during Fiscal Year 2020. Specifically, we noted the following causes for the errors we identified: ? LACK OF POLICIES AND PROCEDURES. The Department did not have written policies and procedures detailing the requirements for completion of site reviews, maintenance of supporting documentation, and the performance of timely re-certification of PE sites. ? LACK OF MONITORING. The Department lacked an effective tracking mechanism to monitor and identify PE sites that were due for re-certification every 2 years and to ensure presumptive eligibility determinations were in compliance with state and federal regulations. ? CBMS SYSTEM ISSUES. CBMS was not programmed to appropriately terminate presumptive eligibility when the beneficiary is enrolled in the regular Medicaid or CBHP program. In addition, CBMS has a system display issue that results in inconsistent applicant information being shown on various screens. WHY DO THESE PROBLEMS MATTER? As the State?s Medical Assistance agency, it is essential for the Department to ensure that PE sites? eligibility determinations are made appropriately and in accordance with state and federal regulations. This includes ensuring benefits are paid only on behalf of eligible beneficiaries. Since CBMS determines eligibility for Medicaid and CBHP, the CBMS system issues we identified could result in erroneous eligibility determinations. The federal government can disallow federal funds for program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. By not ensuring that appropriate internal controls, including system controls, written policies and procedures, adequate reviews, and monitoring, are in place over the Medicaid and CBHP presumptive eligibility process, the Department cannot ensure that all Medicaid and CBHP beneficiaries are eligible to participate in the programs. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-038 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls over presumptive eligibility by: A Developing and implementing written policies and procedures detailing the requirements for completion of site reviews, maintenance of supporting documentation, timely training for failed presumptive eligibility (PE) site staff, and performance of timely re-certification of PE sites. B Developing an effective tracking mechanism to identify and monitor PE sites that are due for re-certification every 2 years and ensuring the re-certifications are performed. C Resolving Colorado Benefits Management Systems (CBMS) programming and system issues to appropriately terminate applicants? presumptive eligibility when the beneficiaries are enrolled in regular Medicaid or Children?s Basic Health Plan program and ensuring CBMS displays consistent applicant information between various screens. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department agrees with the audit recommendation to develop and implement formal written policies and procedures. Prior to this audit, the Department began creating formal written policies and procedures for site case reviews, maintenance of supporting documentation, timely training for failed workers, and performance of timely re-certification of presumptive eligibility sites (PE site). This finding had no known questionable cost associated with it. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Department agrees with the audit recommendation to develop an effective tracking mechanism to identify and monitor PE sites that are due for re-certification every two years and ensuring that the re-certifications are performed. Prior to this audit, the Department began developing a tracking mechanism for PE site re-certifications. This finding had no known questionable cost associated with it. C AGREE. IMPLEMENTATION DATE: IMPLEMENTED. Implemented as of April 2021. The Department has thoroughly researched the eligibility issues identified in this audit and made the changes to CBMS to ensure that applicants? presumptive eligibility has been appropriately terminated when the beneficiaries are enrolled in regular Medicaid or CBHP program, and that CBMS displays consistent applicant information between various screens. These issues were fixed through two system changes implemented in March 2020 and April 2021. This finding had no known questionable cost associated with it. AUDITOR?S ADDENDUM for Parts A, B, and C As noted in the finding, we found five PE Sites that were not re-certified within the required 2 years and therefore, were not qualified to make presumptive eligibility determinations after their re-certification due date had passed. State regulation [10 CCR 2505-10, 8.100.4.F] requires the Department to re-certify the presumptive eligibility sites every 2 years to remain an approved site. The five PE sites processed a total of 314 presumptive eligibility determinations after their re-certification due date and before the Department re-certified the sites. The Department was unable to provide the total payments made on behalf of these 314 beneficiaries? prior to being enrolled in the regular Medicaid or CBHP program as of June 30, 2020. Therefore, we were unable to determine the amount of questioned costs the Department paid for these individuals during Fiscal Year 2020.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2020-052 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-039 PROVIDER ELIGIBILITY The providers of medical and related services covered under Medicaid and CBHP programs fall into a wide array of provider types that include clinics, hospitals, independent physicians, and medical technicians, as well as managed care organizations and health plans that contract with medical providers. As of June 30, 2020, approximately 76,960 entities and individuals were enrolled with the Department to provide services under Medicaid and CBHP. Although the Department is ultimately responsible for ensuring that only eligible providers participate in the Medicaid and CBHP programs, the Department has contracted with a fiscal agent to perform certain provider-enrollment and claims-processing activities, including accepting, processing, evaluating, and approving or rejecting applications. Providers that want to enroll must complete an online application within Colorado interChange and provide documentation, including a current medical license, showing that they fulfill all enrollment requirements based on their provider type. The fiscal agent is contractually responsible for evaluating the application and the relevant supporting documentation to ensure compliance with all state and federal enrollment requirements. The Department is responsible for maintaining current provider information in Colorado interChange. Once the enrollment process is complete, the Department enters into agreements with the providers that are found to be eligible. In December 2019, the Department added a Department of Regulatory Agencies (DORA) license database interface within Colorado interChange in order to provide a mechanism for updating the provider?s medical license information including the expiration dates within Colorado interChange for any expired provider licenses. Department staff indicated that the provider licenses are manually reviewed at the time of enrollment by the fiscal agent and marked as active, meaning the providers are eligible to participate in the Medicaid and/or CBHP programs. On a monthly basis, the fiscal agent manually runs a report from the DORA database to identify the provider?s medical licenses that are about to expire and updates the renewed license information in Colorado interChange. If a provider?s license is expired, then the fiscal agent marks the provider for a review. Furthermore, the Department?s Program Integrity (PI) Division checks the DORA?s website monthly to determine if any action such as suspensions or revocations of licenses have been taken against a provider?s medical license. If the action taken against the provider affects the provider?s ability to participate in Medicaid or CBHP for a certain period, the PI Division then determines if the provider should be placed on a temporary restriction by suspending any payments, or be terminated within Colorado interChange to stop payments to the provider. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over the enrollment and eligibility determinations of providers for Medicaid and CBHP services and to determine whether the Department complied with federal Medicaid and CBHP provider eligibility requirements during Fiscal Year 2020. Additionally, we assessed the Department?s progress in implementing our Fiscal Year 2019 recommendation related to provider eligibility and enrollment. At that time, we recommended that the Department improve its controls in this area to ensure that it complies with federal and state requirements related to data verification and maintenance of documentation, such as current provider licenses, to ensure payments are only made to eligible providers. We also obtained a detailed Suspension Listing from DORA, which contained provider medical licenses that were suspended during Fiscal Year 2020. We compared this Suspension Listing with provider information within Colorado interChange to determine whether the Department paid any providers with suspended licenses for claims during the fiscal year. We reviewed a sample of 45 provider applications for providers that were deemed eligible and received Medicaid and CBHP payments during Fiscal Year 2020 through Colorado interChange. We obtained and reviewed provider application information and relevant supporting documentation within Colorado interChange to determine whether these providers were accurately deemed eligible to receive Medicaid and CBHP payments and whether the required documents were maintained, in accordance with federal and state regulations. In addition, we conducted interviews with Department staff regarding its procedures over Medicaid and CBHP provider eligibility and enrollment. In March 2020, the Governor issued executive orders waiving Medicaid and CBHP provider licensing requirements for providers whose licenses expired during the COVID-19 PHE; as a result, our testwork was split into two periods of testing: (1) July 1, 2019, through February 29, 2020, and (2) March 1, 2020, through June 30, 2020. The process followed for provider eligibility and enrollment is the same for both Medicaid and CBHP providers, and our testing was used to determine compliance for both programs. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? We applied the following criteria during our testing: ? FEDERAL REGULATION [42 CFR 455.412] requires that the Department have a method for verifying that any provider purporting to be licensed in accordance with the laws of any state is licensed by such state and confirm that the provider?s license has not expired and that there are no current limitations on the provider?s license. This federal regulation requires the Department to verify that the providers meet required licensure standards initially, and it is best practice for the Department to verify that the providers meet these standards on an ongoing basis to ensure that there are no current limitations on the provider?s license. In May 2021, CMS provided clarification to the Department that ?not every condition on a provider?s license would be considered a limitation? and the PI Division within the Department needs to ?document in writing their determination to keep a provider enrolled when a license limitation does not restrict the provider?s ability to render services to Medicaid and CBHP beneficiaries to be in compliance with federal regulation.? ? STATE REGULATIONS [10 CCR 2505-10, 8.125.9 A AND B] require for current medical provider licenses, if a provider is required to possess a license or certification in order to provide services or supplies in the State, then that provider must be so licensed as a condition of enrollment as a Medicaid provider. As a condition of enrollment, any required licenses must be active without any current limitations. ? DEPARTMENT POLICY AND PROCEDURE. Provider Licensure Sanction Monitoring, Section III. A., states that in order for a provider to be eligible to render and bill for services, the provider must have an active license. ? FEDERAL CMS REQUIREMENTS [Sub Regulatory Guidance for State Medicaid Agencies (SMA): Revalidation (2016-001 (3))] state the Department must be able to produce documentation to support each of the provider screening and enrollment requirements under 42 CFR 455 Subpart E, including documentation of the most current license to ensure the provider remains eligible to provide services. ? CONTRACT REQUIREMENTS. According to the contract agreement with the fiscal agent, the fiscal agent is required to maintain detailed documentation to support each of the provider screening and enrollment requirements, including documentation of the provider?s most current license to ensure the provider remains eligible to provide services for Medicaid and CBHP. ? FEDERAL REGULATION [45 CFR 75.303(a)] requires that the Department, as a recipient of federal funds, must establish and maintain effective internal control over its federal awards that provides reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Green Book, Paragraph 16.01, which states that the Department ?should establish and operate monitoring activities to monitor [its] internal control system and evaluate the results.? Monitoring activities include reviewing reports, observing operations, and ensuring that activities are carried out in accordance with the federal grant agreement(s). WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We found that the Department did not fully comply with federal and state regulations for Medicaid and CBHP provider eligibility during Fiscal Year 2020. The specific issues we identified through our analyses of Medicaid and CBHP provider license data and case file reviews are outlined in more detail throughout this section. ELIGIBILITY ISSUES IDENTIFIED THROUGH DATA ANALYSES INELIGIBLE PROVIDERS?SUSPENDED LICENSES OR LICENSE WITH LIMITATIONS. Based on our comparison of the suspended provider license listing from DORA and provider information within Colorado interChange, we identified 13 ineligible providers who had their license suspended or had a license with limitations for part of Fiscal Year 2020, but continued to be shown as active, which means eligible, in Colorado interChange, as follows: ? 13 providers had their licenses suspended by DORA during Fiscal Year 2020; however, instead of terminating these providers in accordance with federal and state regulations, the Department marked these providers as active within Colorado interChange. For four of the 13 providers, the Department did not take any action to prevent them from billing for services during the year. For the remaining nine providers, the Department placed billing restrictions on the providers after DORA?s suspension date. Specifically, for six of these nine providers, the Department placed billing restrictions on the providers within 1 to 2 months and for the remaining three providers, placed the billing restrictions on the providers between 3 to 12 months after DORA?s suspension date. Based on additional testing, we determined that no payments were made to these providers after their licenses were suspended by DORA and therefore, we did not identify any questioned costs associated with these providers. ? One provider had its license listed as active with conditions on DORA?s website from April 10, 2020, through June 30, 2020, but the Department did not terminate the provider due to current limitations on the license; instead, the provider was marked as active in Colorado interChange and continued to bill claims and receive payments during the fiscal year. We determined that the provider?s current license limitations did not restrict the provider?s ability to render services. Therefore, the provider was eligible and no questioned costs were noted. However, the Department did not document their determination to keep this provider enrolled with current license limitations. In addition, we noted that this provider?s license expired in Colorado interChange as of October 2016, however, DORA?s website showed the provider with an active license, or license with limitations, during Fiscal Year 2020. The fiscal agent did not update license information as required by the contract. ELIGIBILITY CASE FILE ISSUES MISSING DOCUMENTATION AND LICENSE INFORMATION. For five of 45 providers (11 percent), the Department did not ensure that the fiscal agent maintained the support of the most current medical license information as of June 30, 2020, within Colorado interChange to demonstrate that the provider was eligible to provide services. After we brought the issue to the Department?s attention, the Department provided the documentation. Additionally, for two of these five providers, we found that the medical license information maintained by the fiscal agent in Colorado interChange differed from the license information contained in the DORA database. For example, in one case, the provider?s license showed an expiration date of September 30, 2019, in Colorado interChange, while the accurate license expiration date in DORA?s database was September 30, 2021. Without the most current license information, the fiscal agent cannot appropriately verify ongoing eligibility for the providers. WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls in place over the provider eligibility process during Fiscal Year 2020 to ensure that it complied with federal and state regulations. ? INEFFECTIVE REVIEW OF PROVIDER LICENSES. The Department lacks an effective review process to ensure the license information in DORA?s database matches the license information in Colorado interChange in order to identify suspended providers, to document their determination to keep a provider enrolled with license limitations, and providers with expired licenses. In addition, the Department?s manual review did not ensure that suspended providers, providers with license limitations and providers with expired licenses were terminated and restricted in a timely manner. ? POLICIES AND PROCEDURES NOT UPDATED. The Department did not obtain CMS guidance until May 2021 to document their determinations to keep providers with license limitations enrolled when a license limitation did not restrict provider?s ability to render services. Therefore, the Department?s current policies and procedures are not updated to match CMS guidance. ? LACK OF EFFECTIVE TRAINING AND MONITORING. The Department was not effectively training and monitoring its fiscal agent to ensure that copies of active medical licenses are maintained within providers? files in Colorado interChange. Additionally, the fiscal agent did not properly update the provider?s license information in Colorado interChange to match the DORA database during Fiscal Year 2020. WHY DO THESE PROBLEMS MATTER? By not ensuring that appropriate internal controls, including policies and procedures, reviews, training, and monitoring, are in place over the Medicaid and CBHP provider eligibility process, the Department cannot ensure that all Medicaid and CBHP providers are eligible to participate in the programs. Additionally, without an effective review process to update provider licensure information within Colorado interChange, the Department cannot ensure that the enrolled providers are eligible to receive payments. Ensuring that providers contained in Colorado interChange are eligible to provide services is especially important to prevent any improper payments. Overall, the State could risk losing federal Medicaid and CBHP funding if it allows ineligible providers to bill and be paid for services provided for these programs. Furthermore, the State may lose federal Medicaid money if the Department does not recover any of the payments made to ineligible providers. State statute [Section 25.5-4-301(2), C.R.S.] indicates that any overpayments of claims to providers are recoverable. These overpayments ?shall be recoverable regardless of whether the overpayment is the result of an error by the state department, a county department of social services, an entity acting on behalf of either department, or by the provider or any agent of the provider.? See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-039 The Department of Health Care Policy and Financing (Department) should improve its internal controls over the Medicaid and Children?s Basic Health Plan provider eligibility determination to ensure that it complies with federal and state requirements by: A Improving the Department?s review process of provider licenses to ensure the license information in the Department of Regulatory Agencies (DORA) license database matches the license information in the Colorado interChange system and ensuring timely termination and imposing restrictions for the provider?s whose licenses are suspended or expired. B Updating the current policies and procedures to match Centers for Medicare and Medicaid Services guidance to ensure there is adequate documentation of the determinations for providers with license limitations. C Effectively training and monitoring its fiscal agent to ensure that copies of active licenses are maintained and provider license information in the Colorado interChange system matches the information in DORA?s license database. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will update its policies and procedures to ensure that the process for reviewing whether a license action requires termination or a restriction in the Colorado interChange, is documented and implemented in a timely manner to prevent payments to ineligible providers. As noted in OSA's finding, it is best practice for the Department to verify providers meet these standards on an ongoing basis between initial enrollment and revalidation to ensure there are no current limitations on the provider?s license, including those that have expired. The Department?s previous process was discontinued due to data matching issues between DORA and the Colorado interChange. However, letters continue to be sent to providers with upcoming expiring licenses prompting them to add current license information to their provider file. The Department plans to implement a system change that will make the data feed from DORA functional and install a front-end claims edit that will prevent claims from providers with an expired license from paying. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will update its policies and procedures to ensure that all determinations made on whether a provider has a limitation on its license are properly documented. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department has an established process to train and monitor its fiscal agent. The Department will continue to monitor the Fiscal Agent through reports, meetings, and quarterly audit review processes. The Department and the Fiscal Agent will continue to collaborate to improve the process in which required documentation is collected and maintained.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-054 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-041 MEDICAID ELIGIBILITY?MISSING SOCIAL SECURITY NUMBERS A beneficiary?s application includes information such as a Social Security Number (SSN), birth certificate, and supporting documentation for income. Local counties and MA sites are responsible for administering the benefits application process, entering the required data for eligibility determination into CBMS, and approving or denying applicants? eligibility. For example, Medicaid caseworkers enter and document each applicant?s SSN into CBMS. Caseworkers determine participants? eligibility to receive Medicaid benefits through CBMS. The CBMS eligibility data, including SSNs, feeds into Colorado interChange, which pays providers for the services they render to Medicaid beneficiaries. If there is a change to an SSN, including removing an SSN in CBMS, this change should feed directly into Colorado interChange. Additionally, children in foster care are automatically eligible for Medicaid; the TRAILS system that supports the foster care program at the Department of Human Services also interfaces with Colorado interChange on a daily basis to update foster care beneficiaries? eligibility information and pay providers for the services rendered. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls that were in place over the Medicaid eligibility process during Fiscal Year 2019, and to determine whether the Department complied with federal and state Medicaid requirements during this timeframe. During our audit, we requested a list of all Medicaid claims for medical services that were submitted and paid through Colorado interChange from July 1, 2018, through March 31, 2019. This list included claims made on behalf of approximately 1.1 million beneficiaries. We analyzed the data to identify any Medicaid claims payments made during July 1, 2018, through March 31, 2019, on behalf of beneficiaries who did not have an SSN in Colorado interChange on the date of the claims payment, and found a total of 524,092 claims paid on behalf of 46,772 beneficiaries. From this listing, we excluded any of the claims payments made on behalf of a beneficiary who was exempted from providing an SSN under federal and state regulations. For example, we removed claims payments for beneficiaries who were under the age of 1; beneficiaries who were in foster care and, therefore, were automatically deemed eligible for Medicaid; beneficiaries who had applied to the Social Security Administration for an SSN at the time of the payment; beneficiaries who received medical care as an emergency service; and beneficiaries who had chosen to opt out of providing an SSN due to allowed religious reasons. After we removed these exempted beneficiaries from the population, the list included 2,870 beneficiaries that appeared to be missing an SSN in Colorado interChange and who had Medicaid claims payments made on their behalf from July 1, 2018, through March 31, 2019. We then reviewed these remaining beneficiaries, and the related separate payments made on their behalf during this time period, to determine whether these beneficiaries had an SSN in Colorado interChange at the time of the claims payments and whether the individuals were eligible for Medicaid benefits in accordance with federal regulations and Department procedures. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? SSN REQUIREMENTS. Federal regulations [42 CFR 435.910 and 42 CFR 435.117(b)] state that the Department must require an SSN for each individual requesting Medicaid benefits, with the exception of newborns under the age of 1, or ?Eligible Needy Newborns,? and individuals who refuse ?to obtain an SSN because of well-established religious objections.? Federal regulation [42 CFR 435.145(b)(2)] states that the Department must provide Medicaid benefits to individuals who are in the foster care program. Section 472 of the Social Security Act does not require a child to provide an SSN in order to be eligible for the foster care program. State regulations [10 CCR 2505-10 8.100.3.I.1, 8.100.4.B.1.a, and 8.100.4.G.7.a] also require that every individual who applies for and receives Medicaid benefits must provide an SSN, or an application for an SSN, with their application for Medicaid. The regulation specifically states: An applicant?s or client?s refusal to furnish or apply for a Social Security Number affects the family?s eligibility for assistance as follows: i) that person cannot be determined eligible for the Medical Assistance Program; and/or ii) if the person with no SSN or proof of application for SSN is the only dependent child on whose behalf assistance is requested or received, assistance shall be denied or terminated. The regulation also states that newborns under the age of 1 and ?members of religious groups whose faith will not permit them to obtain Social Security Numbers shall be exempt from providing a Social Security Number.? Eligibility data, including SSNs, is required to be collected and entered into CBMS at the time of application or upon another event, such as the beneficiary turning 1 year old. Because this information is maintained within CBMS, and CBMS feeds eligibility information into Colorado interChange, eligible beneficiaries should have an SSN in Colorado interChange. MONITORING. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in the Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). Green Book Paragraph 16.01, Perform Monitoring Activities, states the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. TRAINING. Department training procedures indicate that when a local county or MA site caseworker needs to update an SSN in CBMS, he or she must call the Office of Information Technology (OIT) Service Desk within the Office of the Governor, for approval of the change. According to Department staff, once the OIT Service Desk reviews and approves the change, the information will be updated within CBMS; if the OIT Service Desk does not approve the change to the SSN, then the updated information will be rejected within CBMS. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We identified 2,870 beneficiaries who were required to have an SSN but did not have an SSN documented in Colorado interChange and had Medicaid claims paid on their behalf sometime between July 1, 2018, and March 31, 2019. In total, Colorado interChange paid approximately $4,540,920 in Medicaid claims for these beneficiaries during the time period noted. In August 2019, we informed the Department of the issues we identified and Department staff performed additional follow-up based on our findings, which included analyzing information contained in CBMS compared to our results from Colorado interchange; the Department confirmed in January 2020, the Department confirmed that 1,590 of these beneficiaries had never had an SSN recorded in CBMS since they were first found eligible for Medicaid benefits, and therefore, would never have had an SSN in Colorado interChange. Because these individuals were required by federal and state regulations to provide an SSN at the time of application or upon another event, as applicable, the lack of documented SSNs in both CBMS and Colorado interChange indicated that these individuals appeared to be ineligible for the Medicaid claims payments that were made on their behalf during the fiscal year. The Department indicated that the remaining 1,280 beneficiaries without an SSN in Colorado interChange did not have an SSN in CBMS at the time of the claim but had an SSN ?at some point? during Fiscal Year 2019 or prior within CBMS. Since the individuals lacked an SSN within Colorado interChange at the time of the Fiscal Year 2019 claims payments, and based on the documentation provided by the Department, we were unable to determine whether the individuals had submitted an SSN at the time of application or upon another event as required and, therefore, whether they were eligible for the Medicaid services they received. Overall, for the 1,590 beneficiaries noted, we identified known questioned costs of $2,285,757 for the period of July 1, 2018, through March 31, 2019; $1,142,879 of these costs were paid with federal grant funds. For the 1,280 beneficiaries noted, we identified likely questioned costs of $2,255,163 for the period of July 1, 2018, through March 31, 2019. We further analyzed 49 of the 1,590 beneficiaries noted above to identify reasons for missing SSNs and found that: ? Beneficiaries in CBMS were not eligible; however, they were marked as ?eligible? within Colorado interChange. ? Beneficiaries were incorrectly enrolled in the Eligible Needy Newborn Program even though they were all over the age of 1; as a result, although the Department had not required them to provide an SSN, they continued to receive benefits during July 1, 2018, through March 31, 2019. ? Beneficiaries were exempted from obtaining an SSN for unallowable reasons including ?incomplete documents? and ?illness? categories, and CBMS processed their eligibility and Colorado interChange made payments on their behalf; however, neither federal nor state regulations allow such exemptions. The Department has indicated that they are performing additional research on the issues regarding the 1,280 beneficiaries that had an SSN ?at some point? during Fiscal Year 2019 or prior within CBMS. WHY DID THESE PROBLEMS OCCUR? For 1,280 beneficiaries identified who were missing an SSN in Colorado interChange and CBMS at the time of the claim, but had an SSN ?at some point? within CBMS during Fiscal Year 2019 or prior, the Department provided the following possible explanation: The SSN was removed due to caseworkers failing to contact the OIT Service Desk for proper approval for changes to SSN information in CBMS. Other problems with missing SSNs were related to: ? CBMS ISSUES. CBMS was not programmed to appropriately deny an applicant?s eligibility for Medicaid when the individual did not have an SSN in CBMS and did not have an allowed exception noted in CBMS. Rather, CBMS allowed the SSN field to be left blank, regardless of the reason noted for the missing SSN and whether the reason was allowed as an exemption by federal and state regulations. In addition, the SSN in CBMS could be deleted at any time by the caseworker or the OIT Service Desk and CBMS was not programmed to alert the caseworker to follow up if an SSN had been deleted from the file. ? SYSTEM INTERFACE ISSUES AND LACK OF A RECONCILIATION PROCESS. CBMS was not interfacing with Colorado interChange appropriately to update beneficiaries? eligibility information. Some beneficiaries who were deemed ?ineligible? for Medicaid in CBMS were listed as ?eligible? in Colorado interChange and payments were made on their behalf during the fiscal year. Furthermore, the Department lacked an effective internal control process for reconciling Medicaid beneficiaries? eligibility information in CBMS to the eligibility information in Colorado interChange to ensure that the information was consistent in both systems, and that the beneficiary was appropriately deemed either ?eligible? or ?ineligible? in accordance with federal and state regulations. ? LACK OF EFFECTIVE REVIEWS, TRAINING, AND MONITORING. The Department was not effectively monitoring and training Medicaid local county and MA site caseworkers on required approvals for any changes to beneficiaries? SSNs. Further, the Department did not have an effective review process to ensure that beneficiaries were enrolled in the correct Medicaid program. WHY DO THESE PROBLEMS MATTER? As the state Medicaid agency, it is essential for the Department to ensure that Medicaid eligibility determinations are made appropriately and in accordance with state and federal regulations. This includes ensuring accurate processing of information used to determine Medicaid eligibility results in Medicaid benefits being provided to and paid on behalf of only eligible individuals. Since CBMS and Colorado interChange determine eligibility and issue payments on behalf of other federal programs, such as the CBHP, these issues could result in erroneous eligibility determinations or payments for other programs. Ultimately, the federal government may disallow federal funds for Medicaid program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2019-043 The Department of Health Care Policy and Financing should improve its internal controls over Medicaid eligibility by: A Researching and, if feasible, instituting a mechanism for identifying Medicaid cases in the Colorado Benefits Management System (CBMS) that lack a Social Security Number. B Researching and resolving CBMS and Colorado interChange interface issues to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries and establishing an effective reconciliation process between CBMS and Colorado interChange to ensure that Medicaid beneficiaries? eligibility information is consistent in both systems. C Effectively training and monitoring local counties and Medical Assistance sites to ensure that caseworkers are obtaining and documenting the Office of Information Technology Service Desk?s approval for changes to beneficiaries? Social Security Numbers, and that beneficiaries are enrolled in the correct Medicaid program. D Researching the cases identified in our audit to determine whether these beneficiaries were eligible and that the payments made on their behalf were appropriate, in accordance with federal and state regulations. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The CBMS currently has functionality in place for members requesting Medical Assistance that they must supply a Social Security Number (SSN) unless they meet certain acceptable exceptions at initial application. Since CBMS is a shared system between the Department and the Department of Human Services and any change would impact all cases in CBMS, the Department cannot guarantee that a system change can be implemented. The Department can agrees to research on the feasibility of instituting a mechanism for identifying Medicaid cases in CBMS that lack a social security number and, if feasible, implement a CBMS change by July 2022. B AGREE. IMPLEMENTATION DATE: JULY 2021. The Department agrees to research and resolve Colorado Benefits Management System (CBMS), and Colorado interChange system interface issues identified in the audit. The Department implemented a system change in June of 2018 that allows retroactive changes in eligibility to be correctly synced between the systems. The majority of the impacted cases are historical cases that will be manually corrected by June 2020. Additional cases involve detailed research, review, and potential outreach to case workers to correct the case file or verify the eligibility status of the impacted members. The Department will take the appropriate actions to notify impacted members if necessary. The Department's implementation date reflects that the Department will be in compliance with the Recommendation for the entirety of FY 2021-22. C AGREE. IMPLEMENTATION DATE: JULY 2021. The Department provides training to counties and Medical Assistance sites that beneficiaries applying for Medical Assistance must supply a Social Security Number (SSN) or supply verification that they have applied for an SSN, unless they meet certain acceptable exceptions. This information has been communicated to the counties since 2004 and is part of our ongoing training materials. The Department cannot agree to establish any additional review process at this time. The Department can agree to work with counties and Medical Assistance sites to identify any additional training related to missing SSN and implement additional training by July 2021. D DISAGREE. The Department disagrees with the Total Known Questioned Costs of $2,285,757 identified in the audit report since Department cannot verify the results. The Department is still attempting to reconcile various reports to understand the finding identified through this audit. CBMS currently has functionality in place for members requesting Medical Assistance that they must supply a Social Security Number (SSN), unless they meet certain acceptable exceptions at initial application. The Department does not have the resources to research the thousands of cases that the auditor identified through data mining techniques, a new methodology for the first time this year. If the auditor is changing methodologies, the Department requires additional resources and timely notice to request resources through the budget process. AUDITOR?S ADDENDUM: The beneficiaries identified through our testing were required by Medicaid regulations to provide an SSN at the time of application or upon another event, as applicable, and the SSN is documented in CBMS and uploaded to Colorado interChange [State regulations 10 CCR 2505-10, 8.100.3.I.1 and 8.100.4.B.1.a and 8.100.4.G.7.a]. Because the noted beneficiaries lacked an SSN within Colorado interChange at the time claims payments were made on their behalf, we questioned the beneficiaries? eligibility. The Department is responsible for ensuring that only individuals who are appropriately deemed eligible for Medicaid receive benefits. Therefore, it is the Department?s responsibility to identify and remove ineligible individuals from the Medicaid program and to prevent the inappropriate payment of claims on their behalf. In addition, generally accepted government auditing standards (GAGAS) (paragraph 3.18), require that ?In all matters relating to the GAGAS engagement, auditors and audit organizations must be independent from an audited entity.? Additionally, paragraph 3.42 states that ?Examples of circumstances that create undue influence threats for an auditor?include (b) [e]xternal interference with the selection or application of engagement procedures or in the selection of transactions to be examined.? Therefore, it is imperative that our decisions related to audit approaches and testing methods be made without department influence or persuasion.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-049 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-036 CHILDREN?S BASIC HEALTH PLAN ELIGIBILITY AND IMPROPER PAYMENTS The Department, local counties, and MA sites share responsibility for ensuring that only eligible beneficiaries receive public assistance benefits through CBHP. Individuals and families apply for CBHP eligibility at their local county departments of human/social services or at MA sites. The local counties and MA sites are responsible for administering the application process, entering the required data for eligibility determination into CBMS, and approving or denying applicants? eligibility. Once approved for eligibility, the beneficiary is required to pay a CBHP annual enrollment fee (enrollment fee) to the Department, based on the number of people in the family and the family?s income. Eligibility data in CBMS feeds into Colorado interChange, which issues payments to CBHP providers. For CBHP, the Department contracts with managed-care entities, which are groups or organizations of medical service providers that serve CBHP beneficiaries to provide capitation payments to CBHP providers. These capitation payments are paid regardless of whether the providers serve beneficiaries during the month or not. Colorado interChange is programmed to pay capitation payments only on behalf of beneficiaries that are deemed eligible in Colorado interChange based on eligibility information received from CBMS and requirements specified in federal and state regulations. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over the CBHP eligibility determination process, as well as the capitation payment process, to determine whether the Department complied with applicable federal and state requirements, and whether payments were only made on behalf of eligible beneficiaries during Fiscal Year 2020. CMS suspended rules and provided waivers related to CBHP eligibility requirements in response to the COVID-19 PHE; as a result, our testwork was split into two periods for testing: (1) July 1, 2019, through February 29, 2020, and (2) March 1, 2020, through June 30, 2020. We performed the following testwork: REVIEW OF CBHP ELIGIBILITY CASE FILES ? We reviewed the Department?s CBHP eligibility internal controls during Fiscal Year 2020. In addition, we tested a random sample of 25 beneficiaries who were deemed eligible for CBHP benefits and had capitation payments made on their behalf to a CBHP provider between July 1, 2019, and February 29, 2020, to determine whether those beneficiaries? eligibility determinations were appropriate. If beneficiaries were determined to be ineligible through our testwork, we performed further testing to determine whether the beneficiaries had additional payments made on their behalf from March 2020 through June 2020, and whether the individuals were eligible for those payments. Our testing included a review of the related supporting documentation, including the case files; CBMS data fields related to eligibility determination/redetermination; and CBHP payment information in Colorado interChange. We performed testing to determine whether the Department ensured that local county and MA site caseworkers obtained, verified, and maintained in the case files the required documents supporting eligibility determinations and annual redeterminations; correctly entered eligibility data into CBMS; and properly assessed and collected enrollment fees. ? Additionally, we reviewed the Department?s progress in implementing our Fiscal Year 2019 audit recommendation related to CBHP eligibility. During that audit, we recommended that the Department strengthen its internal controls over CBHP eligibility determinations by providing adequate training to caseworkers, monitoring local counties and MA sites, and researching and resolving CBMS system issues identified in our Fiscal Year 2019 audit. We also recommended that the Department ensure it disallows benefits if a beneficiary becomes ineligible and if the enrollment fee is not paid prior to enrollment in the program. DATA ANALYSES OF CBHP BENEFICIARIES ? INELIGIBLE CBHP BENEFICIARIES. During our audit, we obtained eligibility data for all individuals who were deemed by the Department, a local county, or an MA site to be eligible for CBHP benefits in Colorado interChange at any point during the period of July 1, 2019, through February 29, 2020. We also obtained data for all CBHP capitation payments made through Colorado interChange by the Department from July 1, 2019, through February 29, 2020. This data included a total of $124.7 million in capitation payments made on behalf of 117,222 beneficiaries. We compared the eligibility data to the capitation payment data to identify any instances in which the Department made capitation payments to providers on behalf of beneficiaries who did not appear to be eligible for CBHP benefits. ? CBHP BENEFICIARIES 19 YEARS OR OLDER. Federal and state regulations require an individual to be less than 19 years of age to be eligible for CBHP benefits. To determine the Department?s compliance with these regulations, we further analyzed the list of all CBHP capitation payments made through Colorado interChange by the Department from July 1, 2019, through February 29, 2020. Specifically, we reviewed the beneficiaries? dates of birth in Colorado interChange to identify any capitation payments made on behalf of beneficiaries who appeared to be 19 years or older when the payments were made and, therefore, would not have been eligible for CBHP benefits. CBHP ELIGIBILITY MONITORING AND REVIEW We also inquired about the Department?s monitoring procedures over local counties and MA sites that were designed to ensure that eligibility determinations were made in accordance with federal and state regulations. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal and state regulations for CBHP eligibility and made payments on behalf of ineligible beneficiaries during the fiscal year. The specific issues we identified through our analyses of CBHP eligibility data and case file reviews are outlined in more detail throughout this section. ELIGIBILITY CASE FILE ISSUES In 16 of 25 case files tested (64 percent), we identified at least one error. These errors resulted in a total of 12 ineligible beneficiaries during all or part of Fiscal Year 2020, and total known questioned costs of $10,913, of which $8,449 was paid with federal grant funds; and total likely questioned costs of $3,805, of which $3,076 was paid with federal grant funds. A questioned cost, as defined in Uniform Guidance [45 CFR 75.2], is ?a cost that is questioned by the auditor ? (1) Which resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds; [or] (2) Where the costs, at the time of the audit, are not supported by adequate documentation.?? Federal regulation [45 CFR 75.516] further defines known questioned costs as questioned costs that are specifically identified by the auditor and likely questioned costs as the auditor?s best estimate of total questioned costs. During the COVID-19 PHE, CMS issued waivers that limited the Department?s ability to deny eligibility for enrolled beneficiaries. The Department also sought guidance from CMS on the treatment of beneficiaries who were ineligible prior to the COVID-19 PHE and receiving benefits during this period. Although CMS guidance indicated that the Department should keep these beneficiaries enrolled until the end of the COVID-19 PHE, we are reporting the costs incurred for the 12 ineligible beneficiaries in our sample during the period of the COVID-19 PHE of March 1, 2020, through June 30, 2020, as likely questioned costs since the beneficiaries were inappropriately deemed eligible prior to the COVID-19 PHE and should not have been enrolled in CBHP. The following table outlines the types of issues we found. See Schedule of Findings and Questioned Costs for chart/table. The specific issues we identified and the breakdown of identified questioned costs are as follows: ? CBHP ANNUAL ENROLLMENT FEE NOT PAID. In 10 cases, the Department either did not assess the required enrollment fee or the fee was assessed but was never collected. Specifically: ? In seven cases, the Department did not assess an enrollment fee. ? In the remaining three cases, the Department assessed the enrollment fees but did not collect the required fees from the beneficiaries. Benefits were inappropriately paid on behalf of these 10 beneficiaries for all or part of Fiscal Year 2020. As a result, the Department was not in compliance with state regulations. These issues resulted in known questioned costs of $6,684 and likely questioned costs of $2,260. State regulations [10 CCR 2505-3, 310.1-310.2] require the Department to collect an annual enrollment fee from the beneficiary prior to enrollment in the CBHP. The actual fee is determined based on the number of eligible children within the family. Benefits should be denied if the annual enrollment fee is not paid prior to enrollment in the program. ? LACK OF INCOME VERIFICATION. In three cases, the caseworkers failed to verify income reported by the beneficiary as required by state regulations. In all three cases, the beneficiary reported income; however, the caseworker did not verify the reported income through an electronic data source, wage stubs, tax documents, or through the employer. These errors resulted in known questioned costs of $2,854 and likely questioned costs of $1,546. State regulations [10 CCR 2505-10, 8.100.4.B.1.c and 8.100.4.B.1.d] require the Department to verify income reported by a beneficiary through an electronic data source, wage stubs, tax documents, or verification with the employer. ? INCOME ISSUES. In one case, the beneficiary?s income information received by the local county or MA site was more than the income limit set within the state regulation; however, the beneficiary was deemed eligible in CBMS and Colorado interChange paid capitation payments on behalf of the beneficiary. As a result, the beneficiary incorrectly received CBHP benefits during the fiscal year. These errors resulted in known questioned costs of $1,375. In another case, the caseworker incorrectly calculated self-employment income for the beneficiary, resulting in lower income. No questioned costs were identified in this instance because the beneficiary?s actual income was still within guidelines. In order to be eligible for CBHP, state regulation [10 CCR 2505-3, 110.1.D] requires an individual to have a household income greater than 133 percent of, but not exceeding, 250 percent of the federal poverty level. ? MISSING CASE DOCUMENTATION. In five cases, the Department was unable to provide documentation necessary to support the CBHP eligibility determination, including documentation to support income, such as wage stubs; and documentation to support identity and citizenship, such as birth certificates; as required by federal regulations, as follows: ? In three cases, the Department could not provide supporting documentation used by the caseworker in CBMS to verify income at the time of eligibility determination. Specifically, in all three cases, the Department was unable to provide copies of the beneficiary?s wage stubs that were noted as the source document in CBMS. However, the Department subsequently provided a hand-written statement from the employer and electronic income information from another data source interfaced with CBMS that indicated income was under the federal income threshold, resulting in no questioned costs. ? In two different cases, to determine beneficiaries? eligibility, a birth certificate was identified as the source used to verify identity and/or citizenship within CBMS; however, the Department was unable to provide these birth certificates to support their identity and/or citizenship for eligibility determinations. In both cases, there was other corroborating documentation in the case file that indicated the beneficiaries were eligible; however, the Department did not appropriately maintain the support used to determine the beneficiaries? eligibility as required by federal regulation. These errors did not result in questioned costs. According to federal regulation [42 CFR 457.965], ?The State must include in each applicant?s record facts to support the State?s determination of the applicant?s eligibility for [Children?s Health Insurance Program].? State regulations [10 CCR 2505-3, 110.1.A, 110.1.B, and 110.1.C] require the Department to ensure a beneficiary is either less than 19 years of age or a pregnant woman and a citizen of the United States or an individual who is legally allowed to be in the country. ELIGIBILITY ISSUES IDENTIFIED THROUGH DATA ANALYSES We identified 53 ineligible beneficiaries through our data analyses of CBHP eligibility and capitation payment data from Colorado interChange for July 1, 2019, through February 29, 2020. The related overpayments resulted in known questioned costs of $158,413 for Fiscal Year 2020, of which $123,251 were paid with federal grant funds. The specific issues we found are discussed in more detail as follows. CBHP BENEFICIARIES NOT ON THE ELIGIBILITY LIST. We identified 39 beneficiaries who were not listed as eligible beneficiaries in the CBHP eligibility data that we received from the Department. However, these beneficiaries had CBHP capitation payments paid on their behalf through Colorado interChange during Fiscal Year 2020. We informed the Department of the issues we identified and provided the list of all 39 identified beneficiaries. Department staff performed their review and confirmed that 38 of the 39 beneficiaries were not eligible in CBMS at some point during Fiscal Year 2020, but showed as eligible in Colorado interChange during that timeframe. For the remaining beneficiary, CBMS and Colorado interChange noted the beneficiary as eligible when payments occurred in July 2019; however, the Department?s review later determined that the beneficiary was ineligible during July 2019 after the payments had already been made through Colorado interChange. As a result, all payments made during July 1, 2019, through February 29, 2020, for these 39 ineligible CBHP beneficiaries were improper payments as defined by federal regulations and, therefore, should be recovered in accordance with state and federal regulations. These payments resulted in known questioned costs of $76,924, of which $59,423 were paid with federal grant funds; and likely questioned costs of $14,345 for March 1, 2020, through June 30, 2020, of which $11,596 were paid with federal grant funds. According to federal regulation [42 CFR 431.958], any payment to an ineligible beneficiary is considered an improper payment, which is any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments). Eligibility errors include ineligible individuals that were authorized as eligible when they received services [42 CFR 431.960 (d)(2)(i)]. Section 25.5-4-301(2), C.R.S., states that any overpayments of claims to providers are recoverable. These overpayments ?are recoverable regardless of whether the overpayment is the result of an error by the state department, a county department of human or social services, an entity acting on behalf of either department, or by the provider or any agent of the provider....? Pursuant to 1903(d)(2)(C) of the Social Security Act [42 U.S.S. 1396b], states have up to 1 year from the date of discovery of the overpayment to recover or attempt to recover the overpayment before the federal share must be refunded to the Centers for Medicare and Medicaid Services (CMS) regardless of whether recover is made from the provider. CBHP BENEFICIARIES 19 YEARS OR OLDER. We identified $853,422 in capitation payments made on behalf of 168 beneficiaries who appeared to be 19 years or older at the time of the CBHP capitation payments and, therefore, would not have been eligible for CBHP benefits. These beneficiaries were identified based on their dates of birth and the dates of capitation payments made on their behalf in Colorado interChange. We selected a random sample of 17 of the 168 beneficiaries to test whether or not the beneficiaries were ineligible to receive CBHP benefits based on their age. Using information contained in both Colorado interChange and CBMS, we confirmed that 14 of the 17 tested (82 percent) were 19 years or older when they had capitation payments paid on their behalf and, thus, were ineligible for these payments made through Colorado interChange. For example, we noted that based on the information in CBMS, 10 of the beneficiaries had not been eligible for CBHP benefits since 2017 even though Colorado interChange showed the beneficiaries as eligible. One of these beneficiaries had passed away in 2017, but had payments made on their behalf through September 2019. The remaining three of the 17 beneficiaries we tested were under the age of 19 at the time of the payments, but had an incorrect date of birth in Colorado interChange and/or CBMS. In total, for the 14 beneficiaries, we identified known questioned costs of $81,489 for Fiscal Year 2020, of which $63,828 were paid with federal grant funds. Additionally, for the remaining 151 beneficiaries with an age of 19 years or older based on their date of birth in Colorado interChange, we identified likely questioned costs of $775,470 for payments made on their behalf after they turned 19, of which $611,762 were paid with federal funds for Fiscal Year 2020. Federal regulation [42 CFR 457.320] defines children as up to, but not including, the age of 19. In addition, state regulation [10 CCR 2505-3, 101.1.A.1] states that an individual must be less than 19 years of age to be eligible for CBHP. The CBHP state plan amendment [CO-20-0031] approved by CMS, waives the requirement during the COVID-19 PHE, except for circumstances described in 42 CFR 435.926(d)(1) that states, the Department has to terminate a child?s eligibility during a continuous eligibility period once the child attains the maximum age of 19 years. Department policy further clarifies that beneficiaries enrolled in CBHP must meet age requirements [HCPF PM 20-004]. The following table summarizes the eligibility issues we identified through our data analyses. See Schedule of FIndings and Questioned Costs for chart/table. ELIGIBILITY MONITORING ISSUES CBHP ELIGIBILITY QUALITY REVIEW REPORT. In addition, we identified problems with the Department?s monitoring of local counties and MA sites over CBHP eligibility determinations. Based on our inquiry, we found that the Department did not obtain any quarterly quality review reports from local counties and MA sites during Fiscal Year 2020, or monitor the local counties and MA sites through an alternative process. As a result, the Department did not monitor local counties and MA sites in accordance with federal regulations and Department procedures. Department procedures require local counties and MA sites to compile and submit the results of their own quality reviews of CBHP eligibility case files to the Department on a quarterly basis. In addition, local counties and MA sites that do not submit their quality review reports on a timely basis are subject to corrective action. According to federal regulation [45 CFR 75.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with Green Book, Paragraph 16.01, which states that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. WHY DID THESE PROBLEMS OCCUR? Overall, the Department lacked sufficient internal controls to ensure that it complied with state and federal CBHP eligibility requirements and to ensure that CBHP capitation payments were appropriately paid only on behalf of eligible beneficiaries during Fiscal Year 2020. Specifically, we noted the following causes for the errors we identified: CBHP ANNUAL ENROLLMENT FEE. CBMS was not programmed to calculate and assess the correct enrollment fee or disallow benefits if the enrollment fee was not paid prior to enrollment in the program. In addition, CBMS was not programmed to calculate and assess an enrollment fee when a beneficiary moves between programs, such as from other federal programs to CBHP. According to the Department, CBMS is programmed to only calculate and assess an enrollment fee at a beneficiary?s annual redetermination and does not assess a fee when beneficiaries move to CBHP in between annual redeterminations, as required by state regulations. CASEWORKER ERROR. Caseworkers did not ensure that they maintained the required documentation to support CBHP eligibility, such as citizenship and identity status; or obtained and verified beneficiary income. MONITORING AND REVIEWS. The Department reported that it discontinued its process of obtaining quarterly CBHP monitoring reports from local counties and MA sites during Fiscal Year 2020 because the process is not effective and it is creating a new oversight monitoring process; however, the Department did not implement an interim monitoring process to ensure compliance with federal regulations. SYSTEM INTERFACE ISSUES AND LACK OF RECONCILIATION PROCESS. CBMS failed to interface with Colorado interChange appropriately during Fiscal Year 2020 to update beneficiaries? eligibility information. As a result, some beneficiaries who were deemed ineligible for CBHP in CBMS were listed as eligible in Colorado interChange and capitation payments were made on their behalf during the fiscal year. Furthermore, the Department lacked an effective internal control process for reconciling CBHP beneficiaries? eligibility information in CBMS to the eligibility information in Colorado interChange to ensure the information is consistent in both systems and the beneficiary is appropriately deemed either eligible or ineligible in accordance with federal and state regulations. The Department indicated that it developed a manual reconciliation process in October 2019 to correct the eligibility status of these beneficiaries from eligible to ineligible in Colorado interChange to stop any further payments. This manual reconciliation process, however, did not identify and stop all the overpayments to providers on behalf of ineligible beneficiaries noted in this audit. Additionally, the Department did not recover these overpayments as required by federal and state regulations. WHY DO THESE PROBLEMS MATTER? Inaccurate processing of case file information to determine eligibility can result in the local counties and MA sites granting CBHP benefits to ineligible individuals. Without maintaining the required documentation to support eligibility, the local counties, MA sites, and ultimately the State cannot substantiate that eligibility determinations and redeterminations for CBHP are accurate, which can result in benefits being paid on behalf of ineligible individuals. Making payments to ineligible individuals can result in the Department having to repay the federal government for the federal portion of the overpayments. Additionally, the federal government can disallow federal funds for program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. Because CBMS determines eligibility and Colorado interChange makes payments on behalf of other federal programs, system issues with CBMS and Colorado interChange could result in erroneous payments for other programs.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-042 Medical Loss Ratio Reporting for Managed Care Entities The Department contracts with Managed Care Entities (MCEs) to provide managed care health plans and deliver health care services to eligible Medicaid and CBHP beneficiaries and pays MCEs monthly fixed amounts, known as capitation payments, based on rates determined by actuaries for the provision of services covered under the contract. The Department pays the MCEs monthly capitation payments on behalf of each Medicaid and CBHP beneficiary enrolled in the MCE?s plan. MCEs then coordinate services for the eligible Medicaid and CBHP beneficiaries and providers participating in the managed care system bill the MCEs directly for any medical services provided to Medicaid and CBHP beneficiaries. The MCEs are then responsible for paying the providers for the Medicaid and CBHP claims. The Department contracts with three different types of MCEs?Managed Care Organizations (MCO), Prepaid Inpatient Health Plans (PIHP), and Primary Care Case Management (PCCM) Entities. During Fiscal Year 2021, the Department had a total of 8 contracts with 10 MCEs, with two pairs of MCEs sharing a single contract with the Department. The Department is responsible for monitoring the MCEs to ensure they are complying with federal regulations and their contract provisions, including requirements that the MCEs annually submit Medical Loss Ratio (MLR) reports to the Department. The MLR is the proportion of state and federal Medicaid and CBHP funds that the MCE used for medical services compared to the funds used for its administrative costs. MCEs are required by both federal regulations and their Department contract provisions to have an MLR above 85 percent (i.e., an MCE?s administrative costs cannot exceed 15 percent) except for specific exceptions defined in federal regulations. If the MLR is below 85 percent, the MCE must pay back the state and federal government for the amount that caused the MCE to fall below 85 percent. Every fiscal year, the Department provides an MLR reporting template for the MCEs to complete and return to the Department. The Department reported that when it receives the completed templates, staff review the information provided by the MCEs and compare it to supporting documentation to ensure it is accurate and complete. Once the Department has reviewed the MLR reports submitted by the MCEs, the Department submits the MLR reports to CMS, which are due by June 30 of the year following the end of the MLR reporting year. For example, an MCE with a reporting year ending June 30, 2020, would be required to submit the MLR calculation to CMS by June 30, 2021. During Fiscal Year 2021, the Department reported that it paid approximately $1.4 billion in Medicaid and CBHP capitation payments to MCEs for medical services, not including the capitation payments for other services, such as administrative costs. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to review the Department?s internal controls and compliance over ensuring that MLR reports submitted to CMS by the Department include all the required information in accordance with federal regulations during Fiscal Year 2021. The audit work included making inquiries of Department staff regarding the Department?s documented policies and procedures over obtaining and reviewing MLR reports from each MCE. In addition, we requested and reviewed all MLR reports submitted to the Department by the 10 MCEs that were under contract with the Department in Fiscal Year 2021 to determine whether the MLR reports included all information required by federal regulations and were submitted within the required timeframes. How were the results of the audit work measured? Federal regulations [42 CFR 438.8(k)] require that the Department ensure each MCE under contract with the Department submits a report with the data elements specified in 42 CFR section 438.8(k)(1). The reports are specifically required to contain 13 required data elements, reflect the correct reporting years, and contain an attestation of accuracy regarding the calculation of the MLR. The 13 data elements include items such as total incurred claims, the methodology for allocating expenditures, the calculated MLR, and a comparison of the information reported in the MLR report to the MCE?s audited financial report. Federal regulations [42 CFR 438.8(g)] note that the method used to allocate expenses in the MLR calculation must be: ? Based on a generally accepted accounting method that is expected to yield the most accurate results; ? Any shared expenses must be apportioned pro rata to the contract incurring the expense; and ? Expenses that relate solely to the operation of a reporting entity must be borne solely by the reporting entity and are not to be apportioned to other entities. Federal regulations [42 CFR 438.8(k)(2)] require MCEs to submit the MLR report in a timeframe and manner determined by the Department, which must be within 12 months of the end of the MCE?s reporting year. The Department?s contract provisions for MCEs state that the MLR reporting year should align with the State?s fiscal year, beginning on July 1 and ending on June 30 of the subsequent calendar year. Contract provisions also state that each MCE shall submit to the Department the completed MLR calculation template and supporting documentation for each reporting year by the following January 15. For example, an MCE with a reporting year ending June 30, 2020, would be required to submit the MLR calculation template to the Department by January 15, 2021, and the Department would be required to submit the MLR calculation to CMS by June 30, 2021. What problems did the audit work identify? We reviewed all reports provided to the Department by the 10 MCEs during Fiscal Year 2021 (for the MLR reporting year ended June 30, 2020) and determined that none of the MLR reports submitted by the 10 MCEs to the Department contained all of the required data elements in Fiscal Year 2021. Specifically, the MLR reports were missing 2 of the 13 (15 percent) required data elements: the methodology for the MCEs? allocation of expenditures and a comparison of the information reported in the MLR report to the MCEs? audited financial reports. This omission is significant because the MCEs reported total medical expenditures ranging from $20.5 million to $208.4 million and earned revenue from $23.4 million to $219.1 million. In addition, we determined that 1 of the 10 MLR reports received in Fiscal Year 2021 (10 percent) had not been submitted to CMS as of April 2022. This report was due to CMS on June 30, 2021. Why did these problems occur? We found that the Department lacked adequate controls to ensure that MLR reports submitted by the MCEs fully complied with federal regulations. First, we noted that although the Department?s MCE contracts state the MCE?s MLR report should include all 13 federally required data elements, the MLR template the Department provided to the MCEs did not include specific sections addressing the two missing federally-required data elements. As a result, the MCEs did not submit this information. Furthermore, the Department did not have written policies and procedures for reviewing completed MLR reports to ensure the reports ultimately included those requirements. Second, the Department does not have an enforcement mechanism to ensure the MCEs provide corrected MLR report information in a timely manner. The Department reported that it had not submitted the one MLR report to CMS because it had open questions on the MLR report and was unable to verify that the information was correct, valid, and in compliance with federal regulations. Although the Department sent the MLR report back to the MCE for correction several times, the Department did not have sufficient controls in place to ensure the MCE ultimately provided the corrected report back to the Department within the required reporting timeline for CMS submission. Why do these problems matter? The Department is responsible for ensuring MLR reports are obtained and submitted to CMS in accordance with federal regulations and that MCEs have an MLR above 85 percent. While all 10 MCEs reported that their MLRs were above 85 percent for the reports submitted during Fiscal Year 2021, without providing all required data elements, neither the Department nor the federal government can validate that this percentage is accurate. By not including the methodology for the MCE?s allocation of expenditures, the Department, and ultimately CMS, are unable to confirm that each type of expense is being allocated correctly and that any shared expenses are being prorated appropriately. Additionally, by not including a comparison of the information reported in the MRL to the MCE?s audited financial report, the Department is unable to confirm that the information the MCE used to calculate their MLR is accurate. Overall, without effective internal controls in place, the Department risks providing MLR reports to CMS that contain inaccurate or incomplete information or that the MLR is below 85 percent and the Department does not catch the error. As a result, state and federal funds could be used disproportionately on administrative costs rather than medical services, which would negatively impact the quality of care Medicaid and CBHP beneficiaries receive. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-042 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls over Medical Loss Ratio (MLR) reporting by: A. Updating its MLR report template provided to Managed Care Entities (MCEs) to comply with federal regulations and developing and implementing written policies and procedures. These policies and procedures should include the requirement for MCEs to submit MLR reports that include the data elements required by federal regulations and specify the Department?s review process of those MLR reports to ensure they include accurate and complete information. B. Developing an enforcement mechanism to ensure it receives accurate and corrected information from the MCEs in a timely manner so the Department is able to complete its validation process of MLR reports and meet the June 30 deadline for report submission to the Centers for Medicare & Medicaid Services. Response Department of Health Care Policy and Financing A. Agree Implementation Date: December 2022 The MLR report template has been updated and will now be reviewed at least yearly by the Department. In addition, new written policies and procedures are being developed and will be implemented before the submission of the next MLR for review. B. Agree Implementation Date: January 2023 The Department will add contract language and enforcement mechanisms in order to receive accurate information in a timely manner. This includes specific timelines for correcting incomplete or inaccurate information in order to submit the MLR report timely to the Centers for Medicare & Medicaid Services.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-043 Managed Care Entities? Periodic Audit Reporting On November 9, 2020, CMS adopted a final rule (Final Rule) revising the regulations governing managed care programs. The Final Rule was meant to streamline the existing Medicaid and CBHP managed care regulatory framework. Further, it adopted procedures and standards to ensure accountability and strengthen program integrity safeguards. The Department is responsible for complying with these federal program integrity regulations, some of which include requirements to monitor MCE compliance submission requirements, conduct periodic audits of submitted MCE data, and then post the periodic audits publicly on the Department?s website. These periodic audits are done to determine the accuracy and completeness of the (1) encounter and, (2) financial data submitted by each MCE, which are described as follows: ? Encounter Data. The Department?s contracts with the MCEs require each MCE to submit Medical Encounter Claims (Encounter Data) to the Department. Encounter Data includes services provided by any of the MCE?s providers, including, but not limited to, services delivered by medical groups, practices, clinics, physicians, or any other providers. MCEs must submit Encounter Data on a monthly basis on the last business day of the month. The Department then contracts with an independent external quality review organization to review the information and supporting documentation, and then the external organization issues a report on the data submitted by each MCE. ? Financial Data. The Department?s contracts with the MCEs require each MCE to complete a Department-provided financial reporting template that contains a breakdown of the MCE?s administrative and medical costs for a 12-month period (July through June). These templates are required to be completed and submitted to the Department by January 15 each year. The Department performs an initial review of the information, and then sends the completed templates to an independent CPA firm for final review and issuance of a report on the data submitted by each MCE. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to review the Department?s internal controls over and compliance with federal program integrity requirements for MCEs during Fiscal Year 2021. The audit work included making inquiries of Department staff regarding the Department?s documented policies and procedures over the MCE periodic audits. For each MCE, we reviewed the Department?s MCE contract, the financial reporting template submitted during Fiscal Year 2021, and the report issued by the Department?s contracted independent organization. Lastly, we reviewed the Department?s website to determine whether the Department posted the periodic audit results on their website. How were the results of the audit work measured? Federal regulations [42 CFR 438.602] detail the Department?s responsibilities associated with MCE program integrity. These include the following: ? Federal regulation [42 CFR 602(e)] requires the Department to periodically conduct, or contract for the conduct of, an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by each MCE. ? Federal regulation [42 CFR 438.602(g)(4)] requires that the results of the periodic audits for each MCE be publicly posted on the Department?s website. The Department?s MCE contracts require all MCEs to submit Encounter Data electronically to the Department on a monthly basis. The Department?s MCE contracts also require all MCEs to submit annual financial information, including annual financial statements and the Department provided financial reporting template. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in the Green Book. Under Paragraph 16.01, the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. What problems did the audit work identify? Overall, we found that the Department did not obtain complete financial data from the MCEs during Fiscal Year 2021 and did not post the audited results of the financial data to the Department?s website. Specifically, we found the following: ? Financial Data Reporting Template. For 2 out of the 10 (20 percent) financial reporting templates we reviewed, the MCE did not fill out the reporting template completely. As a result, the reporting templates were missing supporting information and explanations that assist the Department in their initial review of the MCE financial data, such as the MCE?s methodology for calculating administrative and medical costs submitted with the reporting template. ? Posting Incomplete Periodic Audits to the Department?s Website. For 10 of the 10 (100 percent) MCEs, we found that the Department failed to post the results of the financial data audits to its website. Pursuant to federal regulations, the audits must include information on encounter and financial data for each MCE and be posted to the Department?s website. We were able to verify that the Department did, however, post the results of the encounter audits to its website for all 10 MCEs. Why did these problems occur? The Department lacked adequate controls over ensuring compliance with federal program integrity requirements for MCEs. Specifically, the Department did not have written policies and procedures for performing the initial review of the financial data reporting templates before they are sent to the CPA firm for final review. In addition, the Department did not have written policies and procedures for ensuring all periodic audit information is posted to its website, including the results of the financial data audits. Why do these problems matter? As a recipient of federal funds, the Department is ultimately responsible for ensuring that it is in compliance with federal regulations. By not confirming that the MCE financial data templates are complete, there is a risk that the reports issued by the contracted CPA firm could be inaccurate or incomplete, which could lead to the Department not properly monitoring the managed care program. In addition, by posting incomplete periodic audit information to its website, the Department risks failing to comply with federal program integrity requirements for MCEs. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-043 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls by developing and implementing written policies and procedures for periodic audits that detail the process for (1) performing the initial review of the financial data reporting templates submitted by Managed Care Entities, and (2) posting complete periodic audit results on the Department?s website in accordance with federal regulations. Response Department of Health Care Policy and Financing Agree Implementation Date: December 2022 The Department did not have strong enough controls for the initial checks on the financial data reporting templates. This process has been updated and will be rectified in coming cycles. The Department has modified its templates in order to address the concerns provided by the auditors including signatures and supplemental reporting. Written policies and procedures for the validation and audit of the templates are being developed currently and will be in place and effective in December 2022. The Department will be correcting this error by posting the audit results along with other quality and audit reports on the following site: https://hcpf.colorado.gov/quality-and-health-improvement-reports.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-045 Payments for Non-Emergent Medical Transportation ClaimsPrior to July 2020, in 55 counties, the Department worked with various county offices to have them broker Non-Emergent Medical Transportation (NEMT) services for Medicaid recipients, including rides to and from Medicaid medical appointments, personal mileage reimbursement, and trip-related meals and lodging. For example, these counties arranged the rides with transportation providers, submitted the claims or had providers submit claims for reimbursement to the Department, and passed on reimbursements to providers as needed. For the remaining nine counties, the Department contracted with IntelliRide to serve as the NEMT broker for services in those areas. From July 1, 2020, to August 31, 2021, when the Department contracted with IntelliRide to be the statewide broker, most recipients throughout the state scheduled NEMT rides by contacting IntelliRide through its call center, website chat function, or smartphone applications. IntelliRide scheduled rides and assigned transportation providers to them, and had providers upload trip information into IntelliRide?s EcoLane transportation scheduling system. EcoLane maintains information related to recipients? requests for rides and provider trip information, such as the trip date and time, names of the recipient and driver, and scheduled pick-up and destination addresses. IntelliRide submitted claims through the Department?s interChange system (interChange) requesting payments for providers? NEMT services, paid providers for their services, and received reimbursement from the Department. In addition, the Department paid NEMT claims submitted directly by NEMT providers. In Fiscal Year 2021, from July 1, 2020, through February 28, 2021 (the audit period), the Department paid 362,110 claims for NEMT services totaling about $33.2 million, as shown in the following table. In September 2021, the Department plans to transition back to IntelliRide brokering services in nine counties, while the NEMT providers in the remaining counties will broker their own services. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote What audit work was performed and how were the results measured? The purpose of the audit work was to determine whether the Department has ensured that NEMT claims adhere to the following federal and state requirements. ? NEMT trips were to be brokered through, and all claims submitted by, the statewide broker, Intelliride. According to state regulations and the Department?s NEMT Billing Manual, all NEMT trips during Fiscal Year 2021 had to be authorized by the statewide broker, IntelliRide [10 CCR 2505-10 8.014.7.A]. This means that each recipient?s NEMT ride request should have been sent to IntelliRide for approval or authorization before the trip, and any unauthorized trips should ?not be reimbursed or paid? [Billing Manual]. According to the Department, it allowed NEMT providers time to transition to working with IntelliRide because some providers were reluctant to join the statewide brokerage and the Department needed time to onboard providers. By Fall 2020, most providers should have been working with IntelliRide to schedule NEMT rides. The Department told us that six NEMT providers received its express permission to bypass IntelliRide to schedule rides and submit claims directly to the Department because the providers are unique, such as only serving recipients with disabilities or receiving federal grant funding to provide NEMT. To assess whether IntelliRide brokered most NEMT services in the State and submitted the related claims in line with regulations and its contract, we reviewed the Department?s aggregate data for the 128,998 NEMT claims paid from December 2020 through February 2021. ? The Department must pay claims based on accurate service rates and trip mileage. Non-taxi NEMT services, such as wheelchair and mobility vehicle services, have base rates and mileage rates set by the Department. IntelliRide tracks the mileage of each NEMT trip in EcoLane and submits mileage claims to the Department?s interChange system. The Public Utilities Commission (PUC) sets the rate for each permitted taxi provider, which generally includes a rate for the first trip mile and a different rate for each additional mile. According to the Department?s NEMT Billing Manual and NEMT Rate Schedule for Fiscal Year 2021, taxi claims should have been paid at the rate set by the PUC. For example, if a taxi company?s PUC rate was $4 for the first mile and $2 for each additional mile, the Department should have paid $6 for a two-mile NEMT trip claim. To verify that the Department paid NEMT claims based on the correct trip mileage and rates, we reviewed the trip mileage and rates for 362,110 NEMT claims paid from July 2020 through February 2021, and PUC documentation on the taxi rates for permitted taxi companies. ? Claims must be supported with accurate and complete documentation confirming the service provided. Both IntelliRide and providers that submit claims for NEMT services must keep and be able to furnish accurate, complete supporting documentation for all claims [42 USC 1396a(27), 42 CFR ?? 431.17 and 433.32, and 10 CCR 2505-10 8.014.3.C and 8.014.6.B]. For example, a claim must be supported by medical documentation showing that the type of vehicle was needed to transport the recipient, and documentation from the transportation provider showing the trip occurred and when the recipient was picked-up and dropped-off. IntelliRide should only submit a claim to the Department after IntelliRide confirms the trip has been completed and marks the status complete in EcoLane [IntelliRide Policies and Procedures]. If an NEMT provider does not show up for a trip, IntelliRide should mark the trip as ?cancelled? in EcoLane. Payments for Medicaid claims that lack supporting documentation for the services provided are unallowable, meaning they should not be paid. IntelliRide or the Department must maintain documentation from recipients? medical providers showing why certain NEMT services, like transportation in a wheelchair van or with an escort, are medically necessary [10 CCR 2505-10 8.014.7.B and 8.014.5.D.1; Billing Manual]. To verify that there was support for NEMT claims, we reviewed IntelliRide data in EcoLane for all 362,110 NEMT claims paid from July 2020 through February 2021, and Department documentation for a sample of 85 NEMT paid claims?75 selected randomly from the four NEMT service areas of the state, and 10 that were the highest paid NEMT claims. ? NEMT services must be medically necessary. NEMT services shall only be provided to recipients with no other means to attend medically necessary, non-emergency treatment covered by Medicaid [42 USC 1396a(70); 42 CFR 431.53; 10 CCR 2505-10 8.014.5.B]. To verify that NEMT claims were only paid for recipients to access medical care, we reviewed the Department?s data on paid medical claims to determine if the recipients related to 22 sampled NEMT claims paid in December 2020 had a corresponding medical appointment. For another 61 paid NEMT claims that involved IntelliRide scheduling and submitting claims for trips every day in December for two recipients, we reviewed whether the recipients had paid medical claims corresponding with the trips. ? Prior authorization is required for air ambulance. The Department must grant prior authorization for the use of an NEMT air ambulance before the trip occurs in order for the claim to be paid [10 CCR 2505-10 8.014.7.D.1.b]. To verify that the Department granted prior authorization for air ambulance trips, we reviewed the use of air ambulances in 11 paid claims from July 2020 to February 2021. ? Recipients are to receive the least-costly NEMT transportation option appropriate for their medical condition. For example, recipients should only ride in a vehicle for recipients with mobility needs when they have a mobility issue or if there is a lack of access to public transportation [10 CCR 2505-10 8.014.6.B, 42 USC 1396(a(70), and 42 CFR 440.170(a)(4)]. Higher-cost NEMT services, such as ambulance and wheelchair van services, must be supported with documentation of the recipient?s need for the specific higher-cost services [10 CCR 2505-10 8.014.5.B.1.b]. To determine whether recipients received the least costly NEMT services to meet their needs, we reviewed documentation submitted by medical or transportation providers to IntelliRide or the Department for the 85 sampled NEMT claims. ? Taxi providers must be permitted by the PUC to provide NEMT taxi rides. To provide NEMT rides by taxi and receive payment for them, the provider must maintain a common carrier permit issued by the PUC [10 CCR 2505-10 8.014.3.B.4.a]. To verify that the providers that were paid for taxi claims had been permitted to provide taxi services, we reviewed the 33,791 NEMT claims for taxi services from July 2020 to February 2021. What problems were identified? The Department paid $3.5 million directly to 66 NEMT providers for claims that were not brokered by Intelliride. From December 2020 through February 2021, 26,890 of the approximately 129,000 NEMT claims paid by the Department (21 percent), totaling about $3.5 million, were not brokered through IntelliRide, which violated state regulations requiring all NEMT services to be brokered through the statewide brokerage in effect at the time. The following chart shows the amounts the Department paid for claims submitted directly by NEMT providers compared to its payments for claims submitted by IntelliRide from July 2020 through February 2021. During these months, the number of claims that providers submitted directly to the Department decreased as providers transitioned to working with IntelliRide to broker NEMT rides; however, as of February 2021, the Department was still paying about $1 million in monthly claims that were submitted directly by providers. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote The Department paid 36,910 NEMT claims totaling $5.5 million, which either violated or may have violated federal and/or state regulations. The claims were for unallowable services or were overpaid, and resulted in $291,597 in known questioned costs and $5,180,962 in likely questioned costs for Medicaid. A questioned cost is a payment that ?resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds? or ?the costs, at the time of the audit, [that] are not supported by adequate documentation?? [2 CFR 200.84]. A known questioned cost reflects a violation that the auditor confirmed; a likely questioned cost is the auditor?s best estimate of a potential violation [2 CFR 200.516(a)(3)]. Known and likely questioned costs should be investigated by the Department and recovered, as appropriate, because Medicaid overpayments are recoverable regardless of whether they occurred due to an error by the Department, entity acting on behalf of the Department, or a provider [Section 25.5-4-301(2), C.R.S.]. We found the following problems resulting in $291,597 in known questioned costs: ? Claims paid with no support that services were provided. For 3,958 of the 362,110 NEMT claims (1 percent), which totaled $258,115 paid from July 2020 to February 2021, IntelliRide or providers submitted the claims without any documentation showing that recipients received the NEMT services from the providers listed in the claim. The $258,115 is known questioned costs and includes: o 3,323 claims totaling $163,985 submitted by IntelliRide with no documentation in EcoLane of a ride being scheduled or provided. o 619 claims totaling $61,431 submitted by IntelliRide for which EcoLane showed the scheduled ride was cancelled. o 16 sampled claims totaling $32,699 submitted by providers directly to the Department had no documentation that an NEMT service occurred because the providers did not send the Department documentation for their claims. Upon our request, the Department attempted to obtain supporting documentation from providers for these claims but was unable to obtain any. ? Overpayments due to incorrect mileage and taxi rates. For 466 of the 321,099 mileage and taxi claims (less than 1 percent), the Department overpaid IntelliRide. Specifically, for 50 of the 287,308 mileage claims (less than 1 percent), the mileage submitted by IntelliRide that the Department paid was more than the ride mileage that IntelliRide documented in EcoLane. For 416 of the 33,791 (1 percent) claims submitted by IntelliRide on behalf of providers that were permitted to operate as taxis, the Department paid a higher rate than the providers? set PUC rate. The following table breaks out the overpayments that we identified, which totaled $6,759 in known questioned costs. We did not find issues with the rate amounts that the Department paid for non-mileage and non-taxi services. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Examples of these overpayments include: o An overpayment of $48 for a claim submitted by IntelliRide for a taxi provider that billed the wrong taxi rate. The Department paid $60 for a 4-mile trip, when it should have paid $12 based on the PUC rate of $3 per mile. o An overpayment of $79 for a claim submitted by IntelliRide on behalf of a provider because the claim showed the trip was 76 miles, but the EcoLane data showed the trip was 38 miles. The Department paid $157, when it should have paid $78. ? Unallowable rides, not for medical appointments. For 61 claims showing NEMT trips every day in December 2020 for two recipients, there were no medical claims corresponding to their trips, so it appears that either NEMT was used repeatedly to transport these recipients to unallowable destinations or the provider did not provide the trips claimed. The NEMT provider reported to IntelliRide that these trips were completed even though the recipients did not attend any medical appointments that month. IntelliRide submitted the 61 NEMT claims and its EcoLane data showed that the NEMT providers self-reported that the trips were completed. However, IntelliRide confirmed that these trips were not used to access medical care. The issues we identified resulted in $2,674 of known questioned costs. ? Air ambulance claims paid without prior authorization. None of the 11 air ambulance NEMT claims had supporting documentation that the provider requested or received prior authorization from the Department before the trip occurred. These 11 claims to three providers resulted in $23,122 in known questioned costs. ? Claims paid for trips that were not the least costly, medically necessary, and/or for approved escorts. For seven of the 85 sampled claims (8 percent), IntelliRide submitted the claims without having required documentation from medical providers. Specifically, four claims lacked documentation to support the medical necessity for the type of vehicle used (either mobility vehicle, taxi, or wheelchair van); the other three claims lacked documentation of the recipient?s need for an escort to support the associated cost, which indicates that the three sampled NEMT trips were provided to an escort ineligible to ride with the recipient. The issues we identified for the seven claims resulted in $927 of known questioned costs. In addition, we found the following problems resulting in $5,180,962 in likely questioned costs, which are estimated potential violations of federal requirements that we could not confirm due to a lack of documentation: ? $4.8 million paid for taxi claims without mileage. For 29,049 taxi claims totaling $4,763,071, the Department paid the claims without ensuring taxi providers were paid at their PUC per-mile rate. These claims were submitted directly to the Department by 10 permitted taxi providers. The Department required providers to submit claims showing only the number of one-way trips driven, not the number of miles driven. As a result, the Department could not ensure that these taxi claims were paid at the correct PUC rates, as required in its Billing Manual and Rate Schedule. The Department paid the full amount that each taxi provider requested, as long as the claim was not more than $1,000 per one-way trip. For example, the Department paid $4,000 to one taxi provider for a claim showing four one-way trips for a recipient on a single day. Based on the claim amount, the taxi provider would have had to have driven the recipient on four 400-mile, one-way trips that day to justify this amount, because the taxi provider?s PUC rate is $4 for the first mile and $2.50 for each additional mile. Since the Department did not obtain the miles driven for each one-way trip from taxi providers for these 29,049 claims, we could not determine whether the payments were accurate based on each provider?s PUC rate, as required. ? $409,575 paid for taxi claims for providers not permitted as taxis. For 3,284 NEMT claims for taxi services from eight providers, the providers were not permitted by the PUC to operate as taxis. For example, one provider was paid for an NEMT taxi claim for $5,875 for 12 trips, or $490 per trip. Since these providers were not permitted as taxis, they did not have PUC-set taxi rates, so we could not determine how much these providers should have been paid. ? $4,718 paid for trips that may not have been to attend medical services. As of April 2021, 13 of the 22 sampled NEMT claims (59 percent) for trips in December 2020 had no medical claims for dates corresponding to the NEMT trips. Department staff told us that Medicaid medical claims are typically submitted and paid within 3 months of the date of service, but that there is a possibility that medical providers had not yet submitted medical claims for the recipients since federal regulations technically allow providers up to 12 months to submit claims [42 CFR 447.45(d)(1)]. In addition, six of these 13 recipients had both Medicaid and other types of medical insurance, such as Medicare. According to the Department, it is possible that the six recipients used NEMT trips to access medical services but the Department did not have a Medicaid claim for the services because they were paid by the other types of insurance, which is allowed by state regulations [10 CCR 2505-10 8.014.5.B.2]. Therefore, we could not determine whether the NEMT trips associated with the 13 claims had been for recipients to attend medical services. ? $3,598 paid for trips that may not have been completed. For 61 of the 362,110 paid claims (less than 1 percent), the scheduled trips were not marked as complete in EcoLane, so we could not determine whether they had been completed. Why did these problems occur? The Department lacks effective internal controls over NEMT claims to ensure they are appropriate and consistently comply with federal and state requirements. According to federal regulations [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls to provide reasonable assurance that federal funds are spent in compliance with federal requirements. We identified the following areas where Department controls are lacking for NEMT claims: Lack of Department information technology (IT) Controls in interChange ? No IT controls to prevent providers from bypassing broker. From December 2020 through February 2021, the Department paid NEMT providers directly for unsupported NEMT trips because the Department did not have IT controls in interChange to deny claims for trips that were not brokered through IntelliRide, as required at the time. As of September 1, 2021, the Department plans to require only the NEMT providers operating in nine metro-Denver counties to broker trips through IntelliRide, so the Department needs IT controls to ensure providers in these counties work with IntelliRide to schedule all trips and submit related claims. ? Lack of IT and other controls to ensure proper payments for NEMT taxi services. InterChange is programmed to pay each NEMT taxi claim based on one-way trips, but the Department has not implemented an IT or other control to ensure that NEMT taxi claims are paid at the providers? current PUC-approved per-mile rates, and that the Department only pays taxi rates when the provider is permitted by the PUC to operate as a taxi. Department staff stated that the only IT control the Department has built into interChange to help ensure proper payment of taxi claims is limiting payments for taxi claims to no more than $1,000 per one-way trip, and that this control is in accordance with the NEMT Billing Manual and Rate Schedule. However, Department staff also acknowledged that there is a conflict within the Billing Manual that requires taxi claims to be based on the number of one-way trips, but also paid based on per-mile PUC rates. By setting the limit based only on the number of one-way trips instead of providers? PUC per-mile rate, this Department IT control is not effective at ensuring taxi claims are paid properly. To ensure accurate payments for NEMT taxi claims, the Department will need methods, such as IT controls in interChange, and clarification in the Billing Manual and Rate Schedule, to ensure taxi providers are paid based on set rates, and ensure each taxi provider is permitted. ? No IT controls to ensure required prior authorizations. Air ambulance services were paid without the Department?s prior authorization for the services because the Department does not have IT controls to ensure prior authorization before payment. If the Department does not implement IT controls to ensure appropriate prior authorizations of NEMT services, the Department will need to develop manual processes to ensure that NEMT services receive required authorization prior to paying the related claims. Lack of Department Monitoring of NEMT Services and Claims ? Insufficient methods to ensure appropriate payment and collect necessary documentation from providers that bypass the statewide brokerage. Although the Department reviewed NEMT provider supporting documentation for NEMT services in 2019, the Department did not do so in 2020 or 2021, and had no process to require the providers that bypassed the statewide brokerage to submit documentation to support their NEMT claims before they were paid. According to the Department, in September 2021, it plans to require providers in nine counties covered by the IntelliRide brokerage contract to provide and submit claims through IntelliRide; however, NEMT providers in the remaining 55 counties will be submitting NEMT claims directly to the Department. Therefore, it is important that the Department develop a process to ensure that providers in these 55 counties maintain required documentation for each claim. ? Lack of monitoring to ensure Intelliride submits accurate mileage claims and collects necessary documentation. The Department does not conduct reviews of IntelliRide?s documentation in EcoLane to ensure it submits claims for accurate mileage and maintains support for claims submitted to or paid by the Department. For example, the Department does not reconcile its NEMT claims data from interChange and IntelliRide?s EcoLane system data to ensure each claim is supported. Furthermore, the Department has never completed a file review of IntelliRide?s supporting documentation for NEMT claims, such as when the Department contracted with IntelliRide to be a regional broker prior to becoming the statewide broker. ? No method to ensure NEMT service claims are for rides for medical treatment and the least costly. The Department does not conduct any reconciliation of its interChange data on NEMT trip claims to its interChange data on Medicaid medical claims to ensure NEMT claims are only paid for recipients to access medical care. The Department also does not require confirmation from medical providers that recipients used NEMT to access necessary medical care. For example, NEMT providers told us that before the start of the IntelliRide statewide brokerage contract, they either called medical providers to confirm that the recipients? NEMT trips were to access medical appointments or collected medical providers? signatures for each NEMT trip. In addition, the Department has no controls to ensure providers that submit claims directly to the Department are providing the least costly NEMT service appropriate to each recipient, such as public transportation when it is accessible and appropriate. For example, IntelliRide instructs its staff to attempt to schedule the lowest-cost NEMT service based on recipients? mobility needs and access to public transportation; however, the Department has no such method to ensure services are the least costly when NEMT providers schedule services for recipients. As of September 2021, the Department plans to have the recipients who live in the 55 counties not served by IntelliRide begin scheduling their rides directly with the NEMT providers of their choosing, yet the Department has not developed a method to ensure recipients in these areas receive the lowest-cost services appropriate for their needs. ? Potentially insufficient Department staffing to monitor NEMT claims effectively. For Fiscal Year 2021, the Department was appropriated three full-time equivalent (FTE) staff to oversee NEMT claims; however, the Department had two vacancies in these positions from July 2020 through May 2021 that it did not fill, so there was only one Department staff overseeing NEMT and the IntelliRide statewide contract during the audit time period. In June 2021, the Department added an additional FTE staff member to assist in administering the NEMT benefit. Why do these problems matter? Likely federal recovery of funds used for improper payments. Section 25.5-4-301(2), C.R.S., states that any overpayments of claims to providers are recoverable and ?are recoverable regardless of whether the overpayment is the result of an error by the state department? an entity acting on behalf of [the department], or the provider or any agent of the provider.? Our audit identified $291,597 in known questioned costs, of which about $145,797 is the federal portion of funds that the federal government may recover. We also identified $5,180,962 in likely questioned costs, of which $2,590,480 is the federal portion of funds that could be recovered if the payments are determined to have not been appropriate. The following table shows the questioned costs and federal portions for each problem we identified. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote When providers bypass broker controls, service quality is not monitored. When the Department allows some NEMT providers to bypass the IntelliRide broker, and does not obtain documentation to support their claims, the Department is unable to monitor the services of these providers. Additionally, when the Department does not monitor providers that bypass the statewide broker, the Department is applying different and possibly inadequate standards for the providers that bypass compared to the providers that work with IntelliRide. Although the Department plans for IntelliRide to no longer be the statewide NEMT broker for all 64 counties beginning September 2021, IntelliRide will continue to administer NEMT trips for nine Front Range counties that account for the majority of NEMT trips. It is important that all NEMT trips in these counties be brokered through IntelliRide so that the Department can monitor the quality of the trips and IntelliRide?s oversight of them. Risk of fraud, waste, and abuse. When the Department pays NEMT claims that are not supported by documentation of the service, medical documentation showing NEMT was for medical treatment, or the required prior authorizations, there is a significant risk of misappropriation of federal and state funds by providers and/or recipients. In addition, the eight providers not permitted as taxis that submitted taxi claims appear to have set their own rates of payment at a significantly higher rate, since the PUC did not permit or set rates for these providers. While we did not identify confirmed fraud by recipients or providers due to a lack of supporting documentation for claims, the problems identified demonstrate waste of public funds and potential abuse of the Medicaid program. When the Department overpays Medicaid funds and pays for unallowable services, there are fewer funds available to service the recipients who need them. In addition, there is no federal or state limit on payments for NEMT services, so it is important that the Department ensure Medicaid recipients receive appropriate transportation to medical treatment, while also ensuring the Department is acting as a good steward of federal and state funds. See Schedule of Findings and Questioned Costs for chart/table Character Limit Exceeded See Statewide Single Audit Report
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-047 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-034 MEDICAID CONTROLS OVER ELIGIBILITY DETERMINATIONS Individuals and families seeking medical benefits through Medicaid must apply and provide certain information to caseworkers at their local county or an MA site, which collects required documentation for determining the applicants? eligibility. Such documentation includes the applicants? birth certificates, support for income, and the value of resources, such as wage stubs and bank account balances. Caseworkers enter the applicant-provided data into CBMS, which contains system checks for determining the applicants? eligibility to receive Medicaid benefits. These system checks include calculating and verifying income and resources for the applicants, as well as assessing and collecting fees for benefits, such as buy-in premiums. For example, CBMS will mark an applicant?s eligibility as fail if the reported income or resources exceed specific limits that are set by federal and state regulations. The Department is responsible for monitoring the local counties? and MA sites? administration of Medicaid to ensure eligibility is determined in accordance with federal and state regulations. Medicaid applicants may be eligible for retroactive eligibility, which allows new Medicaid applicants to receive coverage for up to 3 months prior to the date of one?s application. As long as the individual meets Medicaid?s eligibility requirements in the 3 months preceding their application, the Department will retroactively pay Medicaid covered expenses that individuals incurred during that timeframe. Without retroactive eligibility, benefits for Medicaid eligible individuals begin on the date the application was received by the local county or MA site. As an example, if an individual has medical expenses in March, applies for Medicaid in June, and the individual has met the eligibility requirements for 3 months preceding their application, then any unpaid Medicaid covered expenses for March, April, and May are paid by Medicaid. Eligibility data from CBMS feeds into the Colorado interChange system (Colorado interChange), which issues payments to Medicaid providers for the services they render to Medicaid beneficiaries. The Department pays Medicaid providers through two methods: (1) directly through fee-for-service (FFS) payments for specific services rendered or (2) indirectly through monthly fixed amounts known as capitation payments that are paid to managed care entities, who contract with providers for services. The monthly capitation payments are paid every month on behalf of beneficiaries regardless of whether the beneficiaries receive medical services during the month. Colorado interChange is programmed to pay the FFS and monthly capitation payments only on behalf of beneficiaries deemed eligible in Colorado interChange based on eligibility information received from CBMS and requirements specified in federal and state rules and regulations. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to review the Department?s internal controls over the Medicaid eligibility determination process, as well as to determine whether the Department complied with applicable federal and state Medicaid eligibility requirements during Fiscal Year 2020. We performed testing on a statistical sample of 125 case files related to beneficiaries who (1) were deemed eligible for Medicaid during Fiscal Year 2020 and (2) had a payment made on their behalf to a Medicaid provider between July 1, 2019, and February 29, 2020. The purpose of our testing was to determine whether the beneficiaries were appropriately determined to be eligible for Medicaid during the time they received services within this period. This audit period was selected to accommodate changes that were made to federal Medicaid eligibility requirements in March 2020 due to the COVID-19 PHE. Our testing involved reviewing Medicaid case files, CBMS data fields, and supporting documentation related to eligibility determinations and redeterminations, as well as Medicaid payment information in Colorado interChange. For each beneficiary, we determined whether the Department ensured that local county and MA site caseworkers obtained and maintained required documents supporting eligibility determinations and redeterminations, and correctly entered eligibility data into CBMS. Additionally, for each sampled beneficiary, we determined whether CBMS showed the correct income and resources, the beneficiary was enrolled in the appropriate Medicaid program, buy-in premiums were assessed, and payments were not made after eligibility had ended during Fiscal Year 2020. We also inquired about the Department?s monitoring procedures over local counties and MA sites to ensure eligibility is determined in accordance with federal and state regulations. Additionally, we reviewed the Department?s progress in implementing our Fiscal Year 2019 audit recommendation related to Medicaid eligibility. Based on the results of that audit, we recommended that the Department strengthen its internal controls over Medicaid by providing adequate training, monitoring the local counties and MA sites, and researching and resolving CBMS system issues identified in our Fiscal Year 2019 audit. STATISTICAL SAMPLING METHODOLOGY We selected a statistical sample of Medicaid beneficiaries for our review of their case files in a manner that?if we found errors?would allow us to estimate the total number of beneficiaries who were improperly deemed eligible, as well as the resulting dollar amount of Medicaid benefit payments that were improperly paid during the audit period of July 1, 2019, through February 29, 2020. We designed our sampling methodology and sample size to support statistical projections of our testing results to the population of all beneficiaries for whom payments were made during the audit period. Our methodology included the following procedures: ? We requested and received from the Department a listing of all Medicaid FFS and capitation payments with a date of service during the audit period. The data set included State identification numbers (ID), which are unique to each beneficiary. ? We summarized all Medicaid payments made during the audit period by ID and removed any IDs for which total payments and adjustments netted to $0, which can happen when the Department catches and fixes payments made in error. This resulted in a population of 1,386,220 unique IDs that had a total of $5,408,339,948 in payments made on their behalf during the audit period. ? We used a stratified random sample, as shown in the following table, consisting of six strata defined by the total amount of payments for each unique ID. We selected random samples from each strata for a total of 125 IDs that had benefit payments totaling $3,127,704. The strata and sample sizes were defined based on our risk assessment and consultations with audit sampling methodologists from the U.S. Department of Health and Human Services, Office of Inspector General (HHS OIG). ? For each sampled ID, we tested eligibility covering the dates of service for every payment made on the individual?s behalf within the audit period. ? After we concluded our testing, we used HHS OIG?s Office of Audit Services statistical software in consultation with HHS OIG to project our results to the full population of IDs for which benefits were paid during the audit period. See Schedule of Findings and Questioned Costs for chart/table. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? For 32 of the 125 Medicaid beneficiaries? case files that we tested (26 percent), we identified at least one error within each case file. In total, we identified 43 errors within the 32 case files. These errors resulted in a total of $25,120 in known questioned costs for July 1, 2019, through February 29, 2020, and $6,843 in likely questioned costs for March 1, 2020, through June 30, 2020, as shown in the following table. See Schedule of Findings and Questioned Costs for chart/table. A questioned cost, as defined in federal regulations [45 CFR 75.2 Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards (Uniform Guidance)], is ?a cost that is questioned by the auditor ? (1) Which resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds; [or] (2) Where the costs, at the time of the audit, are not supported by adequate documentation?.? Furthermore, federal regulation [45 CFR 75.516] defines known questioned costs as questioned costs that are specifically identified by the auditor and likely questioned costs as an auditor?s best estimate of total questioned costs. During the COVID-19 PHE, CMS issued waivers that limited the Department?s ability to deny eligibility for enrolled beneficiaries. The Department also sought guidance from CMS on the treatment of beneficiaries who were ineligible prior to the COVID-19 PHE but were receiving benefits during this period. CMS guidance indicated that the Department should keep these beneficiaries enrolled during the COVID-19 PHE. Therefore, we are reporting any identified questioned costs from March 1, 2020, through June 30, 2020, the period during the COVID-19 PHE, as likely questioned costs. PROJECTED LIKELY QUESTIONED COSTS FOR JULY 2019 THROUGH FEBRUARY 2020. Based on our sample, we estimate the projected Medicaid questioned costs resulting from payments made on behalf of ineligible beneficiaries in the population between July 1, 2019, and February 29, 2020, to be about $165.6 million and, with 90 percent confidence, to be at least $41.1 million but not more than $290.0 million. This projection is based on the $25,120 in known questioned costs, or misstatements, we identified in our sample during the audit period. The American Institute of Certified Public Accountants Audit Sampling, May 1, 2017, Audit Guide [AAG-SAM 4.95] advises, ?Even if the misstatement appears to be from an unusual source, that does not mean that other unusual items are not in the population and that the original sample was not representative.? In accordance with this guidance, we projected the known questioned costs to the population of payments for services that occurred from July 1, 2019, through February 29, 2020, regardless of the nature of the errors or the programs involved, since the Department is ultimately responsible for all payments made to providers on behalf of eligible beneficiaries. The projected questioned costs amount of $165.6 million is based on a statistical calculation that does not correlate to specific payments to providers or to over-expenditures of the State?s General Fund or federal funds. However, this calculation indicates that if we tested the entire population, there is a 90 percent likelihood of finding the true amount of questioned costs to be between $41.1 million and $290.0 million and the amount would most likely be close to $165.6 million in erroneous payments. There is a 5 percent chance that the true amount of questioned costs is less than $41.1 million, and a 5 percent chance the true amount is over $290.0 million. PROJECTED LIKELY NUMBER OF INELIGIBLE BENEFICIARIES FOR JULY 2019 THROUGH FEBRUARY 2020. We also estimate that 169,026 beneficiaries, or with 90 percent confidence that at least 59,622 (4.30 percent) but not more than 278,429 (20.09 percent) beneficiaries, in our total population of 1,386,220 were likely ineligible at the time they received services from July 1, 2019, through February 29, 2020. The following table summarizes the results of our projections. See Schedule of FIndings and Questioned Costs for chart/table. The following table summarizes the total known and likely questioned costs based on our case file testing and statistical sampling results for Fiscal Year 2020. See Schedule of Findings and Questioned Costs for chart/table. DETAILS OF ERRORS IDENTIFIED. In some case files, we identified multiple instances of errors. Specifically, we found the following: ? PAYMENTS AFTER ELIGIBILITY HAS ENDED. In three cases, the Department paid for services after the beneficiary?s eligibility had ended. Specifically, in two cases, the beneficiaries continued to receive benefits after their death. In the remaining case, the Department determined the beneficiary was ineligible and ended the beneficiary?s benefits; however, payments continued to be made on behalf of the beneficiary after their eligibility had ended. These issues resulted in known questioned costs of $11,102. Federal regulation [42 CFR 433.304] states that an overpayment is the amount paid by a state agency to a provider in excess of the allowable amount for furnished services. Because medically necessary services cannot be provided after a beneficiary?s death, no medical services are allowable after a beneficiary?s death. Accordingly, payments for medical services claimed to have been provided after a Medicaid beneficiary?s death are overpayments. According to federal regulation [42 CFR 431.958], ?Improper payment means any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements; and includes any payment to an ineligible beneficiary, any duplicate payment, any payment for services not received, any payment incorrectly denied, and any payment that does not account for credits or applicable discounts.? ? INELIGIBLE FOR PROGRAM. In one case, the beneficiary was ineligible for the benefits received under Medicaid?s Social Security Income (SSI) mandatory program, which is a medical assistance program provided to persons eligible for financial assistance under SSI from the Social Security Administration (SSA). As a result of an eligibility redetermination, the caseworker determined that the beneficiary had not been eligible for the program since January 2019; however, the beneficiary received benefits under this program for the entire fiscal year. This issue resulted in known questioned costs of $8,326 and likely questioned costs of $4,132 for Fiscal Year 2020. State regulations [10 CCR 2505-10, 8.100.6.C.1a. and b.] state that Medicaid benefits must be provided to persons receiving financial assistance under SSI or persons who are eligible for financial assistance under SSI, but are not receiving SSI. ? INCOME ISSUES. We identified the following income-related issues: ? INCOME EXCEEDING THRESHOLD. In two cases, CBMS incorrectly calculated the beneficiaries? income. CBMS used income information reported by the beneficiary when it should have used electronic income information received through an interface with another system. If CBMS had correctly used the electronic income information, beneficiaries? income would have been over the limit set by federal regulation and the beneficiaries, therefore, should have been denied benefits at their redetermination. Instead, the beneficiaries were approved at their redeterminations and Colorado interChange paid claims on their behalf. These errors resulted in known questioned costs of $4,613 and likely questioned costs of $2,281. ? INCOME NOT VERIFIED. In one case, the caseworker did not verify income for the beneficiary. Specifically, the beneficiary reported income on the application, but the caseworker was unable to verify the income and deleted the income record from CBMS. This error resulted in known questioned costs of $779 and likely questioned costs of $280. ? INCORRECT INCOME THRESHOLD. In one case, CBMS used the incorrect income threshold for the beneficiary?s eligibility determination. The beneficiary?s income was less than the correct income threshold and, therefore, this error did not result in questioned costs. ? INCORRECT INCOME. In three cases, the caseworker used the incorrect income amount to determine eligibility. Specifically, in two cases, the caseworker excluded income when it should have been included for determining eligibility. In the remaining case, the caseworker did not include expenses to calculate self-employment income and, as a result, the caseworker overstated income for determining eligibility. No questioned costs were identified in these instances because the beneficiaries? income was still within federal and state income guidelines. Federal regulation [42 CFR 435.119] requires household income to be at or below 133 percent threshold of the federal poverty level and the State regulation [10 CCR 2505-10, 8.100.6.L.2.c] requires qualified beneficiary?s income to be at or below the federal property level. Federal regulation [42 CFR 435.914] requires the Department to obtain and maintain documentation to support each beneficiary?s Medicaid eligibility determination. State regulation [10 CCR 2505-10, 8.100.5.B.1.c] requires the caseworker to verify earned income in determining whether an individual qualifies for medical assistance and requires the Department to verify income reported by a beneficiary through an electronic data source, wage stubs, tax documents, or verification with the employer. State regulation [10 CCR 2505-10, 8.100.3.K.8.a] requires business expenses to be deducted from countable self-employment income when calculating Medicaid applicants? self-employment income. ? MISSING REDETERMINATION. In one case, the Department did not complete the annual redetermination for the beneficiary as required by the federal regulation. Specifically, the beneficiary had Medicaid payments paid on their behalf during the entire Fiscal Year 2020; however, the beneficiary had not been redetermined since April 2018 due to the beneficiary showing as ineligible in CBMS. This issue resulted in known questioned costs of $300 and likely questioned costs of $150. Federal regulation [42 CFR 435.916(a)] requires the Department to renew or redetermine Medicaid eligibility once every 12 months but no more frequently than once every 12 months. ? BUY-IN PREMIUMS NOT ASSESSED. In one case, the Department did not assess buy-in monthly premiums for the beneficiary. Beneficiaries are required to pay buy-in premiums to receive benefits under the Buy-in Working Adults with Disabilities program. Therefore, the beneficiary was not eligible for the Program during November 2019 through February 2020. The beneficiary did not have any claims submitted by providers during this time and therefore, this issue did not result in questioned costs. State regulations [10 CCR 2505-10, 8.100.6.P.1.f] require individuals to pay monthly premiums on a sliding scale based on income for the Buy-in Working Adults with Disabilities program to be eligible to receive benefits. ? INAPPROPRIATE CHANGE TO ELIGIBILITY. In two cases, the Department did not determine eligibility in accordance with state regulation. Specifically, the beneficiaries provided information to the Department that changed their eligibility and the caseworkers applied the change retroactively; these beneficiaries were current Medicaid beneficiaries rather than new applicants and state regulations do not allow eligibility to be changed retroactively for current beneficiaries. These issues did not result in questioned costs. State regulation [10 CCR 2505-10, 8.100.3.E] requires that retroactive eligibility only be provided to new applicants for the prior 3 months preceding the date of application. State regulations do not allow for retroactive redeterminations to existing beneficiaries.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-048 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-035 MEDICAL ASSISTANCE PAYMENTS FOR DECEASED BENEFICIARIES As a safeguard against potential errors and fraud, state and local agencies need to be vigilant in preventing payments for medical services on behalf of ineligible individuals, such as those who are deceased. In general, the Department, local counties, and MA sites share responsibility for ensuring that only eligible beneficiaries receive public assistance benefits under Medicaid and CBHP. Local counties and MA sites caseworkers enter the required data for eligibility determination into CBMS, which either approves or denies eligibility for MA benefits. In addition, CBMS has various system interfaces to confirm and update the eligibility information in CBMS, including the date of death. Eligibility data in CBMS feeds daily into Colorado interChange and the Department pays providers through two methods: (1) FFS payments to medical service providers for specific services, including pharmacy prescriptions, and (2) capitation payments. The monthly capitation payments are paid at the beginning of each month regardless of whether the providers serve beneficiaries during the month or not. FFS payments are only made for Medicaid beneficiaries while capitation payments are made for both Medicaid and CBHP beneficiaries. Colorado interChange is programmed to pay FFS and monthly capitation payments only on behalf of beneficiaries that are deemed eligible based on eligibility information received from CBMS and requirements specified in federal and state regulations. CBMS receives beneficiary death information through various sources, including updates from beneficiaries? family members, daily interfaces with the SSA, and a monthly interface with the Colorado Electronic Death Registration System maintained by the Colorado Department of Public Health and Environment (CDPHE). If death information received in CBMS has not been verified, the Department will confirm the death information by sending notification letters to the deceased beneficiary. Once the death information is verified, CBMS is programmed to terminate the beneficiary?s eligibility as of the date of death. On a daily basis, CBMS then sends updated beneficiary eligibility and date of death information to Colorado interChange, which is programmed to run a daily automated process to stop payments, check for payments, and recover all FFS and capitation payments made after the beneficiary?s verified date of death. In the majority of cases, there is a delay between when the beneficiary dies and when the Department receives death information, verifies the date of death, and terminates benefits; which means that claims may be paid on behalf of deceased beneficiaries for a period of time. Per federal regulations, the Department is required to recover any payments made on behalf of these beneficiaries after their date of death. Once the Department receives verified death information, overpayments are recovered through an automated process in Colorado interChange. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over Medicaid and CBHP payments related to beneficiaries who die while receiving benefits, to determine whether the Department complied with applicable federal and state requirements, and whether payments were only made on behalf of eligible beneficiaries during Fiscal Year 2020. During our audit, we received a listing of all Coloradans who died during Fiscal Year 2020, including dates of death, from CDPHE staff. We also obtained a listing from the Department of all Medicaid and CBHP payments made to providers during Fiscal Year 2020. We compared the two listings using Social Security Numbers (SSN) and identified 1,059 Medicaid and CBHP IDs that had Medicaid payments totaling $429,951 made on their behalf and $194 in CBHP payments made on their behalf. In addition, we reviewed the Department?s processes, policies, and procedures for identifying, stopping, and recovering payments for deceased beneficiaries. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? Federal regulation [42 CFR 431 Subpart Q, Requirements for Estimating Improper Payments in Medicaid and CHIP] states that any payment to an ineligible beneficiary is considered an improper payment, which is any payment that should not have been made or that was made in an incorrect amount. Also, Section 25.5-4-301(2), C.R.S., requirements for Medicaid and CBHP, states that any overpayments of claims to providers are recoverable. These overpayments ?are recoverable regardless of whether the overpayment is the result of an error by the state department, a county department of human or social services, an entity acting on behalf of either department, or by the provider or any agent of the provider.?? Additionally, Section 25.5-4-301(2)(a)(II), C.R.S., states, ?If the state department makes a determination that such overpayment has been made for some other reason than a false representation by the provider?, the state department may waive the recovery or adjustment of all or part of the overpayment and accrued interest specified in this subparagraph (II) if it would be inequitable, uncollectible or administratively impracticable?.? Because medically necessary services cannot be provided after a beneficiary?s death, no medical services are allowable after a beneficiary?s death and, accordingly, payments for medical services claimed to have been provided after a beneficiary?s death are overpayments and should be recovered. Pursuant to 1903(d)(2)(C) of the Social Security Act [42 U.S.C. 1396b] requirements for Medicaid and CBHP, states have up to 1 year from the date of discovery of any overpayment to recover or attempt to recover the overpayment before the federal share must be refunded to CMS, regardless of whether or not recovery is made from the provider. According to federal regulation [45 CFR 75.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. Green Book, Paragraph 16.01, states that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. A questioned cost, as defined in Uniform Guidance [45 CFR 75.2], is ?a cost that is questioned by the auditor ? (1) Which resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds; [or] (2) Where the costs, at the time of the audit, are not supported by adequate documentation?.? Additionally, federal regulation [45 CFR 75.516] defines known questioned costs as questioned costs that are specifically identified by the auditor and likely questioned costs as the auditor?s best estimate of total questioned costs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We found that the Department made Medicaid and CBHP payments to providers for medical services claimed to have been rendered to Medicaid and CBHP beneficiaries after the months in which beneficiaries died. Specifically, the Department made payments on behalf of 1,059 beneficiaries after their date of death provided by CDPHE, resulting in overpayments of $185,265, of which $96,952 were paid with federal grant funds, as follows: MEDICAID FFS PAYMENTS. We identified 277 Medicaid beneficiaries whose SSN matched a death record from CDPHE and who had Medicaid FFS payments totaling $207,667 paid on their behalf to providers after their date of death. We reviewed payments for 21 of the 277 Medicaid beneficiaries and confirmed with the Department that 17 of the 21 beneficiaries (81 percent) were deceased and had payments made on their behalf after their date of death during Fiscal Year 2020. We also found that the Department had not recovered these improper FFS payments to ineligible beneficiaries as of the end of Fiscal Year 2020 and, therefore, these errors resulted in known questioned costs of $17,041, of which $8,654 was paid with federal grant funds. For the remaining four Medicaid beneficiaries, the Department researched and provided evidence that the beneficiaries were not deceased. Therefore, these four beneficiaries did not result in questioned costs. The remaining 256 beneficiaries whose SSN matched a death record from CDPHE and need to be researched and verified resulted in likely questioned costs of $77,840, of which $41,422 was paid with federal grant funds. MEDICAID AND CBHP CAPITATION PAYMENTS. We identified 846 Medicaid and CBHP beneficiaries whose SSN matched a death record from CDPHE and who had capitation payments paid on their behalf to providers after their date of death that had not been recovered as of the end of Fiscal Year 2020, totaling $222,630 for Medicaid and $194 for CBHP. We informed the Department of the issues we identified and provided them with the list of 846 beneficiaries. Department staff performed additional follow-up and confirmed that Colorado interChange had received verified death records for 747 of the 846 beneficiaries and a total of $170,747 in provider payments had been made on the beneficiaries? behalf after their dates of death during Fiscal Year 2020. These payments resulted in known questioned costs of $168,224, of which $88,150 was paid with Medicaid federal grant funds and $148 was paid with CBHP federal grant funds. For 12 out of the 747 beneficiaries, the date of death reported in Colorado interChange differed from the date of death provided by CDPHE. Part of the payments to these beneficiaries resulted in likely questioned costs of $2,524, of which $1,401 was paid with Medicaid federal grant funds. For the remaining 99 of the 846 beneficiaries, the Department reported that Colorado interChange did not have death information for these beneficiaries and had not researched these further. As a result, Medicaid payments for these 99 beneficiaries are reported as likely questioned costs of $52,076, of which $28,508 was paid with federal grant funds. The following table summarizes the issues we identified. See Schedule of Findings and Questioned Costs for chart/table. WHY DID THESE PROBLEMS OCCUR? Overall, the Department lacked sufficient internal controls to ensure that medical assistance payments were not paid to deceased individuals during Fiscal Year 2020, as follows: ? LACK OF WRITTEN POLICIES AND PROCEDURES. The Department does not have written policies and procedures to monitor payments to deceased beneficiaries, to recover overpayments, and to ensure compliance with federal and state regulations related to medical assistance payments after a beneficiary?s date of death. ? SYSTEM ISSUES. We identified the following Colorado interChange system issues that caused the errors we identified: ? According to the Department, when Colorado interChange was implemented in 2017, it was programmed to only recover capitation payments in the current month and previous 2 months for Medicaid beneficiaries, and in the current month and previous 5 months for CBHP beneficiaries, after death information is received. As a result, for instances in which the Department received and verified beneficiaries? death information more than 3 months after the date of death for Medicaid and more than 6 months after the date of death for CBHP, the Department was not automatically recovering all improper capitation payments in accordance with federal and state regulations. According to the Department, in November 2020, the Department updated Colorado interChange to correct this system issue to recover all capitation payments after a beneficiary?s date of death. ? The Department lacks an effective internal control process for detecting when Colorado interChange is not recovering payments made on behalf of deceased beneficiaries. Specifically, we identified issues related to Medicaid FFS payments and followed up with the Department. Upon further review, the Department discovered a system defect that occurred from October 23, 2019, through April 23, 2020, which prevented Colorado interChange from carrying out the daily automated check and recovery process for FFS payments made on behalf of deceased beneficiaries. Due to this system defect, Colorado interChange did not recover any payments for deceased beneficiaries during this time. Although the system defect was fixed in April 2020, the Department was not aware of the issue and that payments were not being recovered for deceased beneficiaries until the Department researched the beneficiaries identified through the audit. According to the Department staff, as of May 2021, the Department was still researching the deceased beneficiaries impacted by the system defect and recovering payments. WHY DO THESE PROBLEMS MATTER? Without strong internal controls over Medicaid and CBHP eligibility, the Department increases the risk of improper payments due to fraud or error. Furthermore, making payments on behalf of ineligible individuals, including individuals who are deceased, can result in the Department having to repay the federal government for the federal portion of the overpayments. Additionally, the federal government can disallow federal funds for program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-035 The Department of Health Care Policy and Financing should improve its internal controls over Medicaid and Children?s Basic Health Plan (CBHP) payments for deceased beneficiaries by: A Establishing and implementing written policies and procedures to monitor payments to deceased beneficiaries, recover any overpayments, and to ensure compliance with state and federal regulations. B Researching and resolving the Colorado interChange system (Colorado interChange) issues to ensure that all Medicaid and CBHP payments are stopped and recovered after a beneficiary?s date of death and developing a process to detect when Colorado interChange is not recovering payments on behalf of deceased beneficiaries. C Researching and recovering any overpayments made to providers on behalf of ineligible beneficiaries noted through the audit in accordance with state requirements. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will create written procedures documenting system and monitoring processes used to prevent claims from paying after a beneficiary?s date-of-death is verified. In addition, the procedures will document the processes used to recover payments made between a beneficiary?s verified date-of-death and the date the Colorado interChange system is updated with the date-of-death. B AGREE. IMPLEMENTATION DATE: JULY 2022. The system issues described in this audit were resolved as of April 2020 for fee-for-service claims and November 2020 for capitation payments. Once a beneficiary's date-of-death is verified, payments that were made after to the date-of-death will be recovered through the Department's existing processes. As noted in the Department?s response to Recommendation (A), the Department will create written procedures documenting system and monitoring processes used to prevent claims from paying after a beneficiary?s date-of-death is verified. In addition, the procedures will document the processes used to recover payments made between a beneficiary?s verified date-of-death and the date the Colorado interChange system is updated with the date-of-death. AUDITOR?S ADDENDUM As noted in the finding, the Colorado interChange system defect did not recover payments from October 23, 2019, through April 23, 2020. However, the Department was not aware of the system defect until it researched the beneficiaries identified through the audit. According to Department staff, as of May 2021, the Department was still researching the beneficiaries that were impacted by the system defect and recovering payments. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will recover any overpayments made to providers on behalf of deceased beneficiaries once a beneficiary's date-of-death is verified based on our current processes and existing system functionality. The Department does not agree to the questioned costs identified by the auditors. When performing a review of the auditor?s data, several beneficiaries were found not to be deceased by the Department. The records provided by the auditors, like all records received from Colorado Department of Public Health and Environment (CDPHE) and the Social Security Administration (SSA), will go through the Department?s existing verification process. The Department performs the required research and outreach to beneficiaries to verify the date-of-death prior to updating the information in the Colorado interChange. In addition, the Department is not required to recover payments by the end of the state fiscal year, and reports any payments recovered to the Centers for Medicare and Medicaid Service (CMS) based on federal requirements. The Department?s source of beneficiary data, the verification processes, and recovery processes have already been established to satisfy this recommendation within federal guidelines. AUDITOR?S ADDENDUM As noted in the finding, all known questioned were for deceased beneficiaries that were verified by the Department. All likely questioned costs were for beneficiaries that had yet to be researched and verified by the Department. According to Department staff, as of May 2021, the Department was still researching and recovering payments made on behalf of deceased beneficiaries.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-041 Medicaid Eligibility?Social Security Numbers associated with Multiple State IDs Each beneficiary?s Medicaid application must contain specific information, including the beneficiary?s Social Security Number (SSN), a copy of their birth certificate, and support for their income, necessary for determining their Medicaid eligibility. The local counties and MA sites are responsible for administering the benefits application process, including entering the required data for eligibility determination into CBMS, and approving or denying applicants? eligibility. CBMS is a shared eligibility system between the Department and the Department of Human Services. As each beneficiary has one SSN, similarly, the State Identification Module (SIDMOD), which is managed by the Office of Information Technology (OIT), is designed to assign a unique State ID for each beneficiary. CBMS interfaces with Colorado interChange, the Department?s Medicaid claims payment system, on a daily basis to update eligibility information, such as a beneficiary?s eligibility status or termination of benefits in Colorado interChange. Colorado interChange uses this information to process and pay claims for services provided to eligible Medicaid beneficiaries. When a medical provider submits a claim to the Department, Colorado interChange checks the State ID and the date of birth, but not the SSN, submitted with the claim against the beneficiary?s information on file. If the State ID and the date of birth match an eligible beneficiary within Colorado interChange and the claim is otherwise appropriate, then the claim will be processed and paid through the system. The Department requires local counties or MA site caseworkers to call the OIT Service Desk to obtain approval for changing or updating an SSN in CBMS. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department made claims payments on behalf of beneficiaries with the same SSN but different State IDs, including assessing the Department?s progress in implementing our Fiscal Year 2019 recommendation related to this issue. At that time, we recommended that the Department improve its internal controls in this area to ensure that it complies with federal regulations regarding Medicaid eligibility. The Department agreed with the Fiscal Year 2019 recommendation and, during our Fiscal Year 2021 audit, reported that it had implemented this recommendation as of December 2020. As part of our testing, we reviewed the internal controls the Department had in place during Fiscal Year 2021 to identify any beneficiaries whose SSN is linked to more than one State ID in Colorado interChange. During our audit, we requested a list of all Medicaid claims that were submitted by providers and paid by the Department from December 1, 2020, through June 30, 2021, including the beneficiaries? names, SSNs, and State IDs. The Department provided a list that included approximately 924,000 beneficiaries who received benefits during that period. We analyzed this listing to identify any beneficiaries whose SSN was linked to more than one State ID, and to determine if any claims payments were made on behalf of those beneficiaries from December 2020 through June 2021. How were the results of the audit work measured? Federal regulation [42 CFR 435.910] states that the Department must require, as a condition of eligibility, that each individual (including children) seeking Medicaid services furnish a SSN. Federal regulation [42 CFR 435.914] further requires the Department to obtain and maintain documentation to support each beneficiary?s Medicaid eligibility determination. Federal regulation [42 CFR 447.56(e)(2)] states that federal funding will not be provided for payments made by the Department to providers for services provided on behalf of individuals who are not eligible for Medicaid. Further, the Department is required by federal regulations to repay the federal government the federal share of any overpayments within one year. Specifically, pursuant to 1903(d)(2)(C) of the Social Security Act [42 U.S.S. 1396b], states have up to one year from the date of discovery of the overpayment to recover or attempt to recover the overpayment before the federal share must be refunded to CMS regardless of whether recovery is made from the provider. According to federal regulation [45 CFR 75.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office. Under Paragraph 16.01 of the Green Book, the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. What problem did the audit work identify? We determined that the Department has not fully implemented the prior audit recommendation. During our testing, we identified 102 unique SSNs that appeared to be inappropriately associated with more than one State ID; in total, the 102 SSNs were tied to 209 State IDs. This could indicate that the Department determined eligibility without a beneficiary furnishing the correct SSN and, as a result, made claims payments on behalf of ineligible beneficiaries or the SSNs could be valid, but with more than one State ID, a provider could submit and have a claim paid for the same services under both State IDs. Specifically, we found the following: ? For 62 SSNs, the SSNs were tied to beneficiaries with more than one State ID, totaling 129 different State IDs, where the State IDs appeared to be for different people based on the names and/or dates of birth. ? For 40 SSNs, the SSNs were tied to beneficiaries with more than one State ID, totaling 80 different State IDs, where the State IDs had the same name and date of birth. ? For 99 SSNs, each SSN was tied to two different State IDs in Colorado interChange. ? For three SSNs, each SSN was tied to more than two different State IDs in Colorado interChange. For example, in one of the three instances, there were five different State IDs associated with one invalid SSN. These issues affected a total of 209 Medicaid State IDs that had not been corrected as of June 2021, representing a total of $67,235 Medicaid claims paid through Colorado interChange from December 2020 through June 2021. We provided the list of SSNs and State IDs to the Department to research. The Department found that, as of the end of our audit in April 2022, 59 out of the 102 SSNs identified during the audit had been corrected by a caseworker, but 43 SSNs need to be corrected in CBMS. The Department reported that these 43 SSNs had been flagged through a system edit in CBMS implemented in December 2020; however, the SSNs had not yet been corrected because ?To merge or correct [the SSNs and State IDs] is a time intensive process and must be prioritized within the business process of the [local counties and] Medical Assistance sites.? Although the Department was able to determine which SSN and State ID discrepancies had been corrected in CBMS as of April 2022, the Department has not completed its research to determine which claims made in Colorado interChange were made on behalf of beneficiaries with a correct SSN, and whether the implemented system edit appropriately addresses the issues identified in both Fiscal Years 2019 and 2021. As of the end of the audit, the Department had not completed this research and we were unable to determine whether the payments were made on behalf of beneficiaries with a valid SSN at the time payments were made. Therefore, we consider all $67,235 of the payments to be known questioned costs; $37,786 of these costs were paid with federal grant funds. A questioned cost, as defined in federal regulations [45 CFR 75.2 Uniform Administrative Requirements, Cost Principles, and Audit Requirements] (Uniform Guidance), is ?a cost that is questioned by the auditor ? (1) Which resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds; [or] (2) Where the costs, at the time of the audit, are not supported by adequate documentation?.? We have identified these questioned costs as known questioned costs that are further defined in Uniform Guidance [45 CFR 75.516] as questioned costs that are specifically identified by the auditor. Why did this problem occur? The Department did not have adequate internal controls in place during Fiscal Year 2021 to prevent or detect all instances of multiple State IDs associated with the same SSN in Colorado interChange and, as a result, could not ensure only eligible beneficiaries received Medicaid services. SIDMOD does not prevent several situations that can result in the same SSN with more than one State ID. For example, caseworkers could incorrectly input an SSN into CBMS or the SSN could be reported by the beneficiary incorrectly and, as a result, cause a new State ID to be created. There can also be instances when someone changes their name, such as when they get married, and apply for benefits prior to getting married and also after getting married, which could cause two State IDs to be created. If someone starts an application and does not finish the application and then restarts a new application at a later date, this can also cause two State IDs to be created. Further, when inputting multiple family members into the system, an input error of the SSN can occur with multiple family members with the same SSN, which would create multiple State IDs (one for each family member) with the same SSN. According to the Department, in order to implement the Fiscal Year 2019 recommendation, it implemented a system edit in CBMS in December 2020 that is designed to identify discrepancies in newly-entered or updated SSNs and State IDs in CBMS after that date and to then notify the caseworker so the caseworker can address the discrepancy; this edit was not designed to address SSN and State ID discrepancies that existed prior to December 2020. As a result, the system edit did not identify SSN and State ID discrepancies for claims made from December 2020 to June 2021 if those discrepancies existed prior to the implementation of the system edit in CBMS and the beneficiaries? information had not been updated in CBMS. For example, if a beneficiary had an incorrect SSN prior to the system edit and was, therefore, ineligible to receive Medicaid services, Colorado interChange would continue paying claims on behalf of the beneficiary until information was updated in CBMS and the beneficiary was determined to be ineligible for Medicaid. Because the system edit implemented in CBMS is only designed to detect and correct future SSN and State ID discrepancies, the Department has not fully addressed the issue of inappropriate claims payments that we identified in the prior audit recommendation. According to the Department, addressing SSN and State ID discrepancies that existed prior to December 2020 involves a manual process to identify, research, and resolve the discrepancies. The Department stated that a report to identify SSNs with multiple State IDs is being developed and is currently scheduled for deployment in June 2023. Furthermore, the Department has not established a monitoring process over caseworkers to ensure SSN and State ID discrepancies are addressed appropriately and in a timely manner. Why does this problem matter? Failing to institute appropriate controls over the processing of Medicaid eligibility can result in the counties and MA sites granting Medicaid benefits to ineligible individuals. As the state Medicaid agency, it is essential for the Department to ensure that Medicaid benefits are paid only for eligible beneficiaries. This includes ensuring that the Department has sufficient internal controls to address risks related to multiple State IDs associated with the same SSN. For example, without adequate controls in place to prevent multiple State IDs from being created, providers could erroneously or fraudulently submit duplicate claims under these State IDs for the same services, resulting in improper payments. Ultimately, the federal government may disallow federal funds for Medicaid program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. Recommendation 2021-041 See Schedule of Findings and Questioned Costs for chart/table The Department of Health Care Policy and Financing (Department) should improve its internal controls over Medicaid eligibility by: A. Researching the claims payments that were identified during our audit to determine whether the local counties or Medical Assistance sites had a valid Social Security Number (SSN) when determining eligibility, if payments were appropriate?in accordance with federal regulation at the time the payments were made?and recovering any payments made to providers on behalf of ineligible beneficiaries in accordance with federal regulations. B. Continuing to develop a report to identify SSNs associated with multiple State IDs and establishing and implementing written policies and procedures outlining how the Department will use the report to effectively monitor and correct SSN and State ID discrepancies. C. Implementing a process to monitor that caseworkers are addressing the Colorado Benefits Management System alerts related to SSN and State ID discrepancies appropriately and in a timely manner. Response Department of Health Care Policy and Financing A. Disagree The research required to identify the appropriateness of payments for 102 SSNs compared to the 1.6 million Coloradans the Department serves is administratively impractical and not an efficient use of limited state resources. Instead the Department will continue our existing proactive approach. Based on previous research, 92% of errors noted in the 2019 sample actually supplied a SSN or met exceptions criteria; therefore, payments were appropriate. The resolution of a SSN discrepancy is addressed through manual intervention by county eligibility technicians when identified through the system edit implemented in December 2020. The Department will continue the existing process to address duplicate SSNs, which is working since 58% of the SSNs had already been corrected through the existing process during the audit work. The Department could not agree to the questioned costs as the testing failed to determine which member case was incorrect. The OSA should have documented the incorrect case or identified which State IDs had not been merged through the existing process. The OSA pulled claims data (not Colorado Benefits Management System, or CBMS, cases) and did not identify if those claims were from newly entered cases or cases entered prior to December 2020. The auditor?s sample should have only included the cases impacted by the Department?s system change related to the original recommendation. Further, the Department cannot recover any payments from providers since this issue is not related to services provided. When a provider checks a member's eligibility on the day of service and finds the member eligible through the Department?s system, that provider is guaranteed payment if they render an authorized service. Auditor?s Addendum Our responsibility under federal audit regulations is to report to the federal government when we identify Medicaid payments that may not have been made on behalf of eligible individuals or that we ?question? as appropriate. It is ultimately the Department?s responsibility to perform research over questioned costs to determine whether the payments were or were not appropriate and, working with CMS, whether the Department must refund the federal share of any overpayments to CMS, regardless of whether the Department recovers the payments from the providers. B. Agree Implementation Date: June 2023 The Department will continue our existing proactive approach to minimize this issue. The resolution of a SSN discrepancy is addressed through manual intervention by county eligibility technicians when identified through the system edit implemented in December 2020. The Department will continue the existing process to address duplicate SSNs. The Department has already made significant progress to monitor CBMS through the use of CBMS monitoring dashboards. These dashboards allow the Department to monitor and perform daily analysis. The Department meets bi-weekly to discuss findings and next steps to resolve any issues identified through the dashboard. These dashboards are being implemented over time as areas of improvements are identified. As part of the Department's continual improvement strategy, SSN discrepancy reports are included in the next implementation phase of the monitoring dashboards scheduled for June 2023. The Department will develop and implement policies and procedures outlining how the report will be used to effectively monitor and correct SSN and State ID discrepancies. Once that work is complete, the Department will send updated written guidance to our county and medical assistance sites on how to use system edits, reports, and dashboards to resolve duplicate SSNs. C. Agree Implementation Date: June 2023 The Department will continue our existing proactive approach to minimize this issue. The resolution of a SSN discrepancy is addressed through manual intervention by county eligibility technicians when identified through the system edit implemented in December 2020. The Department will continue the existing process to address duplicate SSNs. The Department has already made significant progress to monitor CBMS through the use of CBMS monitoring dashboards. These dashboards allow the Department to monitor and perform daily analysis. The Department meets bi-weekly to discuss findings and next steps to resolve any issues identified through the dashboard. These dashboards are being implemented over time as areas of improvements are identified. As part of the Department's continual improvement strategy, SSN discrepancy reports are included in the next implementation phase of the monitoring dashboards scheduled for June 2023. Once that work is complete, the Department will send updated written guidance to our county and medical assistance sites on how to use system edits, reports, and dashboards to resolve duplicate SSNs appropriately and in a timely manner.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2020-051 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-038 PRESUMPTIVE ELIGIBILITY Colorado?s presumptive eligibility program is designed to give immediate, temporary medical coverage to children under 19 and pregnant women while they wait for a regular Medicaid or CBHP eligibility determination. Though there are fewer eligibility requirements for presumptive eligibility in comparison with regular Medicaid or CBHP coverage, beneficiaries must submit a Medical Assistance application (Application) and meet certain criteria to be eligible. To manage the application process and help ensure that only people meeting the basic eligibility criteria are enrolled in presumptive eligibility programs for children and pregnant women, the Department partners with clinics, health care centers, and community resource centers that are certified as presumptive eligibility sites (PE sites). Such PE sites must be re-certified by the Department every 2 years to maintain their active status as qualified PE sites in order to process presumptive eligibility. As part of the re-certification process, the Department conducts a sample of eligibility case reviews. During Fiscal Year 2020, there were 57 PE sites that together determined presumptive eligibility for 1,795 Medicaid cases and 875 CBHP cases. The process of enrolling an applicant into a presumptive eligibility program begins when a caseworker at a PE site collects minimum information needed to determine presumptive eligibility, including the applicant?s name, age, residency, citizenship, and income. The caseworker enters this information into CBMS, which determines whether the applicant is eligible to receive Medicaid or CBHP temporary benefits. If the applicant is deemed presumptively eligible, then CBMS feeds relevant data to Colorado interChange, which issues payments to CBHP and Medicaid providers on behalf of these beneficiaries. If the applicant?s reported information is not in compliance with state and federal requirements, CBMS is programmed to deny the eligibility and mark the applicant?s eligibility as fail within CBMS. As a result, the applicant would not be eligible to receive any payments on their behalf through Colorado interChange. Once an applicant?s presumptive eligibility has been determined, the PE site submits the Application along with a transmittal form detailing the beneficiary?s reported information to the appropriate local county or designated MA site, which then completes the application process to determine regular (i.e., not presumptive) eligibility for Medicaid or CBHP benefits. Once the applicant is enrolled in the regular Medicaid or CBHP program, the individual?s presumptive eligibility benefits should end. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to review the Department?s internal controls over the processing of presumptive eligibility for Medicaid and CBHP programs, as well as to determine whether the Department complied with the applicable federal and state requirements for Fiscal Year 2020. During our internal controls testing, we reviewed all 57 PE sites to determine whether they were due for re-certification and were appropriately re-certified to process presumptive eligibility by the Department during the fiscal year. Out of 57 PE sites, 39 were due for re-certification during Fiscal Year 2020. We also reviewed the Department?s case reviews of the presumptive eligibility determinations processed by 13 staff at five out of the 39 PE sites due for re-certification during Fiscal Year 2020 to determine whether reviews were performed and if the appropriate training was provided for those PE sites? staff that failed the Department?s review. The PE site?s staff fails the Department?s case reviews if the Department identifies a high amount of presumptive eligibility determination errors in accordance with federal and state requirements. If the PE site?s staff fails the review, the Department requires the staff to undergo customized Department training over the areas they failed within 6 months of the review. We also made inquiries with Department staff regarding their policies and procedures over monitoring of these PE sites and reviewed the Department?s process of case file reviews. In addition, we randomly selected a sample of 20 Medicaid and 20 CBHP cases for individuals who were deemed presumptively eligible by the Department during Fiscal Year 2020 to determine whether the Department complied with federal Medicaid and CBHP presumptive eligibility requirements. Our testing included reviewing the related supporting case file documentation, as well as the CBMS data fields related to presumptive eligibility determinations and payment information in Colorado interChange. The process followed for presumptive eligibility determination is the same for both Medicaid and CBHP, and therefore our testing was used to determine compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal and state regulations regarding Medicaid and CBHP presumptive eligibility requirements during Fiscal Year 2020. We noted issues regarding the Department?s timeliness of PE sites? re-certifications, failure to timely end beneficiaries? presumptive eligibility, a lack of review of PE sites, and missing documentation. Additionally, we found CBMS system issues related to the determination of applicant?s presumptive eligibility. Specifically, we identified the following: ? UNTIMELY END OF PRESUMPTIVE ELIGIBILITY. In eight out of 20 Medicaid (40 percent) and seven out of 20 CBHP (35 percent) cases, we found that the Department did not properly end presumptive eligibility within CBMS as required by the federal regulation. For example, in one CBHP case, the beneficiary?s presumptive eligibility did not end until 57 days after the beneficiary was determined to be eligible for regular CBHP benefits. Federal regulation [42 CFR 435.1101)] states that presumptive eligibility should end the day on which a decision is made on the application for Medical Assistance or the last day of the month following the month in which the determination of presumptive eligibility was made. ? LAPSED CERTIFICATIONS OF PE SITES. We found that five of the 57 PE sites (9 percent) were not re-certified within 2 years, as required, during Fiscal Year 2020, and therefore, were not qualified to make presumptive eligibility determinations after their re-certification due date had passed. Based on inquiry with the Department, these five PE sites processed a total of 314 presumptive eligibility determinations for Medicaid and CBHP after their re-certification due date during Fiscal Year 2020. The Department was unable to provide the total payments made on behalf of these beneficiaries during the presumptive eligibility period as of June 30, 2020, since these payments are not separately identified from regular Medicaid or CBHP payments in the system. As a result, we were unable to determine the amount of questioned costs the Department paid for these individuals during Fiscal Year 2020. State regulation [10 CCR 2505-10, 8.100.4.F (3)] requires the Department to re-certify the PE sites every 2 years to remain an approved site. ? LACK OF REVIEW OF PE SITES. We found several issues with the Department?s review of PE sites. Specifically we found the following: ? For 13 out of the 39 PE sites due for re-certification and a review (33 percent), the Department did not perform any case reviews to ensure that presumptive eligibility determinations were being made appropriately and in accordance with state and federal regulations by the PE site staff during Fiscal Year 2020. ? 11 of 13 staff at three PE sites (85 percent) failed the Department?s review of presumptive eligibility determinations during the fiscal year. However, the Department was unable to provide adequate evidence that it provided training to these staff within 6 months of their failed reviews, as required by Department processes. ? Currently, for all 57 PE sites, the Department conducts reviews every 2 years, but only requires them to retain eligibility documentation for 1 year. As a result, the Department is able to monitor PE site?s eligibility determinations for only half of the period since the last review, leaving the other half unmonitored. Federal regulation (42 CFR 435.1102(b)(3)) requires the Department to ?establish oversight mechanisms to ensure that presumptive eligibility determinations are being made consistent with the statute and regulations?. According to the Department processes, staff are to review a sample of presumptive eligibility cases at PE site every 2 years when reviewing sites for re-certification. If a PE site?s staff fails a review, the Department requires the staff to undergo customized Department training within 6 months over the areas they failed. Green Book, Section 2, Paragraph OV2.02, states that the Green Book applies to all of an entity?s objectives: operations, reporting, and compliance. Additionally, Green Book, Paragraph 16.01, indicates that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports and observing operations. ? MISSING DOCUMENTATION. In five of the 20 CBHP cases (25 percent) and five of the 20 Medicaid cases (25 percent) we tested, the Department was unable to provide evidence that the PE sites notified the counties or MA sites within five business days that the applicants were presumptively eligible. Federal regulation [42 CFR 435.1102(b)(2)(iii)] states that the presumptive eligibility sites are required to notify the local county or MA site within 5 business days that the client is presumptively eligible. ? SYSTEM DISPLAY ISSUE. In two of 20 CBHP cases (10 percent) and two of 20 Medicaid cases (10 percent), CBMS did not display the presumptive eligibility termination dates consistently between various screens. For example, in a Medicaid case, one screen showed a presumptive eligibility termination date of January 22, 2020, and the other screen showed a presumptive eligibility termination date of February 29, 2020. This system display issue did not affect the beneficiaries? presumptive eligibility and therefore there were no questioned costs. CBMS is designed to display case and applicant information consistently between various screens within the system. WHY DID THESE PROBLEMS OCCUR? The Department lacked sufficient internal controls to ensure that it complied with state and federal presumptive eligibility requirements during Fiscal Year 2020. Specifically, we noted the following causes for the errors we identified: ? LACK OF POLICIES AND PROCEDURES. The Department did not have written policies and procedures detailing the requirements for completion of site reviews, maintenance of supporting documentation, and the performance of timely re-certification of PE sites. ? LACK OF MONITORING. The Department lacked an effective tracking mechanism to monitor and identify PE sites that were due for re-certification every 2 years and to ensure presumptive eligibility determinations were in compliance with state and federal regulations. ? CBMS SYSTEM ISSUES. CBMS was not programmed to appropriately terminate presumptive eligibility when the beneficiary is enrolled in the regular Medicaid or CBHP program. In addition, CBMS has a system display issue that results in inconsistent applicant information being shown on various screens. WHY DO THESE PROBLEMS MATTER? As the State?s Medical Assistance agency, it is essential for the Department to ensure that PE sites? eligibility determinations are made appropriately and in accordance with state and federal regulations. This includes ensuring benefits are paid only on behalf of eligible beneficiaries. Since CBMS determines eligibility for Medicaid and CBHP, the CBMS system issues we identified could result in erroneous eligibility determinations. The federal government can disallow federal funds for program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. By not ensuring that appropriate internal controls, including system controls, written policies and procedures, adequate reviews, and monitoring, are in place over the Medicaid and CBHP presumptive eligibility process, the Department cannot ensure that all Medicaid and CBHP beneficiaries are eligible to participate in the programs. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-038 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls over presumptive eligibility by: A Developing and implementing written policies and procedures detailing the requirements for completion of site reviews, maintenance of supporting documentation, timely training for failed presumptive eligibility (PE) site staff, and performance of timely re-certification of PE sites. B Developing an effective tracking mechanism to identify and monitor PE sites that are due for re-certification every 2 years and ensuring the re-certifications are performed. C Resolving Colorado Benefits Management Systems (CBMS) programming and system issues to appropriately terminate applicants? presumptive eligibility when the beneficiaries are enrolled in regular Medicaid or Children?s Basic Health Plan program and ensuring CBMS displays consistent applicant information between various screens. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department agrees with the audit recommendation to develop and implement formal written policies and procedures. Prior to this audit, the Department began creating formal written policies and procedures for site case reviews, maintenance of supporting documentation, timely training for failed workers, and performance of timely re-certification of presumptive eligibility sites (PE site). This finding had no known questionable cost associated with it. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Department agrees with the audit recommendation to develop an effective tracking mechanism to identify and monitor PE sites that are due for re-certification every two years and ensuring that the re-certifications are performed. Prior to this audit, the Department began developing a tracking mechanism for PE site re-certifications. This finding had no known questionable cost associated with it. C AGREE. IMPLEMENTATION DATE: IMPLEMENTED. Implemented as of April 2021. The Department has thoroughly researched the eligibility issues identified in this audit and made the changes to CBMS to ensure that applicants? presumptive eligibility has been appropriately terminated when the beneficiaries are enrolled in regular Medicaid or CBHP program, and that CBMS displays consistent applicant information between various screens. These issues were fixed through two system changes implemented in March 2020 and April 2021. This finding had no known questionable cost associated with it. AUDITOR?S ADDENDUM for Parts A, B, and C As noted in the finding, we found five PE Sites that were not re-certified within the required 2 years and therefore, were not qualified to make presumptive eligibility determinations after their re-certification due date had passed. State regulation [10 CCR 2505-10, 8.100.4.F] requires the Department to re-certify the presumptive eligibility sites every 2 years to remain an approved site. The five PE sites processed a total of 314 presumptive eligibility determinations after their re-certification due date and before the Department re-certified the sites. The Department was unable to provide the total payments made on behalf of these 314 beneficiaries? prior to being enrolled in the regular Medicaid or CBHP program as of June 30, 2020. Therefore, we were unable to determine the amount of questioned costs the Department paid for these individuals during Fiscal Year 2020.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2020-052 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-039 PROVIDER ELIGIBILITY The providers of medical and related services covered under Medicaid and CBHP programs fall into a wide array of provider types that include clinics, hospitals, independent physicians, and medical technicians, as well as managed care organizations and health plans that contract with medical providers. As of June 30, 2020, approximately 76,960 entities and individuals were enrolled with the Department to provide services under Medicaid and CBHP. Although the Department is ultimately responsible for ensuring that only eligible providers participate in the Medicaid and CBHP programs, the Department has contracted with a fiscal agent to perform certain provider-enrollment and claims-processing activities, including accepting, processing, evaluating, and approving or rejecting applications. Providers that want to enroll must complete an online application within Colorado interChange and provide documentation, including a current medical license, showing that they fulfill all enrollment requirements based on their provider type. The fiscal agent is contractually responsible for evaluating the application and the relevant supporting documentation to ensure compliance with all state and federal enrollment requirements. The Department is responsible for maintaining current provider information in Colorado interChange. Once the enrollment process is complete, the Department enters into agreements with the providers that are found to be eligible. In December 2019, the Department added a Department of Regulatory Agencies (DORA) license database interface within Colorado interChange in order to provide a mechanism for updating the provider?s medical license information including the expiration dates within Colorado interChange for any expired provider licenses. Department staff indicated that the provider licenses are manually reviewed at the time of enrollment by the fiscal agent and marked as active, meaning the providers are eligible to participate in the Medicaid and/or CBHP programs. On a monthly basis, the fiscal agent manually runs a report from the DORA database to identify the provider?s medical licenses that are about to expire and updates the renewed license information in Colorado interChange. If a provider?s license is expired, then the fiscal agent marks the provider for a review. Furthermore, the Department?s Program Integrity (PI) Division checks the DORA?s website monthly to determine if any action such as suspensions or revocations of licenses have been taken against a provider?s medical license. If the action taken against the provider affects the provider?s ability to participate in Medicaid or CBHP for a certain period, the PI Division then determines if the provider should be placed on a temporary restriction by suspending any payments, or be terminated within Colorado interChange to stop payments to the provider. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over the enrollment and eligibility determinations of providers for Medicaid and CBHP services and to determine whether the Department complied with federal Medicaid and CBHP provider eligibility requirements during Fiscal Year 2020. Additionally, we assessed the Department?s progress in implementing our Fiscal Year 2019 recommendation related to provider eligibility and enrollment. At that time, we recommended that the Department improve its controls in this area to ensure that it complies with federal and state requirements related to data verification and maintenance of documentation, such as current provider licenses, to ensure payments are only made to eligible providers. We also obtained a detailed Suspension Listing from DORA, which contained provider medical licenses that were suspended during Fiscal Year 2020. We compared this Suspension Listing with provider information within Colorado interChange to determine whether the Department paid any providers with suspended licenses for claims during the fiscal year. We reviewed a sample of 45 provider applications for providers that were deemed eligible and received Medicaid and CBHP payments during Fiscal Year 2020 through Colorado interChange. We obtained and reviewed provider application information and relevant supporting documentation within Colorado interChange to determine whether these providers were accurately deemed eligible to receive Medicaid and CBHP payments and whether the required documents were maintained, in accordance with federal and state regulations. In addition, we conducted interviews with Department staff regarding its procedures over Medicaid and CBHP provider eligibility and enrollment. In March 2020, the Governor issued executive orders waiving Medicaid and CBHP provider licensing requirements for providers whose licenses expired during the COVID-19 PHE; as a result, our testwork was split into two periods of testing: (1) July 1, 2019, through February 29, 2020, and (2) March 1, 2020, through June 30, 2020. The process followed for provider eligibility and enrollment is the same for both Medicaid and CBHP providers, and our testing was used to determine compliance for both programs. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? We applied the following criteria during our testing: ? FEDERAL REGULATION [42 CFR 455.412] requires that the Department have a method for verifying that any provider purporting to be licensed in accordance with the laws of any state is licensed by such state and confirm that the provider?s license has not expired and that there are no current limitations on the provider?s license. This federal regulation requires the Department to verify that the providers meet required licensure standards initially, and it is best practice for the Department to verify that the providers meet these standards on an ongoing basis to ensure that there are no current limitations on the provider?s license. In May 2021, CMS provided clarification to the Department that ?not every condition on a provider?s license would be considered a limitation? and the PI Division within the Department needs to ?document in writing their determination to keep a provider enrolled when a license limitation does not restrict the provider?s ability to render services to Medicaid and CBHP beneficiaries to be in compliance with federal regulation.? ? STATE REGULATIONS [10 CCR 2505-10, 8.125.9 A AND B] require for current medical provider licenses, if a provider is required to possess a license or certification in order to provide services or supplies in the State, then that provider must be so licensed as a condition of enrollment as a Medicaid provider. As a condition of enrollment, any required licenses must be active without any current limitations. ? DEPARTMENT POLICY AND PROCEDURE. Provider Licensure Sanction Monitoring, Section III. A., states that in order for a provider to be eligible to render and bill for services, the provider must have an active license. ? FEDERAL CMS REQUIREMENTS [Sub Regulatory Guidance for State Medicaid Agencies (SMA): Revalidation (2016-001 (3))] state the Department must be able to produce documentation to support each of the provider screening and enrollment requirements under 42 CFR 455 Subpart E, including documentation of the most current license to ensure the provider remains eligible to provide services. ? CONTRACT REQUIREMENTS. According to the contract agreement with the fiscal agent, the fiscal agent is required to maintain detailed documentation to support each of the provider screening and enrollment requirements, including documentation of the provider?s most current license to ensure the provider remains eligible to provide services for Medicaid and CBHP. ? FEDERAL REGULATION [45 CFR 75.303(a)] requires that the Department, as a recipient of federal funds, must establish and maintain effective internal control over its federal awards that provides reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Green Book, Paragraph 16.01, which states that the Department ?should establish and operate monitoring activities to monitor [its] internal control system and evaluate the results.? Monitoring activities include reviewing reports, observing operations, and ensuring that activities are carried out in accordance with the federal grant agreement(s). WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We found that the Department did not fully comply with federal and state regulations for Medicaid and CBHP provider eligibility during Fiscal Year 2020. The specific issues we identified through our analyses of Medicaid and CBHP provider license data and case file reviews are outlined in more detail throughout this section. ELIGIBILITY ISSUES IDENTIFIED THROUGH DATA ANALYSES INELIGIBLE PROVIDERS?SUSPENDED LICENSES OR LICENSE WITH LIMITATIONS. Based on our comparison of the suspended provider license listing from DORA and provider information within Colorado interChange, we identified 13 ineligible providers who had their license suspended or had a license with limitations for part of Fiscal Year 2020, but continued to be shown as active, which means eligible, in Colorado interChange, as follows: ? 13 providers had their licenses suspended by DORA during Fiscal Year 2020; however, instead of terminating these providers in accordance with federal and state regulations, the Department marked these providers as active within Colorado interChange. For four of the 13 providers, the Department did not take any action to prevent them from billing for services during the year. For the remaining nine providers, the Department placed billing restrictions on the providers after DORA?s suspension date. Specifically, for six of these nine providers, the Department placed billing restrictions on the providers within 1 to 2 months and for the remaining three providers, placed the billing restrictions on the providers between 3 to 12 months after DORA?s suspension date. Based on additional testing, we determined that no payments were made to these providers after their licenses were suspended by DORA and therefore, we did not identify any questioned costs associated with these providers. ? One provider had its license listed as active with conditions on DORA?s website from April 10, 2020, through June 30, 2020, but the Department did not terminate the provider due to current limitations on the license; instead, the provider was marked as active in Colorado interChange and continued to bill claims and receive payments during the fiscal year. We determined that the provider?s current license limitations did not restrict the provider?s ability to render services. Therefore, the provider was eligible and no questioned costs were noted. However, the Department did not document their determination to keep this provider enrolled with current license limitations. In addition, we noted that this provider?s license expired in Colorado interChange as of October 2016, however, DORA?s website showed the provider with an active license, or license with limitations, during Fiscal Year 2020. The fiscal agent did not update license information as required by the contract. ELIGIBILITY CASE FILE ISSUES MISSING DOCUMENTATION AND LICENSE INFORMATION. For five of 45 providers (11 percent), the Department did not ensure that the fiscal agent maintained the support of the most current medical license information as of June 30, 2020, within Colorado interChange to demonstrate that the provider was eligible to provide services. After we brought the issue to the Department?s attention, the Department provided the documentation. Additionally, for two of these five providers, we found that the medical license information maintained by the fiscal agent in Colorado interChange differed from the license information contained in the DORA database. For example, in one case, the provider?s license showed an expiration date of September 30, 2019, in Colorado interChange, while the accurate license expiration date in DORA?s database was September 30, 2021. Without the most current license information, the fiscal agent cannot appropriately verify ongoing eligibility for the providers. WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls in place over the provider eligibility process during Fiscal Year 2020 to ensure that it complied with federal and state regulations. ? INEFFECTIVE REVIEW OF PROVIDER LICENSES. The Department lacks an effective review process to ensure the license information in DORA?s database matches the license information in Colorado interChange in order to identify suspended providers, to document their determination to keep a provider enrolled with license limitations, and providers with expired licenses. In addition, the Department?s manual review did not ensure that suspended providers, providers with license limitations and providers with expired licenses were terminated and restricted in a timely manner. ? POLICIES AND PROCEDURES NOT UPDATED. The Department did not obtain CMS guidance until May 2021 to document their determinations to keep providers with license limitations enrolled when a license limitation did not restrict provider?s ability to render services. Therefore, the Department?s current policies and procedures are not updated to match CMS guidance. ? LACK OF EFFECTIVE TRAINING AND MONITORING. The Department was not effectively training and monitoring its fiscal agent to ensure that copies of active medical licenses are maintained within providers? files in Colorado interChange. Additionally, the fiscal agent did not properly update the provider?s license information in Colorado interChange to match the DORA database during Fiscal Year 2020. WHY DO THESE PROBLEMS MATTER? By not ensuring that appropriate internal controls, including policies and procedures, reviews, training, and monitoring, are in place over the Medicaid and CBHP provider eligibility process, the Department cannot ensure that all Medicaid and CBHP providers are eligible to participate in the programs. Additionally, without an effective review process to update provider licensure information within Colorado interChange, the Department cannot ensure that the enrolled providers are eligible to receive payments. Ensuring that providers contained in Colorado interChange are eligible to provide services is especially important to prevent any improper payments. Overall, the State could risk losing federal Medicaid and CBHP funding if it allows ineligible providers to bill and be paid for services provided for these programs. Furthermore, the State may lose federal Medicaid money if the Department does not recover any of the payments made to ineligible providers. State statute [Section 25.5-4-301(2), C.R.S.] indicates that any overpayments of claims to providers are recoverable. These overpayments ?shall be recoverable regardless of whether the overpayment is the result of an error by the state department, a county department of social services, an entity acting on behalf of either department, or by the provider or any agent of the provider.? See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-039 The Department of Health Care Policy and Financing (Department) should improve its internal controls over the Medicaid and Children?s Basic Health Plan provider eligibility determination to ensure that it complies with federal and state requirements by: A Improving the Department?s review process of provider licenses to ensure the license information in the Department of Regulatory Agencies (DORA) license database matches the license information in the Colorado interChange system and ensuring timely termination and imposing restrictions for the provider?s whose licenses are suspended or expired. B Updating the current policies and procedures to match Centers for Medicare and Medicaid Services guidance to ensure there is adequate documentation of the determinations for providers with license limitations. C Effectively training and monitoring its fiscal agent to ensure that copies of active licenses are maintained and provider license information in the Colorado interChange system matches the information in DORA?s license database. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will update its policies and procedures to ensure that the process for reviewing whether a license action requires termination or a restriction in the Colorado interChange, is documented and implemented in a timely manner to prevent payments to ineligible providers. As noted in OSA's finding, it is best practice for the Department to verify providers meet these standards on an ongoing basis between initial enrollment and revalidation to ensure there are no current limitations on the provider?s license, including those that have expired. The Department?s previous process was discontinued due to data matching issues between DORA and the Colorado interChange. However, letters continue to be sent to providers with upcoming expiring licenses prompting them to add current license information to their provider file. The Department plans to implement a system change that will make the data feed from DORA functional and install a front-end claims edit that will prevent claims from providers with an expired license from paying. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will update its policies and procedures to ensure that all determinations made on whether a provider has a limitation on its license are properly documented. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department has an established process to train and monitor its fiscal agent. The Department will continue to monitor the Fiscal Agent through reports, meetings, and quarterly audit review processes. The Department and the Fiscal Agent will continue to collaborate to improve the process in which required documentation is collected and maintained.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-054 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-041 MEDICAID ELIGIBILITY?MISSING SOCIAL SECURITY NUMBERS A beneficiary?s application includes information such as a Social Security Number (SSN), birth certificate, and supporting documentation for income. Local counties and MA sites are responsible for administering the benefits application process, entering the required data for eligibility determination into CBMS, and approving or denying applicants? eligibility. For example, Medicaid caseworkers enter and document each applicant?s SSN into CBMS. Caseworkers determine participants? eligibility to receive Medicaid benefits through CBMS. The CBMS eligibility data, including SSNs, feeds into Colorado interChange, which pays providers for the services they render to Medicaid beneficiaries. If there is a change to an SSN, including removing an SSN in CBMS, this change should feed directly into Colorado interChange. Additionally, children in foster care are automatically eligible for Medicaid; the TRAILS system that supports the foster care program at the Department of Human Services also interfaces with Colorado interChange on a daily basis to update foster care beneficiaries? eligibility information and pay providers for the services rendered. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls that were in place over the Medicaid eligibility process during Fiscal Year 2019, and to determine whether the Department complied with federal and state Medicaid requirements during this timeframe. During our audit, we requested a list of all Medicaid claims for medical services that were submitted and paid through Colorado interChange from July 1, 2018, through March 31, 2019. This list included claims made on behalf of approximately 1.1 million beneficiaries. We analyzed the data to identify any Medicaid claims payments made during July 1, 2018, through March 31, 2019, on behalf of beneficiaries who did not have an SSN in Colorado interChange on the date of the claims payment, and found a total of 524,092 claims paid on behalf of 46,772 beneficiaries. From this listing, we excluded any of the claims payments made on behalf of a beneficiary who was exempted from providing an SSN under federal and state regulations. For example, we removed claims payments for beneficiaries who were under the age of 1; beneficiaries who were in foster care and, therefore, were automatically deemed eligible for Medicaid; beneficiaries who had applied to the Social Security Administration for an SSN at the time of the payment; beneficiaries who received medical care as an emergency service; and beneficiaries who had chosen to opt out of providing an SSN due to allowed religious reasons. After we removed these exempted beneficiaries from the population, the list included 2,870 beneficiaries that appeared to be missing an SSN in Colorado interChange and who had Medicaid claims payments made on their behalf from July 1, 2018, through March 31, 2019. We then reviewed these remaining beneficiaries, and the related separate payments made on their behalf during this time period, to determine whether these beneficiaries had an SSN in Colorado interChange at the time of the claims payments and whether the individuals were eligible for Medicaid benefits in accordance with federal regulations and Department procedures. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? SSN REQUIREMENTS. Federal regulations [42 CFR 435.910 and 42 CFR 435.117(b)] state that the Department must require an SSN for each individual requesting Medicaid benefits, with the exception of newborns under the age of 1, or ?Eligible Needy Newborns,? and individuals who refuse ?to obtain an SSN because of well-established religious objections.? Federal regulation [42 CFR 435.145(b)(2)] states that the Department must provide Medicaid benefits to individuals who are in the foster care program. Section 472 of the Social Security Act does not require a child to provide an SSN in order to be eligible for the foster care program. State regulations [10 CCR 2505-10 8.100.3.I.1, 8.100.4.B.1.a, and 8.100.4.G.7.a] also require that every individual who applies for and receives Medicaid benefits must provide an SSN, or an application for an SSN, with their application for Medicaid. The regulation specifically states: An applicant?s or client?s refusal to furnish or apply for a Social Security Number affects the family?s eligibility for assistance as follows: i) that person cannot be determined eligible for the Medical Assistance Program; and/or ii) if the person with no SSN or proof of application for SSN is the only dependent child on whose behalf assistance is requested or received, assistance shall be denied or terminated. The regulation also states that newborns under the age of 1 and ?members of religious groups whose faith will not permit them to obtain Social Security Numbers shall be exempt from providing a Social Security Number.? Eligibility data, including SSNs, is required to be collected and entered into CBMS at the time of application or upon another event, such as the beneficiary turning 1 year old. Because this information is maintained within CBMS, and CBMS feeds eligibility information into Colorado interChange, eligible beneficiaries should have an SSN in Colorado interChange. MONITORING. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in the Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). Green Book Paragraph 16.01, Perform Monitoring Activities, states the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. TRAINING. Department training procedures indicate that when a local county or MA site caseworker needs to update an SSN in CBMS, he or she must call the Office of Information Technology (OIT) Service Desk within the Office of the Governor, for approval of the change. According to Department staff, once the OIT Service Desk reviews and approves the change, the information will be updated within CBMS; if the OIT Service Desk does not approve the change to the SSN, then the updated information will be rejected within CBMS. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We identified 2,870 beneficiaries who were required to have an SSN but did not have an SSN documented in Colorado interChange and had Medicaid claims paid on their behalf sometime between July 1, 2018, and March 31, 2019. In total, Colorado interChange paid approximately $4,540,920 in Medicaid claims for these beneficiaries during the time period noted. In August 2019, we informed the Department of the issues we identified and Department staff performed additional follow-up based on our findings, which included analyzing information contained in CBMS compared to our results from Colorado interchange; the Department confirmed in January 2020, the Department confirmed that 1,590 of these beneficiaries had never had an SSN recorded in CBMS since they were first found eligible for Medicaid benefits, and therefore, would never have had an SSN in Colorado interChange. Because these individuals were required by federal and state regulations to provide an SSN at the time of application or upon another event, as applicable, the lack of documented SSNs in both CBMS and Colorado interChange indicated that these individuals appeared to be ineligible for the Medicaid claims payments that were made on their behalf during the fiscal year. The Department indicated that the remaining 1,280 beneficiaries without an SSN in Colorado interChange did not have an SSN in CBMS at the time of the claim but had an SSN ?at some point? during Fiscal Year 2019 or prior within CBMS. Since the individuals lacked an SSN within Colorado interChange at the time of the Fiscal Year 2019 claims payments, and based on the documentation provided by the Department, we were unable to determine whether the individuals had submitted an SSN at the time of application or upon another event as required and, therefore, whether they were eligible for the Medicaid services they received. Overall, for the 1,590 beneficiaries noted, we identified known questioned costs of $2,285,757 for the period of July 1, 2018, through March 31, 2019; $1,142,879 of these costs were paid with federal grant funds. For the 1,280 beneficiaries noted, we identified likely questioned costs of $2,255,163 for the period of July 1, 2018, through March 31, 2019. We further analyzed 49 of the 1,590 beneficiaries noted above to identify reasons for missing SSNs and found that: ? Beneficiaries in CBMS were not eligible; however, they were marked as ?eligible? within Colorado interChange. ? Beneficiaries were incorrectly enrolled in the Eligible Needy Newborn Program even though they were all over the age of 1; as a result, although the Department had not required them to provide an SSN, they continued to receive benefits during July 1, 2018, through March 31, 2019. ? Beneficiaries were exempted from obtaining an SSN for unallowable reasons including ?incomplete documents? and ?illness? categories, and CBMS processed their eligibility and Colorado interChange made payments on their behalf; however, neither federal nor state regulations allow such exemptions. The Department has indicated that they are performing additional research on the issues regarding the 1,280 beneficiaries that had an SSN ?at some point? during Fiscal Year 2019 or prior within CBMS. WHY DID THESE PROBLEMS OCCUR? For 1,280 beneficiaries identified who were missing an SSN in Colorado interChange and CBMS at the time of the claim, but had an SSN ?at some point? within CBMS during Fiscal Year 2019 or prior, the Department provided the following possible explanation: The SSN was removed due to caseworkers failing to contact the OIT Service Desk for proper approval for changes to SSN information in CBMS. Other problems with missing SSNs were related to: ? CBMS ISSUES. CBMS was not programmed to appropriately deny an applicant?s eligibility for Medicaid when the individual did not have an SSN in CBMS and did not have an allowed exception noted in CBMS. Rather, CBMS allowed the SSN field to be left blank, regardless of the reason noted for the missing SSN and whether the reason was allowed as an exemption by federal and state regulations. In addition, the SSN in CBMS could be deleted at any time by the caseworker or the OIT Service Desk and CBMS was not programmed to alert the caseworker to follow up if an SSN had been deleted from the file. ? SYSTEM INTERFACE ISSUES AND LACK OF A RECONCILIATION PROCESS. CBMS was not interfacing with Colorado interChange appropriately to update beneficiaries? eligibility information. Some beneficiaries who were deemed ?ineligible? for Medicaid in CBMS were listed as ?eligible? in Colorado interChange and payments were made on their behalf during the fiscal year. Furthermore, the Department lacked an effective internal control process for reconciling Medicaid beneficiaries? eligibility information in CBMS to the eligibility information in Colorado interChange to ensure that the information was consistent in both systems, and that the beneficiary was appropriately deemed either ?eligible? or ?ineligible? in accordance with federal and state regulations. ? LACK OF EFFECTIVE REVIEWS, TRAINING, AND MONITORING. The Department was not effectively monitoring and training Medicaid local county and MA site caseworkers on required approvals for any changes to beneficiaries? SSNs. Further, the Department did not have an effective review process to ensure that beneficiaries were enrolled in the correct Medicaid program. WHY DO THESE PROBLEMS MATTER? As the state Medicaid agency, it is essential for the Department to ensure that Medicaid eligibility determinations are made appropriately and in accordance with state and federal regulations. This includes ensuring accurate processing of information used to determine Medicaid eligibility results in Medicaid benefits being provided to and paid on behalf of only eligible individuals. Since CBMS and Colorado interChange determine eligibility and issue payments on behalf of other federal programs, such as the CBHP, these issues could result in erroneous eligibility determinations or payments for other programs. Ultimately, the federal government may disallow federal funds for Medicaid program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2019-043 The Department of Health Care Policy and Financing should improve its internal controls over Medicaid eligibility by: A Researching and, if feasible, instituting a mechanism for identifying Medicaid cases in the Colorado Benefits Management System (CBMS) that lack a Social Security Number. B Researching and resolving CBMS and Colorado interChange interface issues to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries and establishing an effective reconciliation process between CBMS and Colorado interChange to ensure that Medicaid beneficiaries? eligibility information is consistent in both systems. C Effectively training and monitoring local counties and Medical Assistance sites to ensure that caseworkers are obtaining and documenting the Office of Information Technology Service Desk?s approval for changes to beneficiaries? Social Security Numbers, and that beneficiaries are enrolled in the correct Medicaid program. D Researching the cases identified in our audit to determine whether these beneficiaries were eligible and that the payments made on their behalf were appropriate, in accordance with federal and state regulations. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The CBMS currently has functionality in place for members requesting Medical Assistance that they must supply a Social Security Number (SSN) unless they meet certain acceptable exceptions at initial application. Since CBMS is a shared system between the Department and the Department of Human Services and any change would impact all cases in CBMS, the Department cannot guarantee that a system change can be implemented. The Department can agrees to research on the feasibility of instituting a mechanism for identifying Medicaid cases in CBMS that lack a social security number and, if feasible, implement a CBMS change by July 2022. B AGREE. IMPLEMENTATION DATE: JULY 2021. The Department agrees to research and resolve Colorado Benefits Management System (CBMS), and Colorado interChange system interface issues identified in the audit. The Department implemented a system change in June of 2018 that allows retroactive changes in eligibility to be correctly synced between the systems. The majority of the impacted cases are historical cases that will be manually corrected by June 2020. Additional cases involve detailed research, review, and potential outreach to case workers to correct the case file or verify the eligibility status of the impacted members. The Department will take the appropriate actions to notify impacted members if necessary. The Department's implementation date reflects that the Department will be in compliance with the Recommendation for the entirety of FY 2021-22. C AGREE. IMPLEMENTATION DATE: JULY 2021. The Department provides training to counties and Medical Assistance sites that beneficiaries applying for Medical Assistance must supply a Social Security Number (SSN) or supply verification that they have applied for an SSN, unless they meet certain acceptable exceptions. This information has been communicated to the counties since 2004 and is part of our ongoing training materials. The Department cannot agree to establish any additional review process at this time. The Department can agree to work with counties and Medical Assistance sites to identify any additional training related to missing SSN and implement additional training by July 2021. D DISAGREE. The Department disagrees with the Total Known Questioned Costs of $2,285,757 identified in the audit report since Department cannot verify the results. The Department is still attempting to reconcile various reports to understand the finding identified through this audit. CBMS currently has functionality in place for members requesting Medical Assistance that they must supply a Social Security Number (SSN), unless they meet certain acceptable exceptions at initial application. The Department does not have the resources to research the thousands of cases that the auditor identified through data mining techniques, a new methodology for the first time this year. If the auditor is changing methodologies, the Department requires additional resources and timely notice to request resources through the budget process. AUDITOR?S ADDENDUM: The beneficiaries identified through our testing were required by Medicaid regulations to provide an SSN at the time of application or upon another event, as applicable, and the SSN is documented in CBMS and uploaded to Colorado interChange [State regulations 10 CCR 2505-10, 8.100.3.I.1 and 8.100.4.B.1.a and 8.100.4.G.7.a]. Because the noted beneficiaries lacked an SSN within Colorado interChange at the time claims payments were made on their behalf, we questioned the beneficiaries? eligibility. The Department is responsible for ensuring that only individuals who are appropriately deemed eligible for Medicaid receive benefits. Therefore, it is the Department?s responsibility to identify and remove ineligible individuals from the Medicaid program and to prevent the inappropriate payment of claims on their behalf. In addition, generally accepted government auditing standards (GAGAS) (paragraph 3.18), require that ?In all matters relating to the GAGAS engagement, auditors and audit organizations must be independent from an audited entity.? Additionally, paragraph 3.42 states that ?Examples of circumstances that create undue influence threats for an auditor?include (b) [e]xternal interference with the selection or application of engagement procedures or in the selection of transactions to be examined.? Therefore, it is imperative that our decisions related to audit approaches and testing methods be made without department influence or persuasion.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-056 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-044 PROVIDER ELIGIBILITY Medicaid and CBHP cover a variety of medical and related services, which are provided by provider types such as clinics and hospitals, managed care organizations such as health plans or independent physicians, as well as individual medical providers working within these entities or individually. As of June 30, 2019, the Department had enrolled approximately 71,000 entities and individuals for providing services under Medicaid and CBHP. The Department is ultimately responsible for determining if providers are eligible to participate in Medicaid and CBHP. However, the Department has contracted with a fiscal agent, currently DXC Technology Services, LLC (DXC), to act on its behalf in determining Medicaid and CBHP provider eligibility. A fiscal agent is a contractor that performs certain provider enrollment and claims processing activities, including accepting, processing, evaluating, and approving or rejecting applications. The fiscal agent also assesses the providers into one of three risk categories?limited, moderate, and high?to ensure that appropriate federal and state regulations are applied during the provider enrollment process. Providers that want to enroll must complete an application within Colorado interChange and provide documentation, including a current business and/or medical license, showing that they fulfill all enrollment requirements. Once the enrollment process is complete, the Department enters into agreements with the providers that are found to be eligible. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over Medicaid and CBHP provider eligibility and enrollment processing, and to determine whether the Department complied with federal Medicaid and CBHP provider eligibility requirements during Fiscal Year 2019. Additionally, the purpose of our work was to determine the Department?s progress in implementing our Fiscal Year 2017 and 2018 recommendations related to provider eligibility and enrollment. At that time, we recommended that the Department improve its controls over Medicaid and CBHP provider eligibility determination and enrollment to ensure that it complies with federal and state requirements related to data verification, documentation including current provider licenses, monitoring policies and procedures, appropriate indication of results of database matches, and consistent display of provider information within Colorado interChange. The Department agreed with our recommendations and stated that it would implement them by Fiscal Year 2019. We reviewed a sample of 25 Medicaid provider applications for individual, company, and managed care providers that were deemed eligible and received payments during Fiscal Year 2019 through Colorado interChange for services provided. We obtained and reviewed the provider application information entered into Colorado interChange, as well as the supporting documentation uploaded into Colorado interChange by providers, to determine whether these providers were accurately deemed eligible to receive Medicaid payments and whether the required documents were present in accordance with federal and state regulations. In addition, we conducted interviews with Department staff regarding its procedures over Medicaid provider eligibility and enrollment. We also obtained a detailed Suspension Listing from the Department of Regulatory Agencies, which contained health care provider business and medical licenses that were terminated during Fiscal Year 2019. We compared the Suspension Listing with provider information in Colorado interChange to determine if the Department made inappropriate claims payments to unlicensed providers during the fiscal year. Because CBHP is operated through Medicaid, and the processes followed for provider eligibility and enrollment for CBHP providers are the same as the processes for Medicaid providers, our testing looked at compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal and state Medicaid regulations for provider eligibility during Fiscal Year 2019. Specifically, although we did not identify enrollment issues with the Department?s processing of providers who were newly enrolled during Fiscal Year 2019, we found at least one issue related to ongoing eligibility with all 25 sampled providers we tested: ? DATABASE MATCHES AND DISPLAY OF PROVIDER INFORMATION. We identified the following database match functionality issues with 24 of 25 providers (96 percent) tested: ? For 23 of 25 providers (92 percent) that included individual, company, and managed care providers, Colorado interChange showed that the provider?s owners, agents, and managing employees? SSNs were not verified against federal databases, as required. Specifically, the SSN check box within Colorado interChange indicated ?N,? meaning ?No verification was performed with the database.? Additionally, for one of 25 providers (4 percent) that was a managed care organization, the organization was enrolled in Colorado interChange in April 2019 and showed that the SSNs had been verified, but SSNs for two individuals who worked under this provider that were listed on the application were shown as ?N? within the system. ? For eight of 25 providers (32 percent) that included companies, Colorado interChange showed that the providers? Federal Employee Identification Numbers (FEIN) were not verified against federal and state databases, as required. Specifically, the FEIN check box within Colorado interChange indicated ?N.? ? For 13 of 25 providers (52 percent), Colorado interChange did not present the data of owners, agents, and managing employees information consistently between various screens within Colorado interChange. For example, when a provider noted owners, agents, or managing employees on its application, that information was not reflected in Colorado interChange outside of the application screen even though there is a section in Colorado interChange that should list the owners? information. According to federal regulation [42 CFR 455.436] and requirements established by the ACA [Patient Protection and Affordable Care Act (2010), Section 6401(a)], the Department must check federal databases to confirm providers? identity and determine whether providers are excluded from participating in the Medicaid program; this verification must also occur, if applicable, against providers? owners, agents, and managing employees. For example, the Department must check the federal exclusion databases at least monthly to ensure that the providers, owners, agents, and managing employees are not excluded from participating in the Medicaid program. Colorado interChange is designed to display provider application information consistently between various screens within the system, such as name, SSN, FEIN, and/or National Provider Identification number (NPI), with various federal and/or state databases to identify potential errors and to flag the application for a required caseworker manual review. According to Department staff, when Colorado interChange successfully verifies provider-provided information against another state or federal database, Colorado interChange should separately mark each verified data field on the application to note the successful match. Conversely, if Colorado interChange does not match a given field against a database, it should also be identified in the system. As a result of these issues, we were unable to determine if Colorado interChange performed the required matches and if any discrepancies in provided information were identified and presented to DXC, the fiscal agent, for a manual review to verify eligibility, as required. ? DOCUMENTATION. The Department did not maintain sufficient documentation within Colorado interChange for the receipt date of the fingerprints from the provider, the collection of application fees, and site visits, as follows: ? For four of 25 providers (16 percent) tested, the Department?s fiscal agent failed to fill in the receipt date field within Colorado interChange to indicate when fingerprints were received from enrolling providers. After bringing this issue to the Department?s attention, the Department provided fingerprinting documentation in November 2019 to support that these providers submitted fingerprints within 30 days of Department request in accordance with federal regulation; however, that receipt date information had not been documented in Colorado interChange as of November 2019. ? For one of 25 providers (4 percent) tested, the provider was assessed as high risk but the provider?s file did not contain evidence that an application fee was collected or that the fiscal agent conducted a site visit, as required. Under federal requirements [Sub Regulatory Guidance for State Medicaid Agencies (SMA): Revalidation (2016-001(3))], the Department ?must be able to produce documentation to support each of the provider screening and enrollment requirements,? such as requirements for fiscal agent-conducted site visits of moderate and high risk providers during the enrollment and revalidation process. Federal regulation [42 CFR 455.432] states that the State Medicaid Agency or their fiscal agent must conduct pre- and post-enrollment site visits of providers who are deemed as moderate or high risk to the Medicaid program. The purpose of the site visits is to verify that the information submitted to the state Medicaid agency is accurate and to determine compliance with federal and state enrollment requirements. Additionally, the Department?s contract with DXC requires the fiscal agent to maintain detailed documentation and procedures for Medicaid provider enrollment. Federal regulation [42 CFR 455.434] requires that, for any provider assessed by the Department as high risk, the Department must obtain fingerprints from the provider, including fingerprints for any person(s) who has a 5 percent or more direct or indirect ownership interest in the provider and furnishes medical or pharmaceutical services or supplies. The provider must submit the fingerprints within 30 days, upon request by the Department. Federal regulation [42 CFR 455.460(a)] states that the Department must collect the applicable application fee prior to executing a provider agreement from a prospective or re-enrolling provider, with certain limited exceptions. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal control over its federal awards that provides reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Green Book Paragraph 16.01, Perform Monitoring Activities, which states that the Department ?should establish and operate monitoring activities to monitor [its] internal control system and evaluate the results.? Monitoring activities include reviewing reports, observing operations, and ensuring that activities are carried out in accordance with the federal grant agreement. ? INELIGIBLE PROVIDERS: Based on our review of the suspended license listing from the Department of Regulatory Agencies, we identified three providers that had their licenses suspended during part of Fiscal Year 2019 but continued to be shown as active in Colorado interChange, as follows: ? One provider had its license suspended between February 11, 2019, and March 27, 2019; however, during this timeframe, the provider continued to bill claims and receive payments from Colorado interChange. After we questioned the Department about the issue, the Department issued a demand for payment letter dated October 18, 2019, to the provider for $15,061 in payments that were inappropriately paid. We consider these $15,061 payments to be known questioned costs; $7,531 of these payments were made with federal grant funds. ? Two providers had suspended licenses as of September 21, 2018, and February 25, 2019, respectively, but showed as active in Colorado interChange through June 30, 2019, and therefore appeared eligible to bill claims and receive payments. Based on additional testing, we determined that no payments were made to these providers after their licenses were suspended and did not identify any questioned costs associated with these two providers. Federal regulation [42 CFR 455.412] requires that the Department must have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State and confirm that the provider?s license has not expired and that there are no current limitations on the provider?s license. This federal regulation requires the Department to verify that the providers meet required licensure standards initially, and it is best practice for the Department to verify that the providers meet these standards on an ongoing basis to ensure that there are no current limitations on the provider?s license. In addition, state regulation [10 CCR 2505-10 8.125.9, Verification of Provider Licenses] states, ?If a provider is required to possess a license or certification in order to provide services or supplies in the State of Colorado, then that provider must be so licensed as a condition of enrollment as a Medicaid provider. As a condition of enrollment, any required licenses must be active without any current limitations.? Under the federal regulation, Requirements for Estimating Improper Payments in Medicaid and CHIP [42 CFR 431.958], ?Improper payment means any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements; and payment means any payment to a provider, insurer, or managed care organization for a Medicaid or CHIP beneficiary?? WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls in place over provider eligibility and claims payment processes related to the monitoring of DXC, its fiscal agent, during Fiscal Year 2019 to ensure that it complied with federal and state regulations. Specifically, Colorado interChange required fixes that were in various stages of correction during Fiscal Year 2019. According to the Department, Colorado interChange required a system fix in December 2018 in order to properly mark and/or display results related to federal and state database checks going forward; however, the system fix did not completely resolve the display issues to accurately indicate whether the data matches had occurred, and the Department did not retroactively make corrections to any cases that erroneously indicated that their information had not been verified. Rather, the Department stated that the inconsistent display issue related to providers that enrolled in the program when Colorado interChange was initially implemented and that this will be addressed after these providers are revalidated in Fiscal Year 2020 or when a provider updates their information, whichever occurs first. Additionally, the Department indicated that Colorado interChange did not have an automated system alert to check with the Department of Regulatory Agencies? license database on a regular basis to notify the fiscal agent and/or the Department that a license had expired. Although the Department reported that they had an interim manual process to ensure that expired licenses were identified and that subsequent steps were taken to ensure that providers remained eligible throughout the fiscal year to provide Medicaid services, the manual process did not identify and/or address the instances that we identified through our audit. Finally, we noted that the Department lacked an effective monitoring process over DXC, its fiscal agent, to ensure that the required documentation was maintained in accordance with Uniform Guidance, as the monitoring policies and procedures referred to as Provider Enrollment Audit Process were still in the draft stage during Fiscal Year 2019 and had not been formalized. WHY DO THESE PROBLEMS MATTER? By not ensuring that appropriate internal controls, including system controls and monitoring, are in place over the Medicaid provider eligibility and enrollment processes, the Department cannot ensure that all Medicaid providers are eligible or qualified to participate in the program. Additionally, without instituting a process to regularly update provider licensure information and to ensure that provider information contained in Colorado interChange is consistent and accurate, the Department cannot ensure that the enrolled providers are appropriately screened and are eligible to receive payments. Ensuring that providers contained in Colorado interChange are qualified to provide services is especially important because Colorado interChange is also used for provider eligibility determination for CBHP. Overall, the State could risk losing federal Medicaid and CBHP funding if it allows non-qualified providers to bill and be paid for services provided for these programs. RECOMMENDATION 2019-046 The Department of Health Care Policy and Financing (Department) should improve its controls over Medicaid and Children?s Basic Health Plan (CBHP) program provider eligibility determination and enrollment to ensure that it complies with federal and state requirements by: A Working with its fiscal agent to ensure that Colorado interChange performs all required database matches and properly displays results of Social Security Number and Federal Employer Identification Number verifications for all providers. B Establishing an effective process to ensure that provider licensing information contained in Colorado interChange is current, that any expired licenses are identified, and that any ineligible providers are disallowed from providing Medicaid and CBHP services and receiving payments in accordance with Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). C Formalizing the Department?s monitoring policies and procedures called Provider Enrollment Audit Process over the fiscal agent to ensure required documentation is maintained in accordance with Uniform Guidance. D Ensuring that Colorado interChange displays provider information consistently throughout the system. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department is working with its Fiscal Agent to ensure all required database screenings are performed and clearly identified in the Colorado interChange. An issue was identified in a prior year, FY 2018-19, that not all screening information was consistent. There was also a concern that initial screenings might miss some individuals due to the way data was formatted when transferred from LexisNexis. The issue was resolved by the Fiscal Agent prior to FY 2019-20. The Fiscal Agent is continuing to conduct manual reviews of all screening results to ensure compliance. A separate process to screen providers monthly is executed by the Department's Program Integrity Section. Through this process, no providers were found to have been enrolled incorrectly and, as necessary, the Department took appropriate action if there were changes to a provider's information. The Department is working with its Fiscal Agent to properly display results of Social Security Number and Federal Employer Identification Number verifications for all providers and automate the review process. The Department's implementation date reflects that the Department will complete the improvements and be in compliance with the Recommendation for the entirety of FY 2022-23. B DISAGREE. The Department finds that the Colorado interChange is working as designed, that the Fiscal Agent is appropriately enrolling providers, and that the Department is in compliance with the federal regulations regarding enrolling and revalidating providers. The Department is compliant with 42 CFR ? 455.436, which requires providers to be screened at enrollment and revalidation. All providers are assessed for eligibility requirements at enrollment and revalidation and are then screened monthly to identify any changes. For the licensing issue identified in this audit report, the Department performed the appropriate actions to recover funds within less than a month of the incident, which is compliant with federal regulation 42 CFR ? 455.436(c)(2). AUDITOR?S ADDENDUM: As noted in the finding, we found issues with the Department?s ongoing verification and monitoring of providers? eligibility that failed to prevent improper payments to an ineligible provider during the fiscal year. In addition, the Department did not send notification to recover funds from the provider until October 2019, or 8 months after the provider?s license was suspended. C AGREE. IMPLEMENTATION DATE: JULY 2020. The Department finalized the Fiscal Agent monitoring policies and procedures in December 2019 and therefore was unable to be in full compliance for the entire FY 2019-20. The Department's implementation date reflects that the Department will be in compliance with the Recommendation for the entirety of FY 2020-21. D DISAGREE. There was an initial system configuration on some early enrollments that prevented populating the requested information in the visible provider subsystem tabs for the auditor to review. The verification functionality happens within the provider portal and not in the visible provider subsystem tabs that the auditor reviews. However, no functionality or data was lost, the information only appeared and was stored in the provider portal. The Department implemented a solution so that the information will be displayed in the provider subsystem. This change is pending the next update the providers make and the data will be visible in the provider subsystem. The Department will not be making historical changes to the system. The Department has worked with the Fiscal Agent to resolve the issues which led to the finding and does not believe that expending additional resources to display historical information in both the provider portal and the provider subsystem is the best use of resources. The Department can produce the information manually. AUDITOR?S ADDENDUM: The data inconsistency issues we identified through our audit were based on our reviews of Colorado interChange through the access provided to us by the Department. As noted in the finding, inconsistent information within the provider eligibility screens used for Medicaid and CBHP increases the risk of inaccurate reviews of provider eligibility and ultimately, inappropriate enrollment screening. Therefore, as our recommendation states, the Department should ensure that Colorado interChange displays provider information consistently. The recommendation did not include restatement of historical information.
Finding 2022-043 Medicaid Claims Payments Individuals and families apply for Medicaid at their local county departments of human/social services or at MA sites. Medicaid caseworkers make the determinations of participants? eligibility to receive Medicaid benefits through CBMS. Children in the State?s foster care program, whose information is documented in the TRAILS system, are automatically determined eligible for Medicaid benefits. The Medicaid eligibility data in CBMS and TRAILS feeds into Colorado interChange, which pays providers for the services that beneficiaries receive. CBMS and TRAILS interface with Colorado interChange on a daily basis to update eligibility information, such as a beneficiary?s eligibility status and/or termination of benefits in Colorado interChange. According to the Department, Colorado interChange is programmed to make only allowable Medicaid claims payments on behalf of eligible beneficiaries in accordance with federal and state Medicaid rules and regulations. Thus, Colorado interChange should stop paying Medicaid claims when a beneficiary is no longer eligible for Medicaid. On March 18, 2020, the Act was enacted. The Act provided a temporary increase in the federal share of Medicaid and CBHP assistance from January 1, 2020 until the end of the PHE. The Act also required that the Department maintain Medicaid and CBHP eligibility for beneficiaries enrolled as of March 1, 2020, through the end of the COVID-19 PHE, except for the required terminations noted within the CMS waivers, such as out-of-state residency, termination upon the beneficiary?s request, and death of the beneficiary. On March 26, 2020, CMS approved waivers for a number of Medicaid and CBHP requirements that resulted in, for example, the expansion of benefits to include all uninsured individuals; suspension of beneficiary deductibles, copayments, coinsurance, and other cost sharing charges and fees; coverage of COVID-19 vaccines and testing; and the suspension of the requirement for a provider to have a current license if their license expired during the COVID-19 PHE. In addition, the State implemented, with CMS? approval, Medicaid continuous enrollment as a condition of receiving the temporary increase in federal assistance. During continuous enrollment, beneficiaries could not be disenrolled due to changes in circumstances (i.e., changes in household composition, employment, income and resources) until the end of the COVID-19 PHE. On December 29, 2022 the CCA was enacted. Under the CCA, continuous enrollment and the temporary increase in federal assistance are no longer linked to the end of the COVID-19 PHE. The continuous enrollment condition will end on March 31, 2023 and the increase in federal assistance will start to gradually reduce in April 2023, fully ending in December 2023. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to review the Department?s progress in implementing our Fiscal Year 2019 audit recommendation related to its internal controls over Medicaid claims payments. During that audit, we recommended that the Department improve its Medicaid controls by researching and resolving CBMS, TRAILS, and Colorado interChange interface issues we identified during our audit to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries. We specifically identified a TRAILS and CBMS eligibility mismatch issue related to the daily interfaces between CBMS and Colorado interChange and between TRAILS and Colorado interChange. As a result, some individuals who were deemed ineligible for Medicaid in CBMS and TRAILS were indicated as eligible in Colorado interChange at the time of payments; therefore, Colorado interChange made payments on their behalf. The Department researched the specific errors we identified during the audit and manually corrected the eligibility status of those beneficiaries, but the Department had not fully researched the error or identified and corrected all of the cases affected by the errors at that time. As such, we also recommended that the Department identify and correct any additional cases affected by the system issues noted in our audit. The Department agreed with the recommendation and stated that it would implement them by July 2021. As part of our audit work, we discussed the Department?s progress in implementing our audit recommendation with Department staff. According to the Department, it worked with the Department of Human Services (DHS) during Fiscal Year 2022 to develop a plan to eliminate the issues, including the TRAILS eligibility mismatch issue, we identified in the Fiscal Year 2019 audit. In order to address our recommendation that the Department identify and correct any additional cases affected by the system issues noted during our Fiscal Year 2019 audit, the Department developed an eligibility reconciliation report that compares beneficiary records with an active eligibility span in Colorado interChange, in order to identify any records that were not reported in the monthly eligibility file from CBMS. Department staff reported that they are reviewing the reconciliation report monthly to identify any beneficiary records that need updating in CBMS. Beneficiaries may show up on the reconciliation report either because (1) Colorado interChange rejected the beneficiary?s eligibility due to a data integrity issue, or (2) there was a system defect in CBMS, Colorado interChange, or TRAILS that caused a mismatch issue. Data integrity issues include issues such as a missing mailing address or last name?these issues can be manually fixed in CBMS. System defect issues are generally more complex and require Department staff to research the problem and identify the system that caused the error (CBMS, Colorado interChange, or TRAILS), and then work with the appropriate staff to correct the issue. As part of our audit, we requested copies of the Department?s eligibility reconciliation reports for Fiscal Year 2022 and asked the Department if it identified any additional cases affected by the system issues we identified, and if so, if they had they corrected the issues. How were the results of the audit work measured? We measured the results of our audit against the following: ? Federal regulation [42 CFR 447.56(e)(2), Limitations on Premiums and Cost Sharing] states that federal funding will not be provided for payments made by the Department to providers for services rendered to individuals who are not eligible for Medicaid. ? The Act [Section 2, Division F, Sec. 6008, Temporary Increase of Medicaid FMAP] temporarily increased the federal medical assistance percentage (FMAP) by 6.2 percentage points, effective from January 1, 2020 until the end of the PHE. The Act requires states to maintain Medicaid and Children?s Health Insurance Program (CHIP) eligibility for beneficiaries enrolled as of March 1, 2020 through the end of the PHE (with certain exceptions) in order to receive the increased FMAP assistance (the ?continuous enrollment requirement?). The PHE remained in effect during the entirety of Fiscal Year 2022 through June 30, 2022. ? According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with the Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office, Paragraph 16.01, Perform Monitoring Activities, which states that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. What problems did the audit work identify? We determined that the Department did not fully implement our Fiscal Year 2019 recommendation related to Medicaid claims payments by the July 2021 due date it originally provided. Specifically, while the Department has started working with DHS on a plan to resolve the TRAILS eligibility mismatch issues and started preliminary work on the project, the project was still ongoing as of June 30, 2022. In addition, the Department?s system enhancements to CBMS and Colorado interChange were not fully executed because of the ongoing PHE. Once the PHE ends and the Department executes the system enhancements, the Department has indicated the system will begin to correct the CBMS and Colorado interChange mismatches. Finally, although the Department has identified additional beneficiary records that require updating in CBMS, it did not correct the identified issues in the system. Specifically, the Department identified approximately 32,800 separate beneficiaries that were flagged as having an eligibility issue through the Fiscal Year ending June 30, 2022. However, per Department staff, they are unable to tell which beneficiaries had data integrity issues versus those that were caused by a system defect. Once the continuous enrollment period ends and the Department is able to fully execute the system enhancements noted above, the Department reports that the systems will sync any error the Department has identified and will be manually corrected. Why did these problems occur? The Department indicated that it did not fully execute the CBMS and Colorado interChange system enhancements because of the Act?s ongoing continuous enrollment requirement. Specifically, because the Department was required to maintain Medicaid and CBHP beneficiaries enrolled as of March 1, 2020 through the entirety of Fiscal Year 2022 due to the continuous enrollment requirements in place, they were unable to fully execute the CBMS and Colorado interChange system enhancements that would fix the data integrity issues identified during the Fiscal Year 2019 audit. Why do these problems matter? Making payments to ineligible individuals can result in the Department having to repay the federal government for the federal portion of the overpayments. Further, because Colorado interChange makes payments on behalf of other federal programs, such as CBHP, system issues with Colorado interChange could result in erroneous payments for other programs. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-043 The Department of Health Care Policy and Financing should strengthen its internal controls over Medicaid claim payments by: A. Continuing to work with the Department of Human Services to fully implement the plan to eliminate the Colorado interChange issues between Colorado Benefits Management System (CBMS), TRAILS, and Colorado interChange to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries. B. Continuing to review the monthly eligibility reconciliation reports and identifying beneficiary records that need updating, and making necessary corrections in CBMS once the continuous enrollment condition ends. Response Department of Health Care Policy and Financing A. Partially Agree Implementation Date: April 2023 The Department and CBMS teams have strengthened their internal controls to ensure payments are only made to providers for eligible members. The Department and CBMS teams will update all member records identified on the Monthly Reconciliation report once the Public Health Emergency ends. TRAILS team has provided additional training to the Case Managers to prevent data integrity issues being submitted to CBMS and interChange; however, the TRAILS team does not plan to update the system's internal controls until funding is available. Auditor?s Addendum Our responsibility under federal audit regulations is to report to the federal government when we identify Medicaid payments that may not have been made on behalf of eligible individuals or costs that we question as appropriate. It is ultimately the Department?s responsibility to have internal controls in place over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions B. Agree Implementation Date: April 2023 The Department agrees to review the monthly eligibility reconciliation report and is looking forward to resolving the member records once the Public Health Emergency ends to fully resolve the audit finding.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-050 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-037 RECOVERING AND REFUNDING OF FEDERAL SHARE OF MEDICAID AND CBHP PROVIDERS? OVERPAYMENTS The Department pays providers for services rendered to eligible beneficiaries of Medicaid and CBHP programs. In some cases, the Department may discover that it paid a provider for unallowed services, or that it paid more than the allowable amount, and will need to seek a recovery for the overpayment. In such cases, the Department is required to repay CMS for the portion of the overpayment that was funded by the federal government (federal share) within 1 year of the date the overpayment was identified. The Department?s Program Integrity (PI) Division identifies, receives, and tracks overpayments made to Medicaid and CBHP providers. An overpayment is identified once the PI Division sends a Demand Letter (date of discovery) to the provider or receives a self-disclosure identifying the amount of overpayment. The provider has a deadline of 30 days after receiving a Demand Letter or 60 days after submitting a self-disclosure to submit the overpayment or make arrangements for a payment plan with the PI Division. The PI Division uses a recovery tracking spreadsheet (Spreadsheet) to compile all necessary information for the recovery and refund of overpayments. The Spreadsheet is designed to contain information such as the amount of the overpayment, date of discovery, and deadlines for refunding to CMS. The federal share of overpayments that must be refunded to CMS depends upon the Federal Medical Assistance Percentage (FMAP) at which the Department was reimbursed. Once the PI Division recovers an overpayment from the provider, it determines the FMAP and includes it in a recovery form called the Colorado Authorization Document; PI Division staff then send it to the Controller?s Division for recording the recovery and refund information in the Colorado Operations Resource Engine (CORE), the State?s accounting system. The Department?s Controller?s Division uses summary data from CORE to report financial information for Medicaid and CBHP?including all overpayments and the associated federal share?to CMS in quarterly reports: Form CMS-64 for Medicaid and Form CMS-21 for CBHP. The Department has up to 1 year from the date of discovery of an overpayment to report the refund to CMS in one of these forms, as appropriate. The PI Division works with the Controller?s Division to ensure the timely reporting and refunding of the federal share of overpayments to CMS. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to review the Department?s internal controls over processes for recovering, reporting, and refunding the federal share of Medicaid and CBHP overpayments, as well as to determine whether the Department complied with applicable federal requirements and Department policies and procedures during Fiscal Year 2020. During our audit, we reviewed the Department?s Spreadsheet detailing all overpayment cases that appeared to be due for a refund of federal share to CMS during Fiscal Year 2020. The Spreadsheet included 50 Medicaid and seven CBHP overpayment cases, and from these, we selected and tested a sample of 13 Medicaid and five CBHP overpayments. We requested and reviewed supporting documentation for these overpayments to determine whether (1) the information recorded in the Spreadsheet was accurate, (2) the overpayment was recovered in a timely manner or recovery was attempted within 1 year from the date of discovery, and (3) the federal share was appropriately refunded through quarterly reports to CMS in accordance with federal regulations. Additionally, we requested the Department?s policies and procedures to ensure compliance with federal regulations governing the recovery, reporting, and refunding of Medicaid and CBHP overpayments to CMS. The process followed for recovery, reporting, and refunding the federal share of overpayments to providers is the same for both Medicaid and CBHP, and our testing was used to determine compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal regulations for recovering, reporting, and refunding the federal share of Medicaid and CBHP overpayments to providers during Fiscal Year 2020. We noted issues with the untimely recovery and refund of overpayments to CMS, inaccurate federal reporting to CMS, and untimely follow-up with the provider on outstanding overpayments and expired checks. Specifically, we identified the following: ? UNTIMELY RECOVERY AND REFUND. For six of the 13 Medicaid (46 percent) and two of five CBHP (40 percent) overpayments tested, the Department failed to recover, or seek to recover, the overpayments from the provider and failed to refund to CMS, the federal share, within 1 year of the date of discovery, as required by federal regulations. For example, an overpayment was identified on September 13, 2018, but the Department did not recover, or seek to recover, the overpayment until September 15, 2020, and did not refund the federal share to CMS until federal quarter ending September 30, 2020, which is 367 days past the 1 year recovery and refund period in accordance with the federal requirement. In addition, for one of the 13 Medicaid (8 percent) and one of five CBHP (20 percent) overpayments tested, the Department failed to refund the federal share of overpayment to CMS within 1 year of the date of discovery. As a result of untimely follow-up with the providers, the Department did not recover the overpayments amounting to $23,646 in known questioned costs; and did not refund $12,176 within the 1 year period of discovery. These errors resulted in underreporting of overpayments to CMS for Fiscal Year 2020. Additionally, the Department could be liable to CMS for the interest payments on these untimely refunds of overpayments. As of the end of our audit, the Department had not provided an estimated amount of interest that will be due to CMS so we were unable to report an estimated questioned costs amount for the interest. According to federal regulation [42 CFR 433.312(a)(1) and (2)], the Department has 1 year from the date of discovery of an overpayment to a provider to recover or seek to recover the overpayment before the Federal share must be refunded to CMS. In addition, the Department must refund the Federal share of overpayments at the end of the 1-year period following the date discovery of overpayment, whether or not the State has recovered the overpayment from the provider. According to federal regulation [42 CFR 433.320(a)(4)], if the Department does not refund the Federal share of such overpayment as indicated in the previous paragraph (a)(2), the State will be liable for interest on the amount equal to the Federal share of the non-recovered, non-refunded overpayment amount. Interest during this period will be at the Current Value of Funds Rate, and will accrue beginning on the day after the end of the 1-year period following discovery until the last day of the quarter for which the State submits a CMS-64 report refunding the Federal share of the overpayment. ? INACCURATE FEDERAL REPORTING. For all 13 Medicaid (100 percent) and all five CBHP (100 percent) overpayments we tested, the Controller?s Division reported the federal share of the overpayments made to providers on the wrong line of the CMS quarterly reports rather than on the line specified and required by Uniform Guidance. Uniform Guidance states that the Department must report the refund of the overpayment on CMS-64 for Medicaid on line 9C1- Fraud, Waste and Abuse and/or on CMS-21 for CBHP on line 4-Adjustments Decreasing Claims-Collections. ? EXPIRED CHECK AND UNTIMELY FOLLOW-UP. For one of the 13 Medicaid overpayments tested (8 percent), the PI Division failed to timely process the overpayment recovery check received from the provider. Consequently, the check, which was received on September 5, 2019, expired and the Department did not take any actions to follow up with the provider at any time through the end of the fiscal year to obtain payment. After we brought this issue to the Department?s attention, they followed up on the outstanding payment in January 2021, which is more than 16 months since the check expired. According to the Department?s Policies and Procedures, Recovery Officer Check Processing, Section (V)(A), the PI Division within Audits and Compliance has to process the received check in a timely manner and provide a copy to the accounting or Controller Division. ? INCOMPLETE TRACKING SPREADSHEET. We found that the overpayment recovery and refund tracking Spreadsheet used by the PI Division was incomplete and missing important information such as the date of the discovery, the federal program reimbursement rate, and deadlines for refunding to CMS. Green Book, Section 4, Paragraph OV4.08, states that documentation is required for the effective design, implementation, and operating effectiveness of an entity?s internal control system. WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls, including policies and procedures, in place over the recovery, reporting, and refunding of Medicaid and CBHP overpayments during Fiscal Year 2020 to ensure compliance with federal regulations. Specifically, we noted the following causes for the identified errors: ? LACK OF TRAINING. The staff within the PI Division and the Controller?s Division lacked adequate training to document, communicate, and report details of overpayments to ensure compliance with federal regulations. Specifically, the Department?s PI Division did not timely create and provide the Colorado Authorization Document form to the Controller?s Division and the Controller?s Division did not report the refund of the overpayments within 1 year of the date of discovery to ensure compliance with federal regulations. Additionally, staff lacked training to properly track and report overpayments for Medicaid and CBHP; timely process recovery and refund of overpayments, processing checks timely, and correctly report overpayments on CMS quarterly reports. ? LACK OF POLICIES AND PROCEDURES. The Department lacked written policies and procedures to ensure that all necessary information such as the date of the discovery, the federal program reimbursement rate, and deadlines for refunding to CMS required to track, recover, report, and refund overpayments were documented within the Spreadsheet. ? LACK OF ACCOUNT CODES. According to the Controller Division staff, the correct accounting codes are not set up in CORE; therefore, the recovered overpayments are currently recorded under incorrect accounting codes in CORE. This led to the reporting of overpayments on the incorrect federal reporting lines in CMS quarterly reports. ? LACK OF SUPERVISORY REVIEW. The PI Division and Controller?s Division lacked supervisory review over the Spreadsheet and CORE account codes used on the recoveries to ensure completeness and accuracy of information to support timely recovery, refund, and reporting of overpayments. WHY DO THESE PROBLEMS MATTER? Strong internal controls over refunding and recovery of Medicaid and CBHP overpayments, including written policies and procedures; adequate staff training on those policies and procedures, and any related processes; a proper tracking mechanism; and a supervisory review process are necessary to ensure that Department is in compliance with federal and state regulations. Without a proper tracking mechanism for overpayments, the Department risks failing to timely recover state funds paid improperly, refund overpayments, and accurately report overpayment information to the federal government, potentially resulting in additional liability of interest on overpayments to the federal government. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-037 The Department of Health Care Policy and Financing (Department) should improve its internal controls over Medicaid and Children?s Basic Health Plan (CBHP) overpayments and comply with the related payment and reporting requirements by: A Providing adequate training to staff to ensure timely documentation and communication of recovery information between the Program Integrity Division and the Controller Division related to reporting and refunding of overpayments within 1 year of the date of discovery in accordance with federal regulation. Additionally, the training should focus on proper tracking and reporting of overpayments for Medicaid and CBHP, timely processing of recovery of overpayments, timely check processing, and correct refunding of the federal share of these overpayments on Centers for Medicare and Medicaid Services (CMS) quarterly reports. B Developing and implementing written policies and procedures to ensure that all necessary information required to correctly track Medicaid and CBHP overpayments is included on the tracking spreadsheet and recovered overpayments are refunded and reported to CMS within the 1 year of the discovery date, in accordance with federal regulations. C Creating overpayment account codes to report recovered overpayments accurately in the Colorado Operations Resource Engine (CORE) and subsequently under the correct federal reporting lines in CMS quarterly reports. D Implementing a supervisory review over the tracking spreadsheet and CORE overpayment recovery account codes to ensure completeness and accuracy of information to support timely recovery and reporting of overpayments by the divisions. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will develop and provide training to staff that covers the federal regulations surrounding reporting overpayments and returning the federal share, required information for tracking overpayments, processes for processing recovered funds in a timely manner, and processes for properly refunding the federal share on the CMS-64 and/or CMS-21. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will draft and revise existing policies and procedures to ensure proper tracking of recovered overpayments, timely processing of those payments, and correct reporting on the CMS-64 and/or CMS-21. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will implement procedures and coding sufficient to allow proper reporting of overpayments returned greater than one year from the date of discovery for the CMS quarterly reports. D AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will develop and revise supervisory review processes for ensuring that the tracking spreadsheet is complete and accurate and that the CORE account codes are correctly reported.
Finding 2022-043 Medicaid Claims Payments Individuals and families apply for Medicaid at their local county departments of human/social services or at MA sites. Medicaid caseworkers make the determinations of participants? eligibility to receive Medicaid benefits through CBMS. Children in the State?s foster care program, whose information is documented in the TRAILS system, are automatically determined eligible for Medicaid benefits. The Medicaid eligibility data in CBMS and TRAILS feeds into Colorado interChange, which pays providers for the services that beneficiaries receive. CBMS and TRAILS interface with Colorado interChange on a daily basis to update eligibility information, such as a beneficiary?s eligibility status and/or termination of benefits in Colorado interChange. According to the Department, Colorado interChange is programmed to make only allowable Medicaid claims payments on behalf of eligible beneficiaries in accordance with federal and state Medicaid rules and regulations. Thus, Colorado interChange should stop paying Medicaid claims when a beneficiary is no longer eligible for Medicaid. On March 18, 2020, the Act was enacted. The Act provided a temporary increase in the federal share of Medicaid and CBHP assistance from January 1, 2020 until the end of the PHE. The Act also required that the Department maintain Medicaid and CBHP eligibility for beneficiaries enrolled as of March 1, 2020, through the end of the COVID-19 PHE, except for the required terminations noted within the CMS waivers, such as out-of-state residency, termination upon the beneficiary?s request, and death of the beneficiary. On March 26, 2020, CMS approved waivers for a number of Medicaid and CBHP requirements that resulted in, for example, the expansion of benefits to include all uninsured individuals; suspension of beneficiary deductibles, copayments, coinsurance, and other cost sharing charges and fees; coverage of COVID-19 vaccines and testing; and the suspension of the requirement for a provider to have a current license if their license expired during the COVID-19 PHE. In addition, the State implemented, with CMS? approval, Medicaid continuous enrollment as a condition of receiving the temporary increase in federal assistance. During continuous enrollment, beneficiaries could not be disenrolled due to changes in circumstances (i.e., changes in household composition, employment, income and resources) until the end of the COVID-19 PHE. On December 29, 2022 the CCA was enacted. Under the CCA, continuous enrollment and the temporary increase in federal assistance are no longer linked to the end of the COVID-19 PHE. The continuous enrollment condition will end on March 31, 2023 and the increase in federal assistance will start to gradually reduce in April 2023, fully ending in December 2023. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to review the Department?s progress in implementing our Fiscal Year 2019 audit recommendation related to its internal controls over Medicaid claims payments. During that audit, we recommended that the Department improve its Medicaid controls by researching and resolving CBMS, TRAILS, and Colorado interChange interface issues we identified during our audit to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries. We specifically identified a TRAILS and CBMS eligibility mismatch issue related to the daily interfaces between CBMS and Colorado interChange and between TRAILS and Colorado interChange. As a result, some individuals who were deemed ineligible for Medicaid in CBMS and TRAILS were indicated as eligible in Colorado interChange at the time of payments; therefore, Colorado interChange made payments on their behalf. The Department researched the specific errors we identified during the audit and manually corrected the eligibility status of those beneficiaries, but the Department had not fully researched the error or identified and corrected all of the cases affected by the errors at that time. As such, we also recommended that the Department identify and correct any additional cases affected by the system issues noted in our audit. The Department agreed with the recommendation and stated that it would implement them by July 2021. As part of our audit work, we discussed the Department?s progress in implementing our audit recommendation with Department staff. According to the Department, it worked with the Department of Human Services (DHS) during Fiscal Year 2022 to develop a plan to eliminate the issues, including the TRAILS eligibility mismatch issue, we identified in the Fiscal Year 2019 audit. In order to address our recommendation that the Department identify and correct any additional cases affected by the system issues noted during our Fiscal Year 2019 audit, the Department developed an eligibility reconciliation report that compares beneficiary records with an active eligibility span in Colorado interChange, in order to identify any records that were not reported in the monthly eligibility file from CBMS. Department staff reported that they are reviewing the reconciliation report monthly to identify any beneficiary records that need updating in CBMS. Beneficiaries may show up on the reconciliation report either because (1) Colorado interChange rejected the beneficiary?s eligibility due to a data integrity issue, or (2) there was a system defect in CBMS, Colorado interChange, or TRAILS that caused a mismatch issue. Data integrity issues include issues such as a missing mailing address or last name?these issues can be manually fixed in CBMS. System defect issues are generally more complex and require Department staff to research the problem and identify the system that caused the error (CBMS, Colorado interChange, or TRAILS), and then work with the appropriate staff to correct the issue. As part of our audit, we requested copies of the Department?s eligibility reconciliation reports for Fiscal Year 2022 and asked the Department if it identified any additional cases affected by the system issues we identified, and if so, if they had they corrected the issues. How were the results of the audit work measured? We measured the results of our audit against the following: ? Federal regulation [42 CFR 447.56(e)(2), Limitations on Premiums and Cost Sharing] states that federal funding will not be provided for payments made by the Department to providers for services rendered to individuals who are not eligible for Medicaid. ? The Act [Section 2, Division F, Sec. 6008, Temporary Increase of Medicaid FMAP] temporarily increased the federal medical assistance percentage (FMAP) by 6.2 percentage points, effective from January 1, 2020 until the end of the PHE. The Act requires states to maintain Medicaid and Children?s Health Insurance Program (CHIP) eligibility for beneficiaries enrolled as of March 1, 2020 through the end of the PHE (with certain exceptions) in order to receive the increased FMAP assistance (the ?continuous enrollment requirement?). The PHE remained in effect during the entirety of Fiscal Year 2022 through June 30, 2022. ? According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with the Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office, Paragraph 16.01, Perform Monitoring Activities, which states that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. What problems did the audit work identify? We determined that the Department did not fully implement our Fiscal Year 2019 recommendation related to Medicaid claims payments by the July 2021 due date it originally provided. Specifically, while the Department has started working with DHS on a plan to resolve the TRAILS eligibility mismatch issues and started preliminary work on the project, the project was still ongoing as of June 30, 2022. In addition, the Department?s system enhancements to CBMS and Colorado interChange were not fully executed because of the ongoing PHE. Once the PHE ends and the Department executes the system enhancements, the Department has indicated the system will begin to correct the CBMS and Colorado interChange mismatches. Finally, although the Department has identified additional beneficiary records that require updating in CBMS, it did not correct the identified issues in the system. Specifically, the Department identified approximately 32,800 separate beneficiaries that were flagged as having an eligibility issue through the Fiscal Year ending June 30, 2022. However, per Department staff, they are unable to tell which beneficiaries had data integrity issues versus those that were caused by a system defect. Once the continuous enrollment period ends and the Department is able to fully execute the system enhancements noted above, the Department reports that the systems will sync any error the Department has identified and will be manually corrected. Why did these problems occur? The Department indicated that it did not fully execute the CBMS and Colorado interChange system enhancements because of the Act?s ongoing continuous enrollment requirement. Specifically, because the Department was required to maintain Medicaid and CBHP beneficiaries enrolled as of March 1, 2020 through the entirety of Fiscal Year 2022 due to the continuous enrollment requirements in place, they were unable to fully execute the CBMS and Colorado interChange system enhancements that would fix the data integrity issues identified during the Fiscal Year 2019 audit. Why do these problems matter? Making payments to ineligible individuals can result in the Department having to repay the federal government for the federal portion of the overpayments. Further, because Colorado interChange makes payments on behalf of other federal programs, such as CBHP, system issues with Colorado interChange could result in erroneous payments for other programs. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-043 The Department of Health Care Policy and Financing should strengthen its internal controls over Medicaid claim payments by: A. Continuing to work with the Department of Human Services to fully implement the plan to eliminate the Colorado interChange issues between Colorado Benefits Management System (CBMS), TRAILS, and Colorado interChange to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries. B. Continuing to review the monthly eligibility reconciliation reports and identifying beneficiary records that need updating, and making necessary corrections in CBMS once the continuous enrollment condition ends. Response Department of Health Care Policy and Financing A. Partially Agree Implementation Date: April 2023 The Department and CBMS teams have strengthened their internal controls to ensure payments are only made to providers for eligible members. The Department and CBMS teams will update all member records identified on the Monthly Reconciliation report once the Public Health Emergency ends. TRAILS team has provided additional training to the Case Managers to prevent data integrity issues being submitted to CBMS and interChange; however, the TRAILS team does not plan to update the system's internal controls until funding is available. Auditor?s Addendum Our responsibility under federal audit regulations is to report to the federal government when we identify Medicaid payments that may not have been made on behalf of eligible individuals or costs that we question as appropriate. It is ultimately the Department?s responsibility to have internal controls in place over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions B. Agree Implementation Date: April 2023 The Department agrees to review the monthly eligibility reconciliation report and is looking forward to resolving the member records once the Public Health Emergency ends to fully resolve the audit finding.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-041 Medicaid Eligibility?Social Security Numbers associated with Multiple State IDs Each beneficiary?s Medicaid application must contain specific information, including the beneficiary?s Social Security Number (SSN), a copy of their birth certificate, and support for their income, necessary for determining their Medicaid eligibility. The local counties and MA sites are responsible for administering the benefits application process, including entering the required data for eligibility determination into CBMS, and approving or denying applicants? eligibility. CBMS is a shared eligibility system between the Department and the Department of Human Services. As each beneficiary has one SSN, similarly, the State Identification Module (SIDMOD), which is managed by the Office of Information Technology (OIT), is designed to assign a unique State ID for each beneficiary. CBMS interfaces with Colorado interChange, the Department?s Medicaid claims payment system, on a daily basis to update eligibility information, such as a beneficiary?s eligibility status or termination of benefits in Colorado interChange. Colorado interChange uses this information to process and pay claims for services provided to eligible Medicaid beneficiaries. When a medical provider submits a claim to the Department, Colorado interChange checks the State ID and the date of birth, but not the SSN, submitted with the claim against the beneficiary?s information on file. If the State ID and the date of birth match an eligible beneficiary within Colorado interChange and the claim is otherwise appropriate, then the claim will be processed and paid through the system. The Department requires local counties or MA site caseworkers to call the OIT Service Desk to obtain approval for changing or updating an SSN in CBMS. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department made claims payments on behalf of beneficiaries with the same SSN but different State IDs, including assessing the Department?s progress in implementing our Fiscal Year 2019 recommendation related to this issue. At that time, we recommended that the Department improve its internal controls in this area to ensure that it complies with federal regulations regarding Medicaid eligibility. The Department agreed with the Fiscal Year 2019 recommendation and, during our Fiscal Year 2021 audit, reported that it had implemented this recommendation as of December 2020. As part of our testing, we reviewed the internal controls the Department had in place during Fiscal Year 2021 to identify any beneficiaries whose SSN is linked to more than one State ID in Colorado interChange. During our audit, we requested a list of all Medicaid claims that were submitted by providers and paid by the Department from December 1, 2020, through June 30, 2021, including the beneficiaries? names, SSNs, and State IDs. The Department provided a list that included approximately 924,000 beneficiaries who received benefits during that period. We analyzed this listing to identify any beneficiaries whose SSN was linked to more than one State ID, and to determine if any claims payments were made on behalf of those beneficiaries from December 2020 through June 2021. How were the results of the audit work measured? Federal regulation [42 CFR 435.910] states that the Department must require, as a condition of eligibility, that each individual (including children) seeking Medicaid services furnish a SSN. Federal regulation [42 CFR 435.914] further requires the Department to obtain and maintain documentation to support each beneficiary?s Medicaid eligibility determination. Federal regulation [42 CFR 447.56(e)(2)] states that federal funding will not be provided for payments made by the Department to providers for services provided on behalf of individuals who are not eligible for Medicaid. Further, the Department is required by federal regulations to repay the federal government the federal share of any overpayments within one year. Specifically, pursuant to 1903(d)(2)(C) of the Social Security Act [42 U.S.S. 1396b], states have up to one year from the date of discovery of the overpayment to recover or attempt to recover the overpayment before the federal share must be refunded to CMS regardless of whether recovery is made from the provider. According to federal regulation [45 CFR 75.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office. Under Paragraph 16.01 of the Green Book, the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. What problem did the audit work identify? We determined that the Department has not fully implemented the prior audit recommendation. During our testing, we identified 102 unique SSNs that appeared to be inappropriately associated with more than one State ID; in total, the 102 SSNs were tied to 209 State IDs. This could indicate that the Department determined eligibility without a beneficiary furnishing the correct SSN and, as a result, made claims payments on behalf of ineligible beneficiaries or the SSNs could be valid, but with more than one State ID, a provider could submit and have a claim paid for the same services under both State IDs. Specifically, we found the following: ? For 62 SSNs, the SSNs were tied to beneficiaries with more than one State ID, totaling 129 different State IDs, where the State IDs appeared to be for different people based on the names and/or dates of birth. ? For 40 SSNs, the SSNs were tied to beneficiaries with more than one State ID, totaling 80 different State IDs, where the State IDs had the same name and date of birth. ? For 99 SSNs, each SSN was tied to two different State IDs in Colorado interChange. ? For three SSNs, each SSN was tied to more than two different State IDs in Colorado interChange. For example, in one of the three instances, there were five different State IDs associated with one invalid SSN. These issues affected a total of 209 Medicaid State IDs that had not been corrected as of June 2021, representing a total of $67,235 Medicaid claims paid through Colorado interChange from December 2020 through June 2021. We provided the list of SSNs and State IDs to the Department to research. The Department found that, as of the end of our audit in April 2022, 59 out of the 102 SSNs identified during the audit had been corrected by a caseworker, but 43 SSNs need to be corrected in CBMS. The Department reported that these 43 SSNs had been flagged through a system edit in CBMS implemented in December 2020; however, the SSNs had not yet been corrected because ?To merge or correct [the SSNs and State IDs] is a time intensive process and must be prioritized within the business process of the [local counties and] Medical Assistance sites.? Although the Department was able to determine which SSN and State ID discrepancies had been corrected in CBMS as of April 2022, the Department has not completed its research to determine which claims made in Colorado interChange were made on behalf of beneficiaries with a correct SSN, and whether the implemented system edit appropriately addresses the issues identified in both Fiscal Years 2019 and 2021. As of the end of the audit, the Department had not completed this research and we were unable to determine whether the payments were made on behalf of beneficiaries with a valid SSN at the time payments were made. Therefore, we consider all $67,235 of the payments to be known questioned costs; $37,786 of these costs were paid with federal grant funds. A questioned cost, as defined in federal regulations [45 CFR 75.2 Uniform Administrative Requirements, Cost Principles, and Audit Requirements] (Uniform Guidance), is ?a cost that is questioned by the auditor ? (1) Which resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds; [or] (2) Where the costs, at the time of the audit, are not supported by adequate documentation?.? We have identified these questioned costs as known questioned costs that are further defined in Uniform Guidance [45 CFR 75.516] as questioned costs that are specifically identified by the auditor. Why did this problem occur? The Department did not have adequate internal controls in place during Fiscal Year 2021 to prevent or detect all instances of multiple State IDs associated with the same SSN in Colorado interChange and, as a result, could not ensure only eligible beneficiaries received Medicaid services. SIDMOD does not prevent several situations that can result in the same SSN with more than one State ID. For example, caseworkers could incorrectly input an SSN into CBMS or the SSN could be reported by the beneficiary incorrectly and, as a result, cause a new State ID to be created. There can also be instances when someone changes their name, such as when they get married, and apply for benefits prior to getting married and also after getting married, which could cause two State IDs to be created. If someone starts an application and does not finish the application and then restarts a new application at a later date, this can also cause two State IDs to be created. Further, when inputting multiple family members into the system, an input error of the SSN can occur with multiple family members with the same SSN, which would create multiple State IDs (one for each family member) with the same SSN. According to the Department, in order to implement the Fiscal Year 2019 recommendation, it implemented a system edit in CBMS in December 2020 that is designed to identify discrepancies in newly-entered or updated SSNs and State IDs in CBMS after that date and to then notify the caseworker so the caseworker can address the discrepancy; this edit was not designed to address SSN and State ID discrepancies that existed prior to December 2020. As a result, the system edit did not identify SSN and State ID discrepancies for claims made from December 2020 to June 2021 if those discrepancies existed prior to the implementation of the system edit in CBMS and the beneficiaries? information had not been updated in CBMS. For example, if a beneficiary had an incorrect SSN prior to the system edit and was, therefore, ineligible to receive Medicaid services, Colorado interChange would continue paying claims on behalf of the beneficiary until information was updated in CBMS and the beneficiary was determined to be ineligible for Medicaid. Because the system edit implemented in CBMS is only designed to detect and correct future SSN and State ID discrepancies, the Department has not fully addressed the issue of inappropriate claims payments that we identified in the prior audit recommendation. According to the Department, addressing SSN and State ID discrepancies that existed prior to December 2020 involves a manual process to identify, research, and resolve the discrepancies. The Department stated that a report to identify SSNs with multiple State IDs is being developed and is currently scheduled for deployment in June 2023. Furthermore, the Department has not established a monitoring process over caseworkers to ensure SSN and State ID discrepancies are addressed appropriately and in a timely manner. Why does this problem matter? Failing to institute appropriate controls over the processing of Medicaid eligibility can result in the counties and MA sites granting Medicaid benefits to ineligible individuals. As the state Medicaid agency, it is essential for the Department to ensure that Medicaid benefits are paid only for eligible beneficiaries. This includes ensuring that the Department has sufficient internal controls to address risks related to multiple State IDs associated with the same SSN. For example, without adequate controls in place to prevent multiple State IDs from being created, providers could erroneously or fraudulently submit duplicate claims under these State IDs for the same services, resulting in improper payments. Ultimately, the federal government may disallow federal funds for Medicaid program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. Recommendation 2021-041 See Schedule of Findings and Questioned Costs for chart/table The Department of Health Care Policy and Financing (Department) should improve its internal controls over Medicaid eligibility by: A. Researching the claims payments that were identified during our audit to determine whether the local counties or Medical Assistance sites had a valid Social Security Number (SSN) when determining eligibility, if payments were appropriate?in accordance with federal regulation at the time the payments were made?and recovering any payments made to providers on behalf of ineligible beneficiaries in accordance with federal regulations. B. Continuing to develop a report to identify SSNs associated with multiple State IDs and establishing and implementing written policies and procedures outlining how the Department will use the report to effectively monitor and correct SSN and State ID discrepancies. C. Implementing a process to monitor that caseworkers are addressing the Colorado Benefits Management System alerts related to SSN and State ID discrepancies appropriately and in a timely manner. Response Department of Health Care Policy and Financing A. Disagree The research required to identify the appropriateness of payments for 102 SSNs compared to the 1.6 million Coloradans the Department serves is administratively impractical and not an efficient use of limited state resources. Instead the Department will continue our existing proactive approach. Based on previous research, 92% of errors noted in the 2019 sample actually supplied a SSN or met exceptions criteria; therefore, payments were appropriate. The resolution of a SSN discrepancy is addressed through manual intervention by county eligibility technicians when identified through the system edit implemented in December 2020. The Department will continue the existing process to address duplicate SSNs, which is working since 58% of the SSNs had already been corrected through the existing process during the audit work. The Department could not agree to the questioned costs as the testing failed to determine which member case was incorrect. The OSA should have documented the incorrect case or identified which State IDs had not been merged through the existing process. The OSA pulled claims data (not Colorado Benefits Management System, or CBMS, cases) and did not identify if those claims were from newly entered cases or cases entered prior to December 2020. The auditor?s sample should have only included the cases impacted by the Department?s system change related to the original recommendation. Further, the Department cannot recover any payments from providers since this issue is not related to services provided. When a provider checks a member's eligibility on the day of service and finds the member eligible through the Department?s system, that provider is guaranteed payment if they render an authorized service. Auditor?s Addendum Our responsibility under federal audit regulations is to report to the federal government when we identify Medicaid payments that may not have been made on behalf of eligible individuals or that we ?question? as appropriate. It is ultimately the Department?s responsibility to perform research over questioned costs to determine whether the payments were or were not appropriate and, working with CMS, whether the Department must refund the federal share of any overpayments to CMS, regardless of whether the Department recovers the payments from the providers. B. Agree Implementation Date: June 2023 The Department will continue our existing proactive approach to minimize this issue. The resolution of a SSN discrepancy is addressed through manual intervention by county eligibility technicians when identified through the system edit implemented in December 2020. The Department will continue the existing process to address duplicate SSNs. The Department has already made significant progress to monitor CBMS through the use of CBMS monitoring dashboards. These dashboards allow the Department to monitor and perform daily analysis. The Department meets bi-weekly to discuss findings and next steps to resolve any issues identified through the dashboard. These dashboards are being implemented over time as areas of improvements are identified. As part of the Department's continual improvement strategy, SSN discrepancy reports are included in the next implementation phase of the monitoring dashboards scheduled for June 2023. The Department will develop and implement policies and procedures outlining how the report will be used to effectively monitor and correct SSN and State ID discrepancies. Once that work is complete, the Department will send updated written guidance to our county and medical assistance sites on how to use system edits, reports, and dashboards to resolve duplicate SSNs. C. Agree Implementation Date: June 2023 The Department will continue our existing proactive approach to minimize this issue. The resolution of a SSN discrepancy is addressed through manual intervention by county eligibility technicians when identified through the system edit implemented in December 2020. The Department will continue the existing process to address duplicate SSNs. The Department has already made significant progress to monitor CBMS through the use of CBMS monitoring dashboards. These dashboards allow the Department to monitor and perform daily analysis. The Department meets bi-weekly to discuss findings and next steps to resolve any issues identified through the dashboard. These dashboards are being implemented over time as areas of improvements are identified. As part of the Department's continual improvement strategy, SSN discrepancy reports are included in the next implementation phase of the monitoring dashboards scheduled for June 2023. Once that work is complete, the Department will send updated written guidance to our county and medical assistance sites on how to use system edits, reports, and dashboards to resolve duplicate SSNs appropriately and in a timely manner.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-042 Medical Loss Ratio Reporting for Managed Care Entities The Department contracts with Managed Care Entities (MCEs) to provide managed care health plans and deliver health care services to eligible Medicaid and CBHP beneficiaries and pays MCEs monthly fixed amounts, known as capitation payments, based on rates determined by actuaries for the provision of services covered under the contract. The Department pays the MCEs monthly capitation payments on behalf of each Medicaid and CBHP beneficiary enrolled in the MCE?s plan. MCEs then coordinate services for the eligible Medicaid and CBHP beneficiaries and providers participating in the managed care system bill the MCEs directly for any medical services provided to Medicaid and CBHP beneficiaries. The MCEs are then responsible for paying the providers for the Medicaid and CBHP claims. The Department contracts with three different types of MCEs?Managed Care Organizations (MCO), Prepaid Inpatient Health Plans (PIHP), and Primary Care Case Management (PCCM) Entities. During Fiscal Year 2021, the Department had a total of 8 contracts with 10 MCEs, with two pairs of MCEs sharing a single contract with the Department. The Department is responsible for monitoring the MCEs to ensure they are complying with federal regulations and their contract provisions, including requirements that the MCEs annually submit Medical Loss Ratio (MLR) reports to the Department. The MLR is the proportion of state and federal Medicaid and CBHP funds that the MCE used for medical services compared to the funds used for its administrative costs. MCEs are required by both federal regulations and their Department contract provisions to have an MLR above 85 percent (i.e., an MCE?s administrative costs cannot exceed 15 percent) except for specific exceptions defined in federal regulations. If the MLR is below 85 percent, the MCE must pay back the state and federal government for the amount that caused the MCE to fall below 85 percent. Every fiscal year, the Department provides an MLR reporting template for the MCEs to complete and return to the Department. The Department reported that when it receives the completed templates, staff review the information provided by the MCEs and compare it to supporting documentation to ensure it is accurate and complete. Once the Department has reviewed the MLR reports submitted by the MCEs, the Department submits the MLR reports to CMS, which are due by June 30 of the year following the end of the MLR reporting year. For example, an MCE with a reporting year ending June 30, 2020, would be required to submit the MLR calculation to CMS by June 30, 2021. During Fiscal Year 2021, the Department reported that it paid approximately $1.4 billion in Medicaid and CBHP capitation payments to MCEs for medical services, not including the capitation payments for other services, such as administrative costs. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to review the Department?s internal controls and compliance over ensuring that MLR reports submitted to CMS by the Department include all the required information in accordance with federal regulations during Fiscal Year 2021. The audit work included making inquiries of Department staff regarding the Department?s documented policies and procedures over obtaining and reviewing MLR reports from each MCE. In addition, we requested and reviewed all MLR reports submitted to the Department by the 10 MCEs that were under contract with the Department in Fiscal Year 2021 to determine whether the MLR reports included all information required by federal regulations and were submitted within the required timeframes. How were the results of the audit work measured? Federal regulations [42 CFR 438.8(k)] require that the Department ensure each MCE under contract with the Department submits a report with the data elements specified in 42 CFR section 438.8(k)(1). The reports are specifically required to contain 13 required data elements, reflect the correct reporting years, and contain an attestation of accuracy regarding the calculation of the MLR. The 13 data elements include items such as total incurred claims, the methodology for allocating expenditures, the calculated MLR, and a comparison of the information reported in the MLR report to the MCE?s audited financial report. Federal regulations [42 CFR 438.8(g)] note that the method used to allocate expenses in the MLR calculation must be: ? Based on a generally accepted accounting method that is expected to yield the most accurate results; ? Any shared expenses must be apportioned pro rata to the contract incurring the expense; and ? Expenses that relate solely to the operation of a reporting entity must be borne solely by the reporting entity and are not to be apportioned to other entities. Federal regulations [42 CFR 438.8(k)(2)] require MCEs to submit the MLR report in a timeframe and manner determined by the Department, which must be within 12 months of the end of the MCE?s reporting year. The Department?s contract provisions for MCEs state that the MLR reporting year should align with the State?s fiscal year, beginning on July 1 and ending on June 30 of the subsequent calendar year. Contract provisions also state that each MCE shall submit to the Department the completed MLR calculation template and supporting documentation for each reporting year by the following January 15. For example, an MCE with a reporting year ending June 30, 2020, would be required to submit the MLR calculation template to the Department by January 15, 2021, and the Department would be required to submit the MLR calculation to CMS by June 30, 2021. What problems did the audit work identify? We reviewed all reports provided to the Department by the 10 MCEs during Fiscal Year 2021 (for the MLR reporting year ended June 30, 2020) and determined that none of the MLR reports submitted by the 10 MCEs to the Department contained all of the required data elements in Fiscal Year 2021. Specifically, the MLR reports were missing 2 of the 13 (15 percent) required data elements: the methodology for the MCEs? allocation of expenditures and a comparison of the information reported in the MLR report to the MCEs? audited financial reports. This omission is significant because the MCEs reported total medical expenditures ranging from $20.5 million to $208.4 million and earned revenue from $23.4 million to $219.1 million. In addition, we determined that 1 of the 10 MLR reports received in Fiscal Year 2021 (10 percent) had not been submitted to CMS as of April 2022. This report was due to CMS on June 30, 2021. Why did these problems occur? We found that the Department lacked adequate controls to ensure that MLR reports submitted by the MCEs fully complied with federal regulations. First, we noted that although the Department?s MCE contracts state the MCE?s MLR report should include all 13 federally required data elements, the MLR template the Department provided to the MCEs did not include specific sections addressing the two missing federally-required data elements. As a result, the MCEs did not submit this information. Furthermore, the Department did not have written policies and procedures for reviewing completed MLR reports to ensure the reports ultimately included those requirements. Second, the Department does not have an enforcement mechanism to ensure the MCEs provide corrected MLR report information in a timely manner. The Department reported that it had not submitted the one MLR report to CMS because it had open questions on the MLR report and was unable to verify that the information was correct, valid, and in compliance with federal regulations. Although the Department sent the MLR report back to the MCE for correction several times, the Department did not have sufficient controls in place to ensure the MCE ultimately provided the corrected report back to the Department within the required reporting timeline for CMS submission. Why do these problems matter? The Department is responsible for ensuring MLR reports are obtained and submitted to CMS in accordance with federal regulations and that MCEs have an MLR above 85 percent. While all 10 MCEs reported that their MLRs were above 85 percent for the reports submitted during Fiscal Year 2021, without providing all required data elements, neither the Department nor the federal government can validate that this percentage is accurate. By not including the methodology for the MCE?s allocation of expenditures, the Department, and ultimately CMS, are unable to confirm that each type of expense is being allocated correctly and that any shared expenses are being prorated appropriately. Additionally, by not including a comparison of the information reported in the MRL to the MCE?s audited financial report, the Department is unable to confirm that the information the MCE used to calculate their MLR is accurate. Overall, without effective internal controls in place, the Department risks providing MLR reports to CMS that contain inaccurate or incomplete information or that the MLR is below 85 percent and the Department does not catch the error. As a result, state and federal funds could be used disproportionately on administrative costs rather than medical services, which would negatively impact the quality of care Medicaid and CBHP beneficiaries receive. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-042 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls over Medical Loss Ratio (MLR) reporting by: A. Updating its MLR report template provided to Managed Care Entities (MCEs) to comply with federal regulations and developing and implementing written policies and procedures. These policies and procedures should include the requirement for MCEs to submit MLR reports that include the data elements required by federal regulations and specify the Department?s review process of those MLR reports to ensure they include accurate and complete information. B. Developing an enforcement mechanism to ensure it receives accurate and corrected information from the MCEs in a timely manner so the Department is able to complete its validation process of MLR reports and meet the June 30 deadline for report submission to the Centers for Medicare & Medicaid Services. Response Department of Health Care Policy and Financing A. Agree Implementation Date: December 2022 The MLR report template has been updated and will now be reviewed at least yearly by the Department. In addition, new written policies and procedures are being developed and will be implemented before the submission of the next MLR for review. B. Agree Implementation Date: January 2023 The Department will add contract language and enforcement mechanisms in order to receive accurate information in a timely manner. This includes specific timelines for correcting incomplete or inaccurate information in order to submit the MLR report timely to the Centers for Medicare & Medicaid Services.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-043 Managed Care Entities? Periodic Audit Reporting On November 9, 2020, CMS adopted a final rule (Final Rule) revising the regulations governing managed care programs. The Final Rule was meant to streamline the existing Medicaid and CBHP managed care regulatory framework. Further, it adopted procedures and standards to ensure accountability and strengthen program integrity safeguards. The Department is responsible for complying with these federal program integrity regulations, some of which include requirements to monitor MCE compliance submission requirements, conduct periodic audits of submitted MCE data, and then post the periodic audits publicly on the Department?s website. These periodic audits are done to determine the accuracy and completeness of the (1) encounter and, (2) financial data submitted by each MCE, which are described as follows: ? Encounter Data. The Department?s contracts with the MCEs require each MCE to submit Medical Encounter Claims (Encounter Data) to the Department. Encounter Data includes services provided by any of the MCE?s providers, including, but not limited to, services delivered by medical groups, practices, clinics, physicians, or any other providers. MCEs must submit Encounter Data on a monthly basis on the last business day of the month. The Department then contracts with an independent external quality review organization to review the information and supporting documentation, and then the external organization issues a report on the data submitted by each MCE. ? Financial Data. The Department?s contracts with the MCEs require each MCE to complete a Department-provided financial reporting template that contains a breakdown of the MCE?s administrative and medical costs for a 12-month period (July through June). These templates are required to be completed and submitted to the Department by January 15 each year. The Department performs an initial review of the information, and then sends the completed templates to an independent CPA firm for final review and issuance of a report on the data submitted by each MCE. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to review the Department?s internal controls over and compliance with federal program integrity requirements for MCEs during Fiscal Year 2021. The audit work included making inquiries of Department staff regarding the Department?s documented policies and procedures over the MCE periodic audits. For each MCE, we reviewed the Department?s MCE contract, the financial reporting template submitted during Fiscal Year 2021, and the report issued by the Department?s contracted independent organization. Lastly, we reviewed the Department?s website to determine whether the Department posted the periodic audit results on their website. How were the results of the audit work measured? Federal regulations [42 CFR 438.602] detail the Department?s responsibilities associated with MCE program integrity. These include the following: ? Federal regulation [42 CFR 602(e)] requires the Department to periodically conduct, or contract for the conduct of, an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by each MCE. ? Federal regulation [42 CFR 438.602(g)(4)] requires that the results of the periodic audits for each MCE be publicly posted on the Department?s website. The Department?s MCE contracts require all MCEs to submit Encounter Data electronically to the Department on a monthly basis. The Department?s MCE contracts also require all MCEs to submit annual financial information, including annual financial statements and the Department provided financial reporting template. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in the Green Book. Under Paragraph 16.01, the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. What problems did the audit work identify? Overall, we found that the Department did not obtain complete financial data from the MCEs during Fiscal Year 2021 and did not post the audited results of the financial data to the Department?s website. Specifically, we found the following: ? Financial Data Reporting Template. For 2 out of the 10 (20 percent) financial reporting templates we reviewed, the MCE did not fill out the reporting template completely. As a result, the reporting templates were missing supporting information and explanations that assist the Department in their initial review of the MCE financial data, such as the MCE?s methodology for calculating administrative and medical costs submitted with the reporting template. ? Posting Incomplete Periodic Audits to the Department?s Website. For 10 of the 10 (100 percent) MCEs, we found that the Department failed to post the results of the financial data audits to its website. Pursuant to federal regulations, the audits must include information on encounter and financial data for each MCE and be posted to the Department?s website. We were able to verify that the Department did, however, post the results of the encounter audits to its website for all 10 MCEs. Why did these problems occur? The Department lacked adequate controls over ensuring compliance with federal program integrity requirements for MCEs. Specifically, the Department did not have written policies and procedures for performing the initial review of the financial data reporting templates before they are sent to the CPA firm for final review. In addition, the Department did not have written policies and procedures for ensuring all periodic audit information is posted to its website, including the results of the financial data audits. Why do these problems matter? As a recipient of federal funds, the Department is ultimately responsible for ensuring that it is in compliance with federal regulations. By not confirming that the MCE financial data templates are complete, there is a risk that the reports issued by the contracted CPA firm could be inaccurate or incomplete, which could lead to the Department not properly monitoring the managed care program. In addition, by posting incomplete periodic audit information to its website, the Department risks failing to comply with federal program integrity requirements for MCEs. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-043 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls by developing and implementing written policies and procedures for periodic audits that detail the process for (1) performing the initial review of the financial data reporting templates submitted by Managed Care Entities, and (2) posting complete periodic audit results on the Department?s website in accordance with federal regulations. Response Department of Health Care Policy and Financing Agree Implementation Date: December 2022 The Department did not have strong enough controls for the initial checks on the financial data reporting templates. This process has been updated and will be rectified in coming cycles. The Department has modified its templates in order to address the concerns provided by the auditors including signatures and supplemental reporting. Written policies and procedures for the validation and audit of the templates are being developed currently and will be in place and effective in December 2022. The Department will be correcting this error by posting the audit results along with other quality and audit reports on the following site: https://hcpf.colorado.gov/quality-and-health-improvement-reports.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-045 Payments for Non-Emergent Medical Transportation ClaimsPrior to July 2020, in 55 counties, the Department worked with various county offices to have them broker Non-Emergent Medical Transportation (NEMT) services for Medicaid recipients, including rides to and from Medicaid medical appointments, personal mileage reimbursement, and trip-related meals and lodging. For example, these counties arranged the rides with transportation providers, submitted the claims or had providers submit claims for reimbursement to the Department, and passed on reimbursements to providers as needed. For the remaining nine counties, the Department contracted with IntelliRide to serve as the NEMT broker for services in those areas. From July 1, 2020, to August 31, 2021, when the Department contracted with IntelliRide to be the statewide broker, most recipients throughout the state scheduled NEMT rides by contacting IntelliRide through its call center, website chat function, or smartphone applications. IntelliRide scheduled rides and assigned transportation providers to them, and had providers upload trip information into IntelliRide?s EcoLane transportation scheduling system. EcoLane maintains information related to recipients? requests for rides and provider trip information, such as the trip date and time, names of the recipient and driver, and scheduled pick-up and destination addresses. IntelliRide submitted claims through the Department?s interChange system (interChange) requesting payments for providers? NEMT services, paid providers for their services, and received reimbursement from the Department. In addition, the Department paid NEMT claims submitted directly by NEMT providers. In Fiscal Year 2021, from July 1, 2020, through February 28, 2021 (the audit period), the Department paid 362,110 claims for NEMT services totaling about $33.2 million, as shown in the following table. In September 2021, the Department plans to transition back to IntelliRide brokering services in nine counties, while the NEMT providers in the remaining counties will broker their own services. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote What audit work was performed and how were the results measured? The purpose of the audit work was to determine whether the Department has ensured that NEMT claims adhere to the following federal and state requirements. ? NEMT trips were to be brokered through, and all claims submitted by, the statewide broker, Intelliride. According to state regulations and the Department?s NEMT Billing Manual, all NEMT trips during Fiscal Year 2021 had to be authorized by the statewide broker, IntelliRide [10 CCR 2505-10 8.014.7.A]. This means that each recipient?s NEMT ride request should have been sent to IntelliRide for approval or authorization before the trip, and any unauthorized trips should ?not be reimbursed or paid? [Billing Manual]. According to the Department, it allowed NEMT providers time to transition to working with IntelliRide because some providers were reluctant to join the statewide brokerage and the Department needed time to onboard providers. By Fall 2020, most providers should have been working with IntelliRide to schedule NEMT rides. The Department told us that six NEMT providers received its express permission to bypass IntelliRide to schedule rides and submit claims directly to the Department because the providers are unique, such as only serving recipients with disabilities or receiving federal grant funding to provide NEMT. To assess whether IntelliRide brokered most NEMT services in the State and submitted the related claims in line with regulations and its contract, we reviewed the Department?s aggregate data for the 128,998 NEMT claims paid from December 2020 through February 2021. ? The Department must pay claims based on accurate service rates and trip mileage. Non-taxi NEMT services, such as wheelchair and mobility vehicle services, have base rates and mileage rates set by the Department. IntelliRide tracks the mileage of each NEMT trip in EcoLane and submits mileage claims to the Department?s interChange system. The Public Utilities Commission (PUC) sets the rate for each permitted taxi provider, which generally includes a rate for the first trip mile and a different rate for each additional mile. According to the Department?s NEMT Billing Manual and NEMT Rate Schedule for Fiscal Year 2021, taxi claims should have been paid at the rate set by the PUC. For example, if a taxi company?s PUC rate was $4 for the first mile and $2 for each additional mile, the Department should have paid $6 for a two-mile NEMT trip claim. To verify that the Department paid NEMT claims based on the correct trip mileage and rates, we reviewed the trip mileage and rates for 362,110 NEMT claims paid from July 2020 through February 2021, and PUC documentation on the taxi rates for permitted taxi companies. ? Claims must be supported with accurate and complete documentation confirming the service provided. Both IntelliRide and providers that submit claims for NEMT services must keep and be able to furnish accurate, complete supporting documentation for all claims [42 USC 1396a(27), 42 CFR ?? 431.17 and 433.32, and 10 CCR 2505-10 8.014.3.C and 8.014.6.B]. For example, a claim must be supported by medical documentation showing that the type of vehicle was needed to transport the recipient, and documentation from the transportation provider showing the trip occurred and when the recipient was picked-up and dropped-off. IntelliRide should only submit a claim to the Department after IntelliRide confirms the trip has been completed and marks the status complete in EcoLane [IntelliRide Policies and Procedures]. If an NEMT provider does not show up for a trip, IntelliRide should mark the trip as ?cancelled? in EcoLane. Payments for Medicaid claims that lack supporting documentation for the services provided are unallowable, meaning they should not be paid. IntelliRide or the Department must maintain documentation from recipients? medical providers showing why certain NEMT services, like transportation in a wheelchair van or with an escort, are medically necessary [10 CCR 2505-10 8.014.7.B and 8.014.5.D.1; Billing Manual]. To verify that there was support for NEMT claims, we reviewed IntelliRide data in EcoLane for all 362,110 NEMT claims paid from July 2020 through February 2021, and Department documentation for a sample of 85 NEMT paid claims?75 selected randomly from the four NEMT service areas of the state, and 10 that were the highest paid NEMT claims. ? NEMT services must be medically necessary. NEMT services shall only be provided to recipients with no other means to attend medically necessary, non-emergency treatment covered by Medicaid [42 USC 1396a(70); 42 CFR 431.53; 10 CCR 2505-10 8.014.5.B]. To verify that NEMT claims were only paid for recipients to access medical care, we reviewed the Department?s data on paid medical claims to determine if the recipients related to 22 sampled NEMT claims paid in December 2020 had a corresponding medical appointment. For another 61 paid NEMT claims that involved IntelliRide scheduling and submitting claims for trips every day in December for two recipients, we reviewed whether the recipients had paid medical claims corresponding with the trips. ? Prior authorization is required for air ambulance. The Department must grant prior authorization for the use of an NEMT air ambulance before the trip occurs in order for the claim to be paid [10 CCR 2505-10 8.014.7.D.1.b]. To verify that the Department granted prior authorization for air ambulance trips, we reviewed the use of air ambulances in 11 paid claims from July 2020 to February 2021. ? Recipients are to receive the least-costly NEMT transportation option appropriate for their medical condition. For example, recipients should only ride in a vehicle for recipients with mobility needs when they have a mobility issue or if there is a lack of access to public transportation [10 CCR 2505-10 8.014.6.B, 42 USC 1396(a(70), and 42 CFR 440.170(a)(4)]. Higher-cost NEMT services, such as ambulance and wheelchair van services, must be supported with documentation of the recipient?s need for the specific higher-cost services [10 CCR 2505-10 8.014.5.B.1.b]. To determine whether recipients received the least costly NEMT services to meet their needs, we reviewed documentation submitted by medical or transportation providers to IntelliRide or the Department for the 85 sampled NEMT claims. ? Taxi providers must be permitted by the PUC to provide NEMT taxi rides. To provide NEMT rides by taxi and receive payment for them, the provider must maintain a common carrier permit issued by the PUC [10 CCR 2505-10 8.014.3.B.4.a]. To verify that the providers that were paid for taxi claims had been permitted to provide taxi services, we reviewed the 33,791 NEMT claims for taxi services from July 2020 to February 2021. What problems were identified? The Department paid $3.5 million directly to 66 NEMT providers for claims that were not brokered by Intelliride. From December 2020 through February 2021, 26,890 of the approximately 129,000 NEMT claims paid by the Department (21 percent), totaling about $3.5 million, were not brokered through IntelliRide, which violated state regulations requiring all NEMT services to be brokered through the statewide brokerage in effect at the time. The following chart shows the amounts the Department paid for claims submitted directly by NEMT providers compared to its payments for claims submitted by IntelliRide from July 2020 through February 2021. During these months, the number of claims that providers submitted directly to the Department decreased as providers transitioned to working with IntelliRide to broker NEMT rides; however, as of February 2021, the Department was still paying about $1 million in monthly claims that were submitted directly by providers. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote The Department paid 36,910 NEMT claims totaling $5.5 million, which either violated or may have violated federal and/or state regulations. The claims were for unallowable services or were overpaid, and resulted in $291,597 in known questioned costs and $5,180,962 in likely questioned costs for Medicaid. A questioned cost is a payment that ?resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds? or ?the costs, at the time of the audit, [that] are not supported by adequate documentation?? [2 CFR 200.84]. A known questioned cost reflects a violation that the auditor confirmed; a likely questioned cost is the auditor?s best estimate of a potential violation [2 CFR 200.516(a)(3)]. Known and likely questioned costs should be investigated by the Department and recovered, as appropriate, because Medicaid overpayments are recoverable regardless of whether they occurred due to an error by the Department, entity acting on behalf of the Department, or a provider [Section 25.5-4-301(2), C.R.S.]. We found the following problems resulting in $291,597 in known questioned costs: ? Claims paid with no support that services were provided. For 3,958 of the 362,110 NEMT claims (1 percent), which totaled $258,115 paid from July 2020 to February 2021, IntelliRide or providers submitted the claims without any documentation showing that recipients received the NEMT services from the providers listed in the claim. The $258,115 is known questioned costs and includes: o 3,323 claims totaling $163,985 submitted by IntelliRide with no documentation in EcoLane of a ride being scheduled or provided. o 619 claims totaling $61,431 submitted by IntelliRide for which EcoLane showed the scheduled ride was cancelled. o 16 sampled claims totaling $32,699 submitted by providers directly to the Department had no documentation that an NEMT service occurred because the providers did not send the Department documentation for their claims. Upon our request, the Department attempted to obtain supporting documentation from providers for these claims but was unable to obtain any. ? Overpayments due to incorrect mileage and taxi rates. For 466 of the 321,099 mileage and taxi claims (less than 1 percent), the Department overpaid IntelliRide. Specifically, for 50 of the 287,308 mileage claims (less than 1 percent), the mileage submitted by IntelliRide that the Department paid was more than the ride mileage that IntelliRide documented in EcoLane. For 416 of the 33,791 (1 percent) claims submitted by IntelliRide on behalf of providers that were permitted to operate as taxis, the Department paid a higher rate than the providers? set PUC rate. The following table breaks out the overpayments that we identified, which totaled $6,759 in known questioned costs. We did not find issues with the rate amounts that the Department paid for non-mileage and non-taxi services. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Examples of these overpayments include: o An overpayment of $48 for a claim submitted by IntelliRide for a taxi provider that billed the wrong taxi rate. The Department paid $60 for a 4-mile trip, when it should have paid $12 based on the PUC rate of $3 per mile. o An overpayment of $79 for a claim submitted by IntelliRide on behalf of a provider because the claim showed the trip was 76 miles, but the EcoLane data showed the trip was 38 miles. The Department paid $157, when it should have paid $78. ? Unallowable rides, not for medical appointments. For 61 claims showing NEMT trips every day in December 2020 for two recipients, there were no medical claims corresponding to their trips, so it appears that either NEMT was used repeatedly to transport these recipients to unallowable destinations or the provider did not provide the trips claimed. The NEMT provider reported to IntelliRide that these trips were completed even though the recipients did not attend any medical appointments that month. IntelliRide submitted the 61 NEMT claims and its EcoLane data showed that the NEMT providers self-reported that the trips were completed. However, IntelliRide confirmed that these trips were not used to access medical care. The issues we identified resulted in $2,674 of known questioned costs. ? Air ambulance claims paid without prior authorization. None of the 11 air ambulance NEMT claims had supporting documentation that the provider requested or received prior authorization from the Department before the trip occurred. These 11 claims to three providers resulted in $23,122 in known questioned costs. ? Claims paid for trips that were not the least costly, medically necessary, and/or for approved escorts. For seven of the 85 sampled claims (8 percent), IntelliRide submitted the claims without having required documentation from medical providers. Specifically, four claims lacked documentation to support the medical necessity for the type of vehicle used (either mobility vehicle, taxi, or wheelchair van); the other three claims lacked documentation of the recipient?s need for an escort to support the associated cost, which indicates that the three sampled NEMT trips were provided to an escort ineligible to ride with the recipient. The issues we identified for the seven claims resulted in $927 of known questioned costs. In addition, we found the following problems resulting in $5,180,962 in likely questioned costs, which are estimated potential violations of federal requirements that we could not confirm due to a lack of documentation: ? $4.8 million paid for taxi claims without mileage. For 29,049 taxi claims totaling $4,763,071, the Department paid the claims without ensuring taxi providers were paid at their PUC per-mile rate. These claims were submitted directly to the Department by 10 permitted taxi providers. The Department required providers to submit claims showing only the number of one-way trips driven, not the number of miles driven. As a result, the Department could not ensure that these taxi claims were paid at the correct PUC rates, as required in its Billing Manual and Rate Schedule. The Department paid the full amount that each taxi provider requested, as long as the claim was not more than $1,000 per one-way trip. For example, the Department paid $4,000 to one taxi provider for a claim showing four one-way trips for a recipient on a single day. Based on the claim amount, the taxi provider would have had to have driven the recipient on four 400-mile, one-way trips that day to justify this amount, because the taxi provider?s PUC rate is $4 for the first mile and $2.50 for each additional mile. Since the Department did not obtain the miles driven for each one-way trip from taxi providers for these 29,049 claims, we could not determine whether the payments were accurate based on each provider?s PUC rate, as required. ? $409,575 paid for taxi claims for providers not permitted as taxis. For 3,284 NEMT claims for taxi services from eight providers, the providers were not permitted by the PUC to operate as taxis. For example, one provider was paid for an NEMT taxi claim for $5,875 for 12 trips, or $490 per trip. Since these providers were not permitted as taxis, they did not have PUC-set taxi rates, so we could not determine how much these providers should have been paid. ? $4,718 paid for trips that may not have been to attend medical services. As of April 2021, 13 of the 22 sampled NEMT claims (59 percent) for trips in December 2020 had no medical claims for dates corresponding to the NEMT trips. Department staff told us that Medicaid medical claims are typically submitted and paid within 3 months of the date of service, but that there is a possibility that medical providers had not yet submitted medical claims for the recipients since federal regulations technically allow providers up to 12 months to submit claims [42 CFR 447.45(d)(1)]. In addition, six of these 13 recipients had both Medicaid and other types of medical insurance, such as Medicare. According to the Department, it is possible that the six recipients used NEMT trips to access medical services but the Department did not have a Medicaid claim for the services because they were paid by the other types of insurance, which is allowed by state regulations [10 CCR 2505-10 8.014.5.B.2]. Therefore, we could not determine whether the NEMT trips associated with the 13 claims had been for recipients to attend medical services. ? $3,598 paid for trips that may not have been completed. For 61 of the 362,110 paid claims (less than 1 percent), the scheduled trips were not marked as complete in EcoLane, so we could not determine whether they had been completed. Why did these problems occur? The Department lacks effective internal controls over NEMT claims to ensure they are appropriate and consistently comply with federal and state requirements. According to federal regulations [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls to provide reasonable assurance that federal funds are spent in compliance with federal requirements. We identified the following areas where Department controls are lacking for NEMT claims: Lack of Department information technology (IT) Controls in interChange ? No IT controls to prevent providers from bypassing broker. From December 2020 through February 2021, the Department paid NEMT providers directly for unsupported NEMT trips because the Department did not have IT controls in interChange to deny claims for trips that were not brokered through IntelliRide, as required at the time. As of September 1, 2021, the Department plans to require only the NEMT providers operating in nine metro-Denver counties to broker trips through IntelliRide, so the Department needs IT controls to ensure providers in these counties work with IntelliRide to schedule all trips and submit related claims. ? Lack of IT and other controls to ensure proper payments for NEMT taxi services. InterChange is programmed to pay each NEMT taxi claim based on one-way trips, but the Department has not implemented an IT or other control to ensure that NEMT taxi claims are paid at the providers? current PUC-approved per-mile rates, and that the Department only pays taxi rates when the provider is permitted by the PUC to operate as a taxi. Department staff stated that the only IT control the Department has built into interChange to help ensure proper payment of taxi claims is limiting payments for taxi claims to no more than $1,000 per one-way trip, and that this control is in accordance with the NEMT Billing Manual and Rate Schedule. However, Department staff also acknowledged that there is a conflict within the Billing Manual that requires taxi claims to be based on the number of one-way trips, but also paid based on per-mile PUC rates. By setting the limit based only on the number of one-way trips instead of providers? PUC per-mile rate, this Department IT control is not effective at ensuring taxi claims are paid properly. To ensure accurate payments for NEMT taxi claims, the Department will need methods, such as IT controls in interChange, and clarification in the Billing Manual and Rate Schedule, to ensure taxi providers are paid based on set rates, and ensure each taxi provider is permitted. ? No IT controls to ensure required prior authorizations. Air ambulance services were paid without the Department?s prior authorization for the services because the Department does not have IT controls to ensure prior authorization before payment. If the Department does not implement IT controls to ensure appropriate prior authorizations of NEMT services, the Department will need to develop manual processes to ensure that NEMT services receive required authorization prior to paying the related claims. Lack of Department Monitoring of NEMT Services and Claims ? Insufficient methods to ensure appropriate payment and collect necessary documentation from providers that bypass the statewide brokerage. Although the Department reviewed NEMT provider supporting documentation for NEMT services in 2019, the Department did not do so in 2020 or 2021, and had no process to require the providers that bypassed the statewide brokerage to submit documentation to support their NEMT claims before they were paid. According to the Department, in September 2021, it plans to require providers in nine counties covered by the IntelliRide brokerage contract to provide and submit claims through IntelliRide; however, NEMT providers in the remaining 55 counties will be submitting NEMT claims directly to the Department. Therefore, it is important that the Department develop a process to ensure that providers in these 55 counties maintain required documentation for each claim. ? Lack of monitoring to ensure Intelliride submits accurate mileage claims and collects necessary documentation. The Department does not conduct reviews of IntelliRide?s documentation in EcoLane to ensure it submits claims for accurate mileage and maintains support for claims submitted to or paid by the Department. For example, the Department does not reconcile its NEMT claims data from interChange and IntelliRide?s EcoLane system data to ensure each claim is supported. Furthermore, the Department has never completed a file review of IntelliRide?s supporting documentation for NEMT claims, such as when the Department contracted with IntelliRide to be a regional broker prior to becoming the statewide broker. ? No method to ensure NEMT service claims are for rides for medical treatment and the least costly. The Department does not conduct any reconciliation of its interChange data on NEMT trip claims to its interChange data on Medicaid medical claims to ensure NEMT claims are only paid for recipients to access medical care. The Department also does not require confirmation from medical providers that recipients used NEMT to access necessary medical care. For example, NEMT providers told us that before the start of the IntelliRide statewide brokerage contract, they either called medical providers to confirm that the recipients? NEMT trips were to access medical appointments or collected medical providers? signatures for each NEMT trip. In addition, the Department has no controls to ensure providers that submit claims directly to the Department are providing the least costly NEMT service appropriate to each recipient, such as public transportation when it is accessible and appropriate. For example, IntelliRide instructs its staff to attempt to schedule the lowest-cost NEMT service based on recipients? mobility needs and access to public transportation; however, the Department has no such method to ensure services are the least costly when NEMT providers schedule services for recipients. As of September 2021, the Department plans to have the recipients who live in the 55 counties not served by IntelliRide begin scheduling their rides directly with the NEMT providers of their choosing, yet the Department has not developed a method to ensure recipients in these areas receive the lowest-cost services appropriate for their needs. ? Potentially insufficient Department staffing to monitor NEMT claims effectively. For Fiscal Year 2021, the Department was appropriated three full-time equivalent (FTE) staff to oversee NEMT claims; however, the Department had two vacancies in these positions from July 2020 through May 2021 that it did not fill, so there was only one Department staff overseeing NEMT and the IntelliRide statewide contract during the audit time period. In June 2021, the Department added an additional FTE staff member to assist in administering the NEMT benefit. Why do these problems matter? Likely federal recovery of funds used for improper payments. Section 25.5-4-301(2), C.R.S., states that any overpayments of claims to providers are recoverable and ?are recoverable regardless of whether the overpayment is the result of an error by the state department? an entity acting on behalf of [the department], or the provider or any agent of the provider.? Our audit identified $291,597 in known questioned costs, of which about $145,797 is the federal portion of funds that the federal government may recover. We also identified $5,180,962 in likely questioned costs, of which $2,590,480 is the federal portion of funds that could be recovered if the payments are determined to have not been appropriate. The following table shows the questioned costs and federal portions for each problem we identified. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote When providers bypass broker controls, service quality is not monitored. When the Department allows some NEMT providers to bypass the IntelliRide broker, and does not obtain documentation to support their claims, the Department is unable to monitor the services of these providers. Additionally, when the Department does not monitor providers that bypass the statewide broker, the Department is applying different and possibly inadequate standards for the providers that bypass compared to the providers that work with IntelliRide. Although the Department plans for IntelliRide to no longer be the statewide NEMT broker for all 64 counties beginning September 2021, IntelliRide will continue to administer NEMT trips for nine Front Range counties that account for the majority of NEMT trips. It is important that all NEMT trips in these counties be brokered through IntelliRide so that the Department can monitor the quality of the trips and IntelliRide?s oversight of them. Risk of fraud, waste, and abuse. When the Department pays NEMT claims that are not supported by documentation of the service, medical documentation showing NEMT was for medical treatment, or the required prior authorizations, there is a significant risk of misappropriation of federal and state funds by providers and/or recipients. In addition, the eight providers not permitted as taxis that submitted taxi claims appear to have set their own rates of payment at a significantly higher rate, since the PUC did not permit or set rates for these providers. While we did not identify confirmed fraud by recipients or providers due to a lack of supporting documentation for claims, the problems identified demonstrate waste of public funds and potential abuse of the Medicaid program. When the Department overpays Medicaid funds and pays for unallowable services, there are fewer funds available to service the recipients who need them. In addition, there is no federal or state limit on payments for NEMT services, so it is important that the Department ensure Medicaid recipients receive appropriate transportation to medical treatment, while also ensuring the Department is acting as a good steward of federal and state funds. See Schedule of Findings and Questioned Costs for chart/table Character Limit Exceeded See Statewide Single Audit Report
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-047 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-034 MEDICAID CONTROLS OVER ELIGIBILITY DETERMINATIONS Individuals and families seeking medical benefits through Medicaid must apply and provide certain information to caseworkers at their local county or an MA site, which collects required documentation for determining the applicants? eligibility. Such documentation includes the applicants? birth certificates, support for income, and the value of resources, such as wage stubs and bank account balances. Caseworkers enter the applicant-provided data into CBMS, which contains system checks for determining the applicants? eligibility to receive Medicaid benefits. These system checks include calculating and verifying income and resources for the applicants, as well as assessing and collecting fees for benefits, such as buy-in premiums. For example, CBMS will mark an applicant?s eligibility as fail if the reported income or resources exceed specific limits that are set by federal and state regulations. The Department is responsible for monitoring the local counties? and MA sites? administration of Medicaid to ensure eligibility is determined in accordance with federal and state regulations. Medicaid applicants may be eligible for retroactive eligibility, which allows new Medicaid applicants to receive coverage for up to 3 months prior to the date of one?s application. As long as the individual meets Medicaid?s eligibility requirements in the 3 months preceding their application, the Department will retroactively pay Medicaid covered expenses that individuals incurred during that timeframe. Without retroactive eligibility, benefits for Medicaid eligible individuals begin on the date the application was received by the local county or MA site. As an example, if an individual has medical expenses in March, applies for Medicaid in June, and the individual has met the eligibility requirements for 3 months preceding their application, then any unpaid Medicaid covered expenses for March, April, and May are paid by Medicaid. Eligibility data from CBMS feeds into the Colorado interChange system (Colorado interChange), which issues payments to Medicaid providers for the services they render to Medicaid beneficiaries. The Department pays Medicaid providers through two methods: (1) directly through fee-for-service (FFS) payments for specific services rendered or (2) indirectly through monthly fixed amounts known as capitation payments that are paid to managed care entities, who contract with providers for services. The monthly capitation payments are paid every month on behalf of beneficiaries regardless of whether the beneficiaries receive medical services during the month. Colorado interChange is programmed to pay the FFS and monthly capitation payments only on behalf of beneficiaries deemed eligible in Colorado interChange based on eligibility information received from CBMS and requirements specified in federal and state rules and regulations. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to review the Department?s internal controls over the Medicaid eligibility determination process, as well as to determine whether the Department complied with applicable federal and state Medicaid eligibility requirements during Fiscal Year 2020. We performed testing on a statistical sample of 125 case files related to beneficiaries who (1) were deemed eligible for Medicaid during Fiscal Year 2020 and (2) had a payment made on their behalf to a Medicaid provider between July 1, 2019, and February 29, 2020. The purpose of our testing was to determine whether the beneficiaries were appropriately determined to be eligible for Medicaid during the time they received services within this period. This audit period was selected to accommodate changes that were made to federal Medicaid eligibility requirements in March 2020 due to the COVID-19 PHE. Our testing involved reviewing Medicaid case files, CBMS data fields, and supporting documentation related to eligibility determinations and redeterminations, as well as Medicaid payment information in Colorado interChange. For each beneficiary, we determined whether the Department ensured that local county and MA site caseworkers obtained and maintained required documents supporting eligibility determinations and redeterminations, and correctly entered eligibility data into CBMS. Additionally, for each sampled beneficiary, we determined whether CBMS showed the correct income and resources, the beneficiary was enrolled in the appropriate Medicaid program, buy-in premiums were assessed, and payments were not made after eligibility had ended during Fiscal Year 2020. We also inquired about the Department?s monitoring procedures over local counties and MA sites to ensure eligibility is determined in accordance with federal and state regulations. Additionally, we reviewed the Department?s progress in implementing our Fiscal Year 2019 audit recommendation related to Medicaid eligibility. Based on the results of that audit, we recommended that the Department strengthen its internal controls over Medicaid by providing adequate training, monitoring the local counties and MA sites, and researching and resolving CBMS system issues identified in our Fiscal Year 2019 audit. STATISTICAL SAMPLING METHODOLOGY We selected a statistical sample of Medicaid beneficiaries for our review of their case files in a manner that?if we found errors?would allow us to estimate the total number of beneficiaries who were improperly deemed eligible, as well as the resulting dollar amount of Medicaid benefit payments that were improperly paid during the audit period of July 1, 2019, through February 29, 2020. We designed our sampling methodology and sample size to support statistical projections of our testing results to the population of all beneficiaries for whom payments were made during the audit period. Our methodology included the following procedures: ? We requested and received from the Department a listing of all Medicaid FFS and capitation payments with a date of service during the audit period. The data set included State identification numbers (ID), which are unique to each beneficiary. ? We summarized all Medicaid payments made during the audit period by ID and removed any IDs for which total payments and adjustments netted to $0, which can happen when the Department catches and fixes payments made in error. This resulted in a population of 1,386,220 unique IDs that had a total of $5,408,339,948 in payments made on their behalf during the audit period. ? We used a stratified random sample, as shown in the following table, consisting of six strata defined by the total amount of payments for each unique ID. We selected random samples from each strata for a total of 125 IDs that had benefit payments totaling $3,127,704. The strata and sample sizes were defined based on our risk assessment and consultations with audit sampling methodologists from the U.S. Department of Health and Human Services, Office of Inspector General (HHS OIG). ? For each sampled ID, we tested eligibility covering the dates of service for every payment made on the individual?s behalf within the audit period. ? After we concluded our testing, we used HHS OIG?s Office of Audit Services statistical software in consultation with HHS OIG to project our results to the full population of IDs for which benefits were paid during the audit period. See Schedule of Findings and Questioned Costs for chart/table. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? For 32 of the 125 Medicaid beneficiaries? case files that we tested (26 percent), we identified at least one error within each case file. In total, we identified 43 errors within the 32 case files. These errors resulted in a total of $25,120 in known questioned costs for July 1, 2019, through February 29, 2020, and $6,843 in likely questioned costs for March 1, 2020, through June 30, 2020, as shown in the following table. See Schedule of Findings and Questioned Costs for chart/table. A questioned cost, as defined in federal regulations [45 CFR 75.2 Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards (Uniform Guidance)], is ?a cost that is questioned by the auditor ? (1) Which resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds; [or] (2) Where the costs, at the time of the audit, are not supported by adequate documentation?.? Furthermore, federal regulation [45 CFR 75.516] defines known questioned costs as questioned costs that are specifically identified by the auditor and likely questioned costs as an auditor?s best estimate of total questioned costs. During the COVID-19 PHE, CMS issued waivers that limited the Department?s ability to deny eligibility for enrolled beneficiaries. The Department also sought guidance from CMS on the treatment of beneficiaries who were ineligible prior to the COVID-19 PHE but were receiving benefits during this period. CMS guidance indicated that the Department should keep these beneficiaries enrolled during the COVID-19 PHE. Therefore, we are reporting any identified questioned costs from March 1, 2020, through June 30, 2020, the period during the COVID-19 PHE, as likely questioned costs. PROJECTED LIKELY QUESTIONED COSTS FOR JULY 2019 THROUGH FEBRUARY 2020. Based on our sample, we estimate the projected Medicaid questioned costs resulting from payments made on behalf of ineligible beneficiaries in the population between July 1, 2019, and February 29, 2020, to be about $165.6 million and, with 90 percent confidence, to be at least $41.1 million but not more than $290.0 million. This projection is based on the $25,120 in known questioned costs, or misstatements, we identified in our sample during the audit period. The American Institute of Certified Public Accountants Audit Sampling, May 1, 2017, Audit Guide [AAG-SAM 4.95] advises, ?Even if the misstatement appears to be from an unusual source, that does not mean that other unusual items are not in the population and that the original sample was not representative.? In accordance with this guidance, we projected the known questioned costs to the population of payments for services that occurred from July 1, 2019, through February 29, 2020, regardless of the nature of the errors or the programs involved, since the Department is ultimately responsible for all payments made to providers on behalf of eligible beneficiaries. The projected questioned costs amount of $165.6 million is based on a statistical calculation that does not correlate to specific payments to providers or to over-expenditures of the State?s General Fund or federal funds. However, this calculation indicates that if we tested the entire population, there is a 90 percent likelihood of finding the true amount of questioned costs to be between $41.1 million and $290.0 million and the amount would most likely be close to $165.6 million in erroneous payments. There is a 5 percent chance that the true amount of questioned costs is less than $41.1 million, and a 5 percent chance the true amount is over $290.0 million. PROJECTED LIKELY NUMBER OF INELIGIBLE BENEFICIARIES FOR JULY 2019 THROUGH FEBRUARY 2020. We also estimate that 169,026 beneficiaries, or with 90 percent confidence that at least 59,622 (4.30 percent) but not more than 278,429 (20.09 percent) beneficiaries, in our total population of 1,386,220 were likely ineligible at the time they received services from July 1, 2019, through February 29, 2020. The following table summarizes the results of our projections. See Schedule of FIndings and Questioned Costs for chart/table. The following table summarizes the total known and likely questioned costs based on our case file testing and statistical sampling results for Fiscal Year 2020. See Schedule of Findings and Questioned Costs for chart/table. DETAILS OF ERRORS IDENTIFIED. In some case files, we identified multiple instances of errors. Specifically, we found the following: ? PAYMENTS AFTER ELIGIBILITY HAS ENDED. In three cases, the Department paid for services after the beneficiary?s eligibility had ended. Specifically, in two cases, the beneficiaries continued to receive benefits after their death. In the remaining case, the Department determined the beneficiary was ineligible and ended the beneficiary?s benefits; however, payments continued to be made on behalf of the beneficiary after their eligibility had ended. These issues resulted in known questioned costs of $11,102. Federal regulation [42 CFR 433.304] states that an overpayment is the amount paid by a state agency to a provider in excess of the allowable amount for furnished services. Because medically necessary services cannot be provided after a beneficiary?s death, no medical services are allowable after a beneficiary?s death. Accordingly, payments for medical services claimed to have been provided after a Medicaid beneficiary?s death are overpayments. According to federal regulation [42 CFR 431.958], ?Improper payment means any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements; and includes any payment to an ineligible beneficiary, any duplicate payment, any payment for services not received, any payment incorrectly denied, and any payment that does not account for credits or applicable discounts.? ? INELIGIBLE FOR PROGRAM. In one case, the beneficiary was ineligible for the benefits received under Medicaid?s Social Security Income (SSI) mandatory program, which is a medical assistance program provided to persons eligible for financial assistance under SSI from the Social Security Administration (SSA). As a result of an eligibility redetermination, the caseworker determined that the beneficiary had not been eligible for the program since January 2019; however, the beneficiary received benefits under this program for the entire fiscal year. This issue resulted in known questioned costs of $8,326 and likely questioned costs of $4,132 for Fiscal Year 2020. State regulations [10 CCR 2505-10, 8.100.6.C.1a. and b.] state that Medicaid benefits must be provided to persons receiving financial assistance under SSI or persons who are eligible for financial assistance under SSI, but are not receiving SSI. ? INCOME ISSUES. We identified the following income-related issues: ? INCOME EXCEEDING THRESHOLD. In two cases, CBMS incorrectly calculated the beneficiaries? income. CBMS used income information reported by the beneficiary when it should have used electronic income information received through an interface with another system. If CBMS had correctly used the electronic income information, beneficiaries? income would have been over the limit set by federal regulation and the beneficiaries, therefore, should have been denied benefits at their redetermination. Instead, the beneficiaries were approved at their redeterminations and Colorado interChange paid claims on their behalf. These errors resulted in known questioned costs of $4,613 and likely questioned costs of $2,281. ? INCOME NOT VERIFIED. In one case, the caseworker did not verify income for the beneficiary. Specifically, the beneficiary reported income on the application, but the caseworker was unable to verify the income and deleted the income record from CBMS. This error resulted in known questioned costs of $779 and likely questioned costs of $280. ? INCORRECT INCOME THRESHOLD. In one case, CBMS used the incorrect income threshold for the beneficiary?s eligibility determination. The beneficiary?s income was less than the correct income threshold and, therefore, this error did not result in questioned costs. ? INCORRECT INCOME. In three cases, the caseworker used the incorrect income amount to determine eligibility. Specifically, in two cases, the caseworker excluded income when it should have been included for determining eligibility. In the remaining case, the caseworker did not include expenses to calculate self-employment income and, as a result, the caseworker overstated income for determining eligibility. No questioned costs were identified in these instances because the beneficiaries? income was still within federal and state income guidelines. Federal regulation [42 CFR 435.119] requires household income to be at or below 133 percent threshold of the federal poverty level and the State regulation [10 CCR 2505-10, 8.100.6.L.2.c] requires qualified beneficiary?s income to be at or below the federal property level. Federal regulation [42 CFR 435.914] requires the Department to obtain and maintain documentation to support each beneficiary?s Medicaid eligibility determination. State regulation [10 CCR 2505-10, 8.100.5.B.1.c] requires the caseworker to verify earned income in determining whether an individual qualifies for medical assistance and requires the Department to verify income reported by a beneficiary through an electronic data source, wage stubs, tax documents, or verification with the employer. State regulation [10 CCR 2505-10, 8.100.3.K.8.a] requires business expenses to be deducted from countable self-employment income when calculating Medicaid applicants? self-employment income. ? MISSING REDETERMINATION. In one case, the Department did not complete the annual redetermination for the beneficiary as required by the federal regulation. Specifically, the beneficiary had Medicaid payments paid on their behalf during the entire Fiscal Year 2020; however, the beneficiary had not been redetermined since April 2018 due to the beneficiary showing as ineligible in CBMS. This issue resulted in known questioned costs of $300 and likely questioned costs of $150. Federal regulation [42 CFR 435.916(a)] requires the Department to renew or redetermine Medicaid eligibility once every 12 months but no more frequently than once every 12 months. ? BUY-IN PREMIUMS NOT ASSESSED. In one case, the Department did not assess buy-in monthly premiums for the beneficiary. Beneficiaries are required to pay buy-in premiums to receive benefits under the Buy-in Working Adults with Disabilities program. Therefore, the beneficiary was not eligible for the Program during November 2019 through February 2020. The beneficiary did not have any claims submitted by providers during this time and therefore, this issue did not result in questioned costs. State regulations [10 CCR 2505-10, 8.100.6.P.1.f] require individuals to pay monthly premiums on a sliding scale based on income for the Buy-in Working Adults with Disabilities program to be eligible to receive benefits. ? INAPPROPRIATE CHANGE TO ELIGIBILITY. In two cases, the Department did not determine eligibility in accordance with state regulation. Specifically, the beneficiaries provided information to the Department that changed their eligibility and the caseworkers applied the change retroactively; these beneficiaries were current Medicaid beneficiaries rather than new applicants and state regulations do not allow eligibility to be changed retroactively for current beneficiaries. These issues did not result in questioned costs. State regulation [10 CCR 2505-10, 8.100.3.E] requires that retroactive eligibility only be provided to new applicants for the prior 3 months preceding the date of application. State regulations do not allow for retroactive redeterminations to existing beneficiaries.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-048 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-035 MEDICAL ASSISTANCE PAYMENTS FOR DECEASED BENEFICIARIES As a safeguard against potential errors and fraud, state and local agencies need to be vigilant in preventing payments for medical services on behalf of ineligible individuals, such as those who are deceased. In general, the Department, local counties, and MA sites share responsibility for ensuring that only eligible beneficiaries receive public assistance benefits under Medicaid and CBHP. Local counties and MA sites caseworkers enter the required data for eligibility determination into CBMS, which either approves or denies eligibility for MA benefits. In addition, CBMS has various system interfaces to confirm and update the eligibility information in CBMS, including the date of death. Eligibility data in CBMS feeds daily into Colorado interChange and the Department pays providers through two methods: (1) FFS payments to medical service providers for specific services, including pharmacy prescriptions, and (2) capitation payments. The monthly capitation payments are paid at the beginning of each month regardless of whether the providers serve beneficiaries during the month or not. FFS payments are only made for Medicaid beneficiaries while capitation payments are made for both Medicaid and CBHP beneficiaries. Colorado interChange is programmed to pay FFS and monthly capitation payments only on behalf of beneficiaries that are deemed eligible based on eligibility information received from CBMS and requirements specified in federal and state regulations. CBMS receives beneficiary death information through various sources, including updates from beneficiaries? family members, daily interfaces with the SSA, and a monthly interface with the Colorado Electronic Death Registration System maintained by the Colorado Department of Public Health and Environment (CDPHE). If death information received in CBMS has not been verified, the Department will confirm the death information by sending notification letters to the deceased beneficiary. Once the death information is verified, CBMS is programmed to terminate the beneficiary?s eligibility as of the date of death. On a daily basis, CBMS then sends updated beneficiary eligibility and date of death information to Colorado interChange, which is programmed to run a daily automated process to stop payments, check for payments, and recover all FFS and capitation payments made after the beneficiary?s verified date of death. In the majority of cases, there is a delay between when the beneficiary dies and when the Department receives death information, verifies the date of death, and terminates benefits; which means that claims may be paid on behalf of deceased beneficiaries for a period of time. Per federal regulations, the Department is required to recover any payments made on behalf of these beneficiaries after their date of death. Once the Department receives verified death information, overpayments are recovered through an automated process in Colorado interChange. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over Medicaid and CBHP payments related to beneficiaries who die while receiving benefits, to determine whether the Department complied with applicable federal and state requirements, and whether payments were only made on behalf of eligible beneficiaries during Fiscal Year 2020. During our audit, we received a listing of all Coloradans who died during Fiscal Year 2020, including dates of death, from CDPHE staff. We also obtained a listing from the Department of all Medicaid and CBHP payments made to providers during Fiscal Year 2020. We compared the two listings using Social Security Numbers (SSN) and identified 1,059 Medicaid and CBHP IDs that had Medicaid payments totaling $429,951 made on their behalf and $194 in CBHP payments made on their behalf. In addition, we reviewed the Department?s processes, policies, and procedures for identifying, stopping, and recovering payments for deceased beneficiaries. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? Federal regulation [42 CFR 431 Subpart Q, Requirements for Estimating Improper Payments in Medicaid and CHIP] states that any payment to an ineligible beneficiary is considered an improper payment, which is any payment that should not have been made or that was made in an incorrect amount. Also, Section 25.5-4-301(2), C.R.S., requirements for Medicaid and CBHP, states that any overpayments of claims to providers are recoverable. These overpayments ?are recoverable regardless of whether the overpayment is the result of an error by the state department, a county department of human or social services, an entity acting on behalf of either department, or by the provider or any agent of the provider.?? Additionally, Section 25.5-4-301(2)(a)(II), C.R.S., states, ?If the state department makes a determination that such overpayment has been made for some other reason than a false representation by the provider?, the state department may waive the recovery or adjustment of all or part of the overpayment and accrued interest specified in this subparagraph (II) if it would be inequitable, uncollectible or administratively impracticable?.? Because medically necessary services cannot be provided after a beneficiary?s death, no medical services are allowable after a beneficiary?s death and, accordingly, payments for medical services claimed to have been provided after a beneficiary?s death are overpayments and should be recovered. Pursuant to 1903(d)(2)(C) of the Social Security Act [42 U.S.C. 1396b] requirements for Medicaid and CBHP, states have up to 1 year from the date of discovery of any overpayment to recover or attempt to recover the overpayment before the federal share must be refunded to CMS, regardless of whether or not recovery is made from the provider. According to federal regulation [45 CFR 75.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. Green Book, Paragraph 16.01, states that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. A questioned cost, as defined in Uniform Guidance [45 CFR 75.2], is ?a cost that is questioned by the auditor ? (1) Which resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds; [or] (2) Where the costs, at the time of the audit, are not supported by adequate documentation?.? Additionally, federal regulation [45 CFR 75.516] defines known questioned costs as questioned costs that are specifically identified by the auditor and likely questioned costs as the auditor?s best estimate of total questioned costs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We found that the Department made Medicaid and CBHP payments to providers for medical services claimed to have been rendered to Medicaid and CBHP beneficiaries after the months in which beneficiaries died. Specifically, the Department made payments on behalf of 1,059 beneficiaries after their date of death provided by CDPHE, resulting in overpayments of $185,265, of which $96,952 were paid with federal grant funds, as follows: MEDICAID FFS PAYMENTS. We identified 277 Medicaid beneficiaries whose SSN matched a death record from CDPHE and who had Medicaid FFS payments totaling $207,667 paid on their behalf to providers after their date of death. We reviewed payments for 21 of the 277 Medicaid beneficiaries and confirmed with the Department that 17 of the 21 beneficiaries (81 percent) were deceased and had payments made on their behalf after their date of death during Fiscal Year 2020. We also found that the Department had not recovered these improper FFS payments to ineligible beneficiaries as of the end of Fiscal Year 2020 and, therefore, these errors resulted in known questioned costs of $17,041, of which $8,654 was paid with federal grant funds. For the remaining four Medicaid beneficiaries, the Department researched and provided evidence that the beneficiaries were not deceased. Therefore, these four beneficiaries did not result in questioned costs. The remaining 256 beneficiaries whose SSN matched a death record from CDPHE and need to be researched and verified resulted in likely questioned costs of $77,840, of which $41,422 was paid with federal grant funds. MEDICAID AND CBHP CAPITATION PAYMENTS. We identified 846 Medicaid and CBHP beneficiaries whose SSN matched a death record from CDPHE and who had capitation payments paid on their behalf to providers after their date of death that had not been recovered as of the end of Fiscal Year 2020, totaling $222,630 for Medicaid and $194 for CBHP. We informed the Department of the issues we identified and provided them with the list of 846 beneficiaries. Department staff performed additional follow-up and confirmed that Colorado interChange had received verified death records for 747 of the 846 beneficiaries and a total of $170,747 in provider payments had been made on the beneficiaries? behalf after their dates of death during Fiscal Year 2020. These payments resulted in known questioned costs of $168,224, of which $88,150 was paid with Medicaid federal grant funds and $148 was paid with CBHP federal grant funds. For 12 out of the 747 beneficiaries, the date of death reported in Colorado interChange differed from the date of death provided by CDPHE. Part of the payments to these beneficiaries resulted in likely questioned costs of $2,524, of which $1,401 was paid with Medicaid federal grant funds. For the remaining 99 of the 846 beneficiaries, the Department reported that Colorado interChange did not have death information for these beneficiaries and had not researched these further. As a result, Medicaid payments for these 99 beneficiaries are reported as likely questioned costs of $52,076, of which $28,508 was paid with federal grant funds. The following table summarizes the issues we identified. See Schedule of Findings and Questioned Costs for chart/table. WHY DID THESE PROBLEMS OCCUR? Overall, the Department lacked sufficient internal controls to ensure that medical assistance payments were not paid to deceased individuals during Fiscal Year 2020, as follows: ? LACK OF WRITTEN POLICIES AND PROCEDURES. The Department does not have written policies and procedures to monitor payments to deceased beneficiaries, to recover overpayments, and to ensure compliance with federal and state regulations related to medical assistance payments after a beneficiary?s date of death. ? SYSTEM ISSUES. We identified the following Colorado interChange system issues that caused the errors we identified: ? According to the Department, when Colorado interChange was implemented in 2017, it was programmed to only recover capitation payments in the current month and previous 2 months for Medicaid beneficiaries, and in the current month and previous 5 months for CBHP beneficiaries, after death information is received. As a result, for instances in which the Department received and verified beneficiaries? death information more than 3 months after the date of death for Medicaid and more than 6 months after the date of death for CBHP, the Department was not automatically recovering all improper capitation payments in accordance with federal and state regulations. According to the Department, in November 2020, the Department updated Colorado interChange to correct this system issue to recover all capitation payments after a beneficiary?s date of death. ? The Department lacks an effective internal control process for detecting when Colorado interChange is not recovering payments made on behalf of deceased beneficiaries. Specifically, we identified issues related to Medicaid FFS payments and followed up with the Department. Upon further review, the Department discovered a system defect that occurred from October 23, 2019, through April 23, 2020, which prevented Colorado interChange from carrying out the daily automated check and recovery process for FFS payments made on behalf of deceased beneficiaries. Due to this system defect, Colorado interChange did not recover any payments for deceased beneficiaries during this time. Although the system defect was fixed in April 2020, the Department was not aware of the issue and that payments were not being recovered for deceased beneficiaries until the Department researched the beneficiaries identified through the audit. According to the Department staff, as of May 2021, the Department was still researching the deceased beneficiaries impacted by the system defect and recovering payments. WHY DO THESE PROBLEMS MATTER? Without strong internal controls over Medicaid and CBHP eligibility, the Department increases the risk of improper payments due to fraud or error. Furthermore, making payments on behalf of ineligible individuals, including individuals who are deceased, can result in the Department having to repay the federal government for the federal portion of the overpayments. Additionally, the federal government can disallow federal funds for program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-035 The Department of Health Care Policy and Financing should improve its internal controls over Medicaid and Children?s Basic Health Plan (CBHP) payments for deceased beneficiaries by: A Establishing and implementing written policies and procedures to monitor payments to deceased beneficiaries, recover any overpayments, and to ensure compliance with state and federal regulations. B Researching and resolving the Colorado interChange system (Colorado interChange) issues to ensure that all Medicaid and CBHP payments are stopped and recovered after a beneficiary?s date of death and developing a process to detect when Colorado interChange is not recovering payments on behalf of deceased beneficiaries. C Researching and recovering any overpayments made to providers on behalf of ineligible beneficiaries noted through the audit in accordance with state requirements. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will create written procedures documenting system and monitoring processes used to prevent claims from paying after a beneficiary?s date-of-death is verified. In addition, the procedures will document the processes used to recover payments made between a beneficiary?s verified date-of-death and the date the Colorado interChange system is updated with the date-of-death. B AGREE. IMPLEMENTATION DATE: JULY 2022. The system issues described in this audit were resolved as of April 2020 for fee-for-service claims and November 2020 for capitation payments. Once a beneficiary's date-of-death is verified, payments that were made after to the date-of-death will be recovered through the Department's existing processes. As noted in the Department?s response to Recommendation (A), the Department will create written procedures documenting system and monitoring processes used to prevent claims from paying after a beneficiary?s date-of-death is verified. In addition, the procedures will document the processes used to recover payments made between a beneficiary?s verified date-of-death and the date the Colorado interChange system is updated with the date-of-death. AUDITOR?S ADDENDUM As noted in the finding, the Colorado interChange system defect did not recover payments from October 23, 2019, through April 23, 2020. However, the Department was not aware of the system defect until it researched the beneficiaries identified through the audit. According to Department staff, as of May 2021, the Department was still researching the beneficiaries that were impacted by the system defect and recovering payments. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will recover any overpayments made to providers on behalf of deceased beneficiaries once a beneficiary's date-of-death is verified based on our current processes and existing system functionality. The Department does not agree to the questioned costs identified by the auditors. When performing a review of the auditor?s data, several beneficiaries were found not to be deceased by the Department. The records provided by the auditors, like all records received from Colorado Department of Public Health and Environment (CDPHE) and the Social Security Administration (SSA), will go through the Department?s existing verification process. The Department performs the required research and outreach to beneficiaries to verify the date-of-death prior to updating the information in the Colorado interChange. In addition, the Department is not required to recover payments by the end of the state fiscal year, and reports any payments recovered to the Centers for Medicare and Medicaid Service (CMS) based on federal requirements. The Department?s source of beneficiary data, the verification processes, and recovery processes have already been established to satisfy this recommendation within federal guidelines. AUDITOR?S ADDENDUM As noted in the finding, all known questioned were for deceased beneficiaries that were verified by the Department. All likely questioned costs were for beneficiaries that had yet to be researched and verified by the Department. According to Department staff, as of May 2021, the Department was still researching and recovering payments made on behalf of deceased beneficiaries.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-050 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-037 RECOVERING AND REFUNDING OF FEDERAL SHARE OF MEDICAID AND CBHP PROVIDERS? OVERPAYMENTS The Department pays providers for services rendered to eligible beneficiaries of Medicaid and CBHP programs. In some cases, the Department may discover that it paid a provider for unallowed services, or that it paid more than the allowable amount, and will need to seek a recovery for the overpayment. In such cases, the Department is required to repay CMS for the portion of the overpayment that was funded by the federal government (federal share) within 1 year of the date the overpayment was identified. The Department?s Program Integrity (PI) Division identifies, receives, and tracks overpayments made to Medicaid and CBHP providers. An overpayment is identified once the PI Division sends a Demand Letter (date of discovery) to the provider or receives a self-disclosure identifying the amount of overpayment. The provider has a deadline of 30 days after receiving a Demand Letter or 60 days after submitting a self-disclosure to submit the overpayment or make arrangements for a payment plan with the PI Division. The PI Division uses a recovery tracking spreadsheet (Spreadsheet) to compile all necessary information for the recovery and refund of overpayments. The Spreadsheet is designed to contain information such as the amount of the overpayment, date of discovery, and deadlines for refunding to CMS. The federal share of overpayments that must be refunded to CMS depends upon the Federal Medical Assistance Percentage (FMAP) at which the Department was reimbursed. Once the PI Division recovers an overpayment from the provider, it determines the FMAP and includes it in a recovery form called the Colorado Authorization Document; PI Division staff then send it to the Controller?s Division for recording the recovery and refund information in the Colorado Operations Resource Engine (CORE), the State?s accounting system. The Department?s Controller?s Division uses summary data from CORE to report financial information for Medicaid and CBHP?including all overpayments and the associated federal share?to CMS in quarterly reports: Form CMS-64 for Medicaid and Form CMS-21 for CBHP. The Department has up to 1 year from the date of discovery of an overpayment to report the refund to CMS in one of these forms, as appropriate. The PI Division works with the Controller?s Division to ensure the timely reporting and refunding of the federal share of overpayments to CMS. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to review the Department?s internal controls over processes for recovering, reporting, and refunding the federal share of Medicaid and CBHP overpayments, as well as to determine whether the Department complied with applicable federal requirements and Department policies and procedures during Fiscal Year 2020. During our audit, we reviewed the Department?s Spreadsheet detailing all overpayment cases that appeared to be due for a refund of federal share to CMS during Fiscal Year 2020. The Spreadsheet included 50 Medicaid and seven CBHP overpayment cases, and from these, we selected and tested a sample of 13 Medicaid and five CBHP overpayments. We requested and reviewed supporting documentation for these overpayments to determine whether (1) the information recorded in the Spreadsheet was accurate, (2) the overpayment was recovered in a timely manner or recovery was attempted within 1 year from the date of discovery, and (3) the federal share was appropriately refunded through quarterly reports to CMS in accordance with federal regulations. Additionally, we requested the Department?s policies and procedures to ensure compliance with federal regulations governing the recovery, reporting, and refunding of Medicaid and CBHP overpayments to CMS. The process followed for recovery, reporting, and refunding the federal share of overpayments to providers is the same for both Medicaid and CBHP, and our testing was used to determine compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal regulations for recovering, reporting, and refunding the federal share of Medicaid and CBHP overpayments to providers during Fiscal Year 2020. We noted issues with the untimely recovery and refund of overpayments to CMS, inaccurate federal reporting to CMS, and untimely follow-up with the provider on outstanding overpayments and expired checks. Specifically, we identified the following: ? UNTIMELY RECOVERY AND REFUND. For six of the 13 Medicaid (46 percent) and two of five CBHP (40 percent) overpayments tested, the Department failed to recover, or seek to recover, the overpayments from the provider and failed to refund to CMS, the federal share, within 1 year of the date of discovery, as required by federal regulations. For example, an overpayment was identified on September 13, 2018, but the Department did not recover, or seek to recover, the overpayment until September 15, 2020, and did not refund the federal share to CMS until federal quarter ending September 30, 2020, which is 367 days past the 1 year recovery and refund period in accordance with the federal requirement. In addition, for one of the 13 Medicaid (8 percent) and one of five CBHP (20 percent) overpayments tested, the Department failed to refund the federal share of overpayment to CMS within 1 year of the date of discovery. As a result of untimely follow-up with the providers, the Department did not recover the overpayments amounting to $23,646 in known questioned costs; and did not refund $12,176 within the 1 year period of discovery. These errors resulted in underreporting of overpayments to CMS for Fiscal Year 2020. Additionally, the Department could be liable to CMS for the interest payments on these untimely refunds of overpayments. As of the end of our audit, the Department had not provided an estimated amount of interest that will be due to CMS so we were unable to report an estimated questioned costs amount for the interest. According to federal regulation [42 CFR 433.312(a)(1) and (2)], the Department has 1 year from the date of discovery of an overpayment to a provider to recover or seek to recover the overpayment before the Federal share must be refunded to CMS. In addition, the Department must refund the Federal share of overpayments at the end of the 1-year period following the date discovery of overpayment, whether or not the State has recovered the overpayment from the provider. According to federal regulation [42 CFR 433.320(a)(4)], if the Department does not refund the Federal share of such overpayment as indicated in the previous paragraph (a)(2), the State will be liable for interest on the amount equal to the Federal share of the non-recovered, non-refunded overpayment amount. Interest during this period will be at the Current Value of Funds Rate, and will accrue beginning on the day after the end of the 1-year period following discovery until the last day of the quarter for which the State submits a CMS-64 report refunding the Federal share of the overpayment. ? INACCURATE FEDERAL REPORTING. For all 13 Medicaid (100 percent) and all five CBHP (100 percent) overpayments we tested, the Controller?s Division reported the federal share of the overpayments made to providers on the wrong line of the CMS quarterly reports rather than on the line specified and required by Uniform Guidance. Uniform Guidance states that the Department must report the refund of the overpayment on CMS-64 for Medicaid on line 9C1- Fraud, Waste and Abuse and/or on CMS-21 for CBHP on line 4-Adjustments Decreasing Claims-Collections. ? EXPIRED CHECK AND UNTIMELY FOLLOW-UP. For one of the 13 Medicaid overpayments tested (8 percent), the PI Division failed to timely process the overpayment recovery check received from the provider. Consequently, the check, which was received on September 5, 2019, expired and the Department did not take any actions to follow up with the provider at any time through the end of the fiscal year to obtain payment. After we brought this issue to the Department?s attention, they followed up on the outstanding payment in January 2021, which is more than 16 months since the check expired. According to the Department?s Policies and Procedures, Recovery Officer Check Processing, Section (V)(A), the PI Division within Audits and Compliance has to process the received check in a timely manner and provide a copy to the accounting or Controller Division. ? INCOMPLETE TRACKING SPREADSHEET. We found that the overpayment recovery and refund tracking Spreadsheet used by the PI Division was incomplete and missing important information such as the date of the discovery, the federal program reimbursement rate, and deadlines for refunding to CMS. Green Book, Section 4, Paragraph OV4.08, states that documentation is required for the effective design, implementation, and operating effectiveness of an entity?s internal control system. WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls, including policies and procedures, in place over the recovery, reporting, and refunding of Medicaid and CBHP overpayments during Fiscal Year 2020 to ensure compliance with federal regulations. Specifically, we noted the following causes for the identified errors: ? LACK OF TRAINING. The staff within the PI Division and the Controller?s Division lacked adequate training to document, communicate, and report details of overpayments to ensure compliance with federal regulations. Specifically, the Department?s PI Division did not timely create and provide the Colorado Authorization Document form to the Controller?s Division and the Controller?s Division did not report the refund of the overpayments within 1 year of the date of discovery to ensure compliance with federal regulations. Additionally, staff lacked training to properly track and report overpayments for Medicaid and CBHP; timely process recovery and refund of overpayments, processing checks timely, and correctly report overpayments on CMS quarterly reports. ? LACK OF POLICIES AND PROCEDURES. The Department lacked written policies and procedures to ensure that all necessary information such as the date of the discovery, the federal program reimbursement rate, and deadlines for refunding to CMS required to track, recover, report, and refund overpayments were documented within the Spreadsheet. ? LACK OF ACCOUNT CODES. According to the Controller Division staff, the correct accounting codes are not set up in CORE; therefore, the recovered overpayments are currently recorded under incorrect accounting codes in CORE. This led to the reporting of overpayments on the incorrect federal reporting lines in CMS quarterly reports. ? LACK OF SUPERVISORY REVIEW. The PI Division and Controller?s Division lacked supervisory review over the Spreadsheet and CORE account codes used on the recoveries to ensure completeness and accuracy of information to support timely recovery, refund, and reporting of overpayments. WHY DO THESE PROBLEMS MATTER? Strong internal controls over refunding and recovery of Medicaid and CBHP overpayments, including written policies and procedures; adequate staff training on those policies and procedures, and any related processes; a proper tracking mechanism; and a supervisory review process are necessary to ensure that Department is in compliance with federal and state regulations. Without a proper tracking mechanism for overpayments, the Department risks failing to timely recover state funds paid improperly, refund overpayments, and accurately report overpayment information to the federal government, potentially resulting in additional liability of interest on overpayments to the federal government. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-037 The Department of Health Care Policy and Financing (Department) should improve its internal controls over Medicaid and Children?s Basic Health Plan (CBHP) overpayments and comply with the related payment and reporting requirements by: A Providing adequate training to staff to ensure timely documentation and communication of recovery information between the Program Integrity Division and the Controller Division related to reporting and refunding of overpayments within 1 year of the date of discovery in accordance with federal regulation. Additionally, the training should focus on proper tracking and reporting of overpayments for Medicaid and CBHP, timely processing of recovery of overpayments, timely check processing, and correct refunding of the federal share of these overpayments on Centers for Medicare and Medicaid Services (CMS) quarterly reports. B Developing and implementing written policies and procedures to ensure that all necessary information required to correctly track Medicaid and CBHP overpayments is included on the tracking spreadsheet and recovered overpayments are refunded and reported to CMS within the 1 year of the discovery date, in accordance with federal regulations. C Creating overpayment account codes to report recovered overpayments accurately in the Colorado Operations Resource Engine (CORE) and subsequently under the correct federal reporting lines in CMS quarterly reports. D Implementing a supervisory review over the tracking spreadsheet and CORE overpayment recovery account codes to ensure completeness and accuracy of information to support timely recovery and reporting of overpayments by the divisions. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will develop and provide training to staff that covers the federal regulations surrounding reporting overpayments and returning the federal share, required information for tracking overpayments, processes for processing recovered funds in a timely manner, and processes for properly refunding the federal share on the CMS-64 and/or CMS-21. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will draft and revise existing policies and procedures to ensure proper tracking of recovered overpayments, timely processing of those payments, and correct reporting on the CMS-64 and/or CMS-21. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will implement procedures and coding sufficient to allow proper reporting of overpayments returned greater than one year from the date of discovery for the CMS quarterly reports. D AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will develop and revise supervisory review processes for ensuring that the tracking spreadsheet is complete and accurate and that the CORE account codes are correctly reported.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2020-051 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-038 PRESUMPTIVE ELIGIBILITY Colorado?s presumptive eligibility program is designed to give immediate, temporary medical coverage to children under 19 and pregnant women while they wait for a regular Medicaid or CBHP eligibility determination. Though there are fewer eligibility requirements for presumptive eligibility in comparison with regular Medicaid or CBHP coverage, beneficiaries must submit a Medical Assistance application (Application) and meet certain criteria to be eligible. To manage the application process and help ensure that only people meeting the basic eligibility criteria are enrolled in presumptive eligibility programs for children and pregnant women, the Department partners with clinics, health care centers, and community resource centers that are certified as presumptive eligibility sites (PE sites). Such PE sites must be re-certified by the Department every 2 years to maintain their active status as qualified PE sites in order to process presumptive eligibility. As part of the re-certification process, the Department conducts a sample of eligibility case reviews. During Fiscal Year 2020, there were 57 PE sites that together determined presumptive eligibility for 1,795 Medicaid cases and 875 CBHP cases. The process of enrolling an applicant into a presumptive eligibility program begins when a caseworker at a PE site collects minimum information needed to determine presumptive eligibility, including the applicant?s name, age, residency, citizenship, and income. The caseworker enters this information into CBMS, which determines whether the applicant is eligible to receive Medicaid or CBHP temporary benefits. If the applicant is deemed presumptively eligible, then CBMS feeds relevant data to Colorado interChange, which issues payments to CBHP and Medicaid providers on behalf of these beneficiaries. If the applicant?s reported information is not in compliance with state and federal requirements, CBMS is programmed to deny the eligibility and mark the applicant?s eligibility as fail within CBMS. As a result, the applicant would not be eligible to receive any payments on their behalf through Colorado interChange. Once an applicant?s presumptive eligibility has been determined, the PE site submits the Application along with a transmittal form detailing the beneficiary?s reported information to the appropriate local county or designated MA site, which then completes the application process to determine regular (i.e., not presumptive) eligibility for Medicaid or CBHP benefits. Once the applicant is enrolled in the regular Medicaid or CBHP program, the individual?s presumptive eligibility benefits should end. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to review the Department?s internal controls over the processing of presumptive eligibility for Medicaid and CBHP programs, as well as to determine whether the Department complied with the applicable federal and state requirements for Fiscal Year 2020. During our internal controls testing, we reviewed all 57 PE sites to determine whether they were due for re-certification and were appropriately re-certified to process presumptive eligibility by the Department during the fiscal year. Out of 57 PE sites, 39 were due for re-certification during Fiscal Year 2020. We also reviewed the Department?s case reviews of the presumptive eligibility determinations processed by 13 staff at five out of the 39 PE sites due for re-certification during Fiscal Year 2020 to determine whether reviews were performed and if the appropriate training was provided for those PE sites? staff that failed the Department?s review. The PE site?s staff fails the Department?s case reviews if the Department identifies a high amount of presumptive eligibility determination errors in accordance with federal and state requirements. If the PE site?s staff fails the review, the Department requires the staff to undergo customized Department training over the areas they failed within 6 months of the review. We also made inquiries with Department staff regarding their policies and procedures over monitoring of these PE sites and reviewed the Department?s process of case file reviews. In addition, we randomly selected a sample of 20 Medicaid and 20 CBHP cases for individuals who were deemed presumptively eligible by the Department during Fiscal Year 2020 to determine whether the Department complied with federal Medicaid and CBHP presumptive eligibility requirements. Our testing included reviewing the related supporting case file documentation, as well as the CBMS data fields related to presumptive eligibility determinations and payment information in Colorado interChange. The process followed for presumptive eligibility determination is the same for both Medicaid and CBHP, and therefore our testing was used to determine compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal and state regulations regarding Medicaid and CBHP presumptive eligibility requirements during Fiscal Year 2020. We noted issues regarding the Department?s timeliness of PE sites? re-certifications, failure to timely end beneficiaries? presumptive eligibility, a lack of review of PE sites, and missing documentation. Additionally, we found CBMS system issues related to the determination of applicant?s presumptive eligibility. Specifically, we identified the following: ? UNTIMELY END OF PRESUMPTIVE ELIGIBILITY. In eight out of 20 Medicaid (40 percent) and seven out of 20 CBHP (35 percent) cases, we found that the Department did not properly end presumptive eligibility within CBMS as required by the federal regulation. For example, in one CBHP case, the beneficiary?s presumptive eligibility did not end until 57 days after the beneficiary was determined to be eligible for regular CBHP benefits. Federal regulation [42 CFR 435.1101)] states that presumptive eligibility should end the day on which a decision is made on the application for Medical Assistance or the last day of the month following the month in which the determination of presumptive eligibility was made. ? LAPSED CERTIFICATIONS OF PE SITES. We found that five of the 57 PE sites (9 percent) were not re-certified within 2 years, as required, during Fiscal Year 2020, and therefore, were not qualified to make presumptive eligibility determinations after their re-certification due date had passed. Based on inquiry with the Department, these five PE sites processed a total of 314 presumptive eligibility determinations for Medicaid and CBHP after their re-certification due date during Fiscal Year 2020. The Department was unable to provide the total payments made on behalf of these beneficiaries during the presumptive eligibility period as of June 30, 2020, since these payments are not separately identified from regular Medicaid or CBHP payments in the system. As a result, we were unable to determine the amount of questioned costs the Department paid for these individuals during Fiscal Year 2020. State regulation [10 CCR 2505-10, 8.100.4.F (3)] requires the Department to re-certify the PE sites every 2 years to remain an approved site. ? LACK OF REVIEW OF PE SITES. We found several issues with the Department?s review of PE sites. Specifically we found the following: ? For 13 out of the 39 PE sites due for re-certification and a review (33 percent), the Department did not perform any case reviews to ensure that presumptive eligibility determinations were being made appropriately and in accordance with state and federal regulations by the PE site staff during Fiscal Year 2020. ? 11 of 13 staff at three PE sites (85 percent) failed the Department?s review of presumptive eligibility determinations during the fiscal year. However, the Department was unable to provide adequate evidence that it provided training to these staff within 6 months of their failed reviews, as required by Department processes. ? Currently, for all 57 PE sites, the Department conducts reviews every 2 years, but only requires them to retain eligibility documentation for 1 year. As a result, the Department is able to monitor PE site?s eligibility determinations for only half of the period since the last review, leaving the other half unmonitored. Federal regulation (42 CFR 435.1102(b)(3)) requires the Department to ?establish oversight mechanisms to ensure that presumptive eligibility determinations are being made consistent with the statute and regulations?. According to the Department processes, staff are to review a sample of presumptive eligibility cases at PE site every 2 years when reviewing sites for re-certification. If a PE site?s staff fails a review, the Department requires the staff to undergo customized Department training within 6 months over the areas they failed. Green Book, Section 2, Paragraph OV2.02, states that the Green Book applies to all of an entity?s objectives: operations, reporting, and compliance. Additionally, Green Book, Paragraph 16.01, indicates that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports and observing operations. ? MISSING DOCUMENTATION. In five of the 20 CBHP cases (25 percent) and five of the 20 Medicaid cases (25 percent) we tested, the Department was unable to provide evidence that the PE sites notified the counties or MA sites within five business days that the applicants were presumptively eligible. Federal regulation [42 CFR 435.1102(b)(2)(iii)] states that the presumptive eligibility sites are required to notify the local county or MA site within 5 business days that the client is presumptively eligible. ? SYSTEM DISPLAY ISSUE. In two of 20 CBHP cases (10 percent) and two of 20 Medicaid cases (10 percent), CBMS did not display the presumptive eligibility termination dates consistently between various screens. For example, in a Medicaid case, one screen showed a presumptive eligibility termination date of January 22, 2020, and the other screen showed a presumptive eligibility termination date of February 29, 2020. This system display issue did not affect the beneficiaries? presumptive eligibility and therefore there were no questioned costs. CBMS is designed to display case and applicant information consistently between various screens within the system. WHY DID THESE PROBLEMS OCCUR? The Department lacked sufficient internal controls to ensure that it complied with state and federal presumptive eligibility requirements during Fiscal Year 2020. Specifically, we noted the following causes for the errors we identified: ? LACK OF POLICIES AND PROCEDURES. The Department did not have written policies and procedures detailing the requirements for completion of site reviews, maintenance of supporting documentation, and the performance of timely re-certification of PE sites. ? LACK OF MONITORING. The Department lacked an effective tracking mechanism to monitor and identify PE sites that were due for re-certification every 2 years and to ensure presumptive eligibility determinations were in compliance with state and federal regulations. ? CBMS SYSTEM ISSUES. CBMS was not programmed to appropriately terminate presumptive eligibility when the beneficiary is enrolled in the regular Medicaid or CBHP program. In addition, CBMS has a system display issue that results in inconsistent applicant information being shown on various screens. WHY DO THESE PROBLEMS MATTER? As the State?s Medical Assistance agency, it is essential for the Department to ensure that PE sites? eligibility determinations are made appropriately and in accordance with state and federal regulations. This includes ensuring benefits are paid only on behalf of eligible beneficiaries. Since CBMS determines eligibility for Medicaid and CBHP, the CBMS system issues we identified could result in erroneous eligibility determinations. The federal government can disallow federal funds for program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. By not ensuring that appropriate internal controls, including system controls, written policies and procedures, adequate reviews, and monitoring, are in place over the Medicaid and CBHP presumptive eligibility process, the Department cannot ensure that all Medicaid and CBHP beneficiaries are eligible to participate in the programs. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-038 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls over presumptive eligibility by: A Developing and implementing written policies and procedures detailing the requirements for completion of site reviews, maintenance of supporting documentation, timely training for failed presumptive eligibility (PE) site staff, and performance of timely re-certification of PE sites. B Developing an effective tracking mechanism to identify and monitor PE sites that are due for re-certification every 2 years and ensuring the re-certifications are performed. C Resolving Colorado Benefits Management Systems (CBMS) programming and system issues to appropriately terminate applicants? presumptive eligibility when the beneficiaries are enrolled in regular Medicaid or Children?s Basic Health Plan program and ensuring CBMS displays consistent applicant information between various screens. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department agrees with the audit recommendation to develop and implement formal written policies and procedures. Prior to this audit, the Department began creating formal written policies and procedures for site case reviews, maintenance of supporting documentation, timely training for failed workers, and performance of timely re-certification of presumptive eligibility sites (PE site). This finding had no known questionable cost associated with it. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Department agrees with the audit recommendation to develop an effective tracking mechanism to identify and monitor PE sites that are due for re-certification every two years and ensuring that the re-certifications are performed. Prior to this audit, the Department began developing a tracking mechanism for PE site re-certifications. This finding had no known questionable cost associated with it. C AGREE. IMPLEMENTATION DATE: IMPLEMENTED. Implemented as of April 2021. The Department has thoroughly researched the eligibility issues identified in this audit and made the changes to CBMS to ensure that applicants? presumptive eligibility has been appropriately terminated when the beneficiaries are enrolled in regular Medicaid or CBHP program, and that CBMS displays consistent applicant information between various screens. These issues were fixed through two system changes implemented in March 2020 and April 2021. This finding had no known questionable cost associated with it. AUDITOR?S ADDENDUM for Parts A, B, and C As noted in the finding, we found five PE Sites that were not re-certified within the required 2 years and therefore, were not qualified to make presumptive eligibility determinations after their re-certification due date had passed. State regulation [10 CCR 2505-10, 8.100.4.F] requires the Department to re-certify the presumptive eligibility sites every 2 years to remain an approved site. The five PE sites processed a total of 314 presumptive eligibility determinations after their re-certification due date and before the Department re-certified the sites. The Department was unable to provide the total payments made on behalf of these 314 beneficiaries? prior to being enrolled in the regular Medicaid or CBHP program as of June 30, 2020. Therefore, we were unable to determine the amount of questioned costs the Department paid for these individuals during Fiscal Year 2020.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2020-052 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-039 PROVIDER ELIGIBILITY The providers of medical and related services covered under Medicaid and CBHP programs fall into a wide array of provider types that include clinics, hospitals, independent physicians, and medical technicians, as well as managed care organizations and health plans that contract with medical providers. As of June 30, 2020, approximately 76,960 entities and individuals were enrolled with the Department to provide services under Medicaid and CBHP. Although the Department is ultimately responsible for ensuring that only eligible providers participate in the Medicaid and CBHP programs, the Department has contracted with a fiscal agent to perform certain provider-enrollment and claims-processing activities, including accepting, processing, evaluating, and approving or rejecting applications. Providers that want to enroll must complete an online application within Colorado interChange and provide documentation, including a current medical license, showing that they fulfill all enrollment requirements based on their provider type. The fiscal agent is contractually responsible for evaluating the application and the relevant supporting documentation to ensure compliance with all state and federal enrollment requirements. The Department is responsible for maintaining current provider information in Colorado interChange. Once the enrollment process is complete, the Department enters into agreements with the providers that are found to be eligible. In December 2019, the Department added a Department of Regulatory Agencies (DORA) license database interface within Colorado interChange in order to provide a mechanism for updating the provider?s medical license information including the expiration dates within Colorado interChange for any expired provider licenses. Department staff indicated that the provider licenses are manually reviewed at the time of enrollment by the fiscal agent and marked as active, meaning the providers are eligible to participate in the Medicaid and/or CBHP programs. On a monthly basis, the fiscal agent manually runs a report from the DORA database to identify the provider?s medical licenses that are about to expire and updates the renewed license information in Colorado interChange. If a provider?s license is expired, then the fiscal agent marks the provider for a review. Furthermore, the Department?s Program Integrity (PI) Division checks the DORA?s website monthly to determine if any action such as suspensions or revocations of licenses have been taken against a provider?s medical license. If the action taken against the provider affects the provider?s ability to participate in Medicaid or CBHP for a certain period, the PI Division then determines if the provider should be placed on a temporary restriction by suspending any payments, or be terminated within Colorado interChange to stop payments to the provider. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over the enrollment and eligibility determinations of providers for Medicaid and CBHP services and to determine whether the Department complied with federal Medicaid and CBHP provider eligibility requirements during Fiscal Year 2020. Additionally, we assessed the Department?s progress in implementing our Fiscal Year 2019 recommendation related to provider eligibility and enrollment. At that time, we recommended that the Department improve its controls in this area to ensure that it complies with federal and state requirements related to data verification and maintenance of documentation, such as current provider licenses, to ensure payments are only made to eligible providers. We also obtained a detailed Suspension Listing from DORA, which contained provider medical licenses that were suspended during Fiscal Year 2020. We compared this Suspension Listing with provider information within Colorado interChange to determine whether the Department paid any providers with suspended licenses for claims during the fiscal year. We reviewed a sample of 45 provider applications for providers that were deemed eligible and received Medicaid and CBHP payments during Fiscal Year 2020 through Colorado interChange. We obtained and reviewed provider application information and relevant supporting documentation within Colorado interChange to determine whether these providers were accurately deemed eligible to receive Medicaid and CBHP payments and whether the required documents were maintained, in accordance with federal and state regulations. In addition, we conducted interviews with Department staff regarding its procedures over Medicaid and CBHP provider eligibility and enrollment. In March 2020, the Governor issued executive orders waiving Medicaid and CBHP provider licensing requirements for providers whose licenses expired during the COVID-19 PHE; as a result, our testwork was split into two periods of testing: (1) July 1, 2019, through February 29, 2020, and (2) March 1, 2020, through June 30, 2020. The process followed for provider eligibility and enrollment is the same for both Medicaid and CBHP providers, and our testing was used to determine compliance for both programs. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? We applied the following criteria during our testing: ? FEDERAL REGULATION [42 CFR 455.412] requires that the Department have a method for verifying that any provider purporting to be licensed in accordance with the laws of any state is licensed by such state and confirm that the provider?s license has not expired and that there are no current limitations on the provider?s license. This federal regulation requires the Department to verify that the providers meet required licensure standards initially, and it is best practice for the Department to verify that the providers meet these standards on an ongoing basis to ensure that there are no current limitations on the provider?s license. In May 2021, CMS provided clarification to the Department that ?not every condition on a provider?s license would be considered a limitation? and the PI Division within the Department needs to ?document in writing their determination to keep a provider enrolled when a license limitation does not restrict the provider?s ability to render services to Medicaid and CBHP beneficiaries to be in compliance with federal regulation.? ? STATE REGULATIONS [10 CCR 2505-10, 8.125.9 A AND B] require for current medical provider licenses, if a provider is required to possess a license or certification in order to provide services or supplies in the State, then that provider must be so licensed as a condition of enrollment as a Medicaid provider. As a condition of enrollment, any required licenses must be active without any current limitations. ? DEPARTMENT POLICY AND PROCEDURE. Provider Licensure Sanction Monitoring, Section III. A., states that in order for a provider to be eligible to render and bill for services, the provider must have an active license. ? FEDERAL CMS REQUIREMENTS [Sub Regulatory Guidance for State Medicaid Agencies (SMA): Revalidation (2016-001 (3))] state the Department must be able to produce documentation to support each of the provider screening and enrollment requirements under 42 CFR 455 Subpart E, including documentation of the most current license to ensure the provider remains eligible to provide services. ? CONTRACT REQUIREMENTS. According to the contract agreement with the fiscal agent, the fiscal agent is required to maintain detailed documentation to support each of the provider screening and enrollment requirements, including documentation of the provider?s most current license to ensure the provider remains eligible to provide services for Medicaid and CBHP. ? FEDERAL REGULATION [45 CFR 75.303(a)] requires that the Department, as a recipient of federal funds, must establish and maintain effective internal control over its federal awards that provides reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Green Book, Paragraph 16.01, which states that the Department ?should establish and operate monitoring activities to monitor [its] internal control system and evaluate the results.? Monitoring activities include reviewing reports, observing operations, and ensuring that activities are carried out in accordance with the federal grant agreement(s). WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We found that the Department did not fully comply with federal and state regulations for Medicaid and CBHP provider eligibility during Fiscal Year 2020. The specific issues we identified through our analyses of Medicaid and CBHP provider license data and case file reviews are outlined in more detail throughout this section. ELIGIBILITY ISSUES IDENTIFIED THROUGH DATA ANALYSES INELIGIBLE PROVIDERS?SUSPENDED LICENSES OR LICENSE WITH LIMITATIONS. Based on our comparison of the suspended provider license listing from DORA and provider information within Colorado interChange, we identified 13 ineligible providers who had their license suspended or had a license with limitations for part of Fiscal Year 2020, but continued to be shown as active, which means eligible, in Colorado interChange, as follows: ? 13 providers had their licenses suspended by DORA during Fiscal Year 2020; however, instead of terminating these providers in accordance with federal and state regulations, the Department marked these providers as active within Colorado interChange. For four of the 13 providers, the Department did not take any action to prevent them from billing for services during the year. For the remaining nine providers, the Department placed billing restrictions on the providers after DORA?s suspension date. Specifically, for six of these nine providers, the Department placed billing restrictions on the providers within 1 to 2 months and for the remaining three providers, placed the billing restrictions on the providers between 3 to 12 months after DORA?s suspension date. Based on additional testing, we determined that no payments were made to these providers after their licenses were suspended by DORA and therefore, we did not identify any questioned costs associated with these providers. ? One provider had its license listed as active with conditions on DORA?s website from April 10, 2020, through June 30, 2020, but the Department did not terminate the provider due to current limitations on the license; instead, the provider was marked as active in Colorado interChange and continued to bill claims and receive payments during the fiscal year. We determined that the provider?s current license limitations did not restrict the provider?s ability to render services. Therefore, the provider was eligible and no questioned costs were noted. However, the Department did not document their determination to keep this provider enrolled with current license limitations. In addition, we noted that this provider?s license expired in Colorado interChange as of October 2016, however, DORA?s website showed the provider with an active license, or license with limitations, during Fiscal Year 2020. The fiscal agent did not update license information as required by the contract. ELIGIBILITY CASE FILE ISSUES MISSING DOCUMENTATION AND LICENSE INFORMATION. For five of 45 providers (11 percent), the Department did not ensure that the fiscal agent maintained the support of the most current medical license information as of June 30, 2020, within Colorado interChange to demonstrate that the provider was eligible to provide services. After we brought the issue to the Department?s attention, the Department provided the documentation. Additionally, for two of these five providers, we found that the medical license information maintained by the fiscal agent in Colorado interChange differed from the license information contained in the DORA database. For example, in one case, the provider?s license showed an expiration date of September 30, 2019, in Colorado interChange, while the accurate license expiration date in DORA?s database was September 30, 2021. Without the most current license information, the fiscal agent cannot appropriately verify ongoing eligibility for the providers. WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls in place over the provider eligibility process during Fiscal Year 2020 to ensure that it complied with federal and state regulations. ? INEFFECTIVE REVIEW OF PROVIDER LICENSES. The Department lacks an effective review process to ensure the license information in DORA?s database matches the license information in Colorado interChange in order to identify suspended providers, to document their determination to keep a provider enrolled with license limitations, and providers with expired licenses. In addition, the Department?s manual review did not ensure that suspended providers, providers with license limitations and providers with expired licenses were terminated and restricted in a timely manner. ? POLICIES AND PROCEDURES NOT UPDATED. The Department did not obtain CMS guidance until May 2021 to document their determinations to keep providers with license limitations enrolled when a license limitation did not restrict provider?s ability to render services. Therefore, the Department?s current policies and procedures are not updated to match CMS guidance. ? LACK OF EFFECTIVE TRAINING AND MONITORING. The Department was not effectively training and monitoring its fiscal agent to ensure that copies of active medical licenses are maintained within providers? files in Colorado interChange. Additionally, the fiscal agent did not properly update the provider?s license information in Colorado interChange to match the DORA database during Fiscal Year 2020. WHY DO THESE PROBLEMS MATTER? By not ensuring that appropriate internal controls, including policies and procedures, reviews, training, and monitoring, are in place over the Medicaid and CBHP provider eligibility process, the Department cannot ensure that all Medicaid and CBHP providers are eligible to participate in the programs. Additionally, without an effective review process to update provider licensure information within Colorado interChange, the Department cannot ensure that the enrolled providers are eligible to receive payments. Ensuring that providers contained in Colorado interChange are eligible to provide services is especially important to prevent any improper payments. Overall, the State could risk losing federal Medicaid and CBHP funding if it allows ineligible providers to bill and be paid for services provided for these programs. Furthermore, the State may lose federal Medicaid money if the Department does not recover any of the payments made to ineligible providers. State statute [Section 25.5-4-301(2), C.R.S.] indicates that any overpayments of claims to providers are recoverable. These overpayments ?shall be recoverable regardless of whether the overpayment is the result of an error by the state department, a county department of social services, an entity acting on behalf of either department, or by the provider or any agent of the provider.? See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-039 The Department of Health Care Policy and Financing (Department) should improve its internal controls over the Medicaid and Children?s Basic Health Plan provider eligibility determination to ensure that it complies with federal and state requirements by: A Improving the Department?s review process of provider licenses to ensure the license information in the Department of Regulatory Agencies (DORA) license database matches the license information in the Colorado interChange system and ensuring timely termination and imposing restrictions for the provider?s whose licenses are suspended or expired. B Updating the current policies and procedures to match Centers for Medicare and Medicaid Services guidance to ensure there is adequate documentation of the determinations for providers with license limitations. C Effectively training and monitoring its fiscal agent to ensure that copies of active licenses are maintained and provider license information in the Colorado interChange system matches the information in DORA?s license database. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will update its policies and procedures to ensure that the process for reviewing whether a license action requires termination or a restriction in the Colorado interChange, is documented and implemented in a timely manner to prevent payments to ineligible providers. As noted in OSA's finding, it is best practice for the Department to verify providers meet these standards on an ongoing basis between initial enrollment and revalidation to ensure there are no current limitations on the provider?s license, including those that have expired. The Department?s previous process was discontinued due to data matching issues between DORA and the Colorado interChange. However, letters continue to be sent to providers with upcoming expiring licenses prompting them to add current license information to their provider file. The Department plans to implement a system change that will make the data feed from DORA functional and install a front-end claims edit that will prevent claims from providers with an expired license from paying. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will update its policies and procedures to ensure that all determinations made on whether a provider has a limitation on its license are properly documented. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department has an established process to train and monitor its fiscal agent. The Department will continue to monitor the Fiscal Agent through reports, meetings, and quarterly audit review processes. The Department and the Fiscal Agent will continue to collaborate to improve the process in which required documentation is collected and maintained.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-054 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-041 MEDICAID ELIGIBILITY?MISSING SOCIAL SECURITY NUMBERS A beneficiary?s application includes information such as a Social Security Number (SSN), birth certificate, and supporting documentation for income. Local counties and MA sites are responsible for administering the benefits application process, entering the required data for eligibility determination into CBMS, and approving or denying applicants? eligibility. For example, Medicaid caseworkers enter and document each applicant?s SSN into CBMS. Caseworkers determine participants? eligibility to receive Medicaid benefits through CBMS. The CBMS eligibility data, including SSNs, feeds into Colorado interChange, which pays providers for the services they render to Medicaid beneficiaries. If there is a change to an SSN, including removing an SSN in CBMS, this change should feed directly into Colorado interChange. Additionally, children in foster care are automatically eligible for Medicaid; the TRAILS system that supports the foster care program at the Department of Human Services also interfaces with Colorado interChange on a daily basis to update foster care beneficiaries? eligibility information and pay providers for the services rendered. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls that were in place over the Medicaid eligibility process during Fiscal Year 2019, and to determine whether the Department complied with federal and state Medicaid requirements during this timeframe. During our audit, we requested a list of all Medicaid claims for medical services that were submitted and paid through Colorado interChange from July 1, 2018, through March 31, 2019. This list included claims made on behalf of approximately 1.1 million beneficiaries. We analyzed the data to identify any Medicaid claims payments made during July 1, 2018, through March 31, 2019, on behalf of beneficiaries who did not have an SSN in Colorado interChange on the date of the claims payment, and found a total of 524,092 claims paid on behalf of 46,772 beneficiaries. From this listing, we excluded any of the claims payments made on behalf of a beneficiary who was exempted from providing an SSN under federal and state regulations. For example, we removed claims payments for beneficiaries who were under the age of 1; beneficiaries who were in foster care and, therefore, were automatically deemed eligible for Medicaid; beneficiaries who had applied to the Social Security Administration for an SSN at the time of the payment; beneficiaries who received medical care as an emergency service; and beneficiaries who had chosen to opt out of providing an SSN due to allowed religious reasons. After we removed these exempted beneficiaries from the population, the list included 2,870 beneficiaries that appeared to be missing an SSN in Colorado interChange and who had Medicaid claims payments made on their behalf from July 1, 2018, through March 31, 2019. We then reviewed these remaining beneficiaries, and the related separate payments made on their behalf during this time period, to determine whether these beneficiaries had an SSN in Colorado interChange at the time of the claims payments and whether the individuals were eligible for Medicaid benefits in accordance with federal regulations and Department procedures. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? SSN REQUIREMENTS. Federal regulations [42 CFR 435.910 and 42 CFR 435.117(b)] state that the Department must require an SSN for each individual requesting Medicaid benefits, with the exception of newborns under the age of 1, or ?Eligible Needy Newborns,? and individuals who refuse ?to obtain an SSN because of well-established religious objections.? Federal regulation [42 CFR 435.145(b)(2)] states that the Department must provide Medicaid benefits to individuals who are in the foster care program. Section 472 of the Social Security Act does not require a child to provide an SSN in order to be eligible for the foster care program. State regulations [10 CCR 2505-10 8.100.3.I.1, 8.100.4.B.1.a, and 8.100.4.G.7.a] also require that every individual who applies for and receives Medicaid benefits must provide an SSN, or an application for an SSN, with their application for Medicaid. The regulation specifically states: An applicant?s or client?s refusal to furnish or apply for a Social Security Number affects the family?s eligibility for assistance as follows: i) that person cannot be determined eligible for the Medical Assistance Program; and/or ii) if the person with no SSN or proof of application for SSN is the only dependent child on whose behalf assistance is requested or received, assistance shall be denied or terminated. The regulation also states that newborns under the age of 1 and ?members of religious groups whose faith will not permit them to obtain Social Security Numbers shall be exempt from providing a Social Security Number.? Eligibility data, including SSNs, is required to be collected and entered into CBMS at the time of application or upon another event, such as the beneficiary turning 1 year old. Because this information is maintained within CBMS, and CBMS feeds eligibility information into Colorado interChange, eligible beneficiaries should have an SSN in Colorado interChange. MONITORING. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in the Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). Green Book Paragraph 16.01, Perform Monitoring Activities, states the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. TRAINING. Department training procedures indicate that when a local county or MA site caseworker needs to update an SSN in CBMS, he or she must call the Office of Information Technology (OIT) Service Desk within the Office of the Governor, for approval of the change. According to Department staff, once the OIT Service Desk reviews and approves the change, the information will be updated within CBMS; if the OIT Service Desk does not approve the change to the SSN, then the updated information will be rejected within CBMS. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We identified 2,870 beneficiaries who were required to have an SSN but did not have an SSN documented in Colorado interChange and had Medicaid claims paid on their behalf sometime between July 1, 2018, and March 31, 2019. In total, Colorado interChange paid approximately $4,540,920 in Medicaid claims for these beneficiaries during the time period noted. In August 2019, we informed the Department of the issues we identified and Department staff performed additional follow-up based on our findings, which included analyzing information contained in CBMS compared to our results from Colorado interchange; the Department confirmed in January 2020, the Department confirmed that 1,590 of these beneficiaries had never had an SSN recorded in CBMS since they were first found eligible for Medicaid benefits, and therefore, would never have had an SSN in Colorado interChange. Because these individuals were required by federal and state regulations to provide an SSN at the time of application or upon another event, as applicable, the lack of documented SSNs in both CBMS and Colorado interChange indicated that these individuals appeared to be ineligible for the Medicaid claims payments that were made on their behalf during the fiscal year. The Department indicated that the remaining 1,280 beneficiaries without an SSN in Colorado interChange did not have an SSN in CBMS at the time of the claim but had an SSN ?at some point? during Fiscal Year 2019 or prior within CBMS. Since the individuals lacked an SSN within Colorado interChange at the time of the Fiscal Year 2019 claims payments, and based on the documentation provided by the Department, we were unable to determine whether the individuals had submitted an SSN at the time of application or upon another event as required and, therefore, whether they were eligible for the Medicaid services they received. Overall, for the 1,590 beneficiaries noted, we identified known questioned costs of $2,285,757 for the period of July 1, 2018, through March 31, 2019; $1,142,879 of these costs were paid with federal grant funds. For the 1,280 beneficiaries noted, we identified likely questioned costs of $2,255,163 for the period of July 1, 2018, through March 31, 2019. We further analyzed 49 of the 1,590 beneficiaries noted above to identify reasons for missing SSNs and found that: ? Beneficiaries in CBMS were not eligible; however, they were marked as ?eligible? within Colorado interChange. ? Beneficiaries were incorrectly enrolled in the Eligible Needy Newborn Program even though they were all over the age of 1; as a result, although the Department had not required them to provide an SSN, they continued to receive benefits during July 1, 2018, through March 31, 2019. ? Beneficiaries were exempted from obtaining an SSN for unallowable reasons including ?incomplete documents? and ?illness? categories, and CBMS processed their eligibility and Colorado interChange made payments on their behalf; however, neither federal nor state regulations allow such exemptions. The Department has indicated that they are performing additional research on the issues regarding the 1,280 beneficiaries that had an SSN ?at some point? during Fiscal Year 2019 or prior within CBMS. WHY DID THESE PROBLEMS OCCUR? For 1,280 beneficiaries identified who were missing an SSN in Colorado interChange and CBMS at the time of the claim, but had an SSN ?at some point? within CBMS during Fiscal Year 2019 or prior, the Department provided the following possible explanation: The SSN was removed due to caseworkers failing to contact the OIT Service Desk for proper approval for changes to SSN information in CBMS. Other problems with missing SSNs were related to: ? CBMS ISSUES. CBMS was not programmed to appropriately deny an applicant?s eligibility for Medicaid when the individual did not have an SSN in CBMS and did not have an allowed exception noted in CBMS. Rather, CBMS allowed the SSN field to be left blank, regardless of the reason noted for the missing SSN and whether the reason was allowed as an exemption by federal and state regulations. In addition, the SSN in CBMS could be deleted at any time by the caseworker or the OIT Service Desk and CBMS was not programmed to alert the caseworker to follow up if an SSN had been deleted from the file. ? SYSTEM INTERFACE ISSUES AND LACK OF A RECONCILIATION PROCESS. CBMS was not interfacing with Colorado interChange appropriately to update beneficiaries? eligibility information. Some beneficiaries who were deemed ?ineligible? for Medicaid in CBMS were listed as ?eligible? in Colorado interChange and payments were made on their behalf during the fiscal year. Furthermore, the Department lacked an effective internal control process for reconciling Medicaid beneficiaries? eligibility information in CBMS to the eligibility information in Colorado interChange to ensure that the information was consistent in both systems, and that the beneficiary was appropriately deemed either ?eligible? or ?ineligible? in accordance with federal and state regulations. ? LACK OF EFFECTIVE REVIEWS, TRAINING, AND MONITORING. The Department was not effectively monitoring and training Medicaid local county and MA site caseworkers on required approvals for any changes to beneficiaries? SSNs. Further, the Department did not have an effective review process to ensure that beneficiaries were enrolled in the correct Medicaid program. WHY DO THESE PROBLEMS MATTER? As the state Medicaid agency, it is essential for the Department to ensure that Medicaid eligibility determinations are made appropriately and in accordance with state and federal regulations. This includes ensuring accurate processing of information used to determine Medicaid eligibility results in Medicaid benefits being provided to and paid on behalf of only eligible individuals. Since CBMS and Colorado interChange determine eligibility and issue payments on behalf of other federal programs, such as the CBHP, these issues could result in erroneous eligibility determinations or payments for other programs. Ultimately, the federal government may disallow federal funds for Medicaid program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2019-043 The Department of Health Care Policy and Financing should improve its internal controls over Medicaid eligibility by: A Researching and, if feasible, instituting a mechanism for identifying Medicaid cases in the Colorado Benefits Management System (CBMS) that lack a Social Security Number. B Researching and resolving CBMS and Colorado interChange interface issues to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries and establishing an effective reconciliation process between CBMS and Colorado interChange to ensure that Medicaid beneficiaries? eligibility information is consistent in both systems. C Effectively training and monitoring local counties and Medical Assistance sites to ensure that caseworkers are obtaining and documenting the Office of Information Technology Service Desk?s approval for changes to beneficiaries? Social Security Numbers, and that beneficiaries are enrolled in the correct Medicaid program. D Researching the cases identified in our audit to determine whether these beneficiaries were eligible and that the payments made on their behalf were appropriate, in accordance with federal and state regulations. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The CBMS currently has functionality in place for members requesting Medical Assistance that they must supply a Social Security Number (SSN) unless they meet certain acceptable exceptions at initial application. Since CBMS is a shared system between the Department and the Department of Human Services and any change would impact all cases in CBMS, the Department cannot guarantee that a system change can be implemented. The Department can agrees to research on the feasibility of instituting a mechanism for identifying Medicaid cases in CBMS that lack a social security number and, if feasible, implement a CBMS change by July 2022. B AGREE. IMPLEMENTATION DATE: JULY 2021. The Department agrees to research and resolve Colorado Benefits Management System (CBMS), and Colorado interChange system interface issues identified in the audit. The Department implemented a system change in June of 2018 that allows retroactive changes in eligibility to be correctly synced between the systems. The majority of the impacted cases are historical cases that will be manually corrected by June 2020. Additional cases involve detailed research, review, and potential outreach to case workers to correct the case file or verify the eligibility status of the impacted members. The Department will take the appropriate actions to notify impacted members if necessary. The Department's implementation date reflects that the Department will be in compliance with the Recommendation for the entirety of FY 2021-22. C AGREE. IMPLEMENTATION DATE: JULY 2021. The Department provides training to counties and Medical Assistance sites that beneficiaries applying for Medical Assistance must supply a Social Security Number (SSN) or supply verification that they have applied for an SSN, unless they meet certain acceptable exceptions. This information has been communicated to the counties since 2004 and is part of our ongoing training materials. The Department cannot agree to establish any additional review process at this time. The Department can agree to work with counties and Medical Assistance sites to identify any additional training related to missing SSN and implement additional training by July 2021. D DISAGREE. The Department disagrees with the Total Known Questioned Costs of $2,285,757 identified in the audit report since Department cannot verify the results. The Department is still attempting to reconcile various reports to understand the finding identified through this audit. CBMS currently has functionality in place for members requesting Medical Assistance that they must supply a Social Security Number (SSN), unless they meet certain acceptable exceptions at initial application. The Department does not have the resources to research the thousands of cases that the auditor identified through data mining techniques, a new methodology for the first time this year. If the auditor is changing methodologies, the Department requires additional resources and timely notice to request resources through the budget process. AUDITOR?S ADDENDUM: The beneficiaries identified through our testing were required by Medicaid regulations to provide an SSN at the time of application or upon another event, as applicable, and the SSN is documented in CBMS and uploaded to Colorado interChange [State regulations 10 CCR 2505-10, 8.100.3.I.1 and 8.100.4.B.1.a and 8.100.4.G.7.a]. Because the noted beneficiaries lacked an SSN within Colorado interChange at the time claims payments were made on their behalf, we questioned the beneficiaries? eligibility. The Department is responsible for ensuring that only individuals who are appropriately deemed eligible for Medicaid receive benefits. Therefore, it is the Department?s responsibility to identify and remove ineligible individuals from the Medicaid program and to prevent the inappropriate payment of claims on their behalf. In addition, generally accepted government auditing standards (GAGAS) (paragraph 3.18), require that ?In all matters relating to the GAGAS engagement, auditors and audit organizations must be independent from an audited entity.? Additionally, paragraph 3.42 states that ?Examples of circumstances that create undue influence threats for an auditor?include (b) [e]xternal interference with the selection or application of engagement procedures or in the selection of transactions to be examined.? Therefore, it is imperative that our decisions related to audit approaches and testing methods be made without department influence or persuasion.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-056 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-044 PROVIDER ELIGIBILITY Medicaid and CBHP cover a variety of medical and related services, which are provided by provider types such as clinics and hospitals, managed care organizations such as health plans or independent physicians, as well as individual medical providers working within these entities or individually. As of June 30, 2019, the Department had enrolled approximately 71,000 entities and individuals for providing services under Medicaid and CBHP. The Department is ultimately responsible for determining if providers are eligible to participate in Medicaid and CBHP. However, the Department has contracted with a fiscal agent, currently DXC Technology Services, LLC (DXC), to act on its behalf in determining Medicaid and CBHP provider eligibility. A fiscal agent is a contractor that performs certain provider enrollment and claims processing activities, including accepting, processing, evaluating, and approving or rejecting applications. The fiscal agent also assesses the providers into one of three risk categories?limited, moderate, and high?to ensure that appropriate federal and state regulations are applied during the provider enrollment process. Providers that want to enroll must complete an application within Colorado interChange and provide documentation, including a current business and/or medical license, showing that they fulfill all enrollment requirements. Once the enrollment process is complete, the Department enters into agreements with the providers that are found to be eligible. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over Medicaid and CBHP provider eligibility and enrollment processing, and to determine whether the Department complied with federal Medicaid and CBHP provider eligibility requirements during Fiscal Year 2019. Additionally, the purpose of our work was to determine the Department?s progress in implementing our Fiscal Year 2017 and 2018 recommendations related to provider eligibility and enrollment. At that time, we recommended that the Department improve its controls over Medicaid and CBHP provider eligibility determination and enrollment to ensure that it complies with federal and state requirements related to data verification, documentation including current provider licenses, monitoring policies and procedures, appropriate indication of results of database matches, and consistent display of provider information within Colorado interChange. The Department agreed with our recommendations and stated that it would implement them by Fiscal Year 2019. We reviewed a sample of 25 Medicaid provider applications for individual, company, and managed care providers that were deemed eligible and received payments during Fiscal Year 2019 through Colorado interChange for services provided. We obtained and reviewed the provider application information entered into Colorado interChange, as well as the supporting documentation uploaded into Colorado interChange by providers, to determine whether these providers were accurately deemed eligible to receive Medicaid payments and whether the required documents were present in accordance with federal and state regulations. In addition, we conducted interviews with Department staff regarding its procedures over Medicaid provider eligibility and enrollment. We also obtained a detailed Suspension Listing from the Department of Regulatory Agencies, which contained health care provider business and medical licenses that were terminated during Fiscal Year 2019. We compared the Suspension Listing with provider information in Colorado interChange to determine if the Department made inappropriate claims payments to unlicensed providers during the fiscal year. Because CBHP is operated through Medicaid, and the processes followed for provider eligibility and enrollment for CBHP providers are the same as the processes for Medicaid providers, our testing looked at compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal and state Medicaid regulations for provider eligibility during Fiscal Year 2019. Specifically, although we did not identify enrollment issues with the Department?s processing of providers who were newly enrolled during Fiscal Year 2019, we found at least one issue related to ongoing eligibility with all 25 sampled providers we tested: ? DATABASE MATCHES AND DISPLAY OF PROVIDER INFORMATION. We identified the following database match functionality issues with 24 of 25 providers (96 percent) tested: ? For 23 of 25 providers (92 percent) that included individual, company, and managed care providers, Colorado interChange showed that the provider?s owners, agents, and managing employees? SSNs were not verified against federal databases, as required. Specifically, the SSN check box within Colorado interChange indicated ?N,? meaning ?No verification was performed with the database.? Additionally, for one of 25 providers (4 percent) that was a managed care organization, the organization was enrolled in Colorado interChange in April 2019 and showed that the SSNs had been verified, but SSNs for two individuals who worked under this provider that were listed on the application were shown as ?N? within the system. ? For eight of 25 providers (32 percent) that included companies, Colorado interChange showed that the providers? Federal Employee Identification Numbers (FEIN) were not verified against federal and state databases, as required. Specifically, the FEIN check box within Colorado interChange indicated ?N.? ? For 13 of 25 providers (52 percent), Colorado interChange did not present the data of owners, agents, and managing employees information consistently between various screens within Colorado interChange. For example, when a provider noted owners, agents, or managing employees on its application, that information was not reflected in Colorado interChange outside of the application screen even though there is a section in Colorado interChange that should list the owners? information. According to federal regulation [42 CFR 455.436] and requirements established by the ACA [Patient Protection and Affordable Care Act (2010), Section 6401(a)], the Department must check federal databases to confirm providers? identity and determine whether providers are excluded from participating in the Medicaid program; this verification must also occur, if applicable, against providers? owners, agents, and managing employees. For example, the Department must check the federal exclusion databases at least monthly to ensure that the providers, owners, agents, and managing employees are not excluded from participating in the Medicaid program. Colorado interChange is designed to display provider application information consistently between various screens within the system, such as name, SSN, FEIN, and/or National Provider Identification number (NPI), with various federal and/or state databases to identify potential errors and to flag the application for a required caseworker manual review. According to Department staff, when Colorado interChange successfully verifies provider-provided information against another state or federal database, Colorado interChange should separately mark each verified data field on the application to note the successful match. Conversely, if Colorado interChange does not match a given field against a database, it should also be identified in the system. As a result of these issues, we were unable to determine if Colorado interChange performed the required matches and if any discrepancies in provided information were identified and presented to DXC, the fiscal agent, for a manual review to verify eligibility, as required. ? DOCUMENTATION. The Department did not maintain sufficient documentation within Colorado interChange for the receipt date of the fingerprints from the provider, the collection of application fees, and site visits, as follows: ? For four of 25 providers (16 percent) tested, the Department?s fiscal agent failed to fill in the receipt date field within Colorado interChange to indicate when fingerprints were received from enrolling providers. After bringing this issue to the Department?s attention, the Department provided fingerprinting documentation in November 2019 to support that these providers submitted fingerprints within 30 days of Department request in accordance with federal regulation; however, that receipt date information had not been documented in Colorado interChange as of November 2019. ? For one of 25 providers (4 percent) tested, the provider was assessed as high risk but the provider?s file did not contain evidence that an application fee was collected or that the fiscal agent conducted a site visit, as required. Under federal requirements [Sub Regulatory Guidance for State Medicaid Agencies (SMA): Revalidation (2016-001(3))], the Department ?must be able to produce documentation to support each of the provider screening and enrollment requirements,? such as requirements for fiscal agent-conducted site visits of moderate and high risk providers during the enrollment and revalidation process. Federal regulation [42 CFR 455.432] states that the State Medicaid Agency or their fiscal agent must conduct pre- and post-enrollment site visits of providers who are deemed as moderate or high risk to the Medicaid program. The purpose of the site visits is to verify that the information submitted to the state Medicaid agency is accurate and to determine compliance with federal and state enrollment requirements. Additionally, the Department?s contract with DXC requires the fiscal agent to maintain detailed documentation and procedures for Medicaid provider enrollment. Federal regulation [42 CFR 455.434] requires that, for any provider assessed by the Department as high risk, the Department must obtain fingerprints from the provider, including fingerprints for any person(s) who has a 5 percent or more direct or indirect ownership interest in the provider and furnishes medical or pharmaceutical services or supplies. The provider must submit the fingerprints within 30 days, upon request by the Department. Federal regulation [42 CFR 455.460(a)] states that the Department must collect the applicable application fee prior to executing a provider agreement from a prospective or re-enrolling provider, with certain limited exceptions. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal control over its federal awards that provides reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Green Book Paragraph 16.01, Perform Monitoring Activities, which states that the Department ?should establish and operate monitoring activities to monitor [its] internal control system and evaluate the results.? Monitoring activities include reviewing reports, observing operations, and ensuring that activities are carried out in accordance with the federal grant agreement. ? INELIGIBLE PROVIDERS: Based on our review of the suspended license listing from the Department of Regulatory Agencies, we identified three providers that had their licenses suspended during part of Fiscal Year 2019 but continued to be shown as active in Colorado interChange, as follows: ? One provider had its license suspended between February 11, 2019, and March 27, 2019; however, during this timeframe, the provider continued to bill claims and receive payments from Colorado interChange. After we questioned the Department about the issue, the Department issued a demand for payment letter dated October 18, 2019, to the provider for $15,061 in payments that were inappropriately paid. We consider these $15,061 payments to be known questioned costs; $7,531 of these payments were made with federal grant funds. ? Two providers had suspended licenses as of September 21, 2018, and February 25, 2019, respectively, but showed as active in Colorado interChange through June 30, 2019, and therefore appeared eligible to bill claims and receive payments. Based on additional testing, we determined that no payments were made to these providers after their licenses were suspended and did not identify any questioned costs associated with these two providers. Federal regulation [42 CFR 455.412] requires that the Department must have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State and confirm that the provider?s license has not expired and that there are no current limitations on the provider?s license. This federal regulation requires the Department to verify that the providers meet required licensure standards initially, and it is best practice for the Department to verify that the providers meet these standards on an ongoing basis to ensure that there are no current limitations on the provider?s license. In addition, state regulation [10 CCR 2505-10 8.125.9, Verification of Provider Licenses] states, ?If a provider is required to possess a license or certification in order to provide services or supplies in the State of Colorado, then that provider must be so licensed as a condition of enrollment as a Medicaid provider. As a condition of enrollment, any required licenses must be active without any current limitations.? Under the federal regulation, Requirements for Estimating Improper Payments in Medicaid and CHIP [42 CFR 431.958], ?Improper payment means any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements; and payment means any payment to a provider, insurer, or managed care organization for a Medicaid or CHIP beneficiary?? WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls in place over provider eligibility and claims payment processes related to the monitoring of DXC, its fiscal agent, during Fiscal Year 2019 to ensure that it complied with federal and state regulations. Specifically, Colorado interChange required fixes that were in various stages of correction during Fiscal Year 2019. According to the Department, Colorado interChange required a system fix in December 2018 in order to properly mark and/or display results related to federal and state database checks going forward; however, the system fix did not completely resolve the display issues to accurately indicate whether the data matches had occurred, and the Department did not retroactively make corrections to any cases that erroneously indicated that their information had not been verified. Rather, the Department stated that the inconsistent display issue related to providers that enrolled in the program when Colorado interChange was initially implemented and that this will be addressed after these providers are revalidated in Fiscal Year 2020 or when a provider updates their information, whichever occurs first. Additionally, the Department indicated that Colorado interChange did not have an automated system alert to check with the Department of Regulatory Agencies? license database on a regular basis to notify the fiscal agent and/or the Department that a license had expired. Although the Department reported that they had an interim manual process to ensure that expired licenses were identified and that subsequent steps were taken to ensure that providers remained eligible throughout the fiscal year to provide Medicaid services, the manual process did not identify and/or address the instances that we identified through our audit. Finally, we noted that the Department lacked an effective monitoring process over DXC, its fiscal agent, to ensure that the required documentation was maintained in accordance with Uniform Guidance, as the monitoring policies and procedures referred to as Provider Enrollment Audit Process were still in the draft stage during Fiscal Year 2019 and had not been formalized. WHY DO THESE PROBLEMS MATTER? By not ensuring that appropriate internal controls, including system controls and monitoring, are in place over the Medicaid provider eligibility and enrollment processes, the Department cannot ensure that all Medicaid providers are eligible or qualified to participate in the program. Additionally, without instituting a process to regularly update provider licensure information and to ensure that provider information contained in Colorado interChange is consistent and accurate, the Department cannot ensure that the enrolled providers are appropriately screened and are eligible to receive payments. Ensuring that providers contained in Colorado interChange are qualified to provide services is especially important because Colorado interChange is also used for provider eligibility determination for CBHP. Overall, the State could risk losing federal Medicaid and CBHP funding if it allows non-qualified providers to bill and be paid for services provided for these programs. RECOMMENDATION 2019-046 The Department of Health Care Policy and Financing (Department) should improve its controls over Medicaid and Children?s Basic Health Plan (CBHP) program provider eligibility determination and enrollment to ensure that it complies with federal and state requirements by: A Working with its fiscal agent to ensure that Colorado interChange performs all required database matches and properly displays results of Social Security Number and Federal Employer Identification Number verifications for all providers. B Establishing an effective process to ensure that provider licensing information contained in Colorado interChange is current, that any expired licenses are identified, and that any ineligible providers are disallowed from providing Medicaid and CBHP services and receiving payments in accordance with Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). C Formalizing the Department?s monitoring policies and procedures called Provider Enrollment Audit Process over the fiscal agent to ensure required documentation is maintained in accordance with Uniform Guidance. D Ensuring that Colorado interChange displays provider information consistently throughout the system. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department is working with its Fiscal Agent to ensure all required database screenings are performed and clearly identified in the Colorado interChange. An issue was identified in a prior year, FY 2018-19, that not all screening information was consistent. There was also a concern that initial screenings might miss some individuals due to the way data was formatted when transferred from LexisNexis. The issue was resolved by the Fiscal Agent prior to FY 2019-20. The Fiscal Agent is continuing to conduct manual reviews of all screening results to ensure compliance. A separate process to screen providers monthly is executed by the Department's Program Integrity Section. Through this process, no providers were found to have been enrolled incorrectly and, as necessary, the Department took appropriate action if there were changes to a provider's information. The Department is working with its Fiscal Agent to properly display results of Social Security Number and Federal Employer Identification Number verifications for all providers and automate the review process. The Department's implementation date reflects that the Department will complete the improvements and be in compliance with the Recommendation for the entirety of FY 2022-23. B DISAGREE. The Department finds that the Colorado interChange is working as designed, that the Fiscal Agent is appropriately enrolling providers, and that the Department is in compliance with the federal regulations regarding enrolling and revalidating providers. The Department is compliant with 42 CFR ? 455.436, which requires providers to be screened at enrollment and revalidation. All providers are assessed for eligibility requirements at enrollment and revalidation and are then screened monthly to identify any changes. For the licensing issue identified in this audit report, the Department performed the appropriate actions to recover funds within less than a month of the incident, which is compliant with federal regulation 42 CFR ? 455.436(c)(2). AUDITOR?S ADDENDUM: As noted in the finding, we found issues with the Department?s ongoing verification and monitoring of providers? eligibility that failed to prevent improper payments to an ineligible provider during the fiscal year. In addition, the Department did not send notification to recover funds from the provider until October 2019, or 8 months after the provider?s license was suspended. C AGREE. IMPLEMENTATION DATE: JULY 2020. The Department finalized the Fiscal Agent monitoring policies and procedures in December 2019 and therefore was unable to be in full compliance for the entire FY 2019-20. The Department's implementation date reflects that the Department will be in compliance with the Recommendation for the entirety of FY 2020-21. D DISAGREE. There was an initial system configuration on some early enrollments that prevented populating the requested information in the visible provider subsystem tabs for the auditor to review. The verification functionality happens within the provider portal and not in the visible provider subsystem tabs that the auditor reviews. However, no functionality or data was lost, the information only appeared and was stored in the provider portal. The Department implemented a solution so that the information will be displayed in the provider subsystem. This change is pending the next update the providers make and the data will be visible in the provider subsystem. The Department will not be making historical changes to the system. The Department has worked with the Fiscal Agent to resolve the issues which led to the finding and does not believe that expending additional resources to display historical information in both the provider portal and the provider subsystem is the best use of resources. The Department can produce the information manually. AUDITOR?S ADDENDUM: The data inconsistency issues we identified through our audit were based on our reviews of Colorado interChange through the access provided to us by the Department. As noted in the finding, inconsistent information within the provider eligibility screens used for Medicaid and CBHP increases the risk of inaccurate reviews of provider eligibility and ultimately, inappropriate enrollment screening. Therefore, as our recommendation states, the Department should ensure that Colorado interChange displays provider information consistently. The recommendation did not include restatement of historical information.
Finding 2022-043 Medicaid Claims Payments Individuals and families apply for Medicaid at their local county departments of human/social services or at MA sites. Medicaid caseworkers make the determinations of participants? eligibility to receive Medicaid benefits through CBMS. Children in the State?s foster care program, whose information is documented in the TRAILS system, are automatically determined eligible for Medicaid benefits. The Medicaid eligibility data in CBMS and TRAILS feeds into Colorado interChange, which pays providers for the services that beneficiaries receive. CBMS and TRAILS interface with Colorado interChange on a daily basis to update eligibility information, such as a beneficiary?s eligibility status and/or termination of benefits in Colorado interChange. According to the Department, Colorado interChange is programmed to make only allowable Medicaid claims payments on behalf of eligible beneficiaries in accordance with federal and state Medicaid rules and regulations. Thus, Colorado interChange should stop paying Medicaid claims when a beneficiary is no longer eligible for Medicaid. On March 18, 2020, the Act was enacted. The Act provided a temporary increase in the federal share of Medicaid and CBHP assistance from January 1, 2020 until the end of the PHE. The Act also required that the Department maintain Medicaid and CBHP eligibility for beneficiaries enrolled as of March 1, 2020, through the end of the COVID-19 PHE, except for the required terminations noted within the CMS waivers, such as out-of-state residency, termination upon the beneficiary?s request, and death of the beneficiary. On March 26, 2020, CMS approved waivers for a number of Medicaid and CBHP requirements that resulted in, for example, the expansion of benefits to include all uninsured individuals; suspension of beneficiary deductibles, copayments, coinsurance, and other cost sharing charges and fees; coverage of COVID-19 vaccines and testing; and the suspension of the requirement for a provider to have a current license if their license expired during the COVID-19 PHE. In addition, the State implemented, with CMS? approval, Medicaid continuous enrollment as a condition of receiving the temporary increase in federal assistance. During continuous enrollment, beneficiaries could not be disenrolled due to changes in circumstances (i.e., changes in household composition, employment, income and resources) until the end of the COVID-19 PHE. On December 29, 2022 the CCA was enacted. Under the CCA, continuous enrollment and the temporary increase in federal assistance are no longer linked to the end of the COVID-19 PHE. The continuous enrollment condition will end on March 31, 2023 and the increase in federal assistance will start to gradually reduce in April 2023, fully ending in December 2023. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to review the Department?s progress in implementing our Fiscal Year 2019 audit recommendation related to its internal controls over Medicaid claims payments. During that audit, we recommended that the Department improve its Medicaid controls by researching and resolving CBMS, TRAILS, and Colorado interChange interface issues we identified during our audit to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries. We specifically identified a TRAILS and CBMS eligibility mismatch issue related to the daily interfaces between CBMS and Colorado interChange and between TRAILS and Colorado interChange. As a result, some individuals who were deemed ineligible for Medicaid in CBMS and TRAILS were indicated as eligible in Colorado interChange at the time of payments; therefore, Colorado interChange made payments on their behalf. The Department researched the specific errors we identified during the audit and manually corrected the eligibility status of those beneficiaries, but the Department had not fully researched the error or identified and corrected all of the cases affected by the errors at that time. As such, we also recommended that the Department identify and correct any additional cases affected by the system issues noted in our audit. The Department agreed with the recommendation and stated that it would implement them by July 2021. As part of our audit work, we discussed the Department?s progress in implementing our audit recommendation with Department staff. According to the Department, it worked with the Department of Human Services (DHS) during Fiscal Year 2022 to develop a plan to eliminate the issues, including the TRAILS eligibility mismatch issue, we identified in the Fiscal Year 2019 audit. In order to address our recommendation that the Department identify and correct any additional cases affected by the system issues noted during our Fiscal Year 2019 audit, the Department developed an eligibility reconciliation report that compares beneficiary records with an active eligibility span in Colorado interChange, in order to identify any records that were not reported in the monthly eligibility file from CBMS. Department staff reported that they are reviewing the reconciliation report monthly to identify any beneficiary records that need updating in CBMS. Beneficiaries may show up on the reconciliation report either because (1) Colorado interChange rejected the beneficiary?s eligibility due to a data integrity issue, or (2) there was a system defect in CBMS, Colorado interChange, or TRAILS that caused a mismatch issue. Data integrity issues include issues such as a missing mailing address or last name?these issues can be manually fixed in CBMS. System defect issues are generally more complex and require Department staff to research the problem and identify the system that caused the error (CBMS, Colorado interChange, or TRAILS), and then work with the appropriate staff to correct the issue. As part of our audit, we requested copies of the Department?s eligibility reconciliation reports for Fiscal Year 2022 and asked the Department if it identified any additional cases affected by the system issues we identified, and if so, if they had they corrected the issues. How were the results of the audit work measured? We measured the results of our audit against the following: ? Federal regulation [42 CFR 447.56(e)(2), Limitations on Premiums and Cost Sharing] states that federal funding will not be provided for payments made by the Department to providers for services rendered to individuals who are not eligible for Medicaid. ? The Act [Section 2, Division F, Sec. 6008, Temporary Increase of Medicaid FMAP] temporarily increased the federal medical assistance percentage (FMAP) by 6.2 percentage points, effective from January 1, 2020 until the end of the PHE. The Act requires states to maintain Medicaid and Children?s Health Insurance Program (CHIP) eligibility for beneficiaries enrolled as of March 1, 2020 through the end of the PHE (with certain exceptions) in order to receive the increased FMAP assistance (the ?continuous enrollment requirement?). The PHE remained in effect during the entirety of Fiscal Year 2022 through June 30, 2022. ? According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with the Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office, Paragraph 16.01, Perform Monitoring Activities, which states that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. What problems did the audit work identify? We determined that the Department did not fully implement our Fiscal Year 2019 recommendation related to Medicaid claims payments by the July 2021 due date it originally provided. Specifically, while the Department has started working with DHS on a plan to resolve the TRAILS eligibility mismatch issues and started preliminary work on the project, the project was still ongoing as of June 30, 2022. In addition, the Department?s system enhancements to CBMS and Colorado interChange were not fully executed because of the ongoing PHE. Once the PHE ends and the Department executes the system enhancements, the Department has indicated the system will begin to correct the CBMS and Colorado interChange mismatches. Finally, although the Department has identified additional beneficiary records that require updating in CBMS, it did not correct the identified issues in the system. Specifically, the Department identified approximately 32,800 separate beneficiaries that were flagged as having an eligibility issue through the Fiscal Year ending June 30, 2022. However, per Department staff, they are unable to tell which beneficiaries had data integrity issues versus those that were caused by a system defect. Once the continuous enrollment period ends and the Department is able to fully execute the system enhancements noted above, the Department reports that the systems will sync any error the Department has identified and will be manually corrected. Why did these problems occur? The Department indicated that it did not fully execute the CBMS and Colorado interChange system enhancements because of the Act?s ongoing continuous enrollment requirement. Specifically, because the Department was required to maintain Medicaid and CBHP beneficiaries enrolled as of March 1, 2020 through the entirety of Fiscal Year 2022 due to the continuous enrollment requirements in place, they were unable to fully execute the CBMS and Colorado interChange system enhancements that would fix the data integrity issues identified during the Fiscal Year 2019 audit. Why do these problems matter? Making payments to ineligible individuals can result in the Department having to repay the federal government for the federal portion of the overpayments. Further, because Colorado interChange makes payments on behalf of other federal programs, such as CBHP, system issues with Colorado interChange could result in erroneous payments for other programs. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-043 The Department of Health Care Policy and Financing should strengthen its internal controls over Medicaid claim payments by: A. Continuing to work with the Department of Human Services to fully implement the plan to eliminate the Colorado interChange issues between Colorado Benefits Management System (CBMS), TRAILS, and Colorado interChange to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries. B. Continuing to review the monthly eligibility reconciliation reports and identifying beneficiary records that need updating, and making necessary corrections in CBMS once the continuous enrollment condition ends. Response Department of Health Care Policy and Financing A. Partially Agree Implementation Date: April 2023 The Department and CBMS teams have strengthened their internal controls to ensure payments are only made to providers for eligible members. The Department and CBMS teams will update all member records identified on the Monthly Reconciliation report once the Public Health Emergency ends. TRAILS team has provided additional training to the Case Managers to prevent data integrity issues being submitted to CBMS and interChange; however, the TRAILS team does not plan to update the system's internal controls until funding is available. Auditor?s Addendum Our responsibility under federal audit regulations is to report to the federal government when we identify Medicaid payments that may not have been made on behalf of eligible individuals or costs that we question as appropriate. It is ultimately the Department?s responsibility to have internal controls in place over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions B. Agree Implementation Date: April 2023 The Department agrees to review the monthly eligibility reconciliation report and is looking forward to resolving the member records once the Public Health Emergency ends to fully resolve the audit finding.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-041 Medicaid Eligibility?Social Security Numbers associated with Multiple State IDs Each beneficiary?s Medicaid application must contain specific information, including the beneficiary?s Social Security Number (SSN), a copy of their birth certificate, and support for their income, necessary for determining their Medicaid eligibility. The local counties and MA sites are responsible for administering the benefits application process, including entering the required data for eligibility determination into CBMS, and approving or denying applicants? eligibility. CBMS is a shared eligibility system between the Department and the Department of Human Services. As each beneficiary has one SSN, similarly, the State Identification Module (SIDMOD), which is managed by the Office of Information Technology (OIT), is designed to assign a unique State ID for each beneficiary. CBMS interfaces with Colorado interChange, the Department?s Medicaid claims payment system, on a daily basis to update eligibility information, such as a beneficiary?s eligibility status or termination of benefits in Colorado interChange. Colorado interChange uses this information to process and pay claims for services provided to eligible Medicaid beneficiaries. When a medical provider submits a claim to the Department, Colorado interChange checks the State ID and the date of birth, but not the SSN, submitted with the claim against the beneficiary?s information on file. If the State ID and the date of birth match an eligible beneficiary within Colorado interChange and the claim is otherwise appropriate, then the claim will be processed and paid through the system. The Department requires local counties or MA site caseworkers to call the OIT Service Desk to obtain approval for changing or updating an SSN in CBMS. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department made claims payments on behalf of beneficiaries with the same SSN but different State IDs, including assessing the Department?s progress in implementing our Fiscal Year 2019 recommendation related to this issue. At that time, we recommended that the Department improve its internal controls in this area to ensure that it complies with federal regulations regarding Medicaid eligibility. The Department agreed with the Fiscal Year 2019 recommendation and, during our Fiscal Year 2021 audit, reported that it had implemented this recommendation as of December 2020. As part of our testing, we reviewed the internal controls the Department had in place during Fiscal Year 2021 to identify any beneficiaries whose SSN is linked to more than one State ID in Colorado interChange. During our audit, we requested a list of all Medicaid claims that were submitted by providers and paid by the Department from December 1, 2020, through June 30, 2021, including the beneficiaries? names, SSNs, and State IDs. The Department provided a list that included approximately 924,000 beneficiaries who received benefits during that period. We analyzed this listing to identify any beneficiaries whose SSN was linked to more than one State ID, and to determine if any claims payments were made on behalf of those beneficiaries from December 2020 through June 2021. How were the results of the audit work measured? Federal regulation [42 CFR 435.910] states that the Department must require, as a condition of eligibility, that each individual (including children) seeking Medicaid services furnish a SSN. Federal regulation [42 CFR 435.914] further requires the Department to obtain and maintain documentation to support each beneficiary?s Medicaid eligibility determination. Federal regulation [42 CFR 447.56(e)(2)] states that federal funding will not be provided for payments made by the Department to providers for services provided on behalf of individuals who are not eligible for Medicaid. Further, the Department is required by federal regulations to repay the federal government the federal share of any overpayments within one year. Specifically, pursuant to 1903(d)(2)(C) of the Social Security Act [42 U.S.S. 1396b], states have up to one year from the date of discovery of the overpayment to recover or attempt to recover the overpayment before the federal share must be refunded to CMS regardless of whether recovery is made from the provider. According to federal regulation [45 CFR 75.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office. Under Paragraph 16.01 of the Green Book, the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. What problem did the audit work identify? We determined that the Department has not fully implemented the prior audit recommendation. During our testing, we identified 102 unique SSNs that appeared to be inappropriately associated with more than one State ID; in total, the 102 SSNs were tied to 209 State IDs. This could indicate that the Department determined eligibility without a beneficiary furnishing the correct SSN and, as a result, made claims payments on behalf of ineligible beneficiaries or the SSNs could be valid, but with more than one State ID, a provider could submit and have a claim paid for the same services under both State IDs. Specifically, we found the following: ? For 62 SSNs, the SSNs were tied to beneficiaries with more than one State ID, totaling 129 different State IDs, where the State IDs appeared to be for different people based on the names and/or dates of birth. ? For 40 SSNs, the SSNs were tied to beneficiaries with more than one State ID, totaling 80 different State IDs, where the State IDs had the same name and date of birth. ? For 99 SSNs, each SSN was tied to two different State IDs in Colorado interChange. ? For three SSNs, each SSN was tied to more than two different State IDs in Colorado interChange. For example, in one of the three instances, there were five different State IDs associated with one invalid SSN. These issues affected a total of 209 Medicaid State IDs that had not been corrected as of June 2021, representing a total of $67,235 Medicaid claims paid through Colorado interChange from December 2020 through June 2021. We provided the list of SSNs and State IDs to the Department to research. The Department found that, as of the end of our audit in April 2022, 59 out of the 102 SSNs identified during the audit had been corrected by a caseworker, but 43 SSNs need to be corrected in CBMS. The Department reported that these 43 SSNs had been flagged through a system edit in CBMS implemented in December 2020; however, the SSNs had not yet been corrected because ?To merge or correct [the SSNs and State IDs] is a time intensive process and must be prioritized within the business process of the [local counties and] Medical Assistance sites.? Although the Department was able to determine which SSN and State ID discrepancies had been corrected in CBMS as of April 2022, the Department has not completed its research to determine which claims made in Colorado interChange were made on behalf of beneficiaries with a correct SSN, and whether the implemented system edit appropriately addresses the issues identified in both Fiscal Years 2019 and 2021. As of the end of the audit, the Department had not completed this research and we were unable to determine whether the payments were made on behalf of beneficiaries with a valid SSN at the time payments were made. Therefore, we consider all $67,235 of the payments to be known questioned costs; $37,786 of these costs were paid with federal grant funds. A questioned cost, as defined in federal regulations [45 CFR 75.2 Uniform Administrative Requirements, Cost Principles, and Audit Requirements] (Uniform Guidance), is ?a cost that is questioned by the auditor ? (1) Which resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds; [or] (2) Where the costs, at the time of the audit, are not supported by adequate documentation?.? We have identified these questioned costs as known questioned costs that are further defined in Uniform Guidance [45 CFR 75.516] as questioned costs that are specifically identified by the auditor. Why did this problem occur? The Department did not have adequate internal controls in place during Fiscal Year 2021 to prevent or detect all instances of multiple State IDs associated with the same SSN in Colorado interChange and, as a result, could not ensure only eligible beneficiaries received Medicaid services. SIDMOD does not prevent several situations that can result in the same SSN with more than one State ID. For example, caseworkers could incorrectly input an SSN into CBMS or the SSN could be reported by the beneficiary incorrectly and, as a result, cause a new State ID to be created. There can also be instances when someone changes their name, such as when they get married, and apply for benefits prior to getting married and also after getting married, which could cause two State IDs to be created. If someone starts an application and does not finish the application and then restarts a new application at a later date, this can also cause two State IDs to be created. Further, when inputting multiple family members into the system, an input error of the SSN can occur with multiple family members with the same SSN, which would create multiple State IDs (one for each family member) with the same SSN. According to the Department, in order to implement the Fiscal Year 2019 recommendation, it implemented a system edit in CBMS in December 2020 that is designed to identify discrepancies in newly-entered or updated SSNs and State IDs in CBMS after that date and to then notify the caseworker so the caseworker can address the discrepancy; this edit was not designed to address SSN and State ID discrepancies that existed prior to December 2020. As a result, the system edit did not identify SSN and State ID discrepancies for claims made from December 2020 to June 2021 if those discrepancies existed prior to the implementation of the system edit in CBMS and the beneficiaries? information had not been updated in CBMS. For example, if a beneficiary had an incorrect SSN prior to the system edit and was, therefore, ineligible to receive Medicaid services, Colorado interChange would continue paying claims on behalf of the beneficiary until information was updated in CBMS and the beneficiary was determined to be ineligible for Medicaid. Because the system edit implemented in CBMS is only designed to detect and correct future SSN and State ID discrepancies, the Department has not fully addressed the issue of inappropriate claims payments that we identified in the prior audit recommendation. According to the Department, addressing SSN and State ID discrepancies that existed prior to December 2020 involves a manual process to identify, research, and resolve the discrepancies. The Department stated that a report to identify SSNs with multiple State IDs is being developed and is currently scheduled for deployment in June 2023. Furthermore, the Department has not established a monitoring process over caseworkers to ensure SSN and State ID discrepancies are addressed appropriately and in a timely manner. Why does this problem matter? Failing to institute appropriate controls over the processing of Medicaid eligibility can result in the counties and MA sites granting Medicaid benefits to ineligible individuals. As the state Medicaid agency, it is essential for the Department to ensure that Medicaid benefits are paid only for eligible beneficiaries. This includes ensuring that the Department has sufficient internal controls to address risks related to multiple State IDs associated with the same SSN. For example, without adequate controls in place to prevent multiple State IDs from being created, providers could erroneously or fraudulently submit duplicate claims under these State IDs for the same services, resulting in improper payments. Ultimately, the federal government may disallow federal funds for Medicaid program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. Recommendation 2021-041 See Schedule of Findings and Questioned Costs for chart/table The Department of Health Care Policy and Financing (Department) should improve its internal controls over Medicaid eligibility by: A. Researching the claims payments that were identified during our audit to determine whether the local counties or Medical Assistance sites had a valid Social Security Number (SSN) when determining eligibility, if payments were appropriate?in accordance with federal regulation at the time the payments were made?and recovering any payments made to providers on behalf of ineligible beneficiaries in accordance with federal regulations. B. Continuing to develop a report to identify SSNs associated with multiple State IDs and establishing and implementing written policies and procedures outlining how the Department will use the report to effectively monitor and correct SSN and State ID discrepancies. C. Implementing a process to monitor that caseworkers are addressing the Colorado Benefits Management System alerts related to SSN and State ID discrepancies appropriately and in a timely manner. Response Department of Health Care Policy and Financing A. Disagree The research required to identify the appropriateness of payments for 102 SSNs compared to the 1.6 million Coloradans the Department serves is administratively impractical and not an efficient use of limited state resources. Instead the Department will continue our existing proactive approach. Based on previous research, 92% of errors noted in the 2019 sample actually supplied a SSN or met exceptions criteria; therefore, payments were appropriate. The resolution of a SSN discrepancy is addressed through manual intervention by county eligibility technicians when identified through the system edit implemented in December 2020. The Department will continue the existing process to address duplicate SSNs, which is working since 58% of the SSNs had already been corrected through the existing process during the audit work. The Department could not agree to the questioned costs as the testing failed to determine which member case was incorrect. The OSA should have documented the incorrect case or identified which State IDs had not been merged through the existing process. The OSA pulled claims data (not Colorado Benefits Management System, or CBMS, cases) and did not identify if those claims were from newly entered cases or cases entered prior to December 2020. The auditor?s sample should have only included the cases impacted by the Department?s system change related to the original recommendation. Further, the Department cannot recover any payments from providers since this issue is not related to services provided. When a provider checks a member's eligibility on the day of service and finds the member eligible through the Department?s system, that provider is guaranteed payment if they render an authorized service. Auditor?s Addendum Our responsibility under federal audit regulations is to report to the federal government when we identify Medicaid payments that may not have been made on behalf of eligible individuals or that we ?question? as appropriate. It is ultimately the Department?s responsibility to perform research over questioned costs to determine whether the payments were or were not appropriate and, working with CMS, whether the Department must refund the federal share of any overpayments to CMS, regardless of whether the Department recovers the payments from the providers. B. Agree Implementation Date: June 2023 The Department will continue our existing proactive approach to minimize this issue. The resolution of a SSN discrepancy is addressed through manual intervention by county eligibility technicians when identified through the system edit implemented in December 2020. The Department will continue the existing process to address duplicate SSNs. The Department has already made significant progress to monitor CBMS through the use of CBMS monitoring dashboards. These dashboards allow the Department to monitor and perform daily analysis. The Department meets bi-weekly to discuss findings and next steps to resolve any issues identified through the dashboard. These dashboards are being implemented over time as areas of improvements are identified. As part of the Department's continual improvement strategy, SSN discrepancy reports are included in the next implementation phase of the monitoring dashboards scheduled for June 2023. The Department will develop and implement policies and procedures outlining how the report will be used to effectively monitor and correct SSN and State ID discrepancies. Once that work is complete, the Department will send updated written guidance to our county and medical assistance sites on how to use system edits, reports, and dashboards to resolve duplicate SSNs. C. Agree Implementation Date: June 2023 The Department will continue our existing proactive approach to minimize this issue. The resolution of a SSN discrepancy is addressed through manual intervention by county eligibility technicians when identified through the system edit implemented in December 2020. The Department will continue the existing process to address duplicate SSNs. The Department has already made significant progress to monitor CBMS through the use of CBMS monitoring dashboards. These dashboards allow the Department to monitor and perform daily analysis. The Department meets bi-weekly to discuss findings and next steps to resolve any issues identified through the dashboard. These dashboards are being implemented over time as areas of improvements are identified. As part of the Department's continual improvement strategy, SSN discrepancy reports are included in the next implementation phase of the monitoring dashboards scheduled for June 2023. Once that work is complete, the Department will send updated written guidance to our county and medical assistance sites on how to use system edits, reports, and dashboards to resolve duplicate SSNs appropriately and in a timely manner.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-042 Medical Loss Ratio Reporting for Managed Care Entities The Department contracts with Managed Care Entities (MCEs) to provide managed care health plans and deliver health care services to eligible Medicaid and CBHP beneficiaries and pays MCEs monthly fixed amounts, known as capitation payments, based on rates determined by actuaries for the provision of services covered under the contract. The Department pays the MCEs monthly capitation payments on behalf of each Medicaid and CBHP beneficiary enrolled in the MCE?s plan. MCEs then coordinate services for the eligible Medicaid and CBHP beneficiaries and providers participating in the managed care system bill the MCEs directly for any medical services provided to Medicaid and CBHP beneficiaries. The MCEs are then responsible for paying the providers for the Medicaid and CBHP claims. The Department contracts with three different types of MCEs?Managed Care Organizations (MCO), Prepaid Inpatient Health Plans (PIHP), and Primary Care Case Management (PCCM) Entities. During Fiscal Year 2021, the Department had a total of 8 contracts with 10 MCEs, with two pairs of MCEs sharing a single contract with the Department. The Department is responsible for monitoring the MCEs to ensure they are complying with federal regulations and their contract provisions, including requirements that the MCEs annually submit Medical Loss Ratio (MLR) reports to the Department. The MLR is the proportion of state and federal Medicaid and CBHP funds that the MCE used for medical services compared to the funds used for its administrative costs. MCEs are required by both federal regulations and their Department contract provisions to have an MLR above 85 percent (i.e., an MCE?s administrative costs cannot exceed 15 percent) except for specific exceptions defined in federal regulations. If the MLR is below 85 percent, the MCE must pay back the state and federal government for the amount that caused the MCE to fall below 85 percent. Every fiscal year, the Department provides an MLR reporting template for the MCEs to complete and return to the Department. The Department reported that when it receives the completed templates, staff review the information provided by the MCEs and compare it to supporting documentation to ensure it is accurate and complete. Once the Department has reviewed the MLR reports submitted by the MCEs, the Department submits the MLR reports to CMS, which are due by June 30 of the year following the end of the MLR reporting year. For example, an MCE with a reporting year ending June 30, 2020, would be required to submit the MLR calculation to CMS by June 30, 2021. During Fiscal Year 2021, the Department reported that it paid approximately $1.4 billion in Medicaid and CBHP capitation payments to MCEs for medical services, not including the capitation payments for other services, such as administrative costs. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to review the Department?s internal controls and compliance over ensuring that MLR reports submitted to CMS by the Department include all the required information in accordance with federal regulations during Fiscal Year 2021. The audit work included making inquiries of Department staff regarding the Department?s documented policies and procedures over obtaining and reviewing MLR reports from each MCE. In addition, we requested and reviewed all MLR reports submitted to the Department by the 10 MCEs that were under contract with the Department in Fiscal Year 2021 to determine whether the MLR reports included all information required by federal regulations and were submitted within the required timeframes. How were the results of the audit work measured? Federal regulations [42 CFR 438.8(k)] require that the Department ensure each MCE under contract with the Department submits a report with the data elements specified in 42 CFR section 438.8(k)(1). The reports are specifically required to contain 13 required data elements, reflect the correct reporting years, and contain an attestation of accuracy regarding the calculation of the MLR. The 13 data elements include items such as total incurred claims, the methodology for allocating expenditures, the calculated MLR, and a comparison of the information reported in the MLR report to the MCE?s audited financial report. Federal regulations [42 CFR 438.8(g)] note that the method used to allocate expenses in the MLR calculation must be: ? Based on a generally accepted accounting method that is expected to yield the most accurate results; ? Any shared expenses must be apportioned pro rata to the contract incurring the expense; and ? Expenses that relate solely to the operation of a reporting entity must be borne solely by the reporting entity and are not to be apportioned to other entities. Federal regulations [42 CFR 438.8(k)(2)] require MCEs to submit the MLR report in a timeframe and manner determined by the Department, which must be within 12 months of the end of the MCE?s reporting year. The Department?s contract provisions for MCEs state that the MLR reporting year should align with the State?s fiscal year, beginning on July 1 and ending on June 30 of the subsequent calendar year. Contract provisions also state that each MCE shall submit to the Department the completed MLR calculation template and supporting documentation for each reporting year by the following January 15. For example, an MCE with a reporting year ending June 30, 2020, would be required to submit the MLR calculation template to the Department by January 15, 2021, and the Department would be required to submit the MLR calculation to CMS by June 30, 2021. What problems did the audit work identify? We reviewed all reports provided to the Department by the 10 MCEs during Fiscal Year 2021 (for the MLR reporting year ended June 30, 2020) and determined that none of the MLR reports submitted by the 10 MCEs to the Department contained all of the required data elements in Fiscal Year 2021. Specifically, the MLR reports were missing 2 of the 13 (15 percent) required data elements: the methodology for the MCEs? allocation of expenditures and a comparison of the information reported in the MLR report to the MCEs? audited financial reports. This omission is significant because the MCEs reported total medical expenditures ranging from $20.5 million to $208.4 million and earned revenue from $23.4 million to $219.1 million. In addition, we determined that 1 of the 10 MLR reports received in Fiscal Year 2021 (10 percent) had not been submitted to CMS as of April 2022. This report was due to CMS on June 30, 2021. Why did these problems occur? We found that the Department lacked adequate controls to ensure that MLR reports submitted by the MCEs fully complied with federal regulations. First, we noted that although the Department?s MCE contracts state the MCE?s MLR report should include all 13 federally required data elements, the MLR template the Department provided to the MCEs did not include specific sections addressing the two missing federally-required data elements. As a result, the MCEs did not submit this information. Furthermore, the Department did not have written policies and procedures for reviewing completed MLR reports to ensure the reports ultimately included those requirements. Second, the Department does not have an enforcement mechanism to ensure the MCEs provide corrected MLR report information in a timely manner. The Department reported that it had not submitted the one MLR report to CMS because it had open questions on the MLR report and was unable to verify that the information was correct, valid, and in compliance with federal regulations. Although the Department sent the MLR report back to the MCE for correction several times, the Department did not have sufficient controls in place to ensure the MCE ultimately provided the corrected report back to the Department within the required reporting timeline for CMS submission. Why do these problems matter? The Department is responsible for ensuring MLR reports are obtained and submitted to CMS in accordance with federal regulations and that MCEs have an MLR above 85 percent. While all 10 MCEs reported that their MLRs were above 85 percent for the reports submitted during Fiscal Year 2021, without providing all required data elements, neither the Department nor the federal government can validate that this percentage is accurate. By not including the methodology for the MCE?s allocation of expenditures, the Department, and ultimately CMS, are unable to confirm that each type of expense is being allocated correctly and that any shared expenses are being prorated appropriately. Additionally, by not including a comparison of the information reported in the MRL to the MCE?s audited financial report, the Department is unable to confirm that the information the MCE used to calculate their MLR is accurate. Overall, without effective internal controls in place, the Department risks providing MLR reports to CMS that contain inaccurate or incomplete information or that the MLR is below 85 percent and the Department does not catch the error. As a result, state and federal funds could be used disproportionately on administrative costs rather than medical services, which would negatively impact the quality of care Medicaid and CBHP beneficiaries receive. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-042 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls over Medical Loss Ratio (MLR) reporting by: A. Updating its MLR report template provided to Managed Care Entities (MCEs) to comply with federal regulations and developing and implementing written policies and procedures. These policies and procedures should include the requirement for MCEs to submit MLR reports that include the data elements required by federal regulations and specify the Department?s review process of those MLR reports to ensure they include accurate and complete information. B. Developing an enforcement mechanism to ensure it receives accurate and corrected information from the MCEs in a timely manner so the Department is able to complete its validation process of MLR reports and meet the June 30 deadline for report submission to the Centers for Medicare & Medicaid Services. Response Department of Health Care Policy and Financing A. Agree Implementation Date: December 2022 The MLR report template has been updated and will now be reviewed at least yearly by the Department. In addition, new written policies and procedures are being developed and will be implemented before the submission of the next MLR for review. B. Agree Implementation Date: January 2023 The Department will add contract language and enforcement mechanisms in order to receive accurate information in a timely manner. This includes specific timelines for correcting incomplete or inaccurate information in order to submit the MLR report timely to the Centers for Medicare & Medicaid Services.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-043 Managed Care Entities? Periodic Audit Reporting On November 9, 2020, CMS adopted a final rule (Final Rule) revising the regulations governing managed care programs. The Final Rule was meant to streamline the existing Medicaid and CBHP managed care regulatory framework. Further, it adopted procedures and standards to ensure accountability and strengthen program integrity safeguards. The Department is responsible for complying with these federal program integrity regulations, some of which include requirements to monitor MCE compliance submission requirements, conduct periodic audits of submitted MCE data, and then post the periodic audits publicly on the Department?s website. These periodic audits are done to determine the accuracy and completeness of the (1) encounter and, (2) financial data submitted by each MCE, which are described as follows: ? Encounter Data. The Department?s contracts with the MCEs require each MCE to submit Medical Encounter Claims (Encounter Data) to the Department. Encounter Data includes services provided by any of the MCE?s providers, including, but not limited to, services delivered by medical groups, practices, clinics, physicians, or any other providers. MCEs must submit Encounter Data on a monthly basis on the last business day of the month. The Department then contracts with an independent external quality review organization to review the information and supporting documentation, and then the external organization issues a report on the data submitted by each MCE. ? Financial Data. The Department?s contracts with the MCEs require each MCE to complete a Department-provided financial reporting template that contains a breakdown of the MCE?s administrative and medical costs for a 12-month period (July through June). These templates are required to be completed and submitted to the Department by January 15 each year. The Department performs an initial review of the information, and then sends the completed templates to an independent CPA firm for final review and issuance of a report on the data submitted by each MCE. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to review the Department?s internal controls over and compliance with federal program integrity requirements for MCEs during Fiscal Year 2021. The audit work included making inquiries of Department staff regarding the Department?s documented policies and procedures over the MCE periodic audits. For each MCE, we reviewed the Department?s MCE contract, the financial reporting template submitted during Fiscal Year 2021, and the report issued by the Department?s contracted independent organization. Lastly, we reviewed the Department?s website to determine whether the Department posted the periodic audit results on their website. How were the results of the audit work measured? Federal regulations [42 CFR 438.602] detail the Department?s responsibilities associated with MCE program integrity. These include the following: ? Federal regulation [42 CFR 602(e)] requires the Department to periodically conduct, or contract for the conduct of, an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by each MCE. ? Federal regulation [42 CFR 438.602(g)(4)] requires that the results of the periodic audits for each MCE be publicly posted on the Department?s website. The Department?s MCE contracts require all MCEs to submit Encounter Data electronically to the Department on a monthly basis. The Department?s MCE contracts also require all MCEs to submit annual financial information, including annual financial statements and the Department provided financial reporting template. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in the Green Book. Under Paragraph 16.01, the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. What problems did the audit work identify? Overall, we found that the Department did not obtain complete financial data from the MCEs during Fiscal Year 2021 and did not post the audited results of the financial data to the Department?s website. Specifically, we found the following: ? Financial Data Reporting Template. For 2 out of the 10 (20 percent) financial reporting templates we reviewed, the MCE did not fill out the reporting template completely. As a result, the reporting templates were missing supporting information and explanations that assist the Department in their initial review of the MCE financial data, such as the MCE?s methodology for calculating administrative and medical costs submitted with the reporting template. ? Posting Incomplete Periodic Audits to the Department?s Website. For 10 of the 10 (100 percent) MCEs, we found that the Department failed to post the results of the financial data audits to its website. Pursuant to federal regulations, the audits must include information on encounter and financial data for each MCE and be posted to the Department?s website. We were able to verify that the Department did, however, post the results of the encounter audits to its website for all 10 MCEs. Why did these problems occur? The Department lacked adequate controls over ensuring compliance with federal program integrity requirements for MCEs. Specifically, the Department did not have written policies and procedures for performing the initial review of the financial data reporting templates before they are sent to the CPA firm for final review. In addition, the Department did not have written policies and procedures for ensuring all periodic audit information is posted to its website, including the results of the financial data audits. Why do these problems matter? As a recipient of federal funds, the Department is ultimately responsible for ensuring that it is in compliance with federal regulations. By not confirming that the MCE financial data templates are complete, there is a risk that the reports issued by the contracted CPA firm could be inaccurate or incomplete, which could lead to the Department not properly monitoring the managed care program. In addition, by posting incomplete periodic audit information to its website, the Department risks failing to comply with federal program integrity requirements for MCEs. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-043 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls by developing and implementing written policies and procedures for periodic audits that detail the process for (1) performing the initial review of the financial data reporting templates submitted by Managed Care Entities, and (2) posting complete periodic audit results on the Department?s website in accordance with federal regulations. Response Department of Health Care Policy and Financing Agree Implementation Date: December 2022 The Department did not have strong enough controls for the initial checks on the financial data reporting templates. This process has been updated and will be rectified in coming cycles. The Department has modified its templates in order to address the concerns provided by the auditors including signatures and supplemental reporting. Written policies and procedures for the validation and audit of the templates are being developed currently and will be in place and effective in December 2022. The Department will be correcting this error by posting the audit results along with other quality and audit reports on the following site: https://hcpf.colorado.gov/quality-and-health-improvement-reports.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-045 Payments for Non-Emergent Medical Transportation ClaimsPrior to July 2020, in 55 counties, the Department worked with various county offices to have them broker Non-Emergent Medical Transportation (NEMT) services for Medicaid recipients, including rides to and from Medicaid medical appointments, personal mileage reimbursement, and trip-related meals and lodging. For example, these counties arranged the rides with transportation providers, submitted the claims or had providers submit claims for reimbursement to the Department, and passed on reimbursements to providers as needed. For the remaining nine counties, the Department contracted with IntelliRide to serve as the NEMT broker for services in those areas. From July 1, 2020, to August 31, 2021, when the Department contracted with IntelliRide to be the statewide broker, most recipients throughout the state scheduled NEMT rides by contacting IntelliRide through its call center, website chat function, or smartphone applications. IntelliRide scheduled rides and assigned transportation providers to them, and had providers upload trip information into IntelliRide?s EcoLane transportation scheduling system. EcoLane maintains information related to recipients? requests for rides and provider trip information, such as the trip date and time, names of the recipient and driver, and scheduled pick-up and destination addresses. IntelliRide submitted claims through the Department?s interChange system (interChange) requesting payments for providers? NEMT services, paid providers for their services, and received reimbursement from the Department. In addition, the Department paid NEMT claims submitted directly by NEMT providers. In Fiscal Year 2021, from July 1, 2020, through February 28, 2021 (the audit period), the Department paid 362,110 claims for NEMT services totaling about $33.2 million, as shown in the following table. In September 2021, the Department plans to transition back to IntelliRide brokering services in nine counties, while the NEMT providers in the remaining counties will broker their own services. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote What audit work was performed and how were the results measured? The purpose of the audit work was to determine whether the Department has ensured that NEMT claims adhere to the following federal and state requirements. ? NEMT trips were to be brokered through, and all claims submitted by, the statewide broker, Intelliride. According to state regulations and the Department?s NEMT Billing Manual, all NEMT trips during Fiscal Year 2021 had to be authorized by the statewide broker, IntelliRide [10 CCR 2505-10 8.014.7.A]. This means that each recipient?s NEMT ride request should have been sent to IntelliRide for approval or authorization before the trip, and any unauthorized trips should ?not be reimbursed or paid? [Billing Manual]. According to the Department, it allowed NEMT providers time to transition to working with IntelliRide because some providers were reluctant to join the statewide brokerage and the Department needed time to onboard providers. By Fall 2020, most providers should have been working with IntelliRide to schedule NEMT rides. The Department told us that six NEMT providers received its express permission to bypass IntelliRide to schedule rides and submit claims directly to the Department because the providers are unique, such as only serving recipients with disabilities or receiving federal grant funding to provide NEMT. To assess whether IntelliRide brokered most NEMT services in the State and submitted the related claims in line with regulations and its contract, we reviewed the Department?s aggregate data for the 128,998 NEMT claims paid from December 2020 through February 2021. ? The Department must pay claims based on accurate service rates and trip mileage. Non-taxi NEMT services, such as wheelchair and mobility vehicle services, have base rates and mileage rates set by the Department. IntelliRide tracks the mileage of each NEMT trip in EcoLane and submits mileage claims to the Department?s interChange system. The Public Utilities Commission (PUC) sets the rate for each permitted taxi provider, which generally includes a rate for the first trip mile and a different rate for each additional mile. According to the Department?s NEMT Billing Manual and NEMT Rate Schedule for Fiscal Year 2021, taxi claims should have been paid at the rate set by the PUC. For example, if a taxi company?s PUC rate was $4 for the first mile and $2 for each additional mile, the Department should have paid $6 for a two-mile NEMT trip claim. To verify that the Department paid NEMT claims based on the correct trip mileage and rates, we reviewed the trip mileage and rates for 362,110 NEMT claims paid from July 2020 through February 2021, and PUC documentation on the taxi rates for permitted taxi companies. ? Claims must be supported with accurate and complete documentation confirming the service provided. Both IntelliRide and providers that submit claims for NEMT services must keep and be able to furnish accurate, complete supporting documentation for all claims [42 USC 1396a(27), 42 CFR ?? 431.17 and 433.32, and 10 CCR 2505-10 8.014.3.C and 8.014.6.B]. For example, a claim must be supported by medical documentation showing that the type of vehicle was needed to transport the recipient, and documentation from the transportation provider showing the trip occurred and when the recipient was picked-up and dropped-off. IntelliRide should only submit a claim to the Department after IntelliRide confirms the trip has been completed and marks the status complete in EcoLane [IntelliRide Policies and Procedures]. If an NEMT provider does not show up for a trip, IntelliRide should mark the trip as ?cancelled? in EcoLane. Payments for Medicaid claims that lack supporting documentation for the services provided are unallowable, meaning they should not be paid. IntelliRide or the Department must maintain documentation from recipients? medical providers showing why certain NEMT services, like transportation in a wheelchair van or with an escort, are medically necessary [10 CCR 2505-10 8.014.7.B and 8.014.5.D.1; Billing Manual]. To verify that there was support for NEMT claims, we reviewed IntelliRide data in EcoLane for all 362,110 NEMT claims paid from July 2020 through February 2021, and Department documentation for a sample of 85 NEMT paid claims?75 selected randomly from the four NEMT service areas of the state, and 10 that were the highest paid NEMT claims. ? NEMT services must be medically necessary. NEMT services shall only be provided to recipients with no other means to attend medically necessary, non-emergency treatment covered by Medicaid [42 USC 1396a(70); 42 CFR 431.53; 10 CCR 2505-10 8.014.5.B]. To verify that NEMT claims were only paid for recipients to access medical care, we reviewed the Department?s data on paid medical claims to determine if the recipients related to 22 sampled NEMT claims paid in December 2020 had a corresponding medical appointment. For another 61 paid NEMT claims that involved IntelliRide scheduling and submitting claims for trips every day in December for two recipients, we reviewed whether the recipients had paid medical claims corresponding with the trips. ? Prior authorization is required for air ambulance. The Department must grant prior authorization for the use of an NEMT air ambulance before the trip occurs in order for the claim to be paid [10 CCR 2505-10 8.014.7.D.1.b]. To verify that the Department granted prior authorization for air ambulance trips, we reviewed the use of air ambulances in 11 paid claims from July 2020 to February 2021. ? Recipients are to receive the least-costly NEMT transportation option appropriate for their medical condition. For example, recipients should only ride in a vehicle for recipients with mobility needs when they have a mobility issue or if there is a lack of access to public transportation [10 CCR 2505-10 8.014.6.B, 42 USC 1396(a(70), and 42 CFR 440.170(a)(4)]. Higher-cost NEMT services, such as ambulance and wheelchair van services, must be supported with documentation of the recipient?s need for the specific higher-cost services [10 CCR 2505-10 8.014.5.B.1.b]. To determine whether recipients received the least costly NEMT services to meet their needs, we reviewed documentation submitted by medical or transportation providers to IntelliRide or the Department for the 85 sampled NEMT claims. ? Taxi providers must be permitted by the PUC to provide NEMT taxi rides. To provide NEMT rides by taxi and receive payment for them, the provider must maintain a common carrier permit issued by the PUC [10 CCR 2505-10 8.014.3.B.4.a]. To verify that the providers that were paid for taxi claims had been permitted to provide taxi services, we reviewed the 33,791 NEMT claims for taxi services from July 2020 to February 2021. What problems were identified? The Department paid $3.5 million directly to 66 NEMT providers for claims that were not brokered by Intelliride. From December 2020 through February 2021, 26,890 of the approximately 129,000 NEMT claims paid by the Department (21 percent), totaling about $3.5 million, were not brokered through IntelliRide, which violated state regulations requiring all NEMT services to be brokered through the statewide brokerage in effect at the time. The following chart shows the amounts the Department paid for claims submitted directly by NEMT providers compared to its payments for claims submitted by IntelliRide from July 2020 through February 2021. During these months, the number of claims that providers submitted directly to the Department decreased as providers transitioned to working with IntelliRide to broker NEMT rides; however, as of February 2021, the Department was still paying about $1 million in monthly claims that were submitted directly by providers. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote The Department paid 36,910 NEMT claims totaling $5.5 million, which either violated or may have violated federal and/or state regulations. The claims were for unallowable services or were overpaid, and resulted in $291,597 in known questioned costs and $5,180,962 in likely questioned costs for Medicaid. A questioned cost is a payment that ?resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds? or ?the costs, at the time of the audit, [that] are not supported by adequate documentation?? [2 CFR 200.84]. A known questioned cost reflects a violation that the auditor confirmed; a likely questioned cost is the auditor?s best estimate of a potential violation [2 CFR 200.516(a)(3)]. Known and likely questioned costs should be investigated by the Department and recovered, as appropriate, because Medicaid overpayments are recoverable regardless of whether they occurred due to an error by the Department, entity acting on behalf of the Department, or a provider [Section 25.5-4-301(2), C.R.S.]. We found the following problems resulting in $291,597 in known questioned costs: ? Claims paid with no support that services were provided. For 3,958 of the 362,110 NEMT claims (1 percent), which totaled $258,115 paid from July 2020 to February 2021, IntelliRide or providers submitted the claims without any documentation showing that recipients received the NEMT services from the providers listed in the claim. The $258,115 is known questioned costs and includes: o 3,323 claims totaling $163,985 submitted by IntelliRide with no documentation in EcoLane of a ride being scheduled or provided. o 619 claims totaling $61,431 submitted by IntelliRide for which EcoLane showed the scheduled ride was cancelled. o 16 sampled claims totaling $32,699 submitted by providers directly to the Department had no documentation that an NEMT service occurred because the providers did not send the Department documentation for their claims. Upon our request, the Department attempted to obtain supporting documentation from providers for these claims but was unable to obtain any. ? Overpayments due to incorrect mileage and taxi rates. For 466 of the 321,099 mileage and taxi claims (less than 1 percent), the Department overpaid IntelliRide. Specifically, for 50 of the 287,308 mileage claims (less than 1 percent), the mileage submitted by IntelliRide that the Department paid was more than the ride mileage that IntelliRide documented in EcoLane. For 416 of the 33,791 (1 percent) claims submitted by IntelliRide on behalf of providers that were permitted to operate as taxis, the Department paid a higher rate than the providers? set PUC rate. The following table breaks out the overpayments that we identified, which totaled $6,759 in known questioned costs. We did not find issues with the rate amounts that the Department paid for non-mileage and non-taxi services. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Examples of these overpayments include: o An overpayment of $48 for a claim submitted by IntelliRide for a taxi provider that billed the wrong taxi rate. The Department paid $60 for a 4-mile trip, when it should have paid $12 based on the PUC rate of $3 per mile. o An overpayment of $79 for a claim submitted by IntelliRide on behalf of a provider because the claim showed the trip was 76 miles, but the EcoLane data showed the trip was 38 miles. The Department paid $157, when it should have paid $78. ? Unallowable rides, not for medical appointments. For 61 claims showing NEMT trips every day in December 2020 for two recipients, there were no medical claims corresponding to their trips, so it appears that either NEMT was used repeatedly to transport these recipients to unallowable destinations or the provider did not provide the trips claimed. The NEMT provider reported to IntelliRide that these trips were completed even though the recipients did not attend any medical appointments that month. IntelliRide submitted the 61 NEMT claims and its EcoLane data showed that the NEMT providers self-reported that the trips were completed. However, IntelliRide confirmed that these trips were not used to access medical care. The issues we identified resulted in $2,674 of known questioned costs. ? Air ambulance claims paid without prior authorization. None of the 11 air ambulance NEMT claims had supporting documentation that the provider requested or received prior authorization from the Department before the trip occurred. These 11 claims to three providers resulted in $23,122 in known questioned costs. ? Claims paid for trips that were not the least costly, medically necessary, and/or for approved escorts. For seven of the 85 sampled claims (8 percent), IntelliRide submitted the claims without having required documentation from medical providers. Specifically, four claims lacked documentation to support the medical necessity for the type of vehicle used (either mobility vehicle, taxi, or wheelchair van); the other three claims lacked documentation of the recipient?s need for an escort to support the associated cost, which indicates that the three sampled NEMT trips were provided to an escort ineligible to ride with the recipient. The issues we identified for the seven claims resulted in $927 of known questioned costs. In addition, we found the following problems resulting in $5,180,962 in likely questioned costs, which are estimated potential violations of federal requirements that we could not confirm due to a lack of documentation: ? $4.8 million paid for taxi claims without mileage. For 29,049 taxi claims totaling $4,763,071, the Department paid the claims without ensuring taxi providers were paid at their PUC per-mile rate. These claims were submitted directly to the Department by 10 permitted taxi providers. The Department required providers to submit claims showing only the number of one-way trips driven, not the number of miles driven. As a result, the Department could not ensure that these taxi claims were paid at the correct PUC rates, as required in its Billing Manual and Rate Schedule. The Department paid the full amount that each taxi provider requested, as long as the claim was not more than $1,000 per one-way trip. For example, the Department paid $4,000 to one taxi provider for a claim showing four one-way trips for a recipient on a single day. Based on the claim amount, the taxi provider would have had to have driven the recipient on four 400-mile, one-way trips that day to justify this amount, because the taxi provider?s PUC rate is $4 for the first mile and $2.50 for each additional mile. Since the Department did not obtain the miles driven for each one-way trip from taxi providers for these 29,049 claims, we could not determine whether the payments were accurate based on each provider?s PUC rate, as required. ? $409,575 paid for taxi claims for providers not permitted as taxis. For 3,284 NEMT claims for taxi services from eight providers, the providers were not permitted by the PUC to operate as taxis. For example, one provider was paid for an NEMT taxi claim for $5,875 for 12 trips, or $490 per trip. Since these providers were not permitted as taxis, they did not have PUC-set taxi rates, so we could not determine how much these providers should have been paid. ? $4,718 paid for trips that may not have been to attend medical services. As of April 2021, 13 of the 22 sampled NEMT claims (59 percent) for trips in December 2020 had no medical claims for dates corresponding to the NEMT trips. Department staff told us that Medicaid medical claims are typically submitted and paid within 3 months of the date of service, but that there is a possibility that medical providers had not yet submitted medical claims for the recipients since federal regulations technically allow providers up to 12 months to submit claims [42 CFR 447.45(d)(1)]. In addition, six of these 13 recipients had both Medicaid and other types of medical insurance, such as Medicare. According to the Department, it is possible that the six recipients used NEMT trips to access medical services but the Department did not have a Medicaid claim for the services because they were paid by the other types of insurance, which is allowed by state regulations [10 CCR 2505-10 8.014.5.B.2]. Therefore, we could not determine whether the NEMT trips associated with the 13 claims had been for recipients to attend medical services. ? $3,598 paid for trips that may not have been completed. For 61 of the 362,110 paid claims (less than 1 percent), the scheduled trips were not marked as complete in EcoLane, so we could not determine whether they had been completed. Why did these problems occur? The Department lacks effective internal controls over NEMT claims to ensure they are appropriate and consistently comply with federal and state requirements. According to federal regulations [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls to provide reasonable assurance that federal funds are spent in compliance with federal requirements. We identified the following areas where Department controls are lacking for NEMT claims: Lack of Department information technology (IT) Controls in interChange ? No IT controls to prevent providers from bypassing broker. From December 2020 through February 2021, the Department paid NEMT providers directly for unsupported NEMT trips because the Department did not have IT controls in interChange to deny claims for trips that were not brokered through IntelliRide, as required at the time. As of September 1, 2021, the Department plans to require only the NEMT providers operating in nine metro-Denver counties to broker trips through IntelliRide, so the Department needs IT controls to ensure providers in these counties work with IntelliRide to schedule all trips and submit related claims. ? Lack of IT and other controls to ensure proper payments for NEMT taxi services. InterChange is programmed to pay each NEMT taxi claim based on one-way trips, but the Department has not implemented an IT or other control to ensure that NEMT taxi claims are paid at the providers? current PUC-approved per-mile rates, and that the Department only pays taxi rates when the provider is permitted by the PUC to operate as a taxi. Department staff stated that the only IT control the Department has built into interChange to help ensure proper payment of taxi claims is limiting payments for taxi claims to no more than $1,000 per one-way trip, and that this control is in accordance with the NEMT Billing Manual and Rate Schedule. However, Department staff also acknowledged that there is a conflict within the Billing Manual that requires taxi claims to be based on the number of one-way trips, but also paid based on per-mile PUC rates. By setting the limit based only on the number of one-way trips instead of providers? PUC per-mile rate, this Department IT control is not effective at ensuring taxi claims are paid properly. To ensure accurate payments for NEMT taxi claims, the Department will need methods, such as IT controls in interChange, and clarification in the Billing Manual and Rate Schedule, to ensure taxi providers are paid based on set rates, and ensure each taxi provider is permitted. ? No IT controls to ensure required prior authorizations. Air ambulance services were paid without the Department?s prior authorization for the services because the Department does not have IT controls to ensure prior authorization before payment. If the Department does not implement IT controls to ensure appropriate prior authorizations of NEMT services, the Department will need to develop manual processes to ensure that NEMT services receive required authorization prior to paying the related claims. Lack of Department Monitoring of NEMT Services and Claims ? Insufficient methods to ensure appropriate payment and collect necessary documentation from providers that bypass the statewide brokerage. Although the Department reviewed NEMT provider supporting documentation for NEMT services in 2019, the Department did not do so in 2020 or 2021, and had no process to require the providers that bypassed the statewide brokerage to submit documentation to support their NEMT claims before they were paid. According to the Department, in September 2021, it plans to require providers in nine counties covered by the IntelliRide brokerage contract to provide and submit claims through IntelliRide; however, NEMT providers in the remaining 55 counties will be submitting NEMT claims directly to the Department. Therefore, it is important that the Department develop a process to ensure that providers in these 55 counties maintain required documentation for each claim. ? Lack of monitoring to ensure Intelliride submits accurate mileage claims and collects necessary documentation. The Department does not conduct reviews of IntelliRide?s documentation in EcoLane to ensure it submits claims for accurate mileage and maintains support for claims submitted to or paid by the Department. For example, the Department does not reconcile its NEMT claims data from interChange and IntelliRide?s EcoLane system data to ensure each claim is supported. Furthermore, the Department has never completed a file review of IntelliRide?s supporting documentation for NEMT claims, such as when the Department contracted with IntelliRide to be a regional broker prior to becoming the statewide broker. ? No method to ensure NEMT service claims are for rides for medical treatment and the least costly. The Department does not conduct any reconciliation of its interChange data on NEMT trip claims to its interChange data on Medicaid medical claims to ensure NEMT claims are only paid for recipients to access medical care. The Department also does not require confirmation from medical providers that recipients used NEMT to access necessary medical care. For example, NEMT providers told us that before the start of the IntelliRide statewide brokerage contract, they either called medical providers to confirm that the recipients? NEMT trips were to access medical appointments or collected medical providers? signatures for each NEMT trip. In addition, the Department has no controls to ensure providers that submit claims directly to the Department are providing the least costly NEMT service appropriate to each recipient, such as public transportation when it is accessible and appropriate. For example, IntelliRide instructs its staff to attempt to schedule the lowest-cost NEMT service based on recipients? mobility needs and access to public transportation; however, the Department has no such method to ensure services are the least costly when NEMT providers schedule services for recipients. As of September 2021, the Department plans to have the recipients who live in the 55 counties not served by IntelliRide begin scheduling their rides directly with the NEMT providers of their choosing, yet the Department has not developed a method to ensure recipients in these areas receive the lowest-cost services appropriate for their needs. ? Potentially insufficient Department staffing to monitor NEMT claims effectively. For Fiscal Year 2021, the Department was appropriated three full-time equivalent (FTE) staff to oversee NEMT claims; however, the Department had two vacancies in these positions from July 2020 through May 2021 that it did not fill, so there was only one Department staff overseeing NEMT and the IntelliRide statewide contract during the audit time period. In June 2021, the Department added an additional FTE staff member to assist in administering the NEMT benefit. Why do these problems matter? Likely federal recovery of funds used for improper payments. Section 25.5-4-301(2), C.R.S., states that any overpayments of claims to providers are recoverable and ?are recoverable regardless of whether the overpayment is the result of an error by the state department? an entity acting on behalf of [the department], or the provider or any agent of the provider.? Our audit identified $291,597 in known questioned costs, of which about $145,797 is the federal portion of funds that the federal government may recover. We also identified $5,180,962 in likely questioned costs, of which $2,590,480 is the federal portion of funds that could be recovered if the payments are determined to have not been appropriate. The following table shows the questioned costs and federal portions for each problem we identified. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote When providers bypass broker controls, service quality is not monitored. When the Department allows some NEMT providers to bypass the IntelliRide broker, and does not obtain documentation to support their claims, the Department is unable to monitor the services of these providers. Additionally, when the Department does not monitor providers that bypass the statewide broker, the Department is applying different and possibly inadequate standards for the providers that bypass compared to the providers that work with IntelliRide. Although the Department plans for IntelliRide to no longer be the statewide NEMT broker for all 64 counties beginning September 2021, IntelliRide will continue to administer NEMT trips for nine Front Range counties that account for the majority of NEMT trips. It is important that all NEMT trips in these counties be brokered through IntelliRide so that the Department can monitor the quality of the trips and IntelliRide?s oversight of them. Risk of fraud, waste, and abuse. When the Department pays NEMT claims that are not supported by documentation of the service, medical documentation showing NEMT was for medical treatment, or the required prior authorizations, there is a significant risk of misappropriation of federal and state funds by providers and/or recipients. In addition, the eight providers not permitted as taxis that submitted taxi claims appear to have set their own rates of payment at a significantly higher rate, since the PUC did not permit or set rates for these providers. While we did not identify confirmed fraud by recipients or providers due to a lack of supporting documentation for claims, the problems identified demonstrate waste of public funds and potential abuse of the Medicaid program. When the Department overpays Medicaid funds and pays for unallowable services, there are fewer funds available to service the recipients who need them. In addition, there is no federal or state limit on payments for NEMT services, so it is important that the Department ensure Medicaid recipients receive appropriate transportation to medical treatment, while also ensuring the Department is acting as a good steward of federal and state funds. See Schedule of Findings and Questioned Costs for chart/table Character Limit Exceeded See Statewide Single Audit Report
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-056 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-044 PROVIDER ELIGIBILITY Medicaid and CBHP cover a variety of medical and related services, which are provided by provider types such as clinics and hospitals, managed care organizations such as health plans or independent physicians, as well as individual medical providers working within these entities or individually. As of June 30, 2019, the Department had enrolled approximately 71,000 entities and individuals for providing services under Medicaid and CBHP. The Department is ultimately responsible for determining if providers are eligible to participate in Medicaid and CBHP. However, the Department has contracted with a fiscal agent, currently DXC Technology Services, LLC (DXC), to act on its behalf in determining Medicaid and CBHP provider eligibility. A fiscal agent is a contractor that performs certain provider enrollment and claims processing activities, including accepting, processing, evaluating, and approving or rejecting applications. The fiscal agent also assesses the providers into one of three risk categories?limited, moderate, and high?to ensure that appropriate federal and state regulations are applied during the provider enrollment process. Providers that want to enroll must complete an application within Colorado interChange and provide documentation, including a current business and/or medical license, showing that they fulfill all enrollment requirements. Once the enrollment process is complete, the Department enters into agreements with the providers that are found to be eligible. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over Medicaid and CBHP provider eligibility and enrollment processing, and to determine whether the Department complied with federal Medicaid and CBHP provider eligibility requirements during Fiscal Year 2019. Additionally, the purpose of our work was to determine the Department?s progress in implementing our Fiscal Year 2017 and 2018 recommendations related to provider eligibility and enrollment. At that time, we recommended that the Department improve its controls over Medicaid and CBHP provider eligibility determination and enrollment to ensure that it complies with federal and state requirements related to data verification, documentation including current provider licenses, monitoring policies and procedures, appropriate indication of results of database matches, and consistent display of provider information within Colorado interChange. The Department agreed with our recommendations and stated that it would implement them by Fiscal Year 2019. We reviewed a sample of 25 Medicaid provider applications for individual, company, and managed care providers that were deemed eligible and received payments during Fiscal Year 2019 through Colorado interChange for services provided. We obtained and reviewed the provider application information entered into Colorado interChange, as well as the supporting documentation uploaded into Colorado interChange by providers, to determine whether these providers were accurately deemed eligible to receive Medicaid payments and whether the required documents were present in accordance with federal and state regulations. In addition, we conducted interviews with Department staff regarding its procedures over Medicaid provider eligibility and enrollment. We also obtained a detailed Suspension Listing from the Department of Regulatory Agencies, which contained health care provider business and medical licenses that were terminated during Fiscal Year 2019. We compared the Suspension Listing with provider information in Colorado interChange to determine if the Department made inappropriate claims payments to unlicensed providers during the fiscal year. Because CBHP is operated through Medicaid, and the processes followed for provider eligibility and enrollment for CBHP providers are the same as the processes for Medicaid providers, our testing looked at compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal and state Medicaid regulations for provider eligibility during Fiscal Year 2019. Specifically, although we did not identify enrollment issues with the Department?s processing of providers who were newly enrolled during Fiscal Year 2019, we found at least one issue related to ongoing eligibility with all 25 sampled providers we tested: ? DATABASE MATCHES AND DISPLAY OF PROVIDER INFORMATION. We identified the following database match functionality issues with 24 of 25 providers (96 percent) tested: ? For 23 of 25 providers (92 percent) that included individual, company, and managed care providers, Colorado interChange showed that the provider?s owners, agents, and managing employees? SSNs were not verified against federal databases, as required. Specifically, the SSN check box within Colorado interChange indicated ?N,? meaning ?No verification was performed with the database.? Additionally, for one of 25 providers (4 percent) that was a managed care organization, the organization was enrolled in Colorado interChange in April 2019 and showed that the SSNs had been verified, but SSNs for two individuals who worked under this provider that were listed on the application were shown as ?N? within the system. ? For eight of 25 providers (32 percent) that included companies, Colorado interChange showed that the providers? Federal Employee Identification Numbers (FEIN) were not verified against federal and state databases, as required. Specifically, the FEIN check box within Colorado interChange indicated ?N.? ? For 13 of 25 providers (52 percent), Colorado interChange did not present the data of owners, agents, and managing employees information consistently between various screens within Colorado interChange. For example, when a provider noted owners, agents, or managing employees on its application, that information was not reflected in Colorado interChange outside of the application screen even though there is a section in Colorado interChange that should list the owners? information. According to federal regulation [42 CFR 455.436] and requirements established by the ACA [Patient Protection and Affordable Care Act (2010), Section 6401(a)], the Department must check federal databases to confirm providers? identity and determine whether providers are excluded from participating in the Medicaid program; this verification must also occur, if applicable, against providers? owners, agents, and managing employees. For example, the Department must check the federal exclusion databases at least monthly to ensure that the providers, owners, agents, and managing employees are not excluded from participating in the Medicaid program. Colorado interChange is designed to display provider application information consistently between various screens within the system, such as name, SSN, FEIN, and/or National Provider Identification number (NPI), with various federal and/or state databases to identify potential errors and to flag the application for a required caseworker manual review. According to Department staff, when Colorado interChange successfully verifies provider-provided information against another state or federal database, Colorado interChange should separately mark each verified data field on the application to note the successful match. Conversely, if Colorado interChange does not match a given field against a database, it should also be identified in the system. As a result of these issues, we were unable to determine if Colorado interChange performed the required matches and if any discrepancies in provided information were identified and presented to DXC, the fiscal agent, for a manual review to verify eligibility, as required. ? DOCUMENTATION. The Department did not maintain sufficient documentation within Colorado interChange for the receipt date of the fingerprints from the provider, the collection of application fees, and site visits, as follows: ? For four of 25 providers (16 percent) tested, the Department?s fiscal agent failed to fill in the receipt date field within Colorado interChange to indicate when fingerprints were received from enrolling providers. After bringing this issue to the Department?s attention, the Department provided fingerprinting documentation in November 2019 to support that these providers submitted fingerprints within 30 days of Department request in accordance with federal regulation; however, that receipt date information had not been documented in Colorado interChange as of November 2019. ? For one of 25 providers (4 percent) tested, the provider was assessed as high risk but the provider?s file did not contain evidence that an application fee was collected or that the fiscal agent conducted a site visit, as required. Under federal requirements [Sub Regulatory Guidance for State Medicaid Agencies (SMA): Revalidation (2016-001(3))], the Department ?must be able to produce documentation to support each of the provider screening and enrollment requirements,? such as requirements for fiscal agent-conducted site visits of moderate and high risk providers during the enrollment and revalidation process. Federal regulation [42 CFR 455.432] states that the State Medicaid Agency or their fiscal agent must conduct pre- and post-enrollment site visits of providers who are deemed as moderate or high risk to the Medicaid program. The purpose of the site visits is to verify that the information submitted to the state Medicaid agency is accurate and to determine compliance with federal and state enrollment requirements. Additionally, the Department?s contract with DXC requires the fiscal agent to maintain detailed documentation and procedures for Medicaid provider enrollment. Federal regulation [42 CFR 455.434] requires that, for any provider assessed by the Department as high risk, the Department must obtain fingerprints from the provider, including fingerprints for any person(s) who has a 5 percent or more direct or indirect ownership interest in the provider and furnishes medical or pharmaceutical services or supplies. The provider must submit the fingerprints within 30 days, upon request by the Department. Federal regulation [42 CFR 455.460(a)] states that the Department must collect the applicable application fee prior to executing a provider agreement from a prospective or re-enrolling provider, with certain limited exceptions. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal control over its federal awards that provides reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Green Book Paragraph 16.01, Perform Monitoring Activities, which states that the Department ?should establish and operate monitoring activities to monitor [its] internal control system and evaluate the results.? Monitoring activities include reviewing reports, observing operations, and ensuring that activities are carried out in accordance with the federal grant agreement. ? INELIGIBLE PROVIDERS: Based on our review of the suspended license listing from the Department of Regulatory Agencies, we identified three providers that had their licenses suspended during part of Fiscal Year 2019 but continued to be shown as active in Colorado interChange, as follows: ? One provider had its license suspended between February 11, 2019, and March 27, 2019; however, during this timeframe, the provider continued to bill claims and receive payments from Colorado interChange. After we questioned the Department about the issue, the Department issued a demand for payment letter dated October 18, 2019, to the provider for $15,061 in payments that were inappropriately paid. We consider these $15,061 payments to be known questioned costs; $7,531 of these payments were made with federal grant funds. ? Two providers had suspended licenses as of September 21, 2018, and February 25, 2019, respectively, but showed as active in Colorado interChange through June 30, 2019, and therefore appeared eligible to bill claims and receive payments. Based on additional testing, we determined that no payments were made to these providers after their licenses were suspended and did not identify any questioned costs associated with these two providers. Federal regulation [42 CFR 455.412] requires that the Department must have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State and confirm that the provider?s license has not expired and that there are no current limitations on the provider?s license. This federal regulation requires the Department to verify that the providers meet required licensure standards initially, and it is best practice for the Department to verify that the providers meet these standards on an ongoing basis to ensure that there are no current limitations on the provider?s license. In addition, state regulation [10 CCR 2505-10 8.125.9, Verification of Provider Licenses] states, ?If a provider is required to possess a license or certification in order to provide services or supplies in the State of Colorado, then that provider must be so licensed as a condition of enrollment as a Medicaid provider. As a condition of enrollment, any required licenses must be active without any current limitations.? Under the federal regulation, Requirements for Estimating Improper Payments in Medicaid and CHIP [42 CFR 431.958], ?Improper payment means any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements; and payment means any payment to a provider, insurer, or managed care organization for a Medicaid or CHIP beneficiary?? WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls in place over provider eligibility and claims payment processes related to the monitoring of DXC, its fiscal agent, during Fiscal Year 2019 to ensure that it complied with federal and state regulations. Specifically, Colorado interChange required fixes that were in various stages of correction during Fiscal Year 2019. According to the Department, Colorado interChange required a system fix in December 2018 in order to properly mark and/or display results related to federal and state database checks going forward; however, the system fix did not completely resolve the display issues to accurately indicate whether the data matches had occurred, and the Department did not retroactively make corrections to any cases that erroneously indicated that their information had not been verified. Rather, the Department stated that the inconsistent display issue related to providers that enrolled in the program when Colorado interChange was initially implemented and that this will be addressed after these providers are revalidated in Fiscal Year 2020 or when a provider updates their information, whichever occurs first. Additionally, the Department indicated that Colorado interChange did not have an automated system alert to check with the Department of Regulatory Agencies? license database on a regular basis to notify the fiscal agent and/or the Department that a license had expired. Although the Department reported that they had an interim manual process to ensure that expired licenses were identified and that subsequent steps were taken to ensure that providers remained eligible throughout the fiscal year to provide Medicaid services, the manual process did not identify and/or address the instances that we identified through our audit. Finally, we noted that the Department lacked an effective monitoring process over DXC, its fiscal agent, to ensure that the required documentation was maintained in accordance with Uniform Guidance, as the monitoring policies and procedures referred to as Provider Enrollment Audit Process were still in the draft stage during Fiscal Year 2019 and had not been formalized. WHY DO THESE PROBLEMS MATTER? By not ensuring that appropriate internal controls, including system controls and monitoring, are in place over the Medicaid provider eligibility and enrollment processes, the Department cannot ensure that all Medicaid providers are eligible or qualified to participate in the program. Additionally, without instituting a process to regularly update provider licensure information and to ensure that provider information contained in Colorado interChange is consistent and accurate, the Department cannot ensure that the enrolled providers are appropriately screened and are eligible to receive payments. Ensuring that providers contained in Colorado interChange are qualified to provide services is especially important because Colorado interChange is also used for provider eligibility determination for CBHP. Overall, the State could risk losing federal Medicaid and CBHP funding if it allows non-qualified providers to bill and be paid for services provided for these programs. RECOMMENDATION 2019-046 The Department of Health Care Policy and Financing (Department) should improve its controls over Medicaid and Children?s Basic Health Plan (CBHP) program provider eligibility determination and enrollment to ensure that it complies with federal and state requirements by: A Working with its fiscal agent to ensure that Colorado interChange performs all required database matches and properly displays results of Social Security Number and Federal Employer Identification Number verifications for all providers. B Establishing an effective process to ensure that provider licensing information contained in Colorado interChange is current, that any expired licenses are identified, and that any ineligible providers are disallowed from providing Medicaid and CBHP services and receiving payments in accordance with Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). C Formalizing the Department?s monitoring policies and procedures called Provider Enrollment Audit Process over the fiscal agent to ensure required documentation is maintained in accordance with Uniform Guidance. D Ensuring that Colorado interChange displays provider information consistently throughout the system. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department is working with its Fiscal Agent to ensure all required database screenings are performed and clearly identified in the Colorado interChange. An issue was identified in a prior year, FY 2018-19, that not all screening information was consistent. There was also a concern that initial screenings might miss some individuals due to the way data was formatted when transferred from LexisNexis. The issue was resolved by the Fiscal Agent prior to FY 2019-20. The Fiscal Agent is continuing to conduct manual reviews of all screening results to ensure compliance. A separate process to screen providers monthly is executed by the Department's Program Integrity Section. Through this process, no providers were found to have been enrolled incorrectly and, as necessary, the Department took appropriate action if there were changes to a provider's information. The Department is working with its Fiscal Agent to properly display results of Social Security Number and Federal Employer Identification Number verifications for all providers and automate the review process. The Department's implementation date reflects that the Department will complete the improvements and be in compliance with the Recommendation for the entirety of FY 2022-23. B DISAGREE. The Department finds that the Colorado interChange is working as designed, that the Fiscal Agent is appropriately enrolling providers, and that the Department is in compliance with the federal regulations regarding enrolling and revalidating providers. The Department is compliant with 42 CFR ? 455.436, which requires providers to be screened at enrollment and revalidation. All providers are assessed for eligibility requirements at enrollment and revalidation and are then screened monthly to identify any changes. For the licensing issue identified in this audit report, the Department performed the appropriate actions to recover funds within less than a month of the incident, which is compliant with federal regulation 42 CFR ? 455.436(c)(2). AUDITOR?S ADDENDUM: As noted in the finding, we found issues with the Department?s ongoing verification and monitoring of providers? eligibility that failed to prevent improper payments to an ineligible provider during the fiscal year. In addition, the Department did not send notification to recover funds from the provider until October 2019, or 8 months after the provider?s license was suspended. C AGREE. IMPLEMENTATION DATE: JULY 2020. The Department finalized the Fiscal Agent monitoring policies and procedures in December 2019 and therefore was unable to be in full compliance for the entire FY 2019-20. The Department's implementation date reflects that the Department will be in compliance with the Recommendation for the entirety of FY 2020-21. D DISAGREE. There was an initial system configuration on some early enrollments that prevented populating the requested information in the visible provider subsystem tabs for the auditor to review. The verification functionality happens within the provider portal and not in the visible provider subsystem tabs that the auditor reviews. However, no functionality or data was lost, the information only appeared and was stored in the provider portal. The Department implemented a solution so that the information will be displayed in the provider subsystem. This change is pending the next update the providers make and the data will be visible in the provider subsystem. The Department will not be making historical changes to the system. The Department has worked with the Fiscal Agent to resolve the issues which led to the finding and does not believe that expending additional resources to display historical information in both the provider portal and the provider subsystem is the best use of resources. The Department can produce the information manually. AUDITOR?S ADDENDUM: The data inconsistency issues we identified through our audit were based on our reviews of Colorado interChange through the access provided to us by the Department. As noted in the finding, inconsistent information within the provider eligibility screens used for Medicaid and CBHP increases the risk of inaccurate reviews of provider eligibility and ultimately, inappropriate enrollment screening. Therefore, as our recommendation states, the Department should ensure that Colorado interChange displays provider information consistently. The recommendation did not include restatement of historical information.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-048 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-035 MEDICAL ASSISTANCE PAYMENTS FOR DECEASED BENEFICIARIES As a safeguard against potential errors and fraud, state and local agencies need to be vigilant in preventing payments for medical services on behalf of ineligible individuals, such as those who are deceased. In general, the Department, local counties, and MA sites share responsibility for ensuring that only eligible beneficiaries receive public assistance benefits under Medicaid and CBHP. Local counties and MA sites caseworkers enter the required data for eligibility determination into CBMS, which either approves or denies eligibility for MA benefits. In addition, CBMS has various system interfaces to confirm and update the eligibility information in CBMS, including the date of death. Eligibility data in CBMS feeds daily into Colorado interChange and the Department pays providers through two methods: (1) FFS payments to medical service providers for specific services, including pharmacy prescriptions, and (2) capitation payments. The monthly capitation payments are paid at the beginning of each month regardless of whether the providers serve beneficiaries during the month or not. FFS payments are only made for Medicaid beneficiaries while capitation payments are made for both Medicaid and CBHP beneficiaries. Colorado interChange is programmed to pay FFS and monthly capitation payments only on behalf of beneficiaries that are deemed eligible based on eligibility information received from CBMS and requirements specified in federal and state regulations. CBMS receives beneficiary death information through various sources, including updates from beneficiaries? family members, daily interfaces with the SSA, and a monthly interface with the Colorado Electronic Death Registration System maintained by the Colorado Department of Public Health and Environment (CDPHE). If death information received in CBMS has not been verified, the Department will confirm the death information by sending notification letters to the deceased beneficiary. Once the death information is verified, CBMS is programmed to terminate the beneficiary?s eligibility as of the date of death. On a daily basis, CBMS then sends updated beneficiary eligibility and date of death information to Colorado interChange, which is programmed to run a daily automated process to stop payments, check for payments, and recover all FFS and capitation payments made after the beneficiary?s verified date of death. In the majority of cases, there is a delay between when the beneficiary dies and when the Department receives death information, verifies the date of death, and terminates benefits; which means that claims may be paid on behalf of deceased beneficiaries for a period of time. Per federal regulations, the Department is required to recover any payments made on behalf of these beneficiaries after their date of death. Once the Department receives verified death information, overpayments are recovered through an automated process in Colorado interChange. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over Medicaid and CBHP payments related to beneficiaries who die while receiving benefits, to determine whether the Department complied with applicable federal and state requirements, and whether payments were only made on behalf of eligible beneficiaries during Fiscal Year 2020. During our audit, we received a listing of all Coloradans who died during Fiscal Year 2020, including dates of death, from CDPHE staff. We also obtained a listing from the Department of all Medicaid and CBHP payments made to providers during Fiscal Year 2020. We compared the two listings using Social Security Numbers (SSN) and identified 1,059 Medicaid and CBHP IDs that had Medicaid payments totaling $429,951 made on their behalf and $194 in CBHP payments made on their behalf. In addition, we reviewed the Department?s processes, policies, and procedures for identifying, stopping, and recovering payments for deceased beneficiaries. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? Federal regulation [42 CFR 431 Subpart Q, Requirements for Estimating Improper Payments in Medicaid and CHIP] states that any payment to an ineligible beneficiary is considered an improper payment, which is any payment that should not have been made or that was made in an incorrect amount. Also, Section 25.5-4-301(2), C.R.S., requirements for Medicaid and CBHP, states that any overpayments of claims to providers are recoverable. These overpayments ?are recoverable regardless of whether the overpayment is the result of an error by the state department, a county department of human or social services, an entity acting on behalf of either department, or by the provider or any agent of the provider.?? Additionally, Section 25.5-4-301(2)(a)(II), C.R.S., states, ?If the state department makes a determination that such overpayment has been made for some other reason than a false representation by the provider?, the state department may waive the recovery or adjustment of all or part of the overpayment and accrued interest specified in this subparagraph (II) if it would be inequitable, uncollectible or administratively impracticable?.? Because medically necessary services cannot be provided after a beneficiary?s death, no medical services are allowable after a beneficiary?s death and, accordingly, payments for medical services claimed to have been provided after a beneficiary?s death are overpayments and should be recovered. Pursuant to 1903(d)(2)(C) of the Social Security Act [42 U.S.C. 1396b] requirements for Medicaid and CBHP, states have up to 1 year from the date of discovery of any overpayment to recover or attempt to recover the overpayment before the federal share must be refunded to CMS, regardless of whether or not recovery is made from the provider. According to federal regulation [45 CFR 75.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. Green Book, Paragraph 16.01, states that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. A questioned cost, as defined in Uniform Guidance [45 CFR 75.2], is ?a cost that is questioned by the auditor ? (1) Which resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds; [or] (2) Where the costs, at the time of the audit, are not supported by adequate documentation?.? Additionally, federal regulation [45 CFR 75.516] defines known questioned costs as questioned costs that are specifically identified by the auditor and likely questioned costs as the auditor?s best estimate of total questioned costs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We found that the Department made Medicaid and CBHP payments to providers for medical services claimed to have been rendered to Medicaid and CBHP beneficiaries after the months in which beneficiaries died. Specifically, the Department made payments on behalf of 1,059 beneficiaries after their date of death provided by CDPHE, resulting in overpayments of $185,265, of which $96,952 were paid with federal grant funds, as follows: MEDICAID FFS PAYMENTS. We identified 277 Medicaid beneficiaries whose SSN matched a death record from CDPHE and who had Medicaid FFS payments totaling $207,667 paid on their behalf to providers after their date of death. We reviewed payments for 21 of the 277 Medicaid beneficiaries and confirmed with the Department that 17 of the 21 beneficiaries (81 percent) were deceased and had payments made on their behalf after their date of death during Fiscal Year 2020. We also found that the Department had not recovered these improper FFS payments to ineligible beneficiaries as of the end of Fiscal Year 2020 and, therefore, these errors resulted in known questioned costs of $17,041, of which $8,654 was paid with federal grant funds. For the remaining four Medicaid beneficiaries, the Department researched and provided evidence that the beneficiaries were not deceased. Therefore, these four beneficiaries did not result in questioned costs. The remaining 256 beneficiaries whose SSN matched a death record from CDPHE and need to be researched and verified resulted in likely questioned costs of $77,840, of which $41,422 was paid with federal grant funds. MEDICAID AND CBHP CAPITATION PAYMENTS. We identified 846 Medicaid and CBHP beneficiaries whose SSN matched a death record from CDPHE and who had capitation payments paid on their behalf to providers after their date of death that had not been recovered as of the end of Fiscal Year 2020, totaling $222,630 for Medicaid and $194 for CBHP. We informed the Department of the issues we identified and provided them with the list of 846 beneficiaries. Department staff performed additional follow-up and confirmed that Colorado interChange had received verified death records for 747 of the 846 beneficiaries and a total of $170,747 in provider payments had been made on the beneficiaries? behalf after their dates of death during Fiscal Year 2020. These payments resulted in known questioned costs of $168,224, of which $88,150 was paid with Medicaid federal grant funds and $148 was paid with CBHP federal grant funds. For 12 out of the 747 beneficiaries, the date of death reported in Colorado interChange differed from the date of death provided by CDPHE. Part of the payments to these beneficiaries resulted in likely questioned costs of $2,524, of which $1,401 was paid with Medicaid federal grant funds. For the remaining 99 of the 846 beneficiaries, the Department reported that Colorado interChange did not have death information for these beneficiaries and had not researched these further. As a result, Medicaid payments for these 99 beneficiaries are reported as likely questioned costs of $52,076, of which $28,508 was paid with federal grant funds. The following table summarizes the issues we identified. See Schedule of Findings and Questioned Costs for chart/table. WHY DID THESE PROBLEMS OCCUR? Overall, the Department lacked sufficient internal controls to ensure that medical assistance payments were not paid to deceased individuals during Fiscal Year 2020, as follows: ? LACK OF WRITTEN POLICIES AND PROCEDURES. The Department does not have written policies and procedures to monitor payments to deceased beneficiaries, to recover overpayments, and to ensure compliance with federal and state regulations related to medical assistance payments after a beneficiary?s date of death. ? SYSTEM ISSUES. We identified the following Colorado interChange system issues that caused the errors we identified: ? According to the Department, when Colorado interChange was implemented in 2017, it was programmed to only recover capitation payments in the current month and previous 2 months for Medicaid beneficiaries, and in the current month and previous 5 months for CBHP beneficiaries, after death information is received. As a result, for instances in which the Department received and verified beneficiaries? death information more than 3 months after the date of death for Medicaid and more than 6 months after the date of death for CBHP, the Department was not automatically recovering all improper capitation payments in accordance with federal and state regulations. According to the Department, in November 2020, the Department updated Colorado interChange to correct this system issue to recover all capitation payments after a beneficiary?s date of death. ? The Department lacks an effective internal control process for detecting when Colorado interChange is not recovering payments made on behalf of deceased beneficiaries. Specifically, we identified issues related to Medicaid FFS payments and followed up with the Department. Upon further review, the Department discovered a system defect that occurred from October 23, 2019, through April 23, 2020, which prevented Colorado interChange from carrying out the daily automated check and recovery process for FFS payments made on behalf of deceased beneficiaries. Due to this system defect, Colorado interChange did not recover any payments for deceased beneficiaries during this time. Although the system defect was fixed in April 2020, the Department was not aware of the issue and that payments were not being recovered for deceased beneficiaries until the Department researched the beneficiaries identified through the audit. According to the Department staff, as of May 2021, the Department was still researching the deceased beneficiaries impacted by the system defect and recovering payments. WHY DO THESE PROBLEMS MATTER? Without strong internal controls over Medicaid and CBHP eligibility, the Department increases the risk of improper payments due to fraud or error. Furthermore, making payments on behalf of ineligible individuals, including individuals who are deceased, can result in the Department having to repay the federal government for the federal portion of the overpayments. Additionally, the federal government can disallow federal funds for program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-035 The Department of Health Care Policy and Financing should improve its internal controls over Medicaid and Children?s Basic Health Plan (CBHP) payments for deceased beneficiaries by: A Establishing and implementing written policies and procedures to monitor payments to deceased beneficiaries, recover any overpayments, and to ensure compliance with state and federal regulations. B Researching and resolving the Colorado interChange system (Colorado interChange) issues to ensure that all Medicaid and CBHP payments are stopped and recovered after a beneficiary?s date of death and developing a process to detect when Colorado interChange is not recovering payments on behalf of deceased beneficiaries. C Researching and recovering any overpayments made to providers on behalf of ineligible beneficiaries noted through the audit in accordance with state requirements. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will create written procedures documenting system and monitoring processes used to prevent claims from paying after a beneficiary?s date-of-death is verified. In addition, the procedures will document the processes used to recover payments made between a beneficiary?s verified date-of-death and the date the Colorado interChange system is updated with the date-of-death. B AGREE. IMPLEMENTATION DATE: JULY 2022. The system issues described in this audit were resolved as of April 2020 for fee-for-service claims and November 2020 for capitation payments. Once a beneficiary's date-of-death is verified, payments that were made after to the date-of-death will be recovered through the Department's existing processes. As noted in the Department?s response to Recommendation (A), the Department will create written procedures documenting system and monitoring processes used to prevent claims from paying after a beneficiary?s date-of-death is verified. In addition, the procedures will document the processes used to recover payments made between a beneficiary?s verified date-of-death and the date the Colorado interChange system is updated with the date-of-death. AUDITOR?S ADDENDUM As noted in the finding, the Colorado interChange system defect did not recover payments from October 23, 2019, through April 23, 2020. However, the Department was not aware of the system defect until it researched the beneficiaries identified through the audit. According to Department staff, as of May 2021, the Department was still researching the beneficiaries that were impacted by the system defect and recovering payments. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will recover any overpayments made to providers on behalf of deceased beneficiaries once a beneficiary's date-of-death is verified based on our current processes and existing system functionality. The Department does not agree to the questioned costs identified by the auditors. When performing a review of the auditor?s data, several beneficiaries were found not to be deceased by the Department. The records provided by the auditors, like all records received from Colorado Department of Public Health and Environment (CDPHE) and the Social Security Administration (SSA), will go through the Department?s existing verification process. The Department performs the required research and outreach to beneficiaries to verify the date-of-death prior to updating the information in the Colorado interChange. In addition, the Department is not required to recover payments by the end of the state fiscal year, and reports any payments recovered to the Centers for Medicare and Medicaid Service (CMS) based on federal requirements. The Department?s source of beneficiary data, the verification processes, and recovery processes have already been established to satisfy this recommendation within federal guidelines. AUDITOR?S ADDENDUM As noted in the finding, all known questioned were for deceased beneficiaries that were verified by the Department. All likely questioned costs were for beneficiaries that had yet to be researched and verified by the Department. According to Department staff, as of May 2021, the Department was still researching and recovering payments made on behalf of deceased beneficiaries.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-050 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-037 RECOVERING AND REFUNDING OF FEDERAL SHARE OF MEDICAID AND CBHP PROVIDERS? OVERPAYMENTS The Department pays providers for services rendered to eligible beneficiaries of Medicaid and CBHP programs. In some cases, the Department may discover that it paid a provider for unallowed services, or that it paid more than the allowable amount, and will need to seek a recovery for the overpayment. In such cases, the Department is required to repay CMS for the portion of the overpayment that was funded by the federal government (federal share) within 1 year of the date the overpayment was identified. The Department?s Program Integrity (PI) Division identifies, receives, and tracks overpayments made to Medicaid and CBHP providers. An overpayment is identified once the PI Division sends a Demand Letter (date of discovery) to the provider or receives a self-disclosure identifying the amount of overpayment. The provider has a deadline of 30 days after receiving a Demand Letter or 60 days after submitting a self-disclosure to submit the overpayment or make arrangements for a payment plan with the PI Division. The PI Division uses a recovery tracking spreadsheet (Spreadsheet) to compile all necessary information for the recovery and refund of overpayments. The Spreadsheet is designed to contain information such as the amount of the overpayment, date of discovery, and deadlines for refunding to CMS. The federal share of overpayments that must be refunded to CMS depends upon the Federal Medical Assistance Percentage (FMAP) at which the Department was reimbursed. Once the PI Division recovers an overpayment from the provider, it determines the FMAP and includes it in a recovery form called the Colorado Authorization Document; PI Division staff then send it to the Controller?s Division for recording the recovery and refund information in the Colorado Operations Resource Engine (CORE), the State?s accounting system. The Department?s Controller?s Division uses summary data from CORE to report financial information for Medicaid and CBHP?including all overpayments and the associated federal share?to CMS in quarterly reports: Form CMS-64 for Medicaid and Form CMS-21 for CBHP. The Department has up to 1 year from the date of discovery of an overpayment to report the refund to CMS in one of these forms, as appropriate. The PI Division works with the Controller?s Division to ensure the timely reporting and refunding of the federal share of overpayments to CMS. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to review the Department?s internal controls over processes for recovering, reporting, and refunding the federal share of Medicaid and CBHP overpayments, as well as to determine whether the Department complied with applicable federal requirements and Department policies and procedures during Fiscal Year 2020. During our audit, we reviewed the Department?s Spreadsheet detailing all overpayment cases that appeared to be due for a refund of federal share to CMS during Fiscal Year 2020. The Spreadsheet included 50 Medicaid and seven CBHP overpayment cases, and from these, we selected and tested a sample of 13 Medicaid and five CBHP overpayments. We requested and reviewed supporting documentation for these overpayments to determine whether (1) the information recorded in the Spreadsheet was accurate, (2) the overpayment was recovered in a timely manner or recovery was attempted within 1 year from the date of discovery, and (3) the federal share was appropriately refunded through quarterly reports to CMS in accordance with federal regulations. Additionally, we requested the Department?s policies and procedures to ensure compliance with federal regulations governing the recovery, reporting, and refunding of Medicaid and CBHP overpayments to CMS. The process followed for recovery, reporting, and refunding the federal share of overpayments to providers is the same for both Medicaid and CBHP, and our testing was used to determine compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal regulations for recovering, reporting, and refunding the federal share of Medicaid and CBHP overpayments to providers during Fiscal Year 2020. We noted issues with the untimely recovery and refund of overpayments to CMS, inaccurate federal reporting to CMS, and untimely follow-up with the provider on outstanding overpayments and expired checks. Specifically, we identified the following: ? UNTIMELY RECOVERY AND REFUND. For six of the 13 Medicaid (46 percent) and two of five CBHP (40 percent) overpayments tested, the Department failed to recover, or seek to recover, the overpayments from the provider and failed to refund to CMS, the federal share, within 1 year of the date of discovery, as required by federal regulations. For example, an overpayment was identified on September 13, 2018, but the Department did not recover, or seek to recover, the overpayment until September 15, 2020, and did not refund the federal share to CMS until federal quarter ending September 30, 2020, which is 367 days past the 1 year recovery and refund period in accordance with the federal requirement. In addition, for one of the 13 Medicaid (8 percent) and one of five CBHP (20 percent) overpayments tested, the Department failed to refund the federal share of overpayment to CMS within 1 year of the date of discovery. As a result of untimely follow-up with the providers, the Department did not recover the overpayments amounting to $23,646 in known questioned costs; and did not refund $12,176 within the 1 year period of discovery. These errors resulted in underreporting of overpayments to CMS for Fiscal Year 2020. Additionally, the Department could be liable to CMS for the interest payments on these untimely refunds of overpayments. As of the end of our audit, the Department had not provided an estimated amount of interest that will be due to CMS so we were unable to report an estimated questioned costs amount for the interest. According to federal regulation [42 CFR 433.312(a)(1) and (2)], the Department has 1 year from the date of discovery of an overpayment to a provider to recover or seek to recover the overpayment before the Federal share must be refunded to CMS. In addition, the Department must refund the Federal share of overpayments at the end of the 1-year period following the date discovery of overpayment, whether or not the State has recovered the overpayment from the provider. According to federal regulation [42 CFR 433.320(a)(4)], if the Department does not refund the Federal share of such overpayment as indicated in the previous paragraph (a)(2), the State will be liable for interest on the amount equal to the Federal share of the non-recovered, non-refunded overpayment amount. Interest during this period will be at the Current Value of Funds Rate, and will accrue beginning on the day after the end of the 1-year period following discovery until the last day of the quarter for which the State submits a CMS-64 report refunding the Federal share of the overpayment. ? INACCURATE FEDERAL REPORTING. For all 13 Medicaid (100 percent) and all five CBHP (100 percent) overpayments we tested, the Controller?s Division reported the federal share of the overpayments made to providers on the wrong line of the CMS quarterly reports rather than on the line specified and required by Uniform Guidance. Uniform Guidance states that the Department must report the refund of the overpayment on CMS-64 for Medicaid on line 9C1- Fraud, Waste and Abuse and/or on CMS-21 for CBHP on line 4-Adjustments Decreasing Claims-Collections. ? EXPIRED CHECK AND UNTIMELY FOLLOW-UP. For one of the 13 Medicaid overpayments tested (8 percent), the PI Division failed to timely process the overpayment recovery check received from the provider. Consequently, the check, which was received on September 5, 2019, expired and the Department did not take any actions to follow up with the provider at any time through the end of the fiscal year to obtain payment. After we brought this issue to the Department?s attention, they followed up on the outstanding payment in January 2021, which is more than 16 months since the check expired. According to the Department?s Policies and Procedures, Recovery Officer Check Processing, Section (V)(A), the PI Division within Audits and Compliance has to process the received check in a timely manner and provide a copy to the accounting or Controller Division. ? INCOMPLETE TRACKING SPREADSHEET. We found that the overpayment recovery and refund tracking Spreadsheet used by the PI Division was incomplete and missing important information such as the date of the discovery, the federal program reimbursement rate, and deadlines for refunding to CMS. Green Book, Section 4, Paragraph OV4.08, states that documentation is required for the effective design, implementation, and operating effectiveness of an entity?s internal control system. WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls, including policies and procedures, in place over the recovery, reporting, and refunding of Medicaid and CBHP overpayments during Fiscal Year 2020 to ensure compliance with federal regulations. Specifically, we noted the following causes for the identified errors: ? LACK OF TRAINING. The staff within the PI Division and the Controller?s Division lacked adequate training to document, communicate, and report details of overpayments to ensure compliance with federal regulations. Specifically, the Department?s PI Division did not timely create and provide the Colorado Authorization Document form to the Controller?s Division and the Controller?s Division did not report the refund of the overpayments within 1 year of the date of discovery to ensure compliance with federal regulations. Additionally, staff lacked training to properly track and report overpayments for Medicaid and CBHP; timely process recovery and refund of overpayments, processing checks timely, and correctly report overpayments on CMS quarterly reports. ? LACK OF POLICIES AND PROCEDURES. The Department lacked written policies and procedures to ensure that all necessary information such as the date of the discovery, the federal program reimbursement rate, and deadlines for refunding to CMS required to track, recover, report, and refund overpayments were documented within the Spreadsheet. ? LACK OF ACCOUNT CODES. According to the Controller Division staff, the correct accounting codes are not set up in CORE; therefore, the recovered overpayments are currently recorded under incorrect accounting codes in CORE. This led to the reporting of overpayments on the incorrect federal reporting lines in CMS quarterly reports. ? LACK OF SUPERVISORY REVIEW. The PI Division and Controller?s Division lacked supervisory review over the Spreadsheet and CORE account codes used on the recoveries to ensure completeness and accuracy of information to support timely recovery, refund, and reporting of overpayments. WHY DO THESE PROBLEMS MATTER? Strong internal controls over refunding and recovery of Medicaid and CBHP overpayments, including written policies and procedures; adequate staff training on those policies and procedures, and any related processes; a proper tracking mechanism; and a supervisory review process are necessary to ensure that Department is in compliance with federal and state regulations. Without a proper tracking mechanism for overpayments, the Department risks failing to timely recover state funds paid improperly, refund overpayments, and accurately report overpayment information to the federal government, potentially resulting in additional liability of interest on overpayments to the federal government. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-037 The Department of Health Care Policy and Financing (Department) should improve its internal controls over Medicaid and Children?s Basic Health Plan (CBHP) overpayments and comply with the related payment and reporting requirements by: A Providing adequate training to staff to ensure timely documentation and communication of recovery information between the Program Integrity Division and the Controller Division related to reporting and refunding of overpayments within 1 year of the date of discovery in accordance with federal regulation. Additionally, the training should focus on proper tracking and reporting of overpayments for Medicaid and CBHP, timely processing of recovery of overpayments, timely check processing, and correct refunding of the federal share of these overpayments on Centers for Medicare and Medicaid Services (CMS) quarterly reports. B Developing and implementing written policies and procedures to ensure that all necessary information required to correctly track Medicaid and CBHP overpayments is included on the tracking spreadsheet and recovered overpayments are refunded and reported to CMS within the 1 year of the discovery date, in accordance with federal regulations. C Creating overpayment account codes to report recovered overpayments accurately in the Colorado Operations Resource Engine (CORE) and subsequently under the correct federal reporting lines in CMS quarterly reports. D Implementing a supervisory review over the tracking spreadsheet and CORE overpayment recovery account codes to ensure completeness and accuracy of information to support timely recovery and reporting of overpayments by the divisions. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will develop and provide training to staff that covers the federal regulations surrounding reporting overpayments and returning the federal share, required information for tracking overpayments, processes for processing recovered funds in a timely manner, and processes for properly refunding the federal share on the CMS-64 and/or CMS-21. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will draft and revise existing policies and procedures to ensure proper tracking of recovered overpayments, timely processing of those payments, and correct reporting on the CMS-64 and/or CMS-21. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will implement procedures and coding sufficient to allow proper reporting of overpayments returned greater than one year from the date of discovery for the CMS quarterly reports. D AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will develop and revise supervisory review processes for ensuring that the tracking spreadsheet is complete and accurate and that the CORE account codes are correctly reported.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2020-051 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-038 PRESUMPTIVE ELIGIBILITY Colorado?s presumptive eligibility program is designed to give immediate, temporary medical coverage to children under 19 and pregnant women while they wait for a regular Medicaid or CBHP eligibility determination. Though there are fewer eligibility requirements for presumptive eligibility in comparison with regular Medicaid or CBHP coverage, beneficiaries must submit a Medical Assistance application (Application) and meet certain criteria to be eligible. To manage the application process and help ensure that only people meeting the basic eligibility criteria are enrolled in presumptive eligibility programs for children and pregnant women, the Department partners with clinics, health care centers, and community resource centers that are certified as presumptive eligibility sites (PE sites). Such PE sites must be re-certified by the Department every 2 years to maintain their active status as qualified PE sites in order to process presumptive eligibility. As part of the re-certification process, the Department conducts a sample of eligibility case reviews. During Fiscal Year 2020, there were 57 PE sites that together determined presumptive eligibility for 1,795 Medicaid cases and 875 CBHP cases. The process of enrolling an applicant into a presumptive eligibility program begins when a caseworker at a PE site collects minimum information needed to determine presumptive eligibility, including the applicant?s name, age, residency, citizenship, and income. The caseworker enters this information into CBMS, which determines whether the applicant is eligible to receive Medicaid or CBHP temporary benefits. If the applicant is deemed presumptively eligible, then CBMS feeds relevant data to Colorado interChange, which issues payments to CBHP and Medicaid providers on behalf of these beneficiaries. If the applicant?s reported information is not in compliance with state and federal requirements, CBMS is programmed to deny the eligibility and mark the applicant?s eligibility as fail within CBMS. As a result, the applicant would not be eligible to receive any payments on their behalf through Colorado interChange. Once an applicant?s presumptive eligibility has been determined, the PE site submits the Application along with a transmittal form detailing the beneficiary?s reported information to the appropriate local county or designated MA site, which then completes the application process to determine regular (i.e., not presumptive) eligibility for Medicaid or CBHP benefits. Once the applicant is enrolled in the regular Medicaid or CBHP program, the individual?s presumptive eligibility benefits should end. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to review the Department?s internal controls over the processing of presumptive eligibility for Medicaid and CBHP programs, as well as to determine whether the Department complied with the applicable federal and state requirements for Fiscal Year 2020. During our internal controls testing, we reviewed all 57 PE sites to determine whether they were due for re-certification and were appropriately re-certified to process presumptive eligibility by the Department during the fiscal year. Out of 57 PE sites, 39 were due for re-certification during Fiscal Year 2020. We also reviewed the Department?s case reviews of the presumptive eligibility determinations processed by 13 staff at five out of the 39 PE sites due for re-certification during Fiscal Year 2020 to determine whether reviews were performed and if the appropriate training was provided for those PE sites? staff that failed the Department?s review. The PE site?s staff fails the Department?s case reviews if the Department identifies a high amount of presumptive eligibility determination errors in accordance with federal and state requirements. If the PE site?s staff fails the review, the Department requires the staff to undergo customized Department training over the areas they failed within 6 months of the review. We also made inquiries with Department staff regarding their policies and procedures over monitoring of these PE sites and reviewed the Department?s process of case file reviews. In addition, we randomly selected a sample of 20 Medicaid and 20 CBHP cases for individuals who were deemed presumptively eligible by the Department during Fiscal Year 2020 to determine whether the Department complied with federal Medicaid and CBHP presumptive eligibility requirements. Our testing included reviewing the related supporting case file documentation, as well as the CBMS data fields related to presumptive eligibility determinations and payment information in Colorado interChange. The process followed for presumptive eligibility determination is the same for both Medicaid and CBHP, and therefore our testing was used to determine compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal and state regulations regarding Medicaid and CBHP presumptive eligibility requirements during Fiscal Year 2020. We noted issues regarding the Department?s timeliness of PE sites? re-certifications, failure to timely end beneficiaries? presumptive eligibility, a lack of review of PE sites, and missing documentation. Additionally, we found CBMS system issues related to the determination of applicant?s presumptive eligibility. Specifically, we identified the following: ? UNTIMELY END OF PRESUMPTIVE ELIGIBILITY. In eight out of 20 Medicaid (40 percent) and seven out of 20 CBHP (35 percent) cases, we found that the Department did not properly end presumptive eligibility within CBMS as required by the federal regulation. For example, in one CBHP case, the beneficiary?s presumptive eligibility did not end until 57 days after the beneficiary was determined to be eligible for regular CBHP benefits. Federal regulation [42 CFR 435.1101)] states that presumptive eligibility should end the day on which a decision is made on the application for Medical Assistance or the last day of the month following the month in which the determination of presumptive eligibility was made. ? LAPSED CERTIFICATIONS OF PE SITES. We found that five of the 57 PE sites (9 percent) were not re-certified within 2 years, as required, during Fiscal Year 2020, and therefore, were not qualified to make presumptive eligibility determinations after their re-certification due date had passed. Based on inquiry with the Department, these five PE sites processed a total of 314 presumptive eligibility determinations for Medicaid and CBHP after their re-certification due date during Fiscal Year 2020. The Department was unable to provide the total payments made on behalf of these beneficiaries during the presumptive eligibility period as of June 30, 2020, since these payments are not separately identified from regular Medicaid or CBHP payments in the system. As a result, we were unable to determine the amount of questioned costs the Department paid for these individuals during Fiscal Year 2020. State regulation [10 CCR 2505-10, 8.100.4.F (3)] requires the Department to re-certify the PE sites every 2 years to remain an approved site. ? LACK OF REVIEW OF PE SITES. We found several issues with the Department?s review of PE sites. Specifically we found the following: ? For 13 out of the 39 PE sites due for re-certification and a review (33 percent), the Department did not perform any case reviews to ensure that presumptive eligibility determinations were being made appropriately and in accordance with state and federal regulations by the PE site staff during Fiscal Year 2020. ? 11 of 13 staff at three PE sites (85 percent) failed the Department?s review of presumptive eligibility determinations during the fiscal year. However, the Department was unable to provide adequate evidence that it provided training to these staff within 6 months of their failed reviews, as required by Department processes. ? Currently, for all 57 PE sites, the Department conducts reviews every 2 years, but only requires them to retain eligibility documentation for 1 year. As a result, the Department is able to monitor PE site?s eligibility determinations for only half of the period since the last review, leaving the other half unmonitored. Federal regulation (42 CFR 435.1102(b)(3)) requires the Department to ?establish oversight mechanisms to ensure that presumptive eligibility determinations are being made consistent with the statute and regulations?. According to the Department processes, staff are to review a sample of presumptive eligibility cases at PE site every 2 years when reviewing sites for re-certification. If a PE site?s staff fails a review, the Department requires the staff to undergo customized Department training within 6 months over the areas they failed. Green Book, Section 2, Paragraph OV2.02, states that the Green Book applies to all of an entity?s objectives: operations, reporting, and compliance. Additionally, Green Book, Paragraph 16.01, indicates that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports and observing operations. ? MISSING DOCUMENTATION. In five of the 20 CBHP cases (25 percent) and five of the 20 Medicaid cases (25 percent) we tested, the Department was unable to provide evidence that the PE sites notified the counties or MA sites within five business days that the applicants were presumptively eligible. Federal regulation [42 CFR 435.1102(b)(2)(iii)] states that the presumptive eligibility sites are required to notify the local county or MA site within 5 business days that the client is presumptively eligible. ? SYSTEM DISPLAY ISSUE. In two of 20 CBHP cases (10 percent) and two of 20 Medicaid cases (10 percent), CBMS did not display the presumptive eligibility termination dates consistently between various screens. For example, in a Medicaid case, one screen showed a presumptive eligibility termination date of January 22, 2020, and the other screen showed a presumptive eligibility termination date of February 29, 2020. This system display issue did not affect the beneficiaries? presumptive eligibility and therefore there were no questioned costs. CBMS is designed to display case and applicant information consistently between various screens within the system. WHY DID THESE PROBLEMS OCCUR? The Department lacked sufficient internal controls to ensure that it complied with state and federal presumptive eligibility requirements during Fiscal Year 2020. Specifically, we noted the following causes for the errors we identified: ? LACK OF POLICIES AND PROCEDURES. The Department did not have written policies and procedures detailing the requirements for completion of site reviews, maintenance of supporting documentation, and the performance of timely re-certification of PE sites. ? LACK OF MONITORING. The Department lacked an effective tracking mechanism to monitor and identify PE sites that were due for re-certification every 2 years and to ensure presumptive eligibility determinations were in compliance with state and federal regulations. ? CBMS SYSTEM ISSUES. CBMS was not programmed to appropriately terminate presumptive eligibility when the beneficiary is enrolled in the regular Medicaid or CBHP program. In addition, CBMS has a system display issue that results in inconsistent applicant information being shown on various screens. WHY DO THESE PROBLEMS MATTER? As the State?s Medical Assistance agency, it is essential for the Department to ensure that PE sites? eligibility determinations are made appropriately and in accordance with state and federal regulations. This includes ensuring benefits are paid only on behalf of eligible beneficiaries. Since CBMS determines eligibility for Medicaid and CBHP, the CBMS system issues we identified could result in erroneous eligibility determinations. The federal government can disallow federal funds for program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. By not ensuring that appropriate internal controls, including system controls, written policies and procedures, adequate reviews, and monitoring, are in place over the Medicaid and CBHP presumptive eligibility process, the Department cannot ensure that all Medicaid and CBHP beneficiaries are eligible to participate in the programs. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-038 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls over presumptive eligibility by: A Developing and implementing written policies and procedures detailing the requirements for completion of site reviews, maintenance of supporting documentation, timely training for failed presumptive eligibility (PE) site staff, and performance of timely re-certification of PE sites. B Developing an effective tracking mechanism to identify and monitor PE sites that are due for re-certification every 2 years and ensuring the re-certifications are performed. C Resolving Colorado Benefits Management Systems (CBMS) programming and system issues to appropriately terminate applicants? presumptive eligibility when the beneficiaries are enrolled in regular Medicaid or Children?s Basic Health Plan program and ensuring CBMS displays consistent applicant information between various screens. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department agrees with the audit recommendation to develop and implement formal written policies and procedures. Prior to this audit, the Department began creating formal written policies and procedures for site case reviews, maintenance of supporting documentation, timely training for failed workers, and performance of timely re-certification of presumptive eligibility sites (PE site). This finding had no known questionable cost associated with it. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Department agrees with the audit recommendation to develop an effective tracking mechanism to identify and monitor PE sites that are due for re-certification every two years and ensuring that the re-certifications are performed. Prior to this audit, the Department began developing a tracking mechanism for PE site re-certifications. This finding had no known questionable cost associated with it. C AGREE. IMPLEMENTATION DATE: IMPLEMENTED. Implemented as of April 2021. The Department has thoroughly researched the eligibility issues identified in this audit and made the changes to CBMS to ensure that applicants? presumptive eligibility has been appropriately terminated when the beneficiaries are enrolled in regular Medicaid or CBHP program, and that CBMS displays consistent applicant information between various screens. These issues were fixed through two system changes implemented in March 2020 and April 2021. This finding had no known questionable cost associated with it. AUDITOR?S ADDENDUM for Parts A, B, and C As noted in the finding, we found five PE Sites that were not re-certified within the required 2 years and therefore, were not qualified to make presumptive eligibility determinations after their re-certification due date had passed. State regulation [10 CCR 2505-10, 8.100.4.F] requires the Department to re-certify the presumptive eligibility sites every 2 years to remain an approved site. The five PE sites processed a total of 314 presumptive eligibility determinations after their re-certification due date and before the Department re-certified the sites. The Department was unable to provide the total payments made on behalf of these 314 beneficiaries? prior to being enrolled in the regular Medicaid or CBHP program as of June 30, 2020. Therefore, we were unable to determine the amount of questioned costs the Department paid for these individuals during Fiscal Year 2020.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2020-052 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-039 PROVIDER ELIGIBILITY The providers of medical and related services covered under Medicaid and CBHP programs fall into a wide array of provider types that include clinics, hospitals, independent physicians, and medical technicians, as well as managed care organizations and health plans that contract with medical providers. As of June 30, 2020, approximately 76,960 entities and individuals were enrolled with the Department to provide services under Medicaid and CBHP. Although the Department is ultimately responsible for ensuring that only eligible providers participate in the Medicaid and CBHP programs, the Department has contracted with a fiscal agent to perform certain provider-enrollment and claims-processing activities, including accepting, processing, evaluating, and approving or rejecting applications. Providers that want to enroll must complete an online application within Colorado interChange and provide documentation, including a current medical license, showing that they fulfill all enrollment requirements based on their provider type. The fiscal agent is contractually responsible for evaluating the application and the relevant supporting documentation to ensure compliance with all state and federal enrollment requirements. The Department is responsible for maintaining current provider information in Colorado interChange. Once the enrollment process is complete, the Department enters into agreements with the providers that are found to be eligible. In December 2019, the Department added a Department of Regulatory Agencies (DORA) license database interface within Colorado interChange in order to provide a mechanism for updating the provider?s medical license information including the expiration dates within Colorado interChange for any expired provider licenses. Department staff indicated that the provider licenses are manually reviewed at the time of enrollment by the fiscal agent and marked as active, meaning the providers are eligible to participate in the Medicaid and/or CBHP programs. On a monthly basis, the fiscal agent manually runs a report from the DORA database to identify the provider?s medical licenses that are about to expire and updates the renewed license information in Colorado interChange. If a provider?s license is expired, then the fiscal agent marks the provider for a review. Furthermore, the Department?s Program Integrity (PI) Division checks the DORA?s website monthly to determine if any action such as suspensions or revocations of licenses have been taken against a provider?s medical license. If the action taken against the provider affects the provider?s ability to participate in Medicaid or CBHP for a certain period, the PI Division then determines if the provider should be placed on a temporary restriction by suspending any payments, or be terminated within Colorado interChange to stop payments to the provider. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over the enrollment and eligibility determinations of providers for Medicaid and CBHP services and to determine whether the Department complied with federal Medicaid and CBHP provider eligibility requirements during Fiscal Year 2020. Additionally, we assessed the Department?s progress in implementing our Fiscal Year 2019 recommendation related to provider eligibility and enrollment. At that time, we recommended that the Department improve its controls in this area to ensure that it complies with federal and state requirements related to data verification and maintenance of documentation, such as current provider licenses, to ensure payments are only made to eligible providers. We also obtained a detailed Suspension Listing from DORA, which contained provider medical licenses that were suspended during Fiscal Year 2020. We compared this Suspension Listing with provider information within Colorado interChange to determine whether the Department paid any providers with suspended licenses for claims during the fiscal year. We reviewed a sample of 45 provider applications for providers that were deemed eligible and received Medicaid and CBHP payments during Fiscal Year 2020 through Colorado interChange. We obtained and reviewed provider application information and relevant supporting documentation within Colorado interChange to determine whether these providers were accurately deemed eligible to receive Medicaid and CBHP payments and whether the required documents were maintained, in accordance with federal and state regulations. In addition, we conducted interviews with Department staff regarding its procedures over Medicaid and CBHP provider eligibility and enrollment. In March 2020, the Governor issued executive orders waiving Medicaid and CBHP provider licensing requirements for providers whose licenses expired during the COVID-19 PHE; as a result, our testwork was split into two periods of testing: (1) July 1, 2019, through February 29, 2020, and (2) March 1, 2020, through June 30, 2020. The process followed for provider eligibility and enrollment is the same for both Medicaid and CBHP providers, and our testing was used to determine compliance for both programs. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? We applied the following criteria during our testing: ? FEDERAL REGULATION [42 CFR 455.412] requires that the Department have a method for verifying that any provider purporting to be licensed in accordance with the laws of any state is licensed by such state and confirm that the provider?s license has not expired and that there are no current limitations on the provider?s license. This federal regulation requires the Department to verify that the providers meet required licensure standards initially, and it is best practice for the Department to verify that the providers meet these standards on an ongoing basis to ensure that there are no current limitations on the provider?s license. In May 2021, CMS provided clarification to the Department that ?not every condition on a provider?s license would be considered a limitation? and the PI Division within the Department needs to ?document in writing their determination to keep a provider enrolled when a license limitation does not restrict the provider?s ability to render services to Medicaid and CBHP beneficiaries to be in compliance with federal regulation.? ? STATE REGULATIONS [10 CCR 2505-10, 8.125.9 A AND B] require for current medical provider licenses, if a provider is required to possess a license or certification in order to provide services or supplies in the State, then that provider must be so licensed as a condition of enrollment as a Medicaid provider. As a condition of enrollment, any required licenses must be active without any current limitations. ? DEPARTMENT POLICY AND PROCEDURE. Provider Licensure Sanction Monitoring, Section III. A., states that in order for a provider to be eligible to render and bill for services, the provider must have an active license. ? FEDERAL CMS REQUIREMENTS [Sub Regulatory Guidance for State Medicaid Agencies (SMA): Revalidation (2016-001 (3))] state the Department must be able to produce documentation to support each of the provider screening and enrollment requirements under 42 CFR 455 Subpart E, including documentation of the most current license to ensure the provider remains eligible to provide services. ? CONTRACT REQUIREMENTS. According to the contract agreement with the fiscal agent, the fiscal agent is required to maintain detailed documentation to support each of the provider screening and enrollment requirements, including documentation of the provider?s most current license to ensure the provider remains eligible to provide services for Medicaid and CBHP. ? FEDERAL REGULATION [45 CFR 75.303(a)] requires that the Department, as a recipient of federal funds, must establish and maintain effective internal control over its federal awards that provides reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Green Book, Paragraph 16.01, which states that the Department ?should establish and operate monitoring activities to monitor [its] internal control system and evaluate the results.? Monitoring activities include reviewing reports, observing operations, and ensuring that activities are carried out in accordance with the federal grant agreement(s). WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We found that the Department did not fully comply with federal and state regulations for Medicaid and CBHP provider eligibility during Fiscal Year 2020. The specific issues we identified through our analyses of Medicaid and CBHP provider license data and case file reviews are outlined in more detail throughout this section. ELIGIBILITY ISSUES IDENTIFIED THROUGH DATA ANALYSES INELIGIBLE PROVIDERS?SUSPENDED LICENSES OR LICENSE WITH LIMITATIONS. Based on our comparison of the suspended provider license listing from DORA and provider information within Colorado interChange, we identified 13 ineligible providers who had their license suspended or had a license with limitations for part of Fiscal Year 2020, but continued to be shown as active, which means eligible, in Colorado interChange, as follows: ? 13 providers had their licenses suspended by DORA during Fiscal Year 2020; however, instead of terminating these providers in accordance with federal and state regulations, the Department marked these providers as active within Colorado interChange. For four of the 13 providers, the Department did not take any action to prevent them from billing for services during the year. For the remaining nine providers, the Department placed billing restrictions on the providers after DORA?s suspension date. Specifically, for six of these nine providers, the Department placed billing restrictions on the providers within 1 to 2 months and for the remaining three providers, placed the billing restrictions on the providers between 3 to 12 months after DORA?s suspension date. Based on additional testing, we determined that no payments were made to these providers after their licenses were suspended by DORA and therefore, we did not identify any questioned costs associated with these providers. ? One provider had its license listed as active with conditions on DORA?s website from April 10, 2020, through June 30, 2020, but the Department did not terminate the provider due to current limitations on the license; instead, the provider was marked as active in Colorado interChange and continued to bill claims and receive payments during the fiscal year. We determined that the provider?s current license limitations did not restrict the provider?s ability to render services. Therefore, the provider was eligible and no questioned costs were noted. However, the Department did not document their determination to keep this provider enrolled with current license limitations. In addition, we noted that this provider?s license expired in Colorado interChange as of October 2016, however, DORA?s website showed the provider with an active license, or license with limitations, during Fiscal Year 2020. The fiscal agent did not update license information as required by the contract. ELIGIBILITY CASE FILE ISSUES MISSING DOCUMENTATION AND LICENSE INFORMATION. For five of 45 providers (11 percent), the Department did not ensure that the fiscal agent maintained the support of the most current medical license information as of June 30, 2020, within Colorado interChange to demonstrate that the provider was eligible to provide services. After we brought the issue to the Department?s attention, the Department provided the documentation. Additionally, for two of these five providers, we found that the medical license information maintained by the fiscal agent in Colorado interChange differed from the license information contained in the DORA database. For example, in one case, the provider?s license showed an expiration date of September 30, 2019, in Colorado interChange, while the accurate license expiration date in DORA?s database was September 30, 2021. Without the most current license information, the fiscal agent cannot appropriately verify ongoing eligibility for the providers. WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls in place over the provider eligibility process during Fiscal Year 2020 to ensure that it complied with federal and state regulations. ? INEFFECTIVE REVIEW OF PROVIDER LICENSES. The Department lacks an effective review process to ensure the license information in DORA?s database matches the license information in Colorado interChange in order to identify suspended providers, to document their determination to keep a provider enrolled with license limitations, and providers with expired licenses. In addition, the Department?s manual review did not ensure that suspended providers, providers with license limitations and providers with expired licenses were terminated and restricted in a timely manner. ? POLICIES AND PROCEDURES NOT UPDATED. The Department did not obtain CMS guidance until May 2021 to document their determinations to keep providers with license limitations enrolled when a license limitation did not restrict provider?s ability to render services. Therefore, the Department?s current policies and procedures are not updated to match CMS guidance. ? LACK OF EFFECTIVE TRAINING AND MONITORING. The Department was not effectively training and monitoring its fiscal agent to ensure that copies of active medical licenses are maintained within providers? files in Colorado interChange. Additionally, the fiscal agent did not properly update the provider?s license information in Colorado interChange to match the DORA database during Fiscal Year 2020. WHY DO THESE PROBLEMS MATTER? By not ensuring that appropriate internal controls, including policies and procedures, reviews, training, and monitoring, are in place over the Medicaid and CBHP provider eligibility process, the Department cannot ensure that all Medicaid and CBHP providers are eligible to participate in the programs. Additionally, without an effective review process to update provider licensure information within Colorado interChange, the Department cannot ensure that the enrolled providers are eligible to receive payments. Ensuring that providers contained in Colorado interChange are eligible to provide services is especially important to prevent any improper payments. Overall, the State could risk losing federal Medicaid and CBHP funding if it allows ineligible providers to bill and be paid for services provided for these programs. Furthermore, the State may lose federal Medicaid money if the Department does not recover any of the payments made to ineligible providers. State statute [Section 25.5-4-301(2), C.R.S.] indicates that any overpayments of claims to providers are recoverable. These overpayments ?shall be recoverable regardless of whether the overpayment is the result of an error by the state department, a county department of social services, an entity acting on behalf of either department, or by the provider or any agent of the provider.? See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-039 The Department of Health Care Policy and Financing (Department) should improve its internal controls over the Medicaid and Children?s Basic Health Plan provider eligibility determination to ensure that it complies with federal and state requirements by: A Improving the Department?s review process of provider licenses to ensure the license information in the Department of Regulatory Agencies (DORA) license database matches the license information in the Colorado interChange system and ensuring timely termination and imposing restrictions for the provider?s whose licenses are suspended or expired. B Updating the current policies and procedures to match Centers for Medicare and Medicaid Services guidance to ensure there is adequate documentation of the determinations for providers with license limitations. C Effectively training and monitoring its fiscal agent to ensure that copies of active licenses are maintained and provider license information in the Colorado interChange system matches the information in DORA?s license database. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will update its policies and procedures to ensure that the process for reviewing whether a license action requires termination or a restriction in the Colorado interChange, is documented and implemented in a timely manner to prevent payments to ineligible providers. As noted in OSA's finding, it is best practice for the Department to verify providers meet these standards on an ongoing basis between initial enrollment and revalidation to ensure there are no current limitations on the provider?s license, including those that have expired. The Department?s previous process was discontinued due to data matching issues between DORA and the Colorado interChange. However, letters continue to be sent to providers with upcoming expiring licenses prompting them to add current license information to their provider file. The Department plans to implement a system change that will make the data feed from DORA functional and install a front-end claims edit that will prevent claims from providers with an expired license from paying. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will update its policies and procedures to ensure that all determinations made on whether a provider has a limitation on its license are properly documented. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department has an established process to train and monitor its fiscal agent. The Department will continue to monitor the Fiscal Agent through reports, meetings, and quarterly audit review processes. The Department and the Fiscal Agent will continue to collaborate to improve the process in which required documentation is collected and maintained.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-054 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-041 MEDICAID ELIGIBILITY?MISSING SOCIAL SECURITY NUMBERS A beneficiary?s application includes information such as a Social Security Number (SSN), birth certificate, and supporting documentation for income. Local counties and MA sites are responsible for administering the benefits application process, entering the required data for eligibility determination into CBMS, and approving or denying applicants? eligibility. For example, Medicaid caseworkers enter and document each applicant?s SSN into CBMS. Caseworkers determine participants? eligibility to receive Medicaid benefits through CBMS. The CBMS eligibility data, including SSNs, feeds into Colorado interChange, which pays providers for the services they render to Medicaid beneficiaries. If there is a change to an SSN, including removing an SSN in CBMS, this change should feed directly into Colorado interChange. Additionally, children in foster care are automatically eligible for Medicaid; the TRAILS system that supports the foster care program at the Department of Human Services also interfaces with Colorado interChange on a daily basis to update foster care beneficiaries? eligibility information and pay providers for the services rendered. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls that were in place over the Medicaid eligibility process during Fiscal Year 2019, and to determine whether the Department complied with federal and state Medicaid requirements during this timeframe. During our audit, we requested a list of all Medicaid claims for medical services that were submitted and paid through Colorado interChange from July 1, 2018, through March 31, 2019. This list included claims made on behalf of approximately 1.1 million beneficiaries. We analyzed the data to identify any Medicaid claims payments made during July 1, 2018, through March 31, 2019, on behalf of beneficiaries who did not have an SSN in Colorado interChange on the date of the claims payment, and found a total of 524,092 claims paid on behalf of 46,772 beneficiaries. From this listing, we excluded any of the claims payments made on behalf of a beneficiary who was exempted from providing an SSN under federal and state regulations. For example, we removed claims payments for beneficiaries who were under the age of 1; beneficiaries who were in foster care and, therefore, were automatically deemed eligible for Medicaid; beneficiaries who had applied to the Social Security Administration for an SSN at the time of the payment; beneficiaries who received medical care as an emergency service; and beneficiaries who had chosen to opt out of providing an SSN due to allowed religious reasons. After we removed these exempted beneficiaries from the population, the list included 2,870 beneficiaries that appeared to be missing an SSN in Colorado interChange and who had Medicaid claims payments made on their behalf from July 1, 2018, through March 31, 2019. We then reviewed these remaining beneficiaries, and the related separate payments made on their behalf during this time period, to determine whether these beneficiaries had an SSN in Colorado interChange at the time of the claims payments and whether the individuals were eligible for Medicaid benefits in accordance with federal regulations and Department procedures. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? SSN REQUIREMENTS. Federal regulations [42 CFR 435.910 and 42 CFR 435.117(b)] state that the Department must require an SSN for each individual requesting Medicaid benefits, with the exception of newborns under the age of 1, or ?Eligible Needy Newborns,? and individuals who refuse ?to obtain an SSN because of well-established religious objections.? Federal regulation [42 CFR 435.145(b)(2)] states that the Department must provide Medicaid benefits to individuals who are in the foster care program. Section 472 of the Social Security Act does not require a child to provide an SSN in order to be eligible for the foster care program. State regulations [10 CCR 2505-10 8.100.3.I.1, 8.100.4.B.1.a, and 8.100.4.G.7.a] also require that every individual who applies for and receives Medicaid benefits must provide an SSN, or an application for an SSN, with their application for Medicaid. The regulation specifically states: An applicant?s or client?s refusal to furnish or apply for a Social Security Number affects the family?s eligibility for assistance as follows: i) that person cannot be determined eligible for the Medical Assistance Program; and/or ii) if the person with no SSN or proof of application for SSN is the only dependent child on whose behalf assistance is requested or received, assistance shall be denied or terminated. The regulation also states that newborns under the age of 1 and ?members of religious groups whose faith will not permit them to obtain Social Security Numbers shall be exempt from providing a Social Security Number.? Eligibility data, including SSNs, is required to be collected and entered into CBMS at the time of application or upon another event, such as the beneficiary turning 1 year old. Because this information is maintained within CBMS, and CBMS feeds eligibility information into Colorado interChange, eligible beneficiaries should have an SSN in Colorado interChange. MONITORING. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in the Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). Green Book Paragraph 16.01, Perform Monitoring Activities, states the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. TRAINING. Department training procedures indicate that when a local county or MA site caseworker needs to update an SSN in CBMS, he or she must call the Office of Information Technology (OIT) Service Desk within the Office of the Governor, for approval of the change. According to Department staff, once the OIT Service Desk reviews and approves the change, the information will be updated within CBMS; if the OIT Service Desk does not approve the change to the SSN, then the updated information will be rejected within CBMS. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We identified 2,870 beneficiaries who were required to have an SSN but did not have an SSN documented in Colorado interChange and had Medicaid claims paid on their behalf sometime between July 1, 2018, and March 31, 2019. In total, Colorado interChange paid approximately $4,540,920 in Medicaid claims for these beneficiaries during the time period noted. In August 2019, we informed the Department of the issues we identified and Department staff performed additional follow-up based on our findings, which included analyzing information contained in CBMS compared to our results from Colorado interchange; the Department confirmed in January 2020, the Department confirmed that 1,590 of these beneficiaries had never had an SSN recorded in CBMS since they were first found eligible for Medicaid benefits, and therefore, would never have had an SSN in Colorado interChange. Because these individuals were required by federal and state regulations to provide an SSN at the time of application or upon another event, as applicable, the lack of documented SSNs in both CBMS and Colorado interChange indicated that these individuals appeared to be ineligible for the Medicaid claims payments that were made on their behalf during the fiscal year. The Department indicated that the remaining 1,280 beneficiaries without an SSN in Colorado interChange did not have an SSN in CBMS at the time of the claim but had an SSN ?at some point? during Fiscal Year 2019 or prior within CBMS. Since the individuals lacked an SSN within Colorado interChange at the time of the Fiscal Year 2019 claims payments, and based on the documentation provided by the Department, we were unable to determine whether the individuals had submitted an SSN at the time of application or upon another event as required and, therefore, whether they were eligible for the Medicaid services they received. Overall, for the 1,590 beneficiaries noted, we identified known questioned costs of $2,285,757 for the period of July 1, 2018, through March 31, 2019; $1,142,879 of these costs were paid with federal grant funds. For the 1,280 beneficiaries noted, we identified likely questioned costs of $2,255,163 for the period of July 1, 2018, through March 31, 2019. We further analyzed 49 of the 1,590 beneficiaries noted above to identify reasons for missing SSNs and found that: ? Beneficiaries in CBMS were not eligible; however, they were marked as ?eligible? within Colorado interChange. ? Beneficiaries were incorrectly enrolled in the Eligible Needy Newborn Program even though they were all over the age of 1; as a result, although the Department had not required them to provide an SSN, they continued to receive benefits during July 1, 2018, through March 31, 2019. ? Beneficiaries were exempted from obtaining an SSN for unallowable reasons including ?incomplete documents? and ?illness? categories, and CBMS processed their eligibility and Colorado interChange made payments on their behalf; however, neither federal nor state regulations allow such exemptions. The Department has indicated that they are performing additional research on the issues regarding the 1,280 beneficiaries that had an SSN ?at some point? during Fiscal Year 2019 or prior within CBMS. WHY DID THESE PROBLEMS OCCUR? For 1,280 beneficiaries identified who were missing an SSN in Colorado interChange and CBMS at the time of the claim, but had an SSN ?at some point? within CBMS during Fiscal Year 2019 or prior, the Department provided the following possible explanation: The SSN was removed due to caseworkers failing to contact the OIT Service Desk for proper approval for changes to SSN information in CBMS. Other problems with missing SSNs were related to: ? CBMS ISSUES. CBMS was not programmed to appropriately deny an applicant?s eligibility for Medicaid when the individual did not have an SSN in CBMS and did not have an allowed exception noted in CBMS. Rather, CBMS allowed the SSN field to be left blank, regardless of the reason noted for the missing SSN and whether the reason was allowed as an exemption by federal and state regulations. In addition, the SSN in CBMS could be deleted at any time by the caseworker or the OIT Service Desk and CBMS was not programmed to alert the caseworker to follow up if an SSN had been deleted from the file. ? SYSTEM INTERFACE ISSUES AND LACK OF A RECONCILIATION PROCESS. CBMS was not interfacing with Colorado interChange appropriately to update beneficiaries? eligibility information. Some beneficiaries who were deemed ?ineligible? for Medicaid in CBMS were listed as ?eligible? in Colorado interChange and payments were made on their behalf during the fiscal year. Furthermore, the Department lacked an effective internal control process for reconciling Medicaid beneficiaries? eligibility information in CBMS to the eligibility information in Colorado interChange to ensure that the information was consistent in both systems, and that the beneficiary was appropriately deemed either ?eligible? or ?ineligible? in accordance with federal and state regulations. ? LACK OF EFFECTIVE REVIEWS, TRAINING, AND MONITORING. The Department was not effectively monitoring and training Medicaid local county and MA site caseworkers on required approvals for any changes to beneficiaries? SSNs. Further, the Department did not have an effective review process to ensure that beneficiaries were enrolled in the correct Medicaid program. WHY DO THESE PROBLEMS MATTER? As the state Medicaid agency, it is essential for the Department to ensure that Medicaid eligibility determinations are made appropriately and in accordance with state and federal regulations. This includes ensuring accurate processing of information used to determine Medicaid eligibility results in Medicaid benefits being provided to and paid on behalf of only eligible individuals. Since CBMS and Colorado interChange determine eligibility and issue payments on behalf of other federal programs, such as the CBHP, these issues could result in erroneous eligibility determinations or payments for other programs. Ultimately, the federal government may disallow federal funds for Medicaid program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2019-043 The Department of Health Care Policy and Financing should improve its internal controls over Medicaid eligibility by: A Researching and, if feasible, instituting a mechanism for identifying Medicaid cases in the Colorado Benefits Management System (CBMS) that lack a Social Security Number. B Researching and resolving CBMS and Colorado interChange interface issues to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries and establishing an effective reconciliation process between CBMS and Colorado interChange to ensure that Medicaid beneficiaries? eligibility information is consistent in both systems. C Effectively training and monitoring local counties and Medical Assistance sites to ensure that caseworkers are obtaining and documenting the Office of Information Technology Service Desk?s approval for changes to beneficiaries? Social Security Numbers, and that beneficiaries are enrolled in the correct Medicaid program. D Researching the cases identified in our audit to determine whether these beneficiaries were eligible and that the payments made on their behalf were appropriate, in accordance with federal and state regulations. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The CBMS currently has functionality in place for members requesting Medical Assistance that they must supply a Social Security Number (SSN) unless they meet certain acceptable exceptions at initial application. Since CBMS is a shared system between the Department and the Department of Human Services and any change would impact all cases in CBMS, the Department cannot guarantee that a system change can be implemented. The Department can agrees to research on the feasibility of instituting a mechanism for identifying Medicaid cases in CBMS that lack a social security number and, if feasible, implement a CBMS change by July 2022. B AGREE. IMPLEMENTATION DATE: JULY 2021. The Department agrees to research and resolve Colorado Benefits Management System (CBMS), and Colorado interChange system interface issues identified in the audit. The Department implemented a system change in June of 2018 that allows retroactive changes in eligibility to be correctly synced between the systems. The majority of the impacted cases are historical cases that will be manually corrected by June 2020. Additional cases involve detailed research, review, and potential outreach to case workers to correct the case file or verify the eligibility status of the impacted members. The Department will take the appropriate actions to notify impacted members if necessary. The Department's implementation date reflects that the Department will be in compliance with the Recommendation for the entirety of FY 2021-22. C AGREE. IMPLEMENTATION DATE: JULY 2021. The Department provides training to counties and Medical Assistance sites that beneficiaries applying for Medical Assistance must supply a Social Security Number (SSN) or supply verification that they have applied for an SSN, unless they meet certain acceptable exceptions. This information has been communicated to the counties since 2004 and is part of our ongoing training materials. The Department cannot agree to establish any additional review process at this time. The Department can agree to work with counties and Medical Assistance sites to identify any additional training related to missing SSN and implement additional training by July 2021. D DISAGREE. The Department disagrees with the Total Known Questioned Costs of $2,285,757 identified in the audit report since Department cannot verify the results. The Department is still attempting to reconcile various reports to understand the finding identified through this audit. CBMS currently has functionality in place for members requesting Medical Assistance that they must supply a Social Security Number (SSN), unless they meet certain acceptable exceptions at initial application. The Department does not have the resources to research the thousands of cases that the auditor identified through data mining techniques, a new methodology for the first time this year. If the auditor is changing methodologies, the Department requires additional resources and timely notice to request resources through the budget process. AUDITOR?S ADDENDUM: The beneficiaries identified through our testing were required by Medicaid regulations to provide an SSN at the time of application or upon another event, as applicable, and the SSN is documented in CBMS and uploaded to Colorado interChange [State regulations 10 CCR 2505-10, 8.100.3.I.1 and 8.100.4.B.1.a and 8.100.4.G.7.a]. Because the noted beneficiaries lacked an SSN within Colorado interChange at the time claims payments were made on their behalf, we questioned the beneficiaries? eligibility. The Department is responsible for ensuring that only individuals who are appropriately deemed eligible for Medicaid receive benefits. Therefore, it is the Department?s responsibility to identify and remove ineligible individuals from the Medicaid program and to prevent the inappropriate payment of claims on their behalf. In addition, generally accepted government auditing standards (GAGAS) (paragraph 3.18), require that ?In all matters relating to the GAGAS engagement, auditors and audit organizations must be independent from an audited entity.? Additionally, paragraph 3.42 states that ?Examples of circumstances that create undue influence threats for an auditor?include (b) [e]xternal interference with the selection or application of engagement procedures or in the selection of transactions to be examined.? Therefore, it is imperative that our decisions related to audit approaches and testing methods be made without department influence or persuasion.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-047 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-034 MEDICAID CONTROLS OVER ELIGIBILITY DETERMINATIONS Individuals and families seeking medical benefits through Medicaid must apply and provide certain information to caseworkers at their local county or an MA site, which collects required documentation for determining the applicants? eligibility. Such documentation includes the applicants? birth certificates, support for income, and the value of resources, such as wage stubs and bank account balances. Caseworkers enter the applicant-provided data into CBMS, which contains system checks for determining the applicants? eligibility to receive Medicaid benefits. These system checks include calculating and verifying income and resources for the applicants, as well as assessing and collecting fees for benefits, such as buy-in premiums. For example, CBMS will mark an applicant?s eligibility as fail if the reported income or resources exceed specific limits that are set by federal and state regulations. The Department is responsible for monitoring the local counties? and MA sites? administration of Medicaid to ensure eligibility is determined in accordance with federal and state regulations. Medicaid applicants may be eligible for retroactive eligibility, which allows new Medicaid applicants to receive coverage for up to 3 months prior to the date of one?s application. As long as the individual meets Medicaid?s eligibility requirements in the 3 months preceding their application, the Department will retroactively pay Medicaid covered expenses that individuals incurred during that timeframe. Without retroactive eligibility, benefits for Medicaid eligible individuals begin on the date the application was received by the local county or MA site. As an example, if an individual has medical expenses in March, applies for Medicaid in June, and the individual has met the eligibility requirements for 3 months preceding their application, then any unpaid Medicaid covered expenses for March, April, and May are paid by Medicaid. Eligibility data from CBMS feeds into the Colorado interChange system (Colorado interChange), which issues payments to Medicaid providers for the services they render to Medicaid beneficiaries. The Department pays Medicaid providers through two methods: (1) directly through fee-for-service (FFS) payments for specific services rendered or (2) indirectly through monthly fixed amounts known as capitation payments that are paid to managed care entities, who contract with providers for services. The monthly capitation payments are paid every month on behalf of beneficiaries regardless of whether the beneficiaries receive medical services during the month. Colorado interChange is programmed to pay the FFS and monthly capitation payments only on behalf of beneficiaries deemed eligible in Colorado interChange based on eligibility information received from CBMS and requirements specified in federal and state rules and regulations. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to review the Department?s internal controls over the Medicaid eligibility determination process, as well as to determine whether the Department complied with applicable federal and state Medicaid eligibility requirements during Fiscal Year 2020. We performed testing on a statistical sample of 125 case files related to beneficiaries who (1) were deemed eligible for Medicaid during Fiscal Year 2020 and (2) had a payment made on their behalf to a Medicaid provider between July 1, 2019, and February 29, 2020. The purpose of our testing was to determine whether the beneficiaries were appropriately determined to be eligible for Medicaid during the time they received services within this period. This audit period was selected to accommodate changes that were made to federal Medicaid eligibility requirements in March 2020 due to the COVID-19 PHE. Our testing involved reviewing Medicaid case files, CBMS data fields, and supporting documentation related to eligibility determinations and redeterminations, as well as Medicaid payment information in Colorado interChange. For each beneficiary, we determined whether the Department ensured that local county and MA site caseworkers obtained and maintained required documents supporting eligibility determinations and redeterminations, and correctly entered eligibility data into CBMS. Additionally, for each sampled beneficiary, we determined whether CBMS showed the correct income and resources, the beneficiary was enrolled in the appropriate Medicaid program, buy-in premiums were assessed, and payments were not made after eligibility had ended during Fiscal Year 2020. We also inquired about the Department?s monitoring procedures over local counties and MA sites to ensure eligibility is determined in accordance with federal and state regulations. Additionally, we reviewed the Department?s progress in implementing our Fiscal Year 2019 audit recommendation related to Medicaid eligibility. Based on the results of that audit, we recommended that the Department strengthen its internal controls over Medicaid by providing adequate training, monitoring the local counties and MA sites, and researching and resolving CBMS system issues identified in our Fiscal Year 2019 audit. STATISTICAL SAMPLING METHODOLOGY We selected a statistical sample of Medicaid beneficiaries for our review of their case files in a manner that?if we found errors?would allow us to estimate the total number of beneficiaries who were improperly deemed eligible, as well as the resulting dollar amount of Medicaid benefit payments that were improperly paid during the audit period of July 1, 2019, through February 29, 2020. We designed our sampling methodology and sample size to support statistical projections of our testing results to the population of all beneficiaries for whom payments were made during the audit period. Our methodology included the following procedures: ? We requested and received from the Department a listing of all Medicaid FFS and capitation payments with a date of service during the audit period. The data set included State identification numbers (ID), which are unique to each beneficiary. ? We summarized all Medicaid payments made during the audit period by ID and removed any IDs for which total payments and adjustments netted to $0, which can happen when the Department catches and fixes payments made in error. This resulted in a population of 1,386,220 unique IDs that had a total of $5,408,339,948 in payments made on their behalf during the audit period. ? We used a stratified random sample, as shown in the following table, consisting of six strata defined by the total amount of payments for each unique ID. We selected random samples from each strata for a total of 125 IDs that had benefit payments totaling $3,127,704. The strata and sample sizes were defined based on our risk assessment and consultations with audit sampling methodologists from the U.S. Department of Health and Human Services, Office of Inspector General (HHS OIG). ? For each sampled ID, we tested eligibility covering the dates of service for every payment made on the individual?s behalf within the audit period. ? After we concluded our testing, we used HHS OIG?s Office of Audit Services statistical software in consultation with HHS OIG to project our results to the full population of IDs for which benefits were paid during the audit period. See Schedule of Findings and Questioned Costs for chart/table. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? For 32 of the 125 Medicaid beneficiaries? case files that we tested (26 percent), we identified at least one error within each case file. In total, we identified 43 errors within the 32 case files. These errors resulted in a total of $25,120 in known questioned costs for July 1, 2019, through February 29, 2020, and $6,843 in likely questioned costs for March 1, 2020, through June 30, 2020, as shown in the following table. See Schedule of Findings and Questioned Costs for chart/table. A questioned cost, as defined in federal regulations [45 CFR 75.2 Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards (Uniform Guidance)], is ?a cost that is questioned by the auditor ? (1) Which resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds; [or] (2) Where the costs, at the time of the audit, are not supported by adequate documentation?.? Furthermore, federal regulation [45 CFR 75.516] defines known questioned costs as questioned costs that are specifically identified by the auditor and likely questioned costs as an auditor?s best estimate of total questioned costs. During the COVID-19 PHE, CMS issued waivers that limited the Department?s ability to deny eligibility for enrolled beneficiaries. The Department also sought guidance from CMS on the treatment of beneficiaries who were ineligible prior to the COVID-19 PHE but were receiving benefits during this period. CMS guidance indicated that the Department should keep these beneficiaries enrolled during the COVID-19 PHE. Therefore, we are reporting any identified questioned costs from March 1, 2020, through June 30, 2020, the period during the COVID-19 PHE, as likely questioned costs. PROJECTED LIKELY QUESTIONED COSTS FOR JULY 2019 THROUGH FEBRUARY 2020. Based on our sample, we estimate the projected Medicaid questioned costs resulting from payments made on behalf of ineligible beneficiaries in the population between July 1, 2019, and February 29, 2020, to be about $165.6 million and, with 90 percent confidence, to be at least $41.1 million but not more than $290.0 million. This projection is based on the $25,120 in known questioned costs, or misstatements, we identified in our sample during the audit period. The American Institute of Certified Public Accountants Audit Sampling, May 1, 2017, Audit Guide [AAG-SAM 4.95] advises, ?Even if the misstatement appears to be from an unusual source, that does not mean that other unusual items are not in the population and that the original sample was not representative.? In accordance with this guidance, we projected the known questioned costs to the population of payments for services that occurred from July 1, 2019, through February 29, 2020, regardless of the nature of the errors or the programs involved, since the Department is ultimately responsible for all payments made to providers on behalf of eligible beneficiaries. The projected questioned costs amount of $165.6 million is based on a statistical calculation that does not correlate to specific payments to providers or to over-expenditures of the State?s General Fund or federal funds. However, this calculation indicates that if we tested the entire population, there is a 90 percent likelihood of finding the true amount of questioned costs to be between $41.1 million and $290.0 million and the amount would most likely be close to $165.6 million in erroneous payments. There is a 5 percent chance that the true amount of questioned costs is less than $41.1 million, and a 5 percent chance the true amount is over $290.0 million. PROJECTED LIKELY NUMBER OF INELIGIBLE BENEFICIARIES FOR JULY 2019 THROUGH FEBRUARY 2020. We also estimate that 169,026 beneficiaries, or with 90 percent confidence that at least 59,622 (4.30 percent) but not more than 278,429 (20.09 percent) beneficiaries, in our total population of 1,386,220 were likely ineligible at the time they received services from July 1, 2019, through February 29, 2020. The following table summarizes the results of our projections. See Schedule of FIndings and Questioned Costs for chart/table. The following table summarizes the total known and likely questioned costs based on our case file testing and statistical sampling results for Fiscal Year 2020. See Schedule of Findings and Questioned Costs for chart/table. DETAILS OF ERRORS IDENTIFIED. In some case files, we identified multiple instances of errors. Specifically, we found the following: ? PAYMENTS AFTER ELIGIBILITY HAS ENDED. In three cases, the Department paid for services after the beneficiary?s eligibility had ended. Specifically, in two cases, the beneficiaries continued to receive benefits after their death. In the remaining case, the Department determined the beneficiary was ineligible and ended the beneficiary?s benefits; however, payments continued to be made on behalf of the beneficiary after their eligibility had ended. These issues resulted in known questioned costs of $11,102. Federal regulation [42 CFR 433.304] states that an overpayment is the amount paid by a state agency to a provider in excess of the allowable amount for furnished services. Because medically necessary services cannot be provided after a beneficiary?s death, no medical services are allowable after a beneficiary?s death. Accordingly, payments for medical services claimed to have been provided after a Medicaid beneficiary?s death are overpayments. According to federal regulation [42 CFR 431.958], ?Improper payment means any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements; and includes any payment to an ineligible beneficiary, any duplicate payment, any payment for services not received, any payment incorrectly denied, and any payment that does not account for credits or applicable discounts.? ? INELIGIBLE FOR PROGRAM. In one case, the beneficiary was ineligible for the benefits received under Medicaid?s Social Security Income (SSI) mandatory program, which is a medical assistance program provided to persons eligible for financial assistance under SSI from the Social Security Administration (SSA). As a result of an eligibility redetermination, the caseworker determined that the beneficiary had not been eligible for the program since January 2019; however, the beneficiary received benefits under this program for the entire fiscal year. This issue resulted in known questioned costs of $8,326 and likely questioned costs of $4,132 for Fiscal Year 2020. State regulations [10 CCR 2505-10, 8.100.6.C.1a. and b.] state that Medicaid benefits must be provided to persons receiving financial assistance under SSI or persons who are eligible for financial assistance under SSI, but are not receiving SSI. ? INCOME ISSUES. We identified the following income-related issues: ? INCOME EXCEEDING THRESHOLD. In two cases, CBMS incorrectly calculated the beneficiaries? income. CBMS used income information reported by the beneficiary when it should have used electronic income information received through an interface with another system. If CBMS had correctly used the electronic income information, beneficiaries? income would have been over the limit set by federal regulation and the beneficiaries, therefore, should have been denied benefits at their redetermination. Instead, the beneficiaries were approved at their redeterminations and Colorado interChange paid claims on their behalf. These errors resulted in known questioned costs of $4,613 and likely questioned costs of $2,281. ? INCOME NOT VERIFIED. In one case, the caseworker did not verify income for the beneficiary. Specifically, the beneficiary reported income on the application, but the caseworker was unable to verify the income and deleted the income record from CBMS. This error resulted in known questioned costs of $779 and likely questioned costs of $280. ? INCORRECT INCOME THRESHOLD. In one case, CBMS used the incorrect income threshold for the beneficiary?s eligibility determination. The beneficiary?s income was less than the correct income threshold and, therefore, this error did not result in questioned costs. ? INCORRECT INCOME. In three cases, the caseworker used the incorrect income amount to determine eligibility. Specifically, in two cases, the caseworker excluded income when it should have been included for determining eligibility. In the remaining case, the caseworker did not include expenses to calculate self-employment income and, as a result, the caseworker overstated income for determining eligibility. No questioned costs were identified in these instances because the beneficiaries? income was still within federal and state income guidelines. Federal regulation [42 CFR 435.119] requires household income to be at or below 133 percent threshold of the federal poverty level and the State regulation [10 CCR 2505-10, 8.100.6.L.2.c] requires qualified beneficiary?s income to be at or below the federal property level. Federal regulation [42 CFR 435.914] requires the Department to obtain and maintain documentation to support each beneficiary?s Medicaid eligibility determination. State regulation [10 CCR 2505-10, 8.100.5.B.1.c] requires the caseworker to verify earned income in determining whether an individual qualifies for medical assistance and requires the Department to verify income reported by a beneficiary through an electronic data source, wage stubs, tax documents, or verification with the employer. State regulation [10 CCR 2505-10, 8.100.3.K.8.a] requires business expenses to be deducted from countable self-employment income when calculating Medicaid applicants? self-employment income. ? MISSING REDETERMINATION. In one case, the Department did not complete the annual redetermination for the beneficiary as required by the federal regulation. Specifically, the beneficiary had Medicaid payments paid on their behalf during the entire Fiscal Year 2020; however, the beneficiary had not been redetermined since April 2018 due to the beneficiary showing as ineligible in CBMS. This issue resulted in known questioned costs of $300 and likely questioned costs of $150. Federal regulation [42 CFR 435.916(a)] requires the Department to renew or redetermine Medicaid eligibility once every 12 months but no more frequently than once every 12 months. ? BUY-IN PREMIUMS NOT ASSESSED. In one case, the Department did not assess buy-in monthly premiums for the beneficiary. Beneficiaries are required to pay buy-in premiums to receive benefits under the Buy-in Working Adults with Disabilities program. Therefore, the beneficiary was not eligible for the Program during November 2019 through February 2020. The beneficiary did not have any claims submitted by providers during this time and therefore, this issue did not result in questioned costs. State regulations [10 CCR 2505-10, 8.100.6.P.1.f] require individuals to pay monthly premiums on a sliding scale based on income for the Buy-in Working Adults with Disabilities program to be eligible to receive benefits. ? INAPPROPRIATE CHANGE TO ELIGIBILITY. In two cases, the Department did not determine eligibility in accordance with state regulation. Specifically, the beneficiaries provided information to the Department that changed their eligibility and the caseworkers applied the change retroactively; these beneficiaries were current Medicaid beneficiaries rather than new applicants and state regulations do not allow eligibility to be changed retroactively for current beneficiaries. These issues did not result in questioned costs. State regulation [10 CCR 2505-10, 8.100.3.E] requires that retroactive eligibility only be provided to new applicants for the prior 3 months preceding the date of application. State regulations do not allow for retroactive redeterminations to existing beneficiaries.
Finding 2022-043 Medicaid Claims Payments Individuals and families apply for Medicaid at their local county departments of human/social services or at MA sites. Medicaid caseworkers make the determinations of participants? eligibility to receive Medicaid benefits through CBMS. Children in the State?s foster care program, whose information is documented in the TRAILS system, are automatically determined eligible for Medicaid benefits. The Medicaid eligibility data in CBMS and TRAILS feeds into Colorado interChange, which pays providers for the services that beneficiaries receive. CBMS and TRAILS interface with Colorado interChange on a daily basis to update eligibility information, such as a beneficiary?s eligibility status and/or termination of benefits in Colorado interChange. According to the Department, Colorado interChange is programmed to make only allowable Medicaid claims payments on behalf of eligible beneficiaries in accordance with federal and state Medicaid rules and regulations. Thus, Colorado interChange should stop paying Medicaid claims when a beneficiary is no longer eligible for Medicaid. On March 18, 2020, the Act was enacted. The Act provided a temporary increase in the federal share of Medicaid and CBHP assistance from January 1, 2020 until the end of the PHE. The Act also required that the Department maintain Medicaid and CBHP eligibility for beneficiaries enrolled as of March 1, 2020, through the end of the COVID-19 PHE, except for the required terminations noted within the CMS waivers, such as out-of-state residency, termination upon the beneficiary?s request, and death of the beneficiary. On March 26, 2020, CMS approved waivers for a number of Medicaid and CBHP requirements that resulted in, for example, the expansion of benefits to include all uninsured individuals; suspension of beneficiary deductibles, copayments, coinsurance, and other cost sharing charges and fees; coverage of COVID-19 vaccines and testing; and the suspension of the requirement for a provider to have a current license if their license expired during the COVID-19 PHE. In addition, the State implemented, with CMS? approval, Medicaid continuous enrollment as a condition of receiving the temporary increase in federal assistance. During continuous enrollment, beneficiaries could not be disenrolled due to changes in circumstances (i.e., changes in household composition, employment, income and resources) until the end of the COVID-19 PHE. On December 29, 2022 the CCA was enacted. Under the CCA, continuous enrollment and the temporary increase in federal assistance are no longer linked to the end of the COVID-19 PHE. The continuous enrollment condition will end on March 31, 2023 and the increase in federal assistance will start to gradually reduce in April 2023, fully ending in December 2023. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to review the Department?s progress in implementing our Fiscal Year 2019 audit recommendation related to its internal controls over Medicaid claims payments. During that audit, we recommended that the Department improve its Medicaid controls by researching and resolving CBMS, TRAILS, and Colorado interChange interface issues we identified during our audit to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries. We specifically identified a TRAILS and CBMS eligibility mismatch issue related to the daily interfaces between CBMS and Colorado interChange and between TRAILS and Colorado interChange. As a result, some individuals who were deemed ineligible for Medicaid in CBMS and TRAILS were indicated as eligible in Colorado interChange at the time of payments; therefore, Colorado interChange made payments on their behalf. The Department researched the specific errors we identified during the audit and manually corrected the eligibility status of those beneficiaries, but the Department had not fully researched the error or identified and corrected all of the cases affected by the errors at that time. As such, we also recommended that the Department identify and correct any additional cases affected by the system issues noted in our audit. The Department agreed with the recommendation and stated that it would implement them by July 2021. As part of our audit work, we discussed the Department?s progress in implementing our audit recommendation with Department staff. According to the Department, it worked with the Department of Human Services (DHS) during Fiscal Year 2022 to develop a plan to eliminate the issues, including the TRAILS eligibility mismatch issue, we identified in the Fiscal Year 2019 audit. In order to address our recommendation that the Department identify and correct any additional cases affected by the system issues noted during our Fiscal Year 2019 audit, the Department developed an eligibility reconciliation report that compares beneficiary records with an active eligibility span in Colorado interChange, in order to identify any records that were not reported in the monthly eligibility file from CBMS. Department staff reported that they are reviewing the reconciliation report monthly to identify any beneficiary records that need updating in CBMS. Beneficiaries may show up on the reconciliation report either because (1) Colorado interChange rejected the beneficiary?s eligibility due to a data integrity issue, or (2) there was a system defect in CBMS, Colorado interChange, or TRAILS that caused a mismatch issue. Data integrity issues include issues such as a missing mailing address or last name?these issues can be manually fixed in CBMS. System defect issues are generally more complex and require Department staff to research the problem and identify the system that caused the error (CBMS, Colorado interChange, or TRAILS), and then work with the appropriate staff to correct the issue. As part of our audit, we requested copies of the Department?s eligibility reconciliation reports for Fiscal Year 2022 and asked the Department if it identified any additional cases affected by the system issues we identified, and if so, if they had they corrected the issues. How were the results of the audit work measured? We measured the results of our audit against the following: ? Federal regulation [42 CFR 447.56(e)(2), Limitations on Premiums and Cost Sharing] states that federal funding will not be provided for payments made by the Department to providers for services rendered to individuals who are not eligible for Medicaid. ? The Act [Section 2, Division F, Sec. 6008, Temporary Increase of Medicaid FMAP] temporarily increased the federal medical assistance percentage (FMAP) by 6.2 percentage points, effective from January 1, 2020 until the end of the PHE. The Act requires states to maintain Medicaid and Children?s Health Insurance Program (CHIP) eligibility for beneficiaries enrolled as of March 1, 2020 through the end of the PHE (with certain exceptions) in order to receive the increased FMAP assistance (the ?continuous enrollment requirement?). The PHE remained in effect during the entirety of Fiscal Year 2022 through June 30, 2022. ? According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with the Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office, Paragraph 16.01, Perform Monitoring Activities, which states that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. What problems did the audit work identify? We determined that the Department did not fully implement our Fiscal Year 2019 recommendation related to Medicaid claims payments by the July 2021 due date it originally provided. Specifically, while the Department has started working with DHS on a plan to resolve the TRAILS eligibility mismatch issues and started preliminary work on the project, the project was still ongoing as of June 30, 2022. In addition, the Department?s system enhancements to CBMS and Colorado interChange were not fully executed because of the ongoing PHE. Once the PHE ends and the Department executes the system enhancements, the Department has indicated the system will begin to correct the CBMS and Colorado interChange mismatches. Finally, although the Department has identified additional beneficiary records that require updating in CBMS, it did not correct the identified issues in the system. Specifically, the Department identified approximately 32,800 separate beneficiaries that were flagged as having an eligibility issue through the Fiscal Year ending June 30, 2022. However, per Department staff, they are unable to tell which beneficiaries had data integrity issues versus those that were caused by a system defect. Once the continuous enrollment period ends and the Department is able to fully execute the system enhancements noted above, the Department reports that the systems will sync any error the Department has identified and will be manually corrected. Why did these problems occur? The Department indicated that it did not fully execute the CBMS and Colorado interChange system enhancements because of the Act?s ongoing continuous enrollment requirement. Specifically, because the Department was required to maintain Medicaid and CBHP beneficiaries enrolled as of March 1, 2020 through the entirety of Fiscal Year 2022 due to the continuous enrollment requirements in place, they were unable to fully execute the CBMS and Colorado interChange system enhancements that would fix the data integrity issues identified during the Fiscal Year 2019 audit. Why do these problems matter? Making payments to ineligible individuals can result in the Department having to repay the federal government for the federal portion of the overpayments. Further, because Colorado interChange makes payments on behalf of other federal programs, such as CBHP, system issues with Colorado interChange could result in erroneous payments for other programs. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-043 The Department of Health Care Policy and Financing should strengthen its internal controls over Medicaid claim payments by: A. Continuing to work with the Department of Human Services to fully implement the plan to eliminate the Colorado interChange issues between Colorado Benefits Management System (CBMS), TRAILS, and Colorado interChange to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries. B. Continuing to review the monthly eligibility reconciliation reports and identifying beneficiary records that need updating, and making necessary corrections in CBMS once the continuous enrollment condition ends. Response Department of Health Care Policy and Financing A. Partially Agree Implementation Date: April 2023 The Department and CBMS teams have strengthened their internal controls to ensure payments are only made to providers for eligible members. The Department and CBMS teams will update all member records identified on the Monthly Reconciliation report once the Public Health Emergency ends. TRAILS team has provided additional training to the Case Managers to prevent data integrity issues being submitted to CBMS and interChange; however, the TRAILS team does not plan to update the system's internal controls until funding is available. Auditor?s Addendum Our responsibility under federal audit regulations is to report to the federal government when we identify Medicaid payments that may not have been made on behalf of eligible individuals or costs that we question as appropriate. It is ultimately the Department?s responsibility to have internal controls in place over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions B. Agree Implementation Date: April 2023 The Department agrees to review the monthly eligibility reconciliation report and is looking forward to resolving the member records once the Public Health Emergency ends to fully resolve the audit finding.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-041 Medicaid Eligibility?Social Security Numbers associated with Multiple State IDs Each beneficiary?s Medicaid application must contain specific information, including the beneficiary?s Social Security Number (SSN), a copy of their birth certificate, and support for their income, necessary for determining their Medicaid eligibility. The local counties and MA sites are responsible for administering the benefits application process, including entering the required data for eligibility determination into CBMS, and approving or denying applicants? eligibility. CBMS is a shared eligibility system between the Department and the Department of Human Services. As each beneficiary has one SSN, similarly, the State Identification Module (SIDMOD), which is managed by the Office of Information Technology (OIT), is designed to assign a unique State ID for each beneficiary. CBMS interfaces with Colorado interChange, the Department?s Medicaid claims payment system, on a daily basis to update eligibility information, such as a beneficiary?s eligibility status or termination of benefits in Colorado interChange. Colorado interChange uses this information to process and pay claims for services provided to eligible Medicaid beneficiaries. When a medical provider submits a claim to the Department, Colorado interChange checks the State ID and the date of birth, but not the SSN, submitted with the claim against the beneficiary?s information on file. If the State ID and the date of birth match an eligible beneficiary within Colorado interChange and the claim is otherwise appropriate, then the claim will be processed and paid through the system. The Department requires local counties or MA site caseworkers to call the OIT Service Desk to obtain approval for changing or updating an SSN in CBMS. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department made claims payments on behalf of beneficiaries with the same SSN but different State IDs, including assessing the Department?s progress in implementing our Fiscal Year 2019 recommendation related to this issue. At that time, we recommended that the Department improve its internal controls in this area to ensure that it complies with federal regulations regarding Medicaid eligibility. The Department agreed with the Fiscal Year 2019 recommendation and, during our Fiscal Year 2021 audit, reported that it had implemented this recommendation as of December 2020. As part of our testing, we reviewed the internal controls the Department had in place during Fiscal Year 2021 to identify any beneficiaries whose SSN is linked to more than one State ID in Colorado interChange. During our audit, we requested a list of all Medicaid claims that were submitted by providers and paid by the Department from December 1, 2020, through June 30, 2021, including the beneficiaries? names, SSNs, and State IDs. The Department provided a list that included approximately 924,000 beneficiaries who received benefits during that period. We analyzed this listing to identify any beneficiaries whose SSN was linked to more than one State ID, and to determine if any claims payments were made on behalf of those beneficiaries from December 2020 through June 2021. How were the results of the audit work measured? Federal regulation [42 CFR 435.910] states that the Department must require, as a condition of eligibility, that each individual (including children) seeking Medicaid services furnish a SSN. Federal regulation [42 CFR 435.914] further requires the Department to obtain and maintain documentation to support each beneficiary?s Medicaid eligibility determination. Federal regulation [42 CFR 447.56(e)(2)] states that federal funding will not be provided for payments made by the Department to providers for services provided on behalf of individuals who are not eligible for Medicaid. Further, the Department is required by federal regulations to repay the federal government the federal share of any overpayments within one year. Specifically, pursuant to 1903(d)(2)(C) of the Social Security Act [42 U.S.S. 1396b], states have up to one year from the date of discovery of the overpayment to recover or attempt to recover the overpayment before the federal share must be refunded to CMS regardless of whether recovery is made from the provider. According to federal regulation [45 CFR 75.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office. Under Paragraph 16.01 of the Green Book, the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. What problem did the audit work identify? We determined that the Department has not fully implemented the prior audit recommendation. During our testing, we identified 102 unique SSNs that appeared to be inappropriately associated with more than one State ID; in total, the 102 SSNs were tied to 209 State IDs. This could indicate that the Department determined eligibility without a beneficiary furnishing the correct SSN and, as a result, made claims payments on behalf of ineligible beneficiaries or the SSNs could be valid, but with more than one State ID, a provider could submit and have a claim paid for the same services under both State IDs. Specifically, we found the following: ? For 62 SSNs, the SSNs were tied to beneficiaries with more than one State ID, totaling 129 different State IDs, where the State IDs appeared to be for different people based on the names and/or dates of birth. ? For 40 SSNs, the SSNs were tied to beneficiaries with more than one State ID, totaling 80 different State IDs, where the State IDs had the same name and date of birth. ? For 99 SSNs, each SSN was tied to two different State IDs in Colorado interChange. ? For three SSNs, each SSN was tied to more than two different State IDs in Colorado interChange. For example, in one of the three instances, there were five different State IDs associated with one invalid SSN. These issues affected a total of 209 Medicaid State IDs that had not been corrected as of June 2021, representing a total of $67,235 Medicaid claims paid through Colorado interChange from December 2020 through June 2021. We provided the list of SSNs and State IDs to the Department to research. The Department found that, as of the end of our audit in April 2022, 59 out of the 102 SSNs identified during the audit had been corrected by a caseworker, but 43 SSNs need to be corrected in CBMS. The Department reported that these 43 SSNs had been flagged through a system edit in CBMS implemented in December 2020; however, the SSNs had not yet been corrected because ?To merge or correct [the SSNs and State IDs] is a time intensive process and must be prioritized within the business process of the [local counties and] Medical Assistance sites.? Although the Department was able to determine which SSN and State ID discrepancies had been corrected in CBMS as of April 2022, the Department has not completed its research to determine which claims made in Colorado interChange were made on behalf of beneficiaries with a correct SSN, and whether the implemented system edit appropriately addresses the issues identified in both Fiscal Years 2019 and 2021. As of the end of the audit, the Department had not completed this research and we were unable to determine whether the payments were made on behalf of beneficiaries with a valid SSN at the time payments were made. Therefore, we consider all $67,235 of the payments to be known questioned costs; $37,786 of these costs were paid with federal grant funds. A questioned cost, as defined in federal regulations [45 CFR 75.2 Uniform Administrative Requirements, Cost Principles, and Audit Requirements] (Uniform Guidance), is ?a cost that is questioned by the auditor ? (1) Which resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds; [or] (2) Where the costs, at the time of the audit, are not supported by adequate documentation?.? We have identified these questioned costs as known questioned costs that are further defined in Uniform Guidance [45 CFR 75.516] as questioned costs that are specifically identified by the auditor. Why did this problem occur? The Department did not have adequate internal controls in place during Fiscal Year 2021 to prevent or detect all instances of multiple State IDs associated with the same SSN in Colorado interChange and, as a result, could not ensure only eligible beneficiaries received Medicaid services. SIDMOD does not prevent several situations that can result in the same SSN with more than one State ID. For example, caseworkers could incorrectly input an SSN into CBMS or the SSN could be reported by the beneficiary incorrectly and, as a result, cause a new State ID to be created. There can also be instances when someone changes their name, such as when they get married, and apply for benefits prior to getting married and also after getting married, which could cause two State IDs to be created. If someone starts an application and does not finish the application and then restarts a new application at a later date, this can also cause two State IDs to be created. Further, when inputting multiple family members into the system, an input error of the SSN can occur with multiple family members with the same SSN, which would create multiple State IDs (one for each family member) with the same SSN. According to the Department, in order to implement the Fiscal Year 2019 recommendation, it implemented a system edit in CBMS in December 2020 that is designed to identify discrepancies in newly-entered or updated SSNs and State IDs in CBMS after that date and to then notify the caseworker so the caseworker can address the discrepancy; this edit was not designed to address SSN and State ID discrepancies that existed prior to December 2020. As a result, the system edit did not identify SSN and State ID discrepancies for claims made from December 2020 to June 2021 if those discrepancies existed prior to the implementation of the system edit in CBMS and the beneficiaries? information had not been updated in CBMS. For example, if a beneficiary had an incorrect SSN prior to the system edit and was, therefore, ineligible to receive Medicaid services, Colorado interChange would continue paying claims on behalf of the beneficiary until information was updated in CBMS and the beneficiary was determined to be ineligible for Medicaid. Because the system edit implemented in CBMS is only designed to detect and correct future SSN and State ID discrepancies, the Department has not fully addressed the issue of inappropriate claims payments that we identified in the prior audit recommendation. According to the Department, addressing SSN and State ID discrepancies that existed prior to December 2020 involves a manual process to identify, research, and resolve the discrepancies. The Department stated that a report to identify SSNs with multiple State IDs is being developed and is currently scheduled for deployment in June 2023. Furthermore, the Department has not established a monitoring process over caseworkers to ensure SSN and State ID discrepancies are addressed appropriately and in a timely manner. Why does this problem matter? Failing to institute appropriate controls over the processing of Medicaid eligibility can result in the counties and MA sites granting Medicaid benefits to ineligible individuals. As the state Medicaid agency, it is essential for the Department to ensure that Medicaid benefits are paid only for eligible beneficiaries. This includes ensuring that the Department has sufficient internal controls to address risks related to multiple State IDs associated with the same SSN. For example, without adequate controls in place to prevent multiple State IDs from being created, providers could erroneously or fraudulently submit duplicate claims under these State IDs for the same services, resulting in improper payments. Ultimately, the federal government may disallow federal funds for Medicaid program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. Recommendation 2021-041 See Schedule of Findings and Questioned Costs for chart/table The Department of Health Care Policy and Financing (Department) should improve its internal controls over Medicaid eligibility by: A. Researching the claims payments that were identified during our audit to determine whether the local counties or Medical Assistance sites had a valid Social Security Number (SSN) when determining eligibility, if payments were appropriate?in accordance with federal regulation at the time the payments were made?and recovering any payments made to providers on behalf of ineligible beneficiaries in accordance with federal regulations. B. Continuing to develop a report to identify SSNs associated with multiple State IDs and establishing and implementing written policies and procedures outlining how the Department will use the report to effectively monitor and correct SSN and State ID discrepancies. C. Implementing a process to monitor that caseworkers are addressing the Colorado Benefits Management System alerts related to SSN and State ID discrepancies appropriately and in a timely manner. Response Department of Health Care Policy and Financing A. Disagree The research required to identify the appropriateness of payments for 102 SSNs compared to the 1.6 million Coloradans the Department serves is administratively impractical and not an efficient use of limited state resources. Instead the Department will continue our existing proactive approach. Based on previous research, 92% of errors noted in the 2019 sample actually supplied a SSN or met exceptions criteria; therefore, payments were appropriate. The resolution of a SSN discrepancy is addressed through manual intervention by county eligibility technicians when identified through the system edit implemented in December 2020. The Department will continue the existing process to address duplicate SSNs, which is working since 58% of the SSNs had already been corrected through the existing process during the audit work. The Department could not agree to the questioned costs as the testing failed to determine which member case was incorrect. The OSA should have documented the incorrect case or identified which State IDs had not been merged through the existing process. The OSA pulled claims data (not Colorado Benefits Management System, or CBMS, cases) and did not identify if those claims were from newly entered cases or cases entered prior to December 2020. The auditor?s sample should have only included the cases impacted by the Department?s system change related to the original recommendation. Further, the Department cannot recover any payments from providers since this issue is not related to services provided. When a provider checks a member's eligibility on the day of service and finds the member eligible through the Department?s system, that provider is guaranteed payment if they render an authorized service. Auditor?s Addendum Our responsibility under federal audit regulations is to report to the federal government when we identify Medicaid payments that may not have been made on behalf of eligible individuals or that we ?question? as appropriate. It is ultimately the Department?s responsibility to perform research over questioned costs to determine whether the payments were or were not appropriate and, working with CMS, whether the Department must refund the federal share of any overpayments to CMS, regardless of whether the Department recovers the payments from the providers. B. Agree Implementation Date: June 2023 The Department will continue our existing proactive approach to minimize this issue. The resolution of a SSN discrepancy is addressed through manual intervention by county eligibility technicians when identified through the system edit implemented in December 2020. The Department will continue the existing process to address duplicate SSNs. The Department has already made significant progress to monitor CBMS through the use of CBMS monitoring dashboards. These dashboards allow the Department to monitor and perform daily analysis. The Department meets bi-weekly to discuss findings and next steps to resolve any issues identified through the dashboard. These dashboards are being implemented over time as areas of improvements are identified. As part of the Department's continual improvement strategy, SSN discrepancy reports are included in the next implementation phase of the monitoring dashboards scheduled for June 2023. The Department will develop and implement policies and procedures outlining how the report will be used to effectively monitor and correct SSN and State ID discrepancies. Once that work is complete, the Department will send updated written guidance to our county and medical assistance sites on how to use system edits, reports, and dashboards to resolve duplicate SSNs. C. Agree Implementation Date: June 2023 The Department will continue our existing proactive approach to minimize this issue. The resolution of a SSN discrepancy is addressed through manual intervention by county eligibility technicians when identified through the system edit implemented in December 2020. The Department will continue the existing process to address duplicate SSNs. The Department has already made significant progress to monitor CBMS through the use of CBMS monitoring dashboards. These dashboards allow the Department to monitor and perform daily analysis. The Department meets bi-weekly to discuss findings and next steps to resolve any issues identified through the dashboard. These dashboards are being implemented over time as areas of improvements are identified. As part of the Department's continual improvement strategy, SSN discrepancy reports are included in the next implementation phase of the monitoring dashboards scheduled for June 2023. Once that work is complete, the Department will send updated written guidance to our county and medical assistance sites on how to use system edits, reports, and dashboards to resolve duplicate SSNs appropriately and in a timely manner.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-042 Medical Loss Ratio Reporting for Managed Care Entities The Department contracts with Managed Care Entities (MCEs) to provide managed care health plans and deliver health care services to eligible Medicaid and CBHP beneficiaries and pays MCEs monthly fixed amounts, known as capitation payments, based on rates determined by actuaries for the provision of services covered under the contract. The Department pays the MCEs monthly capitation payments on behalf of each Medicaid and CBHP beneficiary enrolled in the MCE?s plan. MCEs then coordinate services for the eligible Medicaid and CBHP beneficiaries and providers participating in the managed care system bill the MCEs directly for any medical services provided to Medicaid and CBHP beneficiaries. The MCEs are then responsible for paying the providers for the Medicaid and CBHP claims. The Department contracts with three different types of MCEs?Managed Care Organizations (MCO), Prepaid Inpatient Health Plans (PIHP), and Primary Care Case Management (PCCM) Entities. During Fiscal Year 2021, the Department had a total of 8 contracts with 10 MCEs, with two pairs of MCEs sharing a single contract with the Department. The Department is responsible for monitoring the MCEs to ensure they are complying with federal regulations and their contract provisions, including requirements that the MCEs annually submit Medical Loss Ratio (MLR) reports to the Department. The MLR is the proportion of state and federal Medicaid and CBHP funds that the MCE used for medical services compared to the funds used for its administrative costs. MCEs are required by both federal regulations and their Department contract provisions to have an MLR above 85 percent (i.e., an MCE?s administrative costs cannot exceed 15 percent) except for specific exceptions defined in federal regulations. If the MLR is below 85 percent, the MCE must pay back the state and federal government for the amount that caused the MCE to fall below 85 percent. Every fiscal year, the Department provides an MLR reporting template for the MCEs to complete and return to the Department. The Department reported that when it receives the completed templates, staff review the information provided by the MCEs and compare it to supporting documentation to ensure it is accurate and complete. Once the Department has reviewed the MLR reports submitted by the MCEs, the Department submits the MLR reports to CMS, which are due by June 30 of the year following the end of the MLR reporting year. For example, an MCE with a reporting year ending June 30, 2020, would be required to submit the MLR calculation to CMS by June 30, 2021. During Fiscal Year 2021, the Department reported that it paid approximately $1.4 billion in Medicaid and CBHP capitation payments to MCEs for medical services, not including the capitation payments for other services, such as administrative costs. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to review the Department?s internal controls and compliance over ensuring that MLR reports submitted to CMS by the Department include all the required information in accordance with federal regulations during Fiscal Year 2021. The audit work included making inquiries of Department staff regarding the Department?s documented policies and procedures over obtaining and reviewing MLR reports from each MCE. In addition, we requested and reviewed all MLR reports submitted to the Department by the 10 MCEs that were under contract with the Department in Fiscal Year 2021 to determine whether the MLR reports included all information required by federal regulations and were submitted within the required timeframes. How were the results of the audit work measured? Federal regulations [42 CFR 438.8(k)] require that the Department ensure each MCE under contract with the Department submits a report with the data elements specified in 42 CFR section 438.8(k)(1). The reports are specifically required to contain 13 required data elements, reflect the correct reporting years, and contain an attestation of accuracy regarding the calculation of the MLR. The 13 data elements include items such as total incurred claims, the methodology for allocating expenditures, the calculated MLR, and a comparison of the information reported in the MLR report to the MCE?s audited financial report. Federal regulations [42 CFR 438.8(g)] note that the method used to allocate expenses in the MLR calculation must be: ? Based on a generally accepted accounting method that is expected to yield the most accurate results; ? Any shared expenses must be apportioned pro rata to the contract incurring the expense; and ? Expenses that relate solely to the operation of a reporting entity must be borne solely by the reporting entity and are not to be apportioned to other entities. Federal regulations [42 CFR 438.8(k)(2)] require MCEs to submit the MLR report in a timeframe and manner determined by the Department, which must be within 12 months of the end of the MCE?s reporting year. The Department?s contract provisions for MCEs state that the MLR reporting year should align with the State?s fiscal year, beginning on July 1 and ending on June 30 of the subsequent calendar year. Contract provisions also state that each MCE shall submit to the Department the completed MLR calculation template and supporting documentation for each reporting year by the following January 15. For example, an MCE with a reporting year ending June 30, 2020, would be required to submit the MLR calculation template to the Department by January 15, 2021, and the Department would be required to submit the MLR calculation to CMS by June 30, 2021. What problems did the audit work identify? We reviewed all reports provided to the Department by the 10 MCEs during Fiscal Year 2021 (for the MLR reporting year ended June 30, 2020) and determined that none of the MLR reports submitted by the 10 MCEs to the Department contained all of the required data elements in Fiscal Year 2021. Specifically, the MLR reports were missing 2 of the 13 (15 percent) required data elements: the methodology for the MCEs? allocation of expenditures and a comparison of the information reported in the MLR report to the MCEs? audited financial reports. This omission is significant because the MCEs reported total medical expenditures ranging from $20.5 million to $208.4 million and earned revenue from $23.4 million to $219.1 million. In addition, we determined that 1 of the 10 MLR reports received in Fiscal Year 2021 (10 percent) had not been submitted to CMS as of April 2022. This report was due to CMS on June 30, 2021. Why did these problems occur? We found that the Department lacked adequate controls to ensure that MLR reports submitted by the MCEs fully complied with federal regulations. First, we noted that although the Department?s MCE contracts state the MCE?s MLR report should include all 13 federally required data elements, the MLR template the Department provided to the MCEs did not include specific sections addressing the two missing federally-required data elements. As a result, the MCEs did not submit this information. Furthermore, the Department did not have written policies and procedures for reviewing completed MLR reports to ensure the reports ultimately included those requirements. Second, the Department does not have an enforcement mechanism to ensure the MCEs provide corrected MLR report information in a timely manner. The Department reported that it had not submitted the one MLR report to CMS because it had open questions on the MLR report and was unable to verify that the information was correct, valid, and in compliance with federal regulations. Although the Department sent the MLR report back to the MCE for correction several times, the Department did not have sufficient controls in place to ensure the MCE ultimately provided the corrected report back to the Department within the required reporting timeline for CMS submission. Why do these problems matter? The Department is responsible for ensuring MLR reports are obtained and submitted to CMS in accordance with federal regulations and that MCEs have an MLR above 85 percent. While all 10 MCEs reported that their MLRs were above 85 percent for the reports submitted during Fiscal Year 2021, without providing all required data elements, neither the Department nor the federal government can validate that this percentage is accurate. By not including the methodology for the MCE?s allocation of expenditures, the Department, and ultimately CMS, are unable to confirm that each type of expense is being allocated correctly and that any shared expenses are being prorated appropriately. Additionally, by not including a comparison of the information reported in the MRL to the MCE?s audited financial report, the Department is unable to confirm that the information the MCE used to calculate their MLR is accurate. Overall, without effective internal controls in place, the Department risks providing MLR reports to CMS that contain inaccurate or incomplete information or that the MLR is below 85 percent and the Department does not catch the error. As a result, state and federal funds could be used disproportionately on administrative costs rather than medical services, which would negatively impact the quality of care Medicaid and CBHP beneficiaries receive. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-042 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls over Medical Loss Ratio (MLR) reporting by: A. Updating its MLR report template provided to Managed Care Entities (MCEs) to comply with federal regulations and developing and implementing written policies and procedures. These policies and procedures should include the requirement for MCEs to submit MLR reports that include the data elements required by federal regulations and specify the Department?s review process of those MLR reports to ensure they include accurate and complete information. B. Developing an enforcement mechanism to ensure it receives accurate and corrected information from the MCEs in a timely manner so the Department is able to complete its validation process of MLR reports and meet the June 30 deadline for report submission to the Centers for Medicare & Medicaid Services. Response Department of Health Care Policy and Financing A. Agree Implementation Date: December 2022 The MLR report template has been updated and will now be reviewed at least yearly by the Department. In addition, new written policies and procedures are being developed and will be implemented before the submission of the next MLR for review. B. Agree Implementation Date: January 2023 The Department will add contract language and enforcement mechanisms in order to receive accurate information in a timely manner. This includes specific timelines for correcting incomplete or inaccurate information in order to submit the MLR report timely to the Centers for Medicare & Medicaid Services.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-043 Managed Care Entities? Periodic Audit Reporting On November 9, 2020, CMS adopted a final rule (Final Rule) revising the regulations governing managed care programs. The Final Rule was meant to streamline the existing Medicaid and CBHP managed care regulatory framework. Further, it adopted procedures and standards to ensure accountability and strengthen program integrity safeguards. The Department is responsible for complying with these federal program integrity regulations, some of which include requirements to monitor MCE compliance submission requirements, conduct periodic audits of submitted MCE data, and then post the periodic audits publicly on the Department?s website. These periodic audits are done to determine the accuracy and completeness of the (1) encounter and, (2) financial data submitted by each MCE, which are described as follows: ? Encounter Data. The Department?s contracts with the MCEs require each MCE to submit Medical Encounter Claims (Encounter Data) to the Department. Encounter Data includes services provided by any of the MCE?s providers, including, but not limited to, services delivered by medical groups, practices, clinics, physicians, or any other providers. MCEs must submit Encounter Data on a monthly basis on the last business day of the month. The Department then contracts with an independent external quality review organization to review the information and supporting documentation, and then the external organization issues a report on the data submitted by each MCE. ? Financial Data. The Department?s contracts with the MCEs require each MCE to complete a Department-provided financial reporting template that contains a breakdown of the MCE?s administrative and medical costs for a 12-month period (July through June). These templates are required to be completed and submitted to the Department by January 15 each year. The Department performs an initial review of the information, and then sends the completed templates to an independent CPA firm for final review and issuance of a report on the data submitted by each MCE. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to review the Department?s internal controls over and compliance with federal program integrity requirements for MCEs during Fiscal Year 2021. The audit work included making inquiries of Department staff regarding the Department?s documented policies and procedures over the MCE periodic audits. For each MCE, we reviewed the Department?s MCE contract, the financial reporting template submitted during Fiscal Year 2021, and the report issued by the Department?s contracted independent organization. Lastly, we reviewed the Department?s website to determine whether the Department posted the periodic audit results on their website. How were the results of the audit work measured? Federal regulations [42 CFR 438.602] detail the Department?s responsibilities associated with MCE program integrity. These include the following: ? Federal regulation [42 CFR 602(e)] requires the Department to periodically conduct, or contract for the conduct of, an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by each MCE. ? Federal regulation [42 CFR 438.602(g)(4)] requires that the results of the periodic audits for each MCE be publicly posted on the Department?s website. The Department?s MCE contracts require all MCEs to submit Encounter Data electronically to the Department on a monthly basis. The Department?s MCE contracts also require all MCEs to submit annual financial information, including annual financial statements and the Department provided financial reporting template. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in the Green Book. Under Paragraph 16.01, the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. What problems did the audit work identify? Overall, we found that the Department did not obtain complete financial data from the MCEs during Fiscal Year 2021 and did not post the audited results of the financial data to the Department?s website. Specifically, we found the following: ? Financial Data Reporting Template. For 2 out of the 10 (20 percent) financial reporting templates we reviewed, the MCE did not fill out the reporting template completely. As a result, the reporting templates were missing supporting information and explanations that assist the Department in their initial review of the MCE financial data, such as the MCE?s methodology for calculating administrative and medical costs submitted with the reporting template. ? Posting Incomplete Periodic Audits to the Department?s Website. For 10 of the 10 (100 percent) MCEs, we found that the Department failed to post the results of the financial data audits to its website. Pursuant to federal regulations, the audits must include information on encounter and financial data for each MCE and be posted to the Department?s website. We were able to verify that the Department did, however, post the results of the encounter audits to its website for all 10 MCEs. Why did these problems occur? The Department lacked adequate controls over ensuring compliance with federal program integrity requirements for MCEs. Specifically, the Department did not have written policies and procedures for performing the initial review of the financial data reporting templates before they are sent to the CPA firm for final review. In addition, the Department did not have written policies and procedures for ensuring all periodic audit information is posted to its website, including the results of the financial data audits. Why do these problems matter? As a recipient of federal funds, the Department is ultimately responsible for ensuring that it is in compliance with federal regulations. By not confirming that the MCE financial data templates are complete, there is a risk that the reports issued by the contracted CPA firm could be inaccurate or incomplete, which could lead to the Department not properly monitoring the managed care program. In addition, by posting incomplete periodic audit information to its website, the Department risks failing to comply with federal program integrity requirements for MCEs. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-043 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls by developing and implementing written policies and procedures for periodic audits that detail the process for (1) performing the initial review of the financial data reporting templates submitted by Managed Care Entities, and (2) posting complete periodic audit results on the Department?s website in accordance with federal regulations. Response Department of Health Care Policy and Financing Agree Implementation Date: December 2022 The Department did not have strong enough controls for the initial checks on the financial data reporting templates. This process has been updated and will be rectified in coming cycles. The Department has modified its templates in order to address the concerns provided by the auditors including signatures and supplemental reporting. Written policies and procedures for the validation and audit of the templates are being developed currently and will be in place and effective in December 2022. The Department will be correcting this error by posting the audit results along with other quality and audit reports on the following site: https://hcpf.colorado.gov/quality-and-health-improvement-reports.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-045 Payments for Non-Emergent Medical Transportation ClaimsPrior to July 2020, in 55 counties, the Department worked with various county offices to have them broker Non-Emergent Medical Transportation (NEMT) services for Medicaid recipients, including rides to and from Medicaid medical appointments, personal mileage reimbursement, and trip-related meals and lodging. For example, these counties arranged the rides with transportation providers, submitted the claims or had providers submit claims for reimbursement to the Department, and passed on reimbursements to providers as needed. For the remaining nine counties, the Department contracted with IntelliRide to serve as the NEMT broker for services in those areas. From July 1, 2020, to August 31, 2021, when the Department contracted with IntelliRide to be the statewide broker, most recipients throughout the state scheduled NEMT rides by contacting IntelliRide through its call center, website chat function, or smartphone applications. IntelliRide scheduled rides and assigned transportation providers to them, and had providers upload trip information into IntelliRide?s EcoLane transportation scheduling system. EcoLane maintains information related to recipients? requests for rides and provider trip information, such as the trip date and time, names of the recipient and driver, and scheduled pick-up and destination addresses. IntelliRide submitted claims through the Department?s interChange system (interChange) requesting payments for providers? NEMT services, paid providers for their services, and received reimbursement from the Department. In addition, the Department paid NEMT claims submitted directly by NEMT providers. In Fiscal Year 2021, from July 1, 2020, through February 28, 2021 (the audit period), the Department paid 362,110 claims for NEMT services totaling about $33.2 million, as shown in the following table. In September 2021, the Department plans to transition back to IntelliRide brokering services in nine counties, while the NEMT providers in the remaining counties will broker their own services. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote What audit work was performed and how were the results measured? The purpose of the audit work was to determine whether the Department has ensured that NEMT claims adhere to the following federal and state requirements. ? NEMT trips were to be brokered through, and all claims submitted by, the statewide broker, Intelliride. According to state regulations and the Department?s NEMT Billing Manual, all NEMT trips during Fiscal Year 2021 had to be authorized by the statewide broker, IntelliRide [10 CCR 2505-10 8.014.7.A]. This means that each recipient?s NEMT ride request should have been sent to IntelliRide for approval or authorization before the trip, and any unauthorized trips should ?not be reimbursed or paid? [Billing Manual]. According to the Department, it allowed NEMT providers time to transition to working with IntelliRide because some providers were reluctant to join the statewide brokerage and the Department needed time to onboard providers. By Fall 2020, most providers should have been working with IntelliRide to schedule NEMT rides. The Department told us that six NEMT providers received its express permission to bypass IntelliRide to schedule rides and submit claims directly to the Department because the providers are unique, such as only serving recipients with disabilities or receiving federal grant funding to provide NEMT. To assess whether IntelliRide brokered most NEMT services in the State and submitted the related claims in line with regulations and its contract, we reviewed the Department?s aggregate data for the 128,998 NEMT claims paid from December 2020 through February 2021. ? The Department must pay claims based on accurate service rates and trip mileage. Non-taxi NEMT services, such as wheelchair and mobility vehicle services, have base rates and mileage rates set by the Department. IntelliRide tracks the mileage of each NEMT trip in EcoLane and submits mileage claims to the Department?s interChange system. The Public Utilities Commission (PUC) sets the rate for each permitted taxi provider, which generally includes a rate for the first trip mile and a different rate for each additional mile. According to the Department?s NEMT Billing Manual and NEMT Rate Schedule for Fiscal Year 2021, taxi claims should have been paid at the rate set by the PUC. For example, if a taxi company?s PUC rate was $4 for the first mile and $2 for each additional mile, the Department should have paid $6 for a two-mile NEMT trip claim. To verify that the Department paid NEMT claims based on the correct trip mileage and rates, we reviewed the trip mileage and rates for 362,110 NEMT claims paid from July 2020 through February 2021, and PUC documentation on the taxi rates for permitted taxi companies. ? Claims must be supported with accurate and complete documentation confirming the service provided. Both IntelliRide and providers that submit claims for NEMT services must keep and be able to furnish accurate, complete supporting documentation for all claims [42 USC 1396a(27), 42 CFR ?? 431.17 and 433.32, and 10 CCR 2505-10 8.014.3.C and 8.014.6.B]. For example, a claim must be supported by medical documentation showing that the type of vehicle was needed to transport the recipient, and documentation from the transportation provider showing the trip occurred and when the recipient was picked-up and dropped-off. IntelliRide should only submit a claim to the Department after IntelliRide confirms the trip has been completed and marks the status complete in EcoLane [IntelliRide Policies and Procedures]. If an NEMT provider does not show up for a trip, IntelliRide should mark the trip as ?cancelled? in EcoLane. Payments for Medicaid claims that lack supporting documentation for the services provided are unallowable, meaning they should not be paid. IntelliRide or the Department must maintain documentation from recipients? medical providers showing why certain NEMT services, like transportation in a wheelchair van or with an escort, are medically necessary [10 CCR 2505-10 8.014.7.B and 8.014.5.D.1; Billing Manual]. To verify that there was support for NEMT claims, we reviewed IntelliRide data in EcoLane for all 362,110 NEMT claims paid from July 2020 through February 2021, and Department documentation for a sample of 85 NEMT paid claims?75 selected randomly from the four NEMT service areas of the state, and 10 that were the highest paid NEMT claims. ? NEMT services must be medically necessary. NEMT services shall only be provided to recipients with no other means to attend medically necessary, non-emergency treatment covered by Medicaid [42 USC 1396a(70); 42 CFR 431.53; 10 CCR 2505-10 8.014.5.B]. To verify that NEMT claims were only paid for recipients to access medical care, we reviewed the Department?s data on paid medical claims to determine if the recipients related to 22 sampled NEMT claims paid in December 2020 had a corresponding medical appointment. For another 61 paid NEMT claims that involved IntelliRide scheduling and submitting claims for trips every day in December for two recipients, we reviewed whether the recipients had paid medical claims corresponding with the trips. ? Prior authorization is required for air ambulance. The Department must grant prior authorization for the use of an NEMT air ambulance before the trip occurs in order for the claim to be paid [10 CCR 2505-10 8.014.7.D.1.b]. To verify that the Department granted prior authorization for air ambulance trips, we reviewed the use of air ambulances in 11 paid claims from July 2020 to February 2021. ? Recipients are to receive the least-costly NEMT transportation option appropriate for their medical condition. For example, recipients should only ride in a vehicle for recipients with mobility needs when they have a mobility issue or if there is a lack of access to public transportation [10 CCR 2505-10 8.014.6.B, 42 USC 1396(a(70), and 42 CFR 440.170(a)(4)]. Higher-cost NEMT services, such as ambulance and wheelchair van services, must be supported with documentation of the recipient?s need for the specific higher-cost services [10 CCR 2505-10 8.014.5.B.1.b]. To determine whether recipients received the least costly NEMT services to meet their needs, we reviewed documentation submitted by medical or transportation providers to IntelliRide or the Department for the 85 sampled NEMT claims. ? Taxi providers must be permitted by the PUC to provide NEMT taxi rides. To provide NEMT rides by taxi and receive payment for them, the provider must maintain a common carrier permit issued by the PUC [10 CCR 2505-10 8.014.3.B.4.a]. To verify that the providers that were paid for taxi claims had been permitted to provide taxi services, we reviewed the 33,791 NEMT claims for taxi services from July 2020 to February 2021. What problems were identified? The Department paid $3.5 million directly to 66 NEMT providers for claims that were not brokered by Intelliride. From December 2020 through February 2021, 26,890 of the approximately 129,000 NEMT claims paid by the Department (21 percent), totaling about $3.5 million, were not brokered through IntelliRide, which violated state regulations requiring all NEMT services to be brokered through the statewide brokerage in effect at the time. The following chart shows the amounts the Department paid for claims submitted directly by NEMT providers compared to its payments for claims submitted by IntelliRide from July 2020 through February 2021. During these months, the number of claims that providers submitted directly to the Department decreased as providers transitioned to working with IntelliRide to broker NEMT rides; however, as of February 2021, the Department was still paying about $1 million in monthly claims that were submitted directly by providers. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote The Department paid 36,910 NEMT claims totaling $5.5 million, which either violated or may have violated federal and/or state regulations. The claims were for unallowable services or were overpaid, and resulted in $291,597 in known questioned costs and $5,180,962 in likely questioned costs for Medicaid. A questioned cost is a payment that ?resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds? or ?the costs, at the time of the audit, [that] are not supported by adequate documentation?? [2 CFR 200.84]. A known questioned cost reflects a violation that the auditor confirmed; a likely questioned cost is the auditor?s best estimate of a potential violation [2 CFR 200.516(a)(3)]. Known and likely questioned costs should be investigated by the Department and recovered, as appropriate, because Medicaid overpayments are recoverable regardless of whether they occurred due to an error by the Department, entity acting on behalf of the Department, or a provider [Section 25.5-4-301(2), C.R.S.]. We found the following problems resulting in $291,597 in known questioned costs: ? Claims paid with no support that services were provided. For 3,958 of the 362,110 NEMT claims (1 percent), which totaled $258,115 paid from July 2020 to February 2021, IntelliRide or providers submitted the claims without any documentation showing that recipients received the NEMT services from the providers listed in the claim. The $258,115 is known questioned costs and includes: o 3,323 claims totaling $163,985 submitted by IntelliRide with no documentation in EcoLane of a ride being scheduled or provided. o 619 claims totaling $61,431 submitted by IntelliRide for which EcoLane showed the scheduled ride was cancelled. o 16 sampled claims totaling $32,699 submitted by providers directly to the Department had no documentation that an NEMT service occurred because the providers did not send the Department documentation for their claims. Upon our request, the Department attempted to obtain supporting documentation from providers for these claims but was unable to obtain any. ? Overpayments due to incorrect mileage and taxi rates. For 466 of the 321,099 mileage and taxi claims (less than 1 percent), the Department overpaid IntelliRide. Specifically, for 50 of the 287,308 mileage claims (less than 1 percent), the mileage submitted by IntelliRide that the Department paid was more than the ride mileage that IntelliRide documented in EcoLane. For 416 of the 33,791 (1 percent) claims submitted by IntelliRide on behalf of providers that were permitted to operate as taxis, the Department paid a higher rate than the providers? set PUC rate. The following table breaks out the overpayments that we identified, which totaled $6,759 in known questioned costs. We did not find issues with the rate amounts that the Department paid for non-mileage and non-taxi services. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Examples of these overpayments include: o An overpayment of $48 for a claim submitted by IntelliRide for a taxi provider that billed the wrong taxi rate. The Department paid $60 for a 4-mile trip, when it should have paid $12 based on the PUC rate of $3 per mile. o An overpayment of $79 for a claim submitted by IntelliRide on behalf of a provider because the claim showed the trip was 76 miles, but the EcoLane data showed the trip was 38 miles. The Department paid $157, when it should have paid $78. ? Unallowable rides, not for medical appointments. For 61 claims showing NEMT trips every day in December 2020 for two recipients, there were no medical claims corresponding to their trips, so it appears that either NEMT was used repeatedly to transport these recipients to unallowable destinations or the provider did not provide the trips claimed. The NEMT provider reported to IntelliRide that these trips were completed even though the recipients did not attend any medical appointments that month. IntelliRide submitted the 61 NEMT claims and its EcoLane data showed that the NEMT providers self-reported that the trips were completed. However, IntelliRide confirmed that these trips were not used to access medical care. The issues we identified resulted in $2,674 of known questioned costs. ? Air ambulance claims paid without prior authorization. None of the 11 air ambulance NEMT claims had supporting documentation that the provider requested or received prior authorization from the Department before the trip occurred. These 11 claims to three providers resulted in $23,122 in known questioned costs. ? Claims paid for trips that were not the least costly, medically necessary, and/or for approved escorts. For seven of the 85 sampled claims (8 percent), IntelliRide submitted the claims without having required documentation from medical providers. Specifically, four claims lacked documentation to support the medical necessity for the type of vehicle used (either mobility vehicle, taxi, or wheelchair van); the other three claims lacked documentation of the recipient?s need for an escort to support the associated cost, which indicates that the three sampled NEMT trips were provided to an escort ineligible to ride with the recipient. The issues we identified for the seven claims resulted in $927 of known questioned costs. In addition, we found the following problems resulting in $5,180,962 in likely questioned costs, which are estimated potential violations of federal requirements that we could not confirm due to a lack of documentation: ? $4.8 million paid for taxi claims without mileage. For 29,049 taxi claims totaling $4,763,071, the Department paid the claims without ensuring taxi providers were paid at their PUC per-mile rate. These claims were submitted directly to the Department by 10 permitted taxi providers. The Department required providers to submit claims showing only the number of one-way trips driven, not the number of miles driven. As a result, the Department could not ensure that these taxi claims were paid at the correct PUC rates, as required in its Billing Manual and Rate Schedule. The Department paid the full amount that each taxi provider requested, as long as the claim was not more than $1,000 per one-way trip. For example, the Department paid $4,000 to one taxi provider for a claim showing four one-way trips for a recipient on a single day. Based on the claim amount, the taxi provider would have had to have driven the recipient on four 400-mile, one-way trips that day to justify this amount, because the taxi provider?s PUC rate is $4 for the first mile and $2.50 for each additional mile. Since the Department did not obtain the miles driven for each one-way trip from taxi providers for these 29,049 claims, we could not determine whether the payments were accurate based on each provider?s PUC rate, as required. ? $409,575 paid for taxi claims for providers not permitted as taxis. For 3,284 NEMT claims for taxi services from eight providers, the providers were not permitted by the PUC to operate as taxis. For example, one provider was paid for an NEMT taxi claim for $5,875 for 12 trips, or $490 per trip. Since these providers were not permitted as taxis, they did not have PUC-set taxi rates, so we could not determine how much these providers should have been paid. ? $4,718 paid for trips that may not have been to attend medical services. As of April 2021, 13 of the 22 sampled NEMT claims (59 percent) for trips in December 2020 had no medical claims for dates corresponding to the NEMT trips. Department staff told us that Medicaid medical claims are typically submitted and paid within 3 months of the date of service, but that there is a possibility that medical providers had not yet submitted medical claims for the recipients since federal regulations technically allow providers up to 12 months to submit claims [42 CFR 447.45(d)(1)]. In addition, six of these 13 recipients had both Medicaid and other types of medical insurance, such as Medicare. According to the Department, it is possible that the six recipients used NEMT trips to access medical services but the Department did not have a Medicaid claim for the services because they were paid by the other types of insurance, which is allowed by state regulations [10 CCR 2505-10 8.014.5.B.2]. Therefore, we could not determine whether the NEMT trips associated with the 13 claims had been for recipients to attend medical services. ? $3,598 paid for trips that may not have been completed. For 61 of the 362,110 paid claims (less than 1 percent), the scheduled trips were not marked as complete in EcoLane, so we could not determine whether they had been completed. Why did these problems occur? The Department lacks effective internal controls over NEMT claims to ensure they are appropriate and consistently comply with federal and state requirements. According to federal regulations [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls to provide reasonable assurance that federal funds are spent in compliance with federal requirements. We identified the following areas where Department controls are lacking for NEMT claims: Lack of Department information technology (IT) Controls in interChange ? No IT controls to prevent providers from bypassing broker. From December 2020 through February 2021, the Department paid NEMT providers directly for unsupported NEMT trips because the Department did not have IT controls in interChange to deny claims for trips that were not brokered through IntelliRide, as required at the time. As of September 1, 2021, the Department plans to require only the NEMT providers operating in nine metro-Denver counties to broker trips through IntelliRide, so the Department needs IT controls to ensure providers in these counties work with IntelliRide to schedule all trips and submit related claims. ? Lack of IT and other controls to ensure proper payments for NEMT taxi services. InterChange is programmed to pay each NEMT taxi claim based on one-way trips, but the Department has not implemented an IT or other control to ensure that NEMT taxi claims are paid at the providers? current PUC-approved per-mile rates, and that the Department only pays taxi rates when the provider is permitted by the PUC to operate as a taxi. Department staff stated that the only IT control the Department has built into interChange to help ensure proper payment of taxi claims is limiting payments for taxi claims to no more than $1,000 per one-way trip, and that this control is in accordance with the NEMT Billing Manual and Rate Schedule. However, Department staff also acknowledged that there is a conflict within the Billing Manual that requires taxi claims to be based on the number of one-way trips, but also paid based on per-mile PUC rates. By setting the limit based only on the number of one-way trips instead of providers? PUC per-mile rate, this Department IT control is not effective at ensuring taxi claims are paid properly. To ensure accurate payments for NEMT taxi claims, the Department will need methods, such as IT controls in interChange, and clarification in the Billing Manual and Rate Schedule, to ensure taxi providers are paid based on set rates, and ensure each taxi provider is permitted. ? No IT controls to ensure required prior authorizations. Air ambulance services were paid without the Department?s prior authorization for the services because the Department does not have IT controls to ensure prior authorization before payment. If the Department does not implement IT controls to ensure appropriate prior authorizations of NEMT services, the Department will need to develop manual processes to ensure that NEMT services receive required authorization prior to paying the related claims. Lack of Department Monitoring of NEMT Services and Claims ? Insufficient methods to ensure appropriate payment and collect necessary documentation from providers that bypass the statewide brokerage. Although the Department reviewed NEMT provider supporting documentation for NEMT services in 2019, the Department did not do so in 2020 or 2021, and had no process to require the providers that bypassed the statewide brokerage to submit documentation to support their NEMT claims before they were paid. According to the Department, in September 2021, it plans to require providers in nine counties covered by the IntelliRide brokerage contract to provide and submit claims through IntelliRide; however, NEMT providers in the remaining 55 counties will be submitting NEMT claims directly to the Department. Therefore, it is important that the Department develop a process to ensure that providers in these 55 counties maintain required documentation for each claim. ? Lack of monitoring to ensure Intelliride submits accurate mileage claims and collects necessary documentation. The Department does not conduct reviews of IntelliRide?s documentation in EcoLane to ensure it submits claims for accurate mileage and maintains support for claims submitted to or paid by the Department. For example, the Department does not reconcile its NEMT claims data from interChange and IntelliRide?s EcoLane system data to ensure each claim is supported. Furthermore, the Department has never completed a file review of IntelliRide?s supporting documentation for NEMT claims, such as when the Department contracted with IntelliRide to be a regional broker prior to becoming the statewide broker. ? No method to ensure NEMT service claims are for rides for medical treatment and the least costly. The Department does not conduct any reconciliation of its interChange data on NEMT trip claims to its interChange data on Medicaid medical claims to ensure NEMT claims are only paid for recipients to access medical care. The Department also does not require confirmation from medical providers that recipients used NEMT to access necessary medical care. For example, NEMT providers told us that before the start of the IntelliRide statewide brokerage contract, they either called medical providers to confirm that the recipients? NEMT trips were to access medical appointments or collected medical providers? signatures for each NEMT trip. In addition, the Department has no controls to ensure providers that submit claims directly to the Department are providing the least costly NEMT service appropriate to each recipient, such as public transportation when it is accessible and appropriate. For example, IntelliRide instructs its staff to attempt to schedule the lowest-cost NEMT service based on recipients? mobility needs and access to public transportation; however, the Department has no such method to ensure services are the least costly when NEMT providers schedule services for recipients. As of September 2021, the Department plans to have the recipients who live in the 55 counties not served by IntelliRide begin scheduling their rides directly with the NEMT providers of their choosing, yet the Department has not developed a method to ensure recipients in these areas receive the lowest-cost services appropriate for their needs. ? Potentially insufficient Department staffing to monitor NEMT claims effectively. For Fiscal Year 2021, the Department was appropriated three full-time equivalent (FTE) staff to oversee NEMT claims; however, the Department had two vacancies in these positions from July 2020 through May 2021 that it did not fill, so there was only one Department staff overseeing NEMT and the IntelliRide statewide contract during the audit time period. In June 2021, the Department added an additional FTE staff member to assist in administering the NEMT benefit. Why do these problems matter? Likely federal recovery of funds used for improper payments. Section 25.5-4-301(2), C.R.S., states that any overpayments of claims to providers are recoverable and ?are recoverable regardless of whether the overpayment is the result of an error by the state department? an entity acting on behalf of [the department], or the provider or any agent of the provider.? Our audit identified $291,597 in known questioned costs, of which about $145,797 is the federal portion of funds that the federal government may recover. We also identified $5,180,962 in likely questioned costs, of which $2,590,480 is the federal portion of funds that could be recovered if the payments are determined to have not been appropriate. The following table shows the questioned costs and federal portions for each problem we identified. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote When providers bypass broker controls, service quality is not monitored. When the Department allows some NEMT providers to bypass the IntelliRide broker, and does not obtain documentation to support their claims, the Department is unable to monitor the services of these providers. Additionally, when the Department does not monitor providers that bypass the statewide broker, the Department is applying different and possibly inadequate standards for the providers that bypass compared to the providers that work with IntelliRide. Although the Department plans for IntelliRide to no longer be the statewide NEMT broker for all 64 counties beginning September 2021, IntelliRide will continue to administer NEMT trips for nine Front Range counties that account for the majority of NEMT trips. It is important that all NEMT trips in these counties be brokered through IntelliRide so that the Department can monitor the quality of the trips and IntelliRide?s oversight of them. Risk of fraud, waste, and abuse. When the Department pays NEMT claims that are not supported by documentation of the service, medical documentation showing NEMT was for medical treatment, or the required prior authorizations, there is a significant risk of misappropriation of federal and state funds by providers and/or recipients. In addition, the eight providers not permitted as taxis that submitted taxi claims appear to have set their own rates of payment at a significantly higher rate, since the PUC did not permit or set rates for these providers. While we did not identify confirmed fraud by recipients or providers due to a lack of supporting documentation for claims, the problems identified demonstrate waste of public funds and potential abuse of the Medicaid program. When the Department overpays Medicaid funds and pays for unallowable services, there are fewer funds available to service the recipients who need them. In addition, there is no federal or state limit on payments for NEMT services, so it is important that the Department ensure Medicaid recipients receive appropriate transportation to medical treatment, while also ensuring the Department is acting as a good steward of federal and state funds. See Schedule of Findings and Questioned Costs for chart/table Character Limit Exceeded See Statewide Single Audit Report
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-056 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-044 PROVIDER ELIGIBILITY Medicaid and CBHP cover a variety of medical and related services, which are provided by provider types such as clinics and hospitals, managed care organizations such as health plans or independent physicians, as well as individual medical providers working within these entities or individually. As of June 30, 2019, the Department had enrolled approximately 71,000 entities and individuals for providing services under Medicaid and CBHP. The Department is ultimately responsible for determining if providers are eligible to participate in Medicaid and CBHP. However, the Department has contracted with a fiscal agent, currently DXC Technology Services, LLC (DXC), to act on its behalf in determining Medicaid and CBHP provider eligibility. A fiscal agent is a contractor that performs certain provider enrollment and claims processing activities, including accepting, processing, evaluating, and approving or rejecting applications. The fiscal agent also assesses the providers into one of three risk categories?limited, moderate, and high?to ensure that appropriate federal and state regulations are applied during the provider enrollment process. Providers that want to enroll must complete an application within Colorado interChange and provide documentation, including a current business and/or medical license, showing that they fulfill all enrollment requirements. Once the enrollment process is complete, the Department enters into agreements with the providers that are found to be eligible. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over Medicaid and CBHP provider eligibility and enrollment processing, and to determine whether the Department complied with federal Medicaid and CBHP provider eligibility requirements during Fiscal Year 2019. Additionally, the purpose of our work was to determine the Department?s progress in implementing our Fiscal Year 2017 and 2018 recommendations related to provider eligibility and enrollment. At that time, we recommended that the Department improve its controls over Medicaid and CBHP provider eligibility determination and enrollment to ensure that it complies with federal and state requirements related to data verification, documentation including current provider licenses, monitoring policies and procedures, appropriate indication of results of database matches, and consistent display of provider information within Colorado interChange. The Department agreed with our recommendations and stated that it would implement them by Fiscal Year 2019. We reviewed a sample of 25 Medicaid provider applications for individual, company, and managed care providers that were deemed eligible and received payments during Fiscal Year 2019 through Colorado interChange for services provided. We obtained and reviewed the provider application information entered into Colorado interChange, as well as the supporting documentation uploaded into Colorado interChange by providers, to determine whether these providers were accurately deemed eligible to receive Medicaid payments and whether the required documents were present in accordance with federal and state regulations. In addition, we conducted interviews with Department staff regarding its procedures over Medicaid provider eligibility and enrollment. We also obtained a detailed Suspension Listing from the Department of Regulatory Agencies, which contained health care provider business and medical licenses that were terminated during Fiscal Year 2019. We compared the Suspension Listing with provider information in Colorado interChange to determine if the Department made inappropriate claims payments to unlicensed providers during the fiscal year. Because CBHP is operated through Medicaid, and the processes followed for provider eligibility and enrollment for CBHP providers are the same as the processes for Medicaid providers, our testing looked at compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal and state Medicaid regulations for provider eligibility during Fiscal Year 2019. Specifically, although we did not identify enrollment issues with the Department?s processing of providers who were newly enrolled during Fiscal Year 2019, we found at least one issue related to ongoing eligibility with all 25 sampled providers we tested: ? DATABASE MATCHES AND DISPLAY OF PROVIDER INFORMATION. We identified the following database match functionality issues with 24 of 25 providers (96 percent) tested: ? For 23 of 25 providers (92 percent) that included individual, company, and managed care providers, Colorado interChange showed that the provider?s owners, agents, and managing employees? SSNs were not verified against federal databases, as required. Specifically, the SSN check box within Colorado interChange indicated ?N,? meaning ?No verification was performed with the database.? Additionally, for one of 25 providers (4 percent) that was a managed care organization, the organization was enrolled in Colorado interChange in April 2019 and showed that the SSNs had been verified, but SSNs for two individuals who worked under this provider that were listed on the application were shown as ?N? within the system. ? For eight of 25 providers (32 percent) that included companies, Colorado interChange showed that the providers? Federal Employee Identification Numbers (FEIN) were not verified against federal and state databases, as required. Specifically, the FEIN check box within Colorado interChange indicated ?N.? ? For 13 of 25 providers (52 percent), Colorado interChange did not present the data of owners, agents, and managing employees information consistently between various screens within Colorado interChange. For example, when a provider noted owners, agents, or managing employees on its application, that information was not reflected in Colorado interChange outside of the application screen even though there is a section in Colorado interChange that should list the owners? information. According to federal regulation [42 CFR 455.436] and requirements established by the ACA [Patient Protection and Affordable Care Act (2010), Section 6401(a)], the Department must check federal databases to confirm providers? identity and determine whether providers are excluded from participating in the Medicaid program; this verification must also occur, if applicable, against providers? owners, agents, and managing employees. For example, the Department must check the federal exclusion databases at least monthly to ensure that the providers, owners, agents, and managing employees are not excluded from participating in the Medicaid program. Colorado interChange is designed to display provider application information consistently between various screens within the system, such as name, SSN, FEIN, and/or National Provider Identification number (NPI), with various federal and/or state databases to identify potential errors and to flag the application for a required caseworker manual review. According to Department staff, when Colorado interChange successfully verifies provider-provided information against another state or federal database, Colorado interChange should separately mark each verified data field on the application to note the successful match. Conversely, if Colorado interChange does not match a given field against a database, it should also be identified in the system. As a result of these issues, we were unable to determine if Colorado interChange performed the required matches and if any discrepancies in provided information were identified and presented to DXC, the fiscal agent, for a manual review to verify eligibility, as required. ? DOCUMENTATION. The Department did not maintain sufficient documentation within Colorado interChange for the receipt date of the fingerprints from the provider, the collection of application fees, and site visits, as follows: ? For four of 25 providers (16 percent) tested, the Department?s fiscal agent failed to fill in the receipt date field within Colorado interChange to indicate when fingerprints were received from enrolling providers. After bringing this issue to the Department?s attention, the Department provided fingerprinting documentation in November 2019 to support that these providers submitted fingerprints within 30 days of Department request in accordance with federal regulation; however, that receipt date information had not been documented in Colorado interChange as of November 2019. ? For one of 25 providers (4 percent) tested, the provider was assessed as high risk but the provider?s file did not contain evidence that an application fee was collected or that the fiscal agent conducted a site visit, as required. Under federal requirements [Sub Regulatory Guidance for State Medicaid Agencies (SMA): Revalidation (2016-001(3))], the Department ?must be able to produce documentation to support each of the provider screening and enrollment requirements,? such as requirements for fiscal agent-conducted site visits of moderate and high risk providers during the enrollment and revalidation process. Federal regulation [42 CFR 455.432] states that the State Medicaid Agency or their fiscal agent must conduct pre- and post-enrollment site visits of providers who are deemed as moderate or high risk to the Medicaid program. The purpose of the site visits is to verify that the information submitted to the state Medicaid agency is accurate and to determine compliance with federal and state enrollment requirements. Additionally, the Department?s contract with DXC requires the fiscal agent to maintain detailed documentation and procedures for Medicaid provider enrollment. Federal regulation [42 CFR 455.434] requires that, for any provider assessed by the Department as high risk, the Department must obtain fingerprints from the provider, including fingerprints for any person(s) who has a 5 percent or more direct or indirect ownership interest in the provider and furnishes medical or pharmaceutical services or supplies. The provider must submit the fingerprints within 30 days, upon request by the Department. Federal regulation [42 CFR 455.460(a)] states that the Department must collect the applicable application fee prior to executing a provider agreement from a prospective or re-enrolling provider, with certain limited exceptions. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal control over its federal awards that provides reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Green Book Paragraph 16.01, Perform Monitoring Activities, which states that the Department ?should establish and operate monitoring activities to monitor [its] internal control system and evaluate the results.? Monitoring activities include reviewing reports, observing operations, and ensuring that activities are carried out in accordance with the federal grant agreement. ? INELIGIBLE PROVIDERS: Based on our review of the suspended license listing from the Department of Regulatory Agencies, we identified three providers that had their licenses suspended during part of Fiscal Year 2019 but continued to be shown as active in Colorado interChange, as follows: ? One provider had its license suspended between February 11, 2019, and March 27, 2019; however, during this timeframe, the provider continued to bill claims and receive payments from Colorado interChange. After we questioned the Department about the issue, the Department issued a demand for payment letter dated October 18, 2019, to the provider for $15,061 in payments that were inappropriately paid. We consider these $15,061 payments to be known questioned costs; $7,531 of these payments were made with federal grant funds. ? Two providers had suspended licenses as of September 21, 2018, and February 25, 2019, respectively, but showed as active in Colorado interChange through June 30, 2019, and therefore appeared eligible to bill claims and receive payments. Based on additional testing, we determined that no payments were made to these providers after their licenses were suspended and did not identify any questioned costs associated with these two providers. Federal regulation [42 CFR 455.412] requires that the Department must have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State and confirm that the provider?s license has not expired and that there are no current limitations on the provider?s license. This federal regulation requires the Department to verify that the providers meet required licensure standards initially, and it is best practice for the Department to verify that the providers meet these standards on an ongoing basis to ensure that there are no current limitations on the provider?s license. In addition, state regulation [10 CCR 2505-10 8.125.9, Verification of Provider Licenses] states, ?If a provider is required to possess a license or certification in order to provide services or supplies in the State of Colorado, then that provider must be so licensed as a condition of enrollment as a Medicaid provider. As a condition of enrollment, any required licenses must be active without any current limitations.? Under the federal regulation, Requirements for Estimating Improper Payments in Medicaid and CHIP [42 CFR 431.958], ?Improper payment means any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements; and payment means any payment to a provider, insurer, or managed care organization for a Medicaid or CHIP beneficiary?? WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls in place over provider eligibility and claims payment processes related to the monitoring of DXC, its fiscal agent, during Fiscal Year 2019 to ensure that it complied with federal and state regulations. Specifically, Colorado interChange required fixes that were in various stages of correction during Fiscal Year 2019. According to the Department, Colorado interChange required a system fix in December 2018 in order to properly mark and/or display results related to federal and state database checks going forward; however, the system fix did not completely resolve the display issues to accurately indicate whether the data matches had occurred, and the Department did not retroactively make corrections to any cases that erroneously indicated that their information had not been verified. Rather, the Department stated that the inconsistent display issue related to providers that enrolled in the program when Colorado interChange was initially implemented and that this will be addressed after these providers are revalidated in Fiscal Year 2020 or when a provider updates their information, whichever occurs first. Additionally, the Department indicated that Colorado interChange did not have an automated system alert to check with the Department of Regulatory Agencies? license database on a regular basis to notify the fiscal agent and/or the Department that a license had expired. Although the Department reported that they had an interim manual process to ensure that expired licenses were identified and that subsequent steps were taken to ensure that providers remained eligible throughout the fiscal year to provide Medicaid services, the manual process did not identify and/or address the instances that we identified through our audit. Finally, we noted that the Department lacked an effective monitoring process over DXC, its fiscal agent, to ensure that the required documentation was maintained in accordance with Uniform Guidance, as the monitoring policies and procedures referred to as Provider Enrollment Audit Process were still in the draft stage during Fiscal Year 2019 and had not been formalized. WHY DO THESE PROBLEMS MATTER? By not ensuring that appropriate internal controls, including system controls and monitoring, are in place over the Medicaid provider eligibility and enrollment processes, the Department cannot ensure that all Medicaid providers are eligible or qualified to participate in the program. Additionally, without instituting a process to regularly update provider licensure information and to ensure that provider information contained in Colorado interChange is consistent and accurate, the Department cannot ensure that the enrolled providers are appropriately screened and are eligible to receive payments. Ensuring that providers contained in Colorado interChange are qualified to provide services is especially important because Colorado interChange is also used for provider eligibility determination for CBHP. Overall, the State could risk losing federal Medicaid and CBHP funding if it allows non-qualified providers to bill and be paid for services provided for these programs. RECOMMENDATION 2019-046 The Department of Health Care Policy and Financing (Department) should improve its controls over Medicaid and Children?s Basic Health Plan (CBHP) program provider eligibility determination and enrollment to ensure that it complies with federal and state requirements by: A Working with its fiscal agent to ensure that Colorado interChange performs all required database matches and properly displays results of Social Security Number and Federal Employer Identification Number verifications for all providers. B Establishing an effective process to ensure that provider licensing information contained in Colorado interChange is current, that any expired licenses are identified, and that any ineligible providers are disallowed from providing Medicaid and CBHP services and receiving payments in accordance with Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). C Formalizing the Department?s monitoring policies and procedures called Provider Enrollment Audit Process over the fiscal agent to ensure required documentation is maintained in accordance with Uniform Guidance. D Ensuring that Colorado interChange displays provider information consistently throughout the system. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department is working with its Fiscal Agent to ensure all required database screenings are performed and clearly identified in the Colorado interChange. An issue was identified in a prior year, FY 2018-19, that not all screening information was consistent. There was also a concern that initial screenings might miss some individuals due to the way data was formatted when transferred from LexisNexis. The issue was resolved by the Fiscal Agent prior to FY 2019-20. The Fiscal Agent is continuing to conduct manual reviews of all screening results to ensure compliance. A separate process to screen providers monthly is executed by the Department's Program Integrity Section. Through this process, no providers were found to have been enrolled incorrectly and, as necessary, the Department took appropriate action if there were changes to a provider's information. The Department is working with its Fiscal Agent to properly display results of Social Security Number and Federal Employer Identification Number verifications for all providers and automate the review process. The Department's implementation date reflects that the Department will complete the improvements and be in compliance with the Recommendation for the entirety of FY 2022-23. B DISAGREE. The Department finds that the Colorado interChange is working as designed, that the Fiscal Agent is appropriately enrolling providers, and that the Department is in compliance with the federal regulations regarding enrolling and revalidating providers. The Department is compliant with 42 CFR ? 455.436, which requires providers to be screened at enrollment and revalidation. All providers are assessed for eligibility requirements at enrollment and revalidation and are then screened monthly to identify any changes. For the licensing issue identified in this audit report, the Department performed the appropriate actions to recover funds within less than a month of the incident, which is compliant with federal regulation 42 CFR ? 455.436(c)(2). AUDITOR?S ADDENDUM: As noted in the finding, we found issues with the Department?s ongoing verification and monitoring of providers? eligibility that failed to prevent improper payments to an ineligible provider during the fiscal year. In addition, the Department did not send notification to recover funds from the provider until October 2019, or 8 months after the provider?s license was suspended. C AGREE. IMPLEMENTATION DATE: JULY 2020. The Department finalized the Fiscal Agent monitoring policies and procedures in December 2019 and therefore was unable to be in full compliance for the entire FY 2019-20. The Department's implementation date reflects that the Department will be in compliance with the Recommendation for the entirety of FY 2020-21. D DISAGREE. There was an initial system configuration on some early enrollments that prevented populating the requested information in the visible provider subsystem tabs for the auditor to review. The verification functionality happens within the provider portal and not in the visible provider subsystem tabs that the auditor reviews. However, no functionality or data was lost, the information only appeared and was stored in the provider portal. The Department implemented a solution so that the information will be displayed in the provider subsystem. This change is pending the next update the providers make and the data will be visible in the provider subsystem. The Department will not be making historical changes to the system. The Department has worked with the Fiscal Agent to resolve the issues which led to the finding and does not believe that expending additional resources to display historical information in both the provider portal and the provider subsystem is the best use of resources. The Department can produce the information manually. AUDITOR?S ADDENDUM: The data inconsistency issues we identified through our audit were based on our reviews of Colorado interChange through the access provided to us by the Department. As noted in the finding, inconsistent information within the provider eligibility screens used for Medicaid and CBHP increases the risk of inaccurate reviews of provider eligibility and ultimately, inappropriate enrollment screening. Therefore, as our recommendation states, the Department should ensure that Colorado interChange displays provider information consistently. The recommendation did not include restatement of historical information.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-048 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-035 MEDICAL ASSISTANCE PAYMENTS FOR DECEASED BENEFICIARIES As a safeguard against potential errors and fraud, state and local agencies need to be vigilant in preventing payments for medical services on behalf of ineligible individuals, such as those who are deceased. In general, the Department, local counties, and MA sites share responsibility for ensuring that only eligible beneficiaries receive public assistance benefits under Medicaid and CBHP. Local counties and MA sites caseworkers enter the required data for eligibility determination into CBMS, which either approves or denies eligibility for MA benefits. In addition, CBMS has various system interfaces to confirm and update the eligibility information in CBMS, including the date of death. Eligibility data in CBMS feeds daily into Colorado interChange and the Department pays providers through two methods: (1) FFS payments to medical service providers for specific services, including pharmacy prescriptions, and (2) capitation payments. The monthly capitation payments are paid at the beginning of each month regardless of whether the providers serve beneficiaries during the month or not. FFS payments are only made for Medicaid beneficiaries while capitation payments are made for both Medicaid and CBHP beneficiaries. Colorado interChange is programmed to pay FFS and monthly capitation payments only on behalf of beneficiaries that are deemed eligible based on eligibility information received from CBMS and requirements specified in federal and state regulations. CBMS receives beneficiary death information through various sources, including updates from beneficiaries? family members, daily interfaces with the SSA, and a monthly interface with the Colorado Electronic Death Registration System maintained by the Colorado Department of Public Health and Environment (CDPHE). If death information received in CBMS has not been verified, the Department will confirm the death information by sending notification letters to the deceased beneficiary. Once the death information is verified, CBMS is programmed to terminate the beneficiary?s eligibility as of the date of death. On a daily basis, CBMS then sends updated beneficiary eligibility and date of death information to Colorado interChange, which is programmed to run a daily automated process to stop payments, check for payments, and recover all FFS and capitation payments made after the beneficiary?s verified date of death. In the majority of cases, there is a delay between when the beneficiary dies and when the Department receives death information, verifies the date of death, and terminates benefits; which means that claims may be paid on behalf of deceased beneficiaries for a period of time. Per federal regulations, the Department is required to recover any payments made on behalf of these beneficiaries after their date of death. Once the Department receives verified death information, overpayments are recovered through an automated process in Colorado interChange. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over Medicaid and CBHP payments related to beneficiaries who die while receiving benefits, to determine whether the Department complied with applicable federal and state requirements, and whether payments were only made on behalf of eligible beneficiaries during Fiscal Year 2020. During our audit, we received a listing of all Coloradans who died during Fiscal Year 2020, including dates of death, from CDPHE staff. We also obtained a listing from the Department of all Medicaid and CBHP payments made to providers during Fiscal Year 2020. We compared the two listings using Social Security Numbers (SSN) and identified 1,059 Medicaid and CBHP IDs that had Medicaid payments totaling $429,951 made on their behalf and $194 in CBHP payments made on their behalf. In addition, we reviewed the Department?s processes, policies, and procedures for identifying, stopping, and recovering payments for deceased beneficiaries. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? Federal regulation [42 CFR 431 Subpart Q, Requirements for Estimating Improper Payments in Medicaid and CHIP] states that any payment to an ineligible beneficiary is considered an improper payment, which is any payment that should not have been made or that was made in an incorrect amount. Also, Section 25.5-4-301(2), C.R.S., requirements for Medicaid and CBHP, states that any overpayments of claims to providers are recoverable. These overpayments ?are recoverable regardless of whether the overpayment is the result of an error by the state department, a county department of human or social services, an entity acting on behalf of either department, or by the provider or any agent of the provider.?? Additionally, Section 25.5-4-301(2)(a)(II), C.R.S., states, ?If the state department makes a determination that such overpayment has been made for some other reason than a false representation by the provider?, the state department may waive the recovery or adjustment of all or part of the overpayment and accrued interest specified in this subparagraph (II) if it would be inequitable, uncollectible or administratively impracticable?.? Because medically necessary services cannot be provided after a beneficiary?s death, no medical services are allowable after a beneficiary?s death and, accordingly, payments for medical services claimed to have been provided after a beneficiary?s death are overpayments and should be recovered. Pursuant to 1903(d)(2)(C) of the Social Security Act [42 U.S.C. 1396b] requirements for Medicaid and CBHP, states have up to 1 year from the date of discovery of any overpayment to recover or attempt to recover the overpayment before the federal share must be refunded to CMS, regardless of whether or not recovery is made from the provider. According to federal regulation [45 CFR 75.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. Green Book, Paragraph 16.01, states that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. A questioned cost, as defined in Uniform Guidance [45 CFR 75.2], is ?a cost that is questioned by the auditor ? (1) Which resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds; [or] (2) Where the costs, at the time of the audit, are not supported by adequate documentation?.? Additionally, federal regulation [45 CFR 75.516] defines known questioned costs as questioned costs that are specifically identified by the auditor and likely questioned costs as the auditor?s best estimate of total questioned costs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We found that the Department made Medicaid and CBHP payments to providers for medical services claimed to have been rendered to Medicaid and CBHP beneficiaries after the months in which beneficiaries died. Specifically, the Department made payments on behalf of 1,059 beneficiaries after their date of death provided by CDPHE, resulting in overpayments of $185,265, of which $96,952 were paid with federal grant funds, as follows: MEDICAID FFS PAYMENTS. We identified 277 Medicaid beneficiaries whose SSN matched a death record from CDPHE and who had Medicaid FFS payments totaling $207,667 paid on their behalf to providers after their date of death. We reviewed payments for 21 of the 277 Medicaid beneficiaries and confirmed with the Department that 17 of the 21 beneficiaries (81 percent) were deceased and had payments made on their behalf after their date of death during Fiscal Year 2020. We also found that the Department had not recovered these improper FFS payments to ineligible beneficiaries as of the end of Fiscal Year 2020 and, therefore, these errors resulted in known questioned costs of $17,041, of which $8,654 was paid with federal grant funds. For the remaining four Medicaid beneficiaries, the Department researched and provided evidence that the beneficiaries were not deceased. Therefore, these four beneficiaries did not result in questioned costs. The remaining 256 beneficiaries whose SSN matched a death record from CDPHE and need to be researched and verified resulted in likely questioned costs of $77,840, of which $41,422 was paid with federal grant funds. MEDICAID AND CBHP CAPITATION PAYMENTS. We identified 846 Medicaid and CBHP beneficiaries whose SSN matched a death record from CDPHE and who had capitation payments paid on their behalf to providers after their date of death that had not been recovered as of the end of Fiscal Year 2020, totaling $222,630 for Medicaid and $194 for CBHP. We informed the Department of the issues we identified and provided them with the list of 846 beneficiaries. Department staff performed additional follow-up and confirmed that Colorado interChange had received verified death records for 747 of the 846 beneficiaries and a total of $170,747 in provider payments had been made on the beneficiaries? behalf after their dates of death during Fiscal Year 2020. These payments resulted in known questioned costs of $168,224, of which $88,150 was paid with Medicaid federal grant funds and $148 was paid with CBHP federal grant funds. For 12 out of the 747 beneficiaries, the date of death reported in Colorado interChange differed from the date of death provided by CDPHE. Part of the payments to these beneficiaries resulted in likely questioned costs of $2,524, of which $1,401 was paid with Medicaid federal grant funds. For the remaining 99 of the 846 beneficiaries, the Department reported that Colorado interChange did not have death information for these beneficiaries and had not researched these further. As a result, Medicaid payments for these 99 beneficiaries are reported as likely questioned costs of $52,076, of which $28,508 was paid with federal grant funds. The following table summarizes the issues we identified. See Schedule of Findings and Questioned Costs for chart/table. WHY DID THESE PROBLEMS OCCUR? Overall, the Department lacked sufficient internal controls to ensure that medical assistance payments were not paid to deceased individuals during Fiscal Year 2020, as follows: ? LACK OF WRITTEN POLICIES AND PROCEDURES. The Department does not have written policies and procedures to monitor payments to deceased beneficiaries, to recover overpayments, and to ensure compliance with federal and state regulations related to medical assistance payments after a beneficiary?s date of death. ? SYSTEM ISSUES. We identified the following Colorado interChange system issues that caused the errors we identified: ? According to the Department, when Colorado interChange was implemented in 2017, it was programmed to only recover capitation payments in the current month and previous 2 months for Medicaid beneficiaries, and in the current month and previous 5 months for CBHP beneficiaries, after death information is received. As a result, for instances in which the Department received and verified beneficiaries? death information more than 3 months after the date of death for Medicaid and more than 6 months after the date of death for CBHP, the Department was not automatically recovering all improper capitation payments in accordance with federal and state regulations. According to the Department, in November 2020, the Department updated Colorado interChange to correct this system issue to recover all capitation payments after a beneficiary?s date of death. ? The Department lacks an effective internal control process for detecting when Colorado interChange is not recovering payments made on behalf of deceased beneficiaries. Specifically, we identified issues related to Medicaid FFS payments and followed up with the Department. Upon further review, the Department discovered a system defect that occurred from October 23, 2019, through April 23, 2020, which prevented Colorado interChange from carrying out the daily automated check and recovery process for FFS payments made on behalf of deceased beneficiaries. Due to this system defect, Colorado interChange did not recover any payments for deceased beneficiaries during this time. Although the system defect was fixed in April 2020, the Department was not aware of the issue and that payments were not being recovered for deceased beneficiaries until the Department researched the beneficiaries identified through the audit. According to the Department staff, as of May 2021, the Department was still researching the deceased beneficiaries impacted by the system defect and recovering payments. WHY DO THESE PROBLEMS MATTER? Without strong internal controls over Medicaid and CBHP eligibility, the Department increases the risk of improper payments due to fraud or error. Furthermore, making payments on behalf of ineligible individuals, including individuals who are deceased, can result in the Department having to repay the federal government for the federal portion of the overpayments. Additionally, the federal government can disallow federal funds for program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-035 The Department of Health Care Policy and Financing should improve its internal controls over Medicaid and Children?s Basic Health Plan (CBHP) payments for deceased beneficiaries by: A Establishing and implementing written policies and procedures to monitor payments to deceased beneficiaries, recover any overpayments, and to ensure compliance with state and federal regulations. B Researching and resolving the Colorado interChange system (Colorado interChange) issues to ensure that all Medicaid and CBHP payments are stopped and recovered after a beneficiary?s date of death and developing a process to detect when Colorado interChange is not recovering payments on behalf of deceased beneficiaries. C Researching and recovering any overpayments made to providers on behalf of ineligible beneficiaries noted through the audit in accordance with state requirements. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will create written procedures documenting system and monitoring processes used to prevent claims from paying after a beneficiary?s date-of-death is verified. In addition, the procedures will document the processes used to recover payments made between a beneficiary?s verified date-of-death and the date the Colorado interChange system is updated with the date-of-death. B AGREE. IMPLEMENTATION DATE: JULY 2022. The system issues described in this audit were resolved as of April 2020 for fee-for-service claims and November 2020 for capitation payments. Once a beneficiary's date-of-death is verified, payments that were made after to the date-of-death will be recovered through the Department's existing processes. As noted in the Department?s response to Recommendation (A), the Department will create written procedures documenting system and monitoring processes used to prevent claims from paying after a beneficiary?s date-of-death is verified. In addition, the procedures will document the processes used to recover payments made between a beneficiary?s verified date-of-death and the date the Colorado interChange system is updated with the date-of-death. AUDITOR?S ADDENDUM As noted in the finding, the Colorado interChange system defect did not recover payments from October 23, 2019, through April 23, 2020. However, the Department was not aware of the system defect until it researched the beneficiaries identified through the audit. According to Department staff, as of May 2021, the Department was still researching the beneficiaries that were impacted by the system defect and recovering payments. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will recover any overpayments made to providers on behalf of deceased beneficiaries once a beneficiary's date-of-death is verified based on our current processes and existing system functionality. The Department does not agree to the questioned costs identified by the auditors. When performing a review of the auditor?s data, several beneficiaries were found not to be deceased by the Department. The records provided by the auditors, like all records received from Colorado Department of Public Health and Environment (CDPHE) and the Social Security Administration (SSA), will go through the Department?s existing verification process. The Department performs the required research and outreach to beneficiaries to verify the date-of-death prior to updating the information in the Colorado interChange. In addition, the Department is not required to recover payments by the end of the state fiscal year, and reports any payments recovered to the Centers for Medicare and Medicaid Service (CMS) based on federal requirements. The Department?s source of beneficiary data, the verification processes, and recovery processes have already been established to satisfy this recommendation within federal guidelines. AUDITOR?S ADDENDUM As noted in the finding, all known questioned were for deceased beneficiaries that were verified by the Department. All likely questioned costs were for beneficiaries that had yet to be researched and verified by the Department. According to Department staff, as of May 2021, the Department was still researching and recovering payments made on behalf of deceased beneficiaries.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-050 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-037 RECOVERING AND REFUNDING OF FEDERAL SHARE OF MEDICAID AND CBHP PROVIDERS? OVERPAYMENTS The Department pays providers for services rendered to eligible beneficiaries of Medicaid and CBHP programs. In some cases, the Department may discover that it paid a provider for unallowed services, or that it paid more than the allowable amount, and will need to seek a recovery for the overpayment. In such cases, the Department is required to repay CMS for the portion of the overpayment that was funded by the federal government (federal share) within 1 year of the date the overpayment was identified. The Department?s Program Integrity (PI) Division identifies, receives, and tracks overpayments made to Medicaid and CBHP providers. An overpayment is identified once the PI Division sends a Demand Letter (date of discovery) to the provider or receives a self-disclosure identifying the amount of overpayment. The provider has a deadline of 30 days after receiving a Demand Letter or 60 days after submitting a self-disclosure to submit the overpayment or make arrangements for a payment plan with the PI Division. The PI Division uses a recovery tracking spreadsheet (Spreadsheet) to compile all necessary information for the recovery and refund of overpayments. The Spreadsheet is designed to contain information such as the amount of the overpayment, date of discovery, and deadlines for refunding to CMS. The federal share of overpayments that must be refunded to CMS depends upon the Federal Medical Assistance Percentage (FMAP) at which the Department was reimbursed. Once the PI Division recovers an overpayment from the provider, it determines the FMAP and includes it in a recovery form called the Colorado Authorization Document; PI Division staff then send it to the Controller?s Division for recording the recovery and refund information in the Colorado Operations Resource Engine (CORE), the State?s accounting system. The Department?s Controller?s Division uses summary data from CORE to report financial information for Medicaid and CBHP?including all overpayments and the associated federal share?to CMS in quarterly reports: Form CMS-64 for Medicaid and Form CMS-21 for CBHP. The Department has up to 1 year from the date of discovery of an overpayment to report the refund to CMS in one of these forms, as appropriate. The PI Division works with the Controller?s Division to ensure the timely reporting and refunding of the federal share of overpayments to CMS. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to review the Department?s internal controls over processes for recovering, reporting, and refunding the federal share of Medicaid and CBHP overpayments, as well as to determine whether the Department complied with applicable federal requirements and Department policies and procedures during Fiscal Year 2020. During our audit, we reviewed the Department?s Spreadsheet detailing all overpayment cases that appeared to be due for a refund of federal share to CMS during Fiscal Year 2020. The Spreadsheet included 50 Medicaid and seven CBHP overpayment cases, and from these, we selected and tested a sample of 13 Medicaid and five CBHP overpayments. We requested and reviewed supporting documentation for these overpayments to determine whether (1) the information recorded in the Spreadsheet was accurate, (2) the overpayment was recovered in a timely manner or recovery was attempted within 1 year from the date of discovery, and (3) the federal share was appropriately refunded through quarterly reports to CMS in accordance with federal regulations. Additionally, we requested the Department?s policies and procedures to ensure compliance with federal regulations governing the recovery, reporting, and refunding of Medicaid and CBHP overpayments to CMS. The process followed for recovery, reporting, and refunding the federal share of overpayments to providers is the same for both Medicaid and CBHP, and our testing was used to determine compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal regulations for recovering, reporting, and refunding the federal share of Medicaid and CBHP overpayments to providers during Fiscal Year 2020. We noted issues with the untimely recovery and refund of overpayments to CMS, inaccurate federal reporting to CMS, and untimely follow-up with the provider on outstanding overpayments and expired checks. Specifically, we identified the following: ? UNTIMELY RECOVERY AND REFUND. For six of the 13 Medicaid (46 percent) and two of five CBHP (40 percent) overpayments tested, the Department failed to recover, or seek to recover, the overpayments from the provider and failed to refund to CMS, the federal share, within 1 year of the date of discovery, as required by federal regulations. For example, an overpayment was identified on September 13, 2018, but the Department did not recover, or seek to recover, the overpayment until September 15, 2020, and did not refund the federal share to CMS until federal quarter ending September 30, 2020, which is 367 days past the 1 year recovery and refund period in accordance with the federal requirement. In addition, for one of the 13 Medicaid (8 percent) and one of five CBHP (20 percent) overpayments tested, the Department failed to refund the federal share of overpayment to CMS within 1 year of the date of discovery. As a result of untimely follow-up with the providers, the Department did not recover the overpayments amounting to $23,646 in known questioned costs; and did not refund $12,176 within the 1 year period of discovery. These errors resulted in underreporting of overpayments to CMS for Fiscal Year 2020. Additionally, the Department could be liable to CMS for the interest payments on these untimely refunds of overpayments. As of the end of our audit, the Department had not provided an estimated amount of interest that will be due to CMS so we were unable to report an estimated questioned costs amount for the interest. According to federal regulation [42 CFR 433.312(a)(1) and (2)], the Department has 1 year from the date of discovery of an overpayment to a provider to recover or seek to recover the overpayment before the Federal share must be refunded to CMS. In addition, the Department must refund the Federal share of overpayments at the end of the 1-year period following the date discovery of overpayment, whether or not the State has recovered the overpayment from the provider. According to federal regulation [42 CFR 433.320(a)(4)], if the Department does not refund the Federal share of such overpayment as indicated in the previous paragraph (a)(2), the State will be liable for interest on the amount equal to the Federal share of the non-recovered, non-refunded overpayment amount. Interest during this period will be at the Current Value of Funds Rate, and will accrue beginning on the day after the end of the 1-year period following discovery until the last day of the quarter for which the State submits a CMS-64 report refunding the Federal share of the overpayment. ? INACCURATE FEDERAL REPORTING. For all 13 Medicaid (100 percent) and all five CBHP (100 percent) overpayments we tested, the Controller?s Division reported the federal share of the overpayments made to providers on the wrong line of the CMS quarterly reports rather than on the line specified and required by Uniform Guidance. Uniform Guidance states that the Department must report the refund of the overpayment on CMS-64 for Medicaid on line 9C1- Fraud, Waste and Abuse and/or on CMS-21 for CBHP on line 4-Adjustments Decreasing Claims-Collections. ? EXPIRED CHECK AND UNTIMELY FOLLOW-UP. For one of the 13 Medicaid overpayments tested (8 percent), the PI Division failed to timely process the overpayment recovery check received from the provider. Consequently, the check, which was received on September 5, 2019, expired and the Department did not take any actions to follow up with the provider at any time through the end of the fiscal year to obtain payment. After we brought this issue to the Department?s attention, they followed up on the outstanding payment in January 2021, which is more than 16 months since the check expired. According to the Department?s Policies and Procedures, Recovery Officer Check Processing, Section (V)(A), the PI Division within Audits and Compliance has to process the received check in a timely manner and provide a copy to the accounting or Controller Division. ? INCOMPLETE TRACKING SPREADSHEET. We found that the overpayment recovery and refund tracking Spreadsheet used by the PI Division was incomplete and missing important information such as the date of the discovery, the federal program reimbursement rate, and deadlines for refunding to CMS. Green Book, Section 4, Paragraph OV4.08, states that documentation is required for the effective design, implementation, and operating effectiveness of an entity?s internal control system. WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls, including policies and procedures, in place over the recovery, reporting, and refunding of Medicaid and CBHP overpayments during Fiscal Year 2020 to ensure compliance with federal regulations. Specifically, we noted the following causes for the identified errors: ? LACK OF TRAINING. The staff within the PI Division and the Controller?s Division lacked adequate training to document, communicate, and report details of overpayments to ensure compliance with federal regulations. Specifically, the Department?s PI Division did not timely create and provide the Colorado Authorization Document form to the Controller?s Division and the Controller?s Division did not report the refund of the overpayments within 1 year of the date of discovery to ensure compliance with federal regulations. Additionally, staff lacked training to properly track and report overpayments for Medicaid and CBHP; timely process recovery and refund of overpayments, processing checks timely, and correctly report overpayments on CMS quarterly reports. ? LACK OF POLICIES AND PROCEDURES. The Department lacked written policies and procedures to ensure that all necessary information such as the date of the discovery, the federal program reimbursement rate, and deadlines for refunding to CMS required to track, recover, report, and refund overpayments were documented within the Spreadsheet. ? LACK OF ACCOUNT CODES. According to the Controller Division staff, the correct accounting codes are not set up in CORE; therefore, the recovered overpayments are currently recorded under incorrect accounting codes in CORE. This led to the reporting of overpayments on the incorrect federal reporting lines in CMS quarterly reports. ? LACK OF SUPERVISORY REVIEW. The PI Division and Controller?s Division lacked supervisory review over the Spreadsheet and CORE account codes used on the recoveries to ensure completeness and accuracy of information to support timely recovery, refund, and reporting of overpayments. WHY DO THESE PROBLEMS MATTER? Strong internal controls over refunding and recovery of Medicaid and CBHP overpayments, including written policies and procedures; adequate staff training on those policies and procedures, and any related processes; a proper tracking mechanism; and a supervisory review process are necessary to ensure that Department is in compliance with federal and state regulations. Without a proper tracking mechanism for overpayments, the Department risks failing to timely recover state funds paid improperly, refund overpayments, and accurately report overpayment information to the federal government, potentially resulting in additional liability of interest on overpayments to the federal government. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-037 The Department of Health Care Policy and Financing (Department) should improve its internal controls over Medicaid and Children?s Basic Health Plan (CBHP) overpayments and comply with the related payment and reporting requirements by: A Providing adequate training to staff to ensure timely documentation and communication of recovery information between the Program Integrity Division and the Controller Division related to reporting and refunding of overpayments within 1 year of the date of discovery in accordance with federal regulation. Additionally, the training should focus on proper tracking and reporting of overpayments for Medicaid and CBHP, timely processing of recovery of overpayments, timely check processing, and correct refunding of the federal share of these overpayments on Centers for Medicare and Medicaid Services (CMS) quarterly reports. B Developing and implementing written policies and procedures to ensure that all necessary information required to correctly track Medicaid and CBHP overpayments is included on the tracking spreadsheet and recovered overpayments are refunded and reported to CMS within the 1 year of the discovery date, in accordance with federal regulations. C Creating overpayment account codes to report recovered overpayments accurately in the Colorado Operations Resource Engine (CORE) and subsequently under the correct federal reporting lines in CMS quarterly reports. D Implementing a supervisory review over the tracking spreadsheet and CORE overpayment recovery account codes to ensure completeness and accuracy of information to support timely recovery and reporting of overpayments by the divisions. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will develop and provide training to staff that covers the federal regulations surrounding reporting overpayments and returning the federal share, required information for tracking overpayments, processes for processing recovered funds in a timely manner, and processes for properly refunding the federal share on the CMS-64 and/or CMS-21. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will draft and revise existing policies and procedures to ensure proper tracking of recovered overpayments, timely processing of those payments, and correct reporting on the CMS-64 and/or CMS-21. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will implement procedures and coding sufficient to allow proper reporting of overpayments returned greater than one year from the date of discovery for the CMS quarterly reports. D AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will develop and revise supervisory review processes for ensuring that the tracking spreadsheet is complete and accurate and that the CORE account codes are correctly reported.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2020-051 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-038 PRESUMPTIVE ELIGIBILITY Colorado?s presumptive eligibility program is designed to give immediate, temporary medical coverage to children under 19 and pregnant women while they wait for a regular Medicaid or CBHP eligibility determination. Though there are fewer eligibility requirements for presumptive eligibility in comparison with regular Medicaid or CBHP coverage, beneficiaries must submit a Medical Assistance application (Application) and meet certain criteria to be eligible. To manage the application process and help ensure that only people meeting the basic eligibility criteria are enrolled in presumptive eligibility programs for children and pregnant women, the Department partners with clinics, health care centers, and community resource centers that are certified as presumptive eligibility sites (PE sites). Such PE sites must be re-certified by the Department every 2 years to maintain their active status as qualified PE sites in order to process presumptive eligibility. As part of the re-certification process, the Department conducts a sample of eligibility case reviews. During Fiscal Year 2020, there were 57 PE sites that together determined presumptive eligibility for 1,795 Medicaid cases and 875 CBHP cases. The process of enrolling an applicant into a presumptive eligibility program begins when a caseworker at a PE site collects minimum information needed to determine presumptive eligibility, including the applicant?s name, age, residency, citizenship, and income. The caseworker enters this information into CBMS, which determines whether the applicant is eligible to receive Medicaid or CBHP temporary benefits. If the applicant is deemed presumptively eligible, then CBMS feeds relevant data to Colorado interChange, which issues payments to CBHP and Medicaid providers on behalf of these beneficiaries. If the applicant?s reported information is not in compliance with state and federal requirements, CBMS is programmed to deny the eligibility and mark the applicant?s eligibility as fail within CBMS. As a result, the applicant would not be eligible to receive any payments on their behalf through Colorado interChange. Once an applicant?s presumptive eligibility has been determined, the PE site submits the Application along with a transmittal form detailing the beneficiary?s reported information to the appropriate local county or designated MA site, which then completes the application process to determine regular (i.e., not presumptive) eligibility for Medicaid or CBHP benefits. Once the applicant is enrolled in the regular Medicaid or CBHP program, the individual?s presumptive eligibility benefits should end. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to review the Department?s internal controls over the processing of presumptive eligibility for Medicaid and CBHP programs, as well as to determine whether the Department complied with the applicable federal and state requirements for Fiscal Year 2020. During our internal controls testing, we reviewed all 57 PE sites to determine whether they were due for re-certification and were appropriately re-certified to process presumptive eligibility by the Department during the fiscal year. Out of 57 PE sites, 39 were due for re-certification during Fiscal Year 2020. We also reviewed the Department?s case reviews of the presumptive eligibility determinations processed by 13 staff at five out of the 39 PE sites due for re-certification during Fiscal Year 2020 to determine whether reviews were performed and if the appropriate training was provided for those PE sites? staff that failed the Department?s review. The PE site?s staff fails the Department?s case reviews if the Department identifies a high amount of presumptive eligibility determination errors in accordance with federal and state requirements. If the PE site?s staff fails the review, the Department requires the staff to undergo customized Department training over the areas they failed within 6 months of the review. We also made inquiries with Department staff regarding their policies and procedures over monitoring of these PE sites and reviewed the Department?s process of case file reviews. In addition, we randomly selected a sample of 20 Medicaid and 20 CBHP cases for individuals who were deemed presumptively eligible by the Department during Fiscal Year 2020 to determine whether the Department complied with federal Medicaid and CBHP presumptive eligibility requirements. Our testing included reviewing the related supporting case file documentation, as well as the CBMS data fields related to presumptive eligibility determinations and payment information in Colorado interChange. The process followed for presumptive eligibility determination is the same for both Medicaid and CBHP, and therefore our testing was used to determine compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal and state regulations regarding Medicaid and CBHP presumptive eligibility requirements during Fiscal Year 2020. We noted issues regarding the Department?s timeliness of PE sites? re-certifications, failure to timely end beneficiaries? presumptive eligibility, a lack of review of PE sites, and missing documentation. Additionally, we found CBMS system issues related to the determination of applicant?s presumptive eligibility. Specifically, we identified the following: ? UNTIMELY END OF PRESUMPTIVE ELIGIBILITY. In eight out of 20 Medicaid (40 percent) and seven out of 20 CBHP (35 percent) cases, we found that the Department did not properly end presumptive eligibility within CBMS as required by the federal regulation. For example, in one CBHP case, the beneficiary?s presumptive eligibility did not end until 57 days after the beneficiary was determined to be eligible for regular CBHP benefits. Federal regulation [42 CFR 435.1101)] states that presumptive eligibility should end the day on which a decision is made on the application for Medical Assistance or the last day of the month following the month in which the determination of presumptive eligibility was made. ? LAPSED CERTIFICATIONS OF PE SITES. We found that five of the 57 PE sites (9 percent) were not re-certified within 2 years, as required, during Fiscal Year 2020, and therefore, were not qualified to make presumptive eligibility determinations after their re-certification due date had passed. Based on inquiry with the Department, these five PE sites processed a total of 314 presumptive eligibility determinations for Medicaid and CBHP after their re-certification due date during Fiscal Year 2020. The Department was unable to provide the total payments made on behalf of these beneficiaries during the presumptive eligibility period as of June 30, 2020, since these payments are not separately identified from regular Medicaid or CBHP payments in the system. As a result, we were unable to determine the amount of questioned costs the Department paid for these individuals during Fiscal Year 2020. State regulation [10 CCR 2505-10, 8.100.4.F (3)] requires the Department to re-certify the PE sites every 2 years to remain an approved site. ? LACK OF REVIEW OF PE SITES. We found several issues with the Department?s review of PE sites. Specifically we found the following: ? For 13 out of the 39 PE sites due for re-certification and a review (33 percent), the Department did not perform any case reviews to ensure that presumptive eligibility determinations were being made appropriately and in accordance with state and federal regulations by the PE site staff during Fiscal Year 2020. ? 11 of 13 staff at three PE sites (85 percent) failed the Department?s review of presumptive eligibility determinations during the fiscal year. However, the Department was unable to provide adequate evidence that it provided training to these staff within 6 months of their failed reviews, as required by Department processes. ? Currently, for all 57 PE sites, the Department conducts reviews every 2 years, but only requires them to retain eligibility documentation for 1 year. As a result, the Department is able to monitor PE site?s eligibility determinations for only half of the period since the last review, leaving the other half unmonitored. Federal regulation (42 CFR 435.1102(b)(3)) requires the Department to ?establish oversight mechanisms to ensure that presumptive eligibility determinations are being made consistent with the statute and regulations?. According to the Department processes, staff are to review a sample of presumptive eligibility cases at PE site every 2 years when reviewing sites for re-certification. If a PE site?s staff fails a review, the Department requires the staff to undergo customized Department training within 6 months over the areas they failed. Green Book, Section 2, Paragraph OV2.02, states that the Green Book applies to all of an entity?s objectives: operations, reporting, and compliance. Additionally, Green Book, Paragraph 16.01, indicates that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports and observing operations. ? MISSING DOCUMENTATION. In five of the 20 CBHP cases (25 percent) and five of the 20 Medicaid cases (25 percent) we tested, the Department was unable to provide evidence that the PE sites notified the counties or MA sites within five business days that the applicants were presumptively eligible. Federal regulation [42 CFR 435.1102(b)(2)(iii)] states that the presumptive eligibility sites are required to notify the local county or MA site within 5 business days that the client is presumptively eligible. ? SYSTEM DISPLAY ISSUE. In two of 20 CBHP cases (10 percent) and two of 20 Medicaid cases (10 percent), CBMS did not display the presumptive eligibility termination dates consistently between various screens. For example, in a Medicaid case, one screen showed a presumptive eligibility termination date of January 22, 2020, and the other screen showed a presumptive eligibility termination date of February 29, 2020. This system display issue did not affect the beneficiaries? presumptive eligibility and therefore there were no questioned costs. CBMS is designed to display case and applicant information consistently between various screens within the system. WHY DID THESE PROBLEMS OCCUR? The Department lacked sufficient internal controls to ensure that it complied with state and federal presumptive eligibility requirements during Fiscal Year 2020. Specifically, we noted the following causes for the errors we identified: ? LACK OF POLICIES AND PROCEDURES. The Department did not have written policies and procedures detailing the requirements for completion of site reviews, maintenance of supporting documentation, and the performance of timely re-certification of PE sites. ? LACK OF MONITORING. The Department lacked an effective tracking mechanism to monitor and identify PE sites that were due for re-certification every 2 years and to ensure presumptive eligibility determinations were in compliance with state and federal regulations. ? CBMS SYSTEM ISSUES. CBMS was not programmed to appropriately terminate presumptive eligibility when the beneficiary is enrolled in the regular Medicaid or CBHP program. In addition, CBMS has a system display issue that results in inconsistent applicant information being shown on various screens. WHY DO THESE PROBLEMS MATTER? As the State?s Medical Assistance agency, it is essential for the Department to ensure that PE sites? eligibility determinations are made appropriately and in accordance with state and federal regulations. This includes ensuring benefits are paid only on behalf of eligible beneficiaries. Since CBMS determines eligibility for Medicaid and CBHP, the CBMS system issues we identified could result in erroneous eligibility determinations. The federal government can disallow federal funds for program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. By not ensuring that appropriate internal controls, including system controls, written policies and procedures, adequate reviews, and monitoring, are in place over the Medicaid and CBHP presumptive eligibility process, the Department cannot ensure that all Medicaid and CBHP beneficiaries are eligible to participate in the programs. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-038 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls over presumptive eligibility by: A Developing and implementing written policies and procedures detailing the requirements for completion of site reviews, maintenance of supporting documentation, timely training for failed presumptive eligibility (PE) site staff, and performance of timely re-certification of PE sites. B Developing an effective tracking mechanism to identify and monitor PE sites that are due for re-certification every 2 years and ensuring the re-certifications are performed. C Resolving Colorado Benefits Management Systems (CBMS) programming and system issues to appropriately terminate applicants? presumptive eligibility when the beneficiaries are enrolled in regular Medicaid or Children?s Basic Health Plan program and ensuring CBMS displays consistent applicant information between various screens. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department agrees with the audit recommendation to develop and implement formal written policies and procedures. Prior to this audit, the Department began creating formal written policies and procedures for site case reviews, maintenance of supporting documentation, timely training for failed workers, and performance of timely re-certification of presumptive eligibility sites (PE site). This finding had no known questionable cost associated with it. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Department agrees with the audit recommendation to develop an effective tracking mechanism to identify and monitor PE sites that are due for re-certification every two years and ensuring that the re-certifications are performed. Prior to this audit, the Department began developing a tracking mechanism for PE site re-certifications. This finding had no known questionable cost associated with it. C AGREE. IMPLEMENTATION DATE: IMPLEMENTED. Implemented as of April 2021. The Department has thoroughly researched the eligibility issues identified in this audit and made the changes to CBMS to ensure that applicants? presumptive eligibility has been appropriately terminated when the beneficiaries are enrolled in regular Medicaid or CBHP program, and that CBMS displays consistent applicant information between various screens. These issues were fixed through two system changes implemented in March 2020 and April 2021. This finding had no known questionable cost associated with it. AUDITOR?S ADDENDUM for Parts A, B, and C As noted in the finding, we found five PE Sites that were not re-certified within the required 2 years and therefore, were not qualified to make presumptive eligibility determinations after their re-certification due date had passed. State regulation [10 CCR 2505-10, 8.100.4.F] requires the Department to re-certify the presumptive eligibility sites every 2 years to remain an approved site. The five PE sites processed a total of 314 presumptive eligibility determinations after their re-certification due date and before the Department re-certified the sites. The Department was unable to provide the total payments made on behalf of these 314 beneficiaries? prior to being enrolled in the regular Medicaid or CBHP program as of June 30, 2020. Therefore, we were unable to determine the amount of questioned costs the Department paid for these individuals during Fiscal Year 2020.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2020-052 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-039 PROVIDER ELIGIBILITY The providers of medical and related services covered under Medicaid and CBHP programs fall into a wide array of provider types that include clinics, hospitals, independent physicians, and medical technicians, as well as managed care organizations and health plans that contract with medical providers. As of June 30, 2020, approximately 76,960 entities and individuals were enrolled with the Department to provide services under Medicaid and CBHP. Although the Department is ultimately responsible for ensuring that only eligible providers participate in the Medicaid and CBHP programs, the Department has contracted with a fiscal agent to perform certain provider-enrollment and claims-processing activities, including accepting, processing, evaluating, and approving or rejecting applications. Providers that want to enroll must complete an online application within Colorado interChange and provide documentation, including a current medical license, showing that they fulfill all enrollment requirements based on their provider type. The fiscal agent is contractually responsible for evaluating the application and the relevant supporting documentation to ensure compliance with all state and federal enrollment requirements. The Department is responsible for maintaining current provider information in Colorado interChange. Once the enrollment process is complete, the Department enters into agreements with the providers that are found to be eligible. In December 2019, the Department added a Department of Regulatory Agencies (DORA) license database interface within Colorado interChange in order to provide a mechanism for updating the provider?s medical license information including the expiration dates within Colorado interChange for any expired provider licenses. Department staff indicated that the provider licenses are manually reviewed at the time of enrollment by the fiscal agent and marked as active, meaning the providers are eligible to participate in the Medicaid and/or CBHP programs. On a monthly basis, the fiscal agent manually runs a report from the DORA database to identify the provider?s medical licenses that are about to expire and updates the renewed license information in Colorado interChange. If a provider?s license is expired, then the fiscal agent marks the provider for a review. Furthermore, the Department?s Program Integrity (PI) Division checks the DORA?s website monthly to determine if any action such as suspensions or revocations of licenses have been taken against a provider?s medical license. If the action taken against the provider affects the provider?s ability to participate in Medicaid or CBHP for a certain period, the PI Division then determines if the provider should be placed on a temporary restriction by suspending any payments, or be terminated within Colorado interChange to stop payments to the provider. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over the enrollment and eligibility determinations of providers for Medicaid and CBHP services and to determine whether the Department complied with federal Medicaid and CBHP provider eligibility requirements during Fiscal Year 2020. Additionally, we assessed the Department?s progress in implementing our Fiscal Year 2019 recommendation related to provider eligibility and enrollment. At that time, we recommended that the Department improve its controls in this area to ensure that it complies with federal and state requirements related to data verification and maintenance of documentation, such as current provider licenses, to ensure payments are only made to eligible providers. We also obtained a detailed Suspension Listing from DORA, which contained provider medical licenses that were suspended during Fiscal Year 2020. We compared this Suspension Listing with provider information within Colorado interChange to determine whether the Department paid any providers with suspended licenses for claims during the fiscal year. We reviewed a sample of 45 provider applications for providers that were deemed eligible and received Medicaid and CBHP payments during Fiscal Year 2020 through Colorado interChange. We obtained and reviewed provider application information and relevant supporting documentation within Colorado interChange to determine whether these providers were accurately deemed eligible to receive Medicaid and CBHP payments and whether the required documents were maintained, in accordance with federal and state regulations. In addition, we conducted interviews with Department staff regarding its procedures over Medicaid and CBHP provider eligibility and enrollment. In March 2020, the Governor issued executive orders waiving Medicaid and CBHP provider licensing requirements for providers whose licenses expired during the COVID-19 PHE; as a result, our testwork was split into two periods of testing: (1) July 1, 2019, through February 29, 2020, and (2) March 1, 2020, through June 30, 2020. The process followed for provider eligibility and enrollment is the same for both Medicaid and CBHP providers, and our testing was used to determine compliance for both programs. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? We applied the following criteria during our testing: ? FEDERAL REGULATION [42 CFR 455.412] requires that the Department have a method for verifying that any provider purporting to be licensed in accordance with the laws of any state is licensed by such state and confirm that the provider?s license has not expired and that there are no current limitations on the provider?s license. This federal regulation requires the Department to verify that the providers meet required licensure standards initially, and it is best practice for the Department to verify that the providers meet these standards on an ongoing basis to ensure that there are no current limitations on the provider?s license. In May 2021, CMS provided clarification to the Department that ?not every condition on a provider?s license would be considered a limitation? and the PI Division within the Department needs to ?document in writing their determination to keep a provider enrolled when a license limitation does not restrict the provider?s ability to render services to Medicaid and CBHP beneficiaries to be in compliance with federal regulation.? ? STATE REGULATIONS [10 CCR 2505-10, 8.125.9 A AND B] require for current medical provider licenses, if a provider is required to possess a license or certification in order to provide services or supplies in the State, then that provider must be so licensed as a condition of enrollment as a Medicaid provider. As a condition of enrollment, any required licenses must be active without any current limitations. ? DEPARTMENT POLICY AND PROCEDURE. Provider Licensure Sanction Monitoring, Section III. A., states that in order for a provider to be eligible to render and bill for services, the provider must have an active license. ? FEDERAL CMS REQUIREMENTS [Sub Regulatory Guidance for State Medicaid Agencies (SMA): Revalidation (2016-001 (3))] state the Department must be able to produce documentation to support each of the provider screening and enrollment requirements under 42 CFR 455 Subpart E, including documentation of the most current license to ensure the provider remains eligible to provide services. ? CONTRACT REQUIREMENTS. According to the contract agreement with the fiscal agent, the fiscal agent is required to maintain detailed documentation to support each of the provider screening and enrollment requirements, including documentation of the provider?s most current license to ensure the provider remains eligible to provide services for Medicaid and CBHP. ? FEDERAL REGULATION [45 CFR 75.303(a)] requires that the Department, as a recipient of federal funds, must establish and maintain effective internal control over its federal awards that provides reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Green Book, Paragraph 16.01, which states that the Department ?should establish and operate monitoring activities to monitor [its] internal control system and evaluate the results.? Monitoring activities include reviewing reports, observing operations, and ensuring that activities are carried out in accordance with the federal grant agreement(s). WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We found that the Department did not fully comply with federal and state regulations for Medicaid and CBHP provider eligibility during Fiscal Year 2020. The specific issues we identified through our analyses of Medicaid and CBHP provider license data and case file reviews are outlined in more detail throughout this section. ELIGIBILITY ISSUES IDENTIFIED THROUGH DATA ANALYSES INELIGIBLE PROVIDERS?SUSPENDED LICENSES OR LICENSE WITH LIMITATIONS. Based on our comparison of the suspended provider license listing from DORA and provider information within Colorado interChange, we identified 13 ineligible providers who had their license suspended or had a license with limitations for part of Fiscal Year 2020, but continued to be shown as active, which means eligible, in Colorado interChange, as follows: ? 13 providers had their licenses suspended by DORA during Fiscal Year 2020; however, instead of terminating these providers in accordance with federal and state regulations, the Department marked these providers as active within Colorado interChange. For four of the 13 providers, the Department did not take any action to prevent them from billing for services during the year. For the remaining nine providers, the Department placed billing restrictions on the providers after DORA?s suspension date. Specifically, for six of these nine providers, the Department placed billing restrictions on the providers within 1 to 2 months and for the remaining three providers, placed the billing restrictions on the providers between 3 to 12 months after DORA?s suspension date. Based on additional testing, we determined that no payments were made to these providers after their licenses were suspended by DORA and therefore, we did not identify any questioned costs associated with these providers. ? One provider had its license listed as active with conditions on DORA?s website from April 10, 2020, through June 30, 2020, but the Department did not terminate the provider due to current limitations on the license; instead, the provider was marked as active in Colorado interChange and continued to bill claims and receive payments during the fiscal year. We determined that the provider?s current license limitations did not restrict the provider?s ability to render services. Therefore, the provider was eligible and no questioned costs were noted. However, the Department did not document their determination to keep this provider enrolled with current license limitations. In addition, we noted that this provider?s license expired in Colorado interChange as of October 2016, however, DORA?s website showed the provider with an active license, or license with limitations, during Fiscal Year 2020. The fiscal agent did not update license information as required by the contract. ELIGIBILITY CASE FILE ISSUES MISSING DOCUMENTATION AND LICENSE INFORMATION. For five of 45 providers (11 percent), the Department did not ensure that the fiscal agent maintained the support of the most current medical license information as of June 30, 2020, within Colorado interChange to demonstrate that the provider was eligible to provide services. After we brought the issue to the Department?s attention, the Department provided the documentation. Additionally, for two of these five providers, we found that the medical license information maintained by the fiscal agent in Colorado interChange differed from the license information contained in the DORA database. For example, in one case, the provider?s license showed an expiration date of September 30, 2019, in Colorado interChange, while the accurate license expiration date in DORA?s database was September 30, 2021. Without the most current license information, the fiscal agent cannot appropriately verify ongoing eligibility for the providers. WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls in place over the provider eligibility process during Fiscal Year 2020 to ensure that it complied with federal and state regulations. ? INEFFECTIVE REVIEW OF PROVIDER LICENSES. The Department lacks an effective review process to ensure the license information in DORA?s database matches the license information in Colorado interChange in order to identify suspended providers, to document their determination to keep a provider enrolled with license limitations, and providers with expired licenses. In addition, the Department?s manual review did not ensure that suspended providers, providers with license limitations and providers with expired licenses were terminated and restricted in a timely manner. ? POLICIES AND PROCEDURES NOT UPDATED. The Department did not obtain CMS guidance until May 2021 to document their determinations to keep providers with license limitations enrolled when a license limitation did not restrict provider?s ability to render services. Therefore, the Department?s current policies and procedures are not updated to match CMS guidance. ? LACK OF EFFECTIVE TRAINING AND MONITORING. The Department was not effectively training and monitoring its fiscal agent to ensure that copies of active medical licenses are maintained within providers? files in Colorado interChange. Additionally, the fiscal agent did not properly update the provider?s license information in Colorado interChange to match the DORA database during Fiscal Year 2020. WHY DO THESE PROBLEMS MATTER? By not ensuring that appropriate internal controls, including policies and procedures, reviews, training, and monitoring, are in place over the Medicaid and CBHP provider eligibility process, the Department cannot ensure that all Medicaid and CBHP providers are eligible to participate in the programs. Additionally, without an effective review process to update provider licensure information within Colorado interChange, the Department cannot ensure that the enrolled providers are eligible to receive payments. Ensuring that providers contained in Colorado interChange are eligible to provide services is especially important to prevent any improper payments. Overall, the State could risk losing federal Medicaid and CBHP funding if it allows ineligible providers to bill and be paid for services provided for these programs. Furthermore, the State may lose federal Medicaid money if the Department does not recover any of the payments made to ineligible providers. State statute [Section 25.5-4-301(2), C.R.S.] indicates that any overpayments of claims to providers are recoverable. These overpayments ?shall be recoverable regardless of whether the overpayment is the result of an error by the state department, a county department of social services, an entity acting on behalf of either department, or by the provider or any agent of the provider.? See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-039 The Department of Health Care Policy and Financing (Department) should improve its internal controls over the Medicaid and Children?s Basic Health Plan provider eligibility determination to ensure that it complies with federal and state requirements by: A Improving the Department?s review process of provider licenses to ensure the license information in the Department of Regulatory Agencies (DORA) license database matches the license information in the Colorado interChange system and ensuring timely termination and imposing restrictions for the provider?s whose licenses are suspended or expired. B Updating the current policies and procedures to match Centers for Medicare and Medicaid Services guidance to ensure there is adequate documentation of the determinations for providers with license limitations. C Effectively training and monitoring its fiscal agent to ensure that copies of active licenses are maintained and provider license information in the Colorado interChange system matches the information in DORA?s license database. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will update its policies and procedures to ensure that the process for reviewing whether a license action requires termination or a restriction in the Colorado interChange, is documented and implemented in a timely manner to prevent payments to ineligible providers. As noted in OSA's finding, it is best practice for the Department to verify providers meet these standards on an ongoing basis between initial enrollment and revalidation to ensure there are no current limitations on the provider?s license, including those that have expired. The Department?s previous process was discontinued due to data matching issues between DORA and the Colorado interChange. However, letters continue to be sent to providers with upcoming expiring licenses prompting them to add current license information to their provider file. The Department plans to implement a system change that will make the data feed from DORA functional and install a front-end claims edit that will prevent claims from providers with an expired license from paying. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will update its policies and procedures to ensure that all determinations made on whether a provider has a limitation on its license are properly documented. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department has an established process to train and monitor its fiscal agent. The Department will continue to monitor the Fiscal Agent through reports, meetings, and quarterly audit review processes. The Department and the Fiscal Agent will continue to collaborate to improve the process in which required documentation is collected and maintained.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-054 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-041 MEDICAID ELIGIBILITY?MISSING SOCIAL SECURITY NUMBERS A beneficiary?s application includes information such as a Social Security Number (SSN), birth certificate, and supporting documentation for income. Local counties and MA sites are responsible for administering the benefits application process, entering the required data for eligibility determination into CBMS, and approving or denying applicants? eligibility. For example, Medicaid caseworkers enter and document each applicant?s SSN into CBMS. Caseworkers determine participants? eligibility to receive Medicaid benefits through CBMS. The CBMS eligibility data, including SSNs, feeds into Colorado interChange, which pays providers for the services they render to Medicaid beneficiaries. If there is a change to an SSN, including removing an SSN in CBMS, this change should feed directly into Colorado interChange. Additionally, children in foster care are automatically eligible for Medicaid; the TRAILS system that supports the foster care program at the Department of Human Services also interfaces with Colorado interChange on a daily basis to update foster care beneficiaries? eligibility information and pay providers for the services rendered. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls that were in place over the Medicaid eligibility process during Fiscal Year 2019, and to determine whether the Department complied with federal and state Medicaid requirements during this timeframe. During our audit, we requested a list of all Medicaid claims for medical services that were submitted and paid through Colorado interChange from July 1, 2018, through March 31, 2019. This list included claims made on behalf of approximately 1.1 million beneficiaries. We analyzed the data to identify any Medicaid claims payments made during July 1, 2018, through March 31, 2019, on behalf of beneficiaries who did not have an SSN in Colorado interChange on the date of the claims payment, and found a total of 524,092 claims paid on behalf of 46,772 beneficiaries. From this listing, we excluded any of the claims payments made on behalf of a beneficiary who was exempted from providing an SSN under federal and state regulations. For example, we removed claims payments for beneficiaries who were under the age of 1; beneficiaries who were in foster care and, therefore, were automatically deemed eligible for Medicaid; beneficiaries who had applied to the Social Security Administration for an SSN at the time of the payment; beneficiaries who received medical care as an emergency service; and beneficiaries who had chosen to opt out of providing an SSN due to allowed religious reasons. After we removed these exempted beneficiaries from the population, the list included 2,870 beneficiaries that appeared to be missing an SSN in Colorado interChange and who had Medicaid claims payments made on their behalf from July 1, 2018, through March 31, 2019. We then reviewed these remaining beneficiaries, and the related separate payments made on their behalf during this time period, to determine whether these beneficiaries had an SSN in Colorado interChange at the time of the claims payments and whether the individuals were eligible for Medicaid benefits in accordance with federal regulations and Department procedures. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? SSN REQUIREMENTS. Federal regulations [42 CFR 435.910 and 42 CFR 435.117(b)] state that the Department must require an SSN for each individual requesting Medicaid benefits, with the exception of newborns under the age of 1, or ?Eligible Needy Newborns,? and individuals who refuse ?to obtain an SSN because of well-established religious objections.? Federal regulation [42 CFR 435.145(b)(2)] states that the Department must provide Medicaid benefits to individuals who are in the foster care program. Section 472 of the Social Security Act does not require a child to provide an SSN in order to be eligible for the foster care program. State regulations [10 CCR 2505-10 8.100.3.I.1, 8.100.4.B.1.a, and 8.100.4.G.7.a] also require that every individual who applies for and receives Medicaid benefits must provide an SSN, or an application for an SSN, with their application for Medicaid. The regulation specifically states: An applicant?s or client?s refusal to furnish or apply for a Social Security Number affects the family?s eligibility for assistance as follows: i) that person cannot be determined eligible for the Medical Assistance Program; and/or ii) if the person with no SSN or proof of application for SSN is the only dependent child on whose behalf assistance is requested or received, assistance shall be denied or terminated. The regulation also states that newborns under the age of 1 and ?members of religious groups whose faith will not permit them to obtain Social Security Numbers shall be exempt from providing a Social Security Number.? Eligibility data, including SSNs, is required to be collected and entered into CBMS at the time of application or upon another event, such as the beneficiary turning 1 year old. Because this information is maintained within CBMS, and CBMS feeds eligibility information into Colorado interChange, eligible beneficiaries should have an SSN in Colorado interChange. MONITORING. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in the Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). Green Book Paragraph 16.01, Perform Monitoring Activities, states the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. TRAINING. Department training procedures indicate that when a local county or MA site caseworker needs to update an SSN in CBMS, he or she must call the Office of Information Technology (OIT) Service Desk within the Office of the Governor, for approval of the change. According to Department staff, once the OIT Service Desk reviews and approves the change, the information will be updated within CBMS; if the OIT Service Desk does not approve the change to the SSN, then the updated information will be rejected within CBMS. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We identified 2,870 beneficiaries who were required to have an SSN but did not have an SSN documented in Colorado interChange and had Medicaid claims paid on their behalf sometime between July 1, 2018, and March 31, 2019. In total, Colorado interChange paid approximately $4,540,920 in Medicaid claims for these beneficiaries during the time period noted. In August 2019, we informed the Department of the issues we identified and Department staff performed additional follow-up based on our findings, which included analyzing information contained in CBMS compared to our results from Colorado interchange; the Department confirmed in January 2020, the Department confirmed that 1,590 of these beneficiaries had never had an SSN recorded in CBMS since they were first found eligible for Medicaid benefits, and therefore, would never have had an SSN in Colorado interChange. Because these individuals were required by federal and state regulations to provide an SSN at the time of application or upon another event, as applicable, the lack of documented SSNs in both CBMS and Colorado interChange indicated that these individuals appeared to be ineligible for the Medicaid claims payments that were made on their behalf during the fiscal year. The Department indicated that the remaining 1,280 beneficiaries without an SSN in Colorado interChange did not have an SSN in CBMS at the time of the claim but had an SSN ?at some point? during Fiscal Year 2019 or prior within CBMS. Since the individuals lacked an SSN within Colorado interChange at the time of the Fiscal Year 2019 claims payments, and based on the documentation provided by the Department, we were unable to determine whether the individuals had submitted an SSN at the time of application or upon another event as required and, therefore, whether they were eligible for the Medicaid services they received. Overall, for the 1,590 beneficiaries noted, we identified known questioned costs of $2,285,757 for the period of July 1, 2018, through March 31, 2019; $1,142,879 of these costs were paid with federal grant funds. For the 1,280 beneficiaries noted, we identified likely questioned costs of $2,255,163 for the period of July 1, 2018, through March 31, 2019. We further analyzed 49 of the 1,590 beneficiaries noted above to identify reasons for missing SSNs and found that: ? Beneficiaries in CBMS were not eligible; however, they were marked as ?eligible? within Colorado interChange. ? Beneficiaries were incorrectly enrolled in the Eligible Needy Newborn Program even though they were all over the age of 1; as a result, although the Department had not required them to provide an SSN, they continued to receive benefits during July 1, 2018, through March 31, 2019. ? Beneficiaries were exempted from obtaining an SSN for unallowable reasons including ?incomplete documents? and ?illness? categories, and CBMS processed their eligibility and Colorado interChange made payments on their behalf; however, neither federal nor state regulations allow such exemptions. The Department has indicated that they are performing additional research on the issues regarding the 1,280 beneficiaries that had an SSN ?at some point? during Fiscal Year 2019 or prior within CBMS. WHY DID THESE PROBLEMS OCCUR? For 1,280 beneficiaries identified who were missing an SSN in Colorado interChange and CBMS at the time of the claim, but had an SSN ?at some point? within CBMS during Fiscal Year 2019 or prior, the Department provided the following possible explanation: The SSN was removed due to caseworkers failing to contact the OIT Service Desk for proper approval for changes to SSN information in CBMS. Other problems with missing SSNs were related to: ? CBMS ISSUES. CBMS was not programmed to appropriately deny an applicant?s eligibility for Medicaid when the individual did not have an SSN in CBMS and did not have an allowed exception noted in CBMS. Rather, CBMS allowed the SSN field to be left blank, regardless of the reason noted for the missing SSN and whether the reason was allowed as an exemption by federal and state regulations. In addition, the SSN in CBMS could be deleted at any time by the caseworker or the OIT Service Desk and CBMS was not programmed to alert the caseworker to follow up if an SSN had been deleted from the file. ? SYSTEM INTERFACE ISSUES AND LACK OF A RECONCILIATION PROCESS. CBMS was not interfacing with Colorado interChange appropriately to update beneficiaries? eligibility information. Some beneficiaries who were deemed ?ineligible? for Medicaid in CBMS were listed as ?eligible? in Colorado interChange and payments were made on their behalf during the fiscal year. Furthermore, the Department lacked an effective internal control process for reconciling Medicaid beneficiaries? eligibility information in CBMS to the eligibility information in Colorado interChange to ensure that the information was consistent in both systems, and that the beneficiary was appropriately deemed either ?eligible? or ?ineligible? in accordance with federal and state regulations. ? LACK OF EFFECTIVE REVIEWS, TRAINING, AND MONITORING. The Department was not effectively monitoring and training Medicaid local county and MA site caseworkers on required approvals for any changes to beneficiaries? SSNs. Further, the Department did not have an effective review process to ensure that beneficiaries were enrolled in the correct Medicaid program. WHY DO THESE PROBLEMS MATTER? As the state Medicaid agency, it is essential for the Department to ensure that Medicaid eligibility determinations are made appropriately and in accordance with state and federal regulations. This includes ensuring accurate processing of information used to determine Medicaid eligibility results in Medicaid benefits being provided to and paid on behalf of only eligible individuals. Since CBMS and Colorado interChange determine eligibility and issue payments on behalf of other federal programs, such as the CBHP, these issues could result in erroneous eligibility determinations or payments for other programs. Ultimately, the federal government may disallow federal funds for Medicaid program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2019-043 The Department of Health Care Policy and Financing should improve its internal controls over Medicaid eligibility by: A Researching and, if feasible, instituting a mechanism for identifying Medicaid cases in the Colorado Benefits Management System (CBMS) that lack a Social Security Number. B Researching and resolving CBMS and Colorado interChange interface issues to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries and establishing an effective reconciliation process between CBMS and Colorado interChange to ensure that Medicaid beneficiaries? eligibility information is consistent in both systems. C Effectively training and monitoring local counties and Medical Assistance sites to ensure that caseworkers are obtaining and documenting the Office of Information Technology Service Desk?s approval for changes to beneficiaries? Social Security Numbers, and that beneficiaries are enrolled in the correct Medicaid program. D Researching the cases identified in our audit to determine whether these beneficiaries were eligible and that the payments made on their behalf were appropriate, in accordance with federal and state regulations. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The CBMS currently has functionality in place for members requesting Medical Assistance that they must supply a Social Security Number (SSN) unless they meet certain acceptable exceptions at initial application. Since CBMS is a shared system between the Department and the Department of Human Services and any change would impact all cases in CBMS, the Department cannot guarantee that a system change can be implemented. The Department can agrees to research on the feasibility of instituting a mechanism for identifying Medicaid cases in CBMS that lack a social security number and, if feasible, implement a CBMS change by July 2022. B AGREE. IMPLEMENTATION DATE: JULY 2021. The Department agrees to research and resolve Colorado Benefits Management System (CBMS), and Colorado interChange system interface issues identified in the audit. The Department implemented a system change in June of 2018 that allows retroactive changes in eligibility to be correctly synced between the systems. The majority of the impacted cases are historical cases that will be manually corrected by June 2020. Additional cases involve detailed research, review, and potential outreach to case workers to correct the case file or verify the eligibility status of the impacted members. The Department will take the appropriate actions to notify impacted members if necessary. The Department's implementation date reflects that the Department will be in compliance with the Recommendation for the entirety of FY 2021-22. C AGREE. IMPLEMENTATION DATE: JULY 2021. The Department provides training to counties and Medical Assistance sites that beneficiaries applying for Medical Assistance must supply a Social Security Number (SSN) or supply verification that they have applied for an SSN, unless they meet certain acceptable exceptions. This information has been communicated to the counties since 2004 and is part of our ongoing training materials. The Department cannot agree to establish any additional review process at this time. The Department can agree to work with counties and Medical Assistance sites to identify any additional training related to missing SSN and implement additional training by July 2021. D DISAGREE. The Department disagrees with the Total Known Questioned Costs of $2,285,757 identified in the audit report since Department cannot verify the results. The Department is still attempting to reconcile various reports to understand the finding identified through this audit. CBMS currently has functionality in place for members requesting Medical Assistance that they must supply a Social Security Number (SSN), unless they meet certain acceptable exceptions at initial application. The Department does not have the resources to research the thousands of cases that the auditor identified through data mining techniques, a new methodology for the first time this year. If the auditor is changing methodologies, the Department requires additional resources and timely notice to request resources through the budget process. AUDITOR?S ADDENDUM: The beneficiaries identified through our testing were required by Medicaid regulations to provide an SSN at the time of application or upon another event, as applicable, and the SSN is documented in CBMS and uploaded to Colorado interChange [State regulations 10 CCR 2505-10, 8.100.3.I.1 and 8.100.4.B.1.a and 8.100.4.G.7.a]. Because the noted beneficiaries lacked an SSN within Colorado interChange at the time claims payments were made on their behalf, we questioned the beneficiaries? eligibility. The Department is responsible for ensuring that only individuals who are appropriately deemed eligible for Medicaid receive benefits. Therefore, it is the Department?s responsibility to identify and remove ineligible individuals from the Medicaid program and to prevent the inappropriate payment of claims on their behalf. In addition, generally accepted government auditing standards (GAGAS) (paragraph 3.18), require that ?In all matters relating to the GAGAS engagement, auditors and audit organizations must be independent from an audited entity.? Additionally, paragraph 3.42 states that ?Examples of circumstances that create undue influence threats for an auditor?include (b) [e]xternal interference with the selection or application of engagement procedures or in the selection of transactions to be examined.? Therefore, it is imperative that our decisions related to audit approaches and testing methods be made without department influence or persuasion.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-047 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-034 MEDICAID CONTROLS OVER ELIGIBILITY DETERMINATIONS Individuals and families seeking medical benefits through Medicaid must apply and provide certain information to caseworkers at their local county or an MA site, which collects required documentation for determining the applicants? eligibility. Such documentation includes the applicants? birth certificates, support for income, and the value of resources, such as wage stubs and bank account balances. Caseworkers enter the applicant-provided data into CBMS, which contains system checks for determining the applicants? eligibility to receive Medicaid benefits. These system checks include calculating and verifying income and resources for the applicants, as well as assessing and collecting fees for benefits, such as buy-in premiums. For example, CBMS will mark an applicant?s eligibility as fail if the reported income or resources exceed specific limits that are set by federal and state regulations. The Department is responsible for monitoring the local counties? and MA sites? administration of Medicaid to ensure eligibility is determined in accordance with federal and state regulations. Medicaid applicants may be eligible for retroactive eligibility, which allows new Medicaid applicants to receive coverage for up to 3 months prior to the date of one?s application. As long as the individual meets Medicaid?s eligibility requirements in the 3 months preceding their application, the Department will retroactively pay Medicaid covered expenses that individuals incurred during that timeframe. Without retroactive eligibility, benefits for Medicaid eligible individuals begin on the date the application was received by the local county or MA site. As an example, if an individual has medical expenses in March, applies for Medicaid in June, and the individual has met the eligibility requirements for 3 months preceding their application, then any unpaid Medicaid covered expenses for March, April, and May are paid by Medicaid. Eligibility data from CBMS feeds into the Colorado interChange system (Colorado interChange), which issues payments to Medicaid providers for the services they render to Medicaid beneficiaries. The Department pays Medicaid providers through two methods: (1) directly through fee-for-service (FFS) payments for specific services rendered or (2) indirectly through monthly fixed amounts known as capitation payments that are paid to managed care entities, who contract with providers for services. The monthly capitation payments are paid every month on behalf of beneficiaries regardless of whether the beneficiaries receive medical services during the month. Colorado interChange is programmed to pay the FFS and monthly capitation payments only on behalf of beneficiaries deemed eligible in Colorado interChange based on eligibility information received from CBMS and requirements specified in federal and state rules and regulations. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to review the Department?s internal controls over the Medicaid eligibility determination process, as well as to determine whether the Department complied with applicable federal and state Medicaid eligibility requirements during Fiscal Year 2020. We performed testing on a statistical sample of 125 case files related to beneficiaries who (1) were deemed eligible for Medicaid during Fiscal Year 2020 and (2) had a payment made on their behalf to a Medicaid provider between July 1, 2019, and February 29, 2020. The purpose of our testing was to determine whether the beneficiaries were appropriately determined to be eligible for Medicaid during the time they received services within this period. This audit period was selected to accommodate changes that were made to federal Medicaid eligibility requirements in March 2020 due to the COVID-19 PHE. Our testing involved reviewing Medicaid case files, CBMS data fields, and supporting documentation related to eligibility determinations and redeterminations, as well as Medicaid payment information in Colorado interChange. For each beneficiary, we determined whether the Department ensured that local county and MA site caseworkers obtained and maintained required documents supporting eligibility determinations and redeterminations, and correctly entered eligibility data into CBMS. Additionally, for each sampled beneficiary, we determined whether CBMS showed the correct income and resources, the beneficiary was enrolled in the appropriate Medicaid program, buy-in premiums were assessed, and payments were not made after eligibility had ended during Fiscal Year 2020. We also inquired about the Department?s monitoring procedures over local counties and MA sites to ensure eligibility is determined in accordance with federal and state regulations. Additionally, we reviewed the Department?s progress in implementing our Fiscal Year 2019 audit recommendation related to Medicaid eligibility. Based on the results of that audit, we recommended that the Department strengthen its internal controls over Medicaid by providing adequate training, monitoring the local counties and MA sites, and researching and resolving CBMS system issues identified in our Fiscal Year 2019 audit. STATISTICAL SAMPLING METHODOLOGY We selected a statistical sample of Medicaid beneficiaries for our review of their case files in a manner that?if we found errors?would allow us to estimate the total number of beneficiaries who were improperly deemed eligible, as well as the resulting dollar amount of Medicaid benefit payments that were improperly paid during the audit period of July 1, 2019, through February 29, 2020. We designed our sampling methodology and sample size to support statistical projections of our testing results to the population of all beneficiaries for whom payments were made during the audit period. Our methodology included the following procedures: ? We requested and received from the Department a listing of all Medicaid FFS and capitation payments with a date of service during the audit period. The data set included State identification numbers (ID), which are unique to each beneficiary. ? We summarized all Medicaid payments made during the audit period by ID and removed any IDs for which total payments and adjustments netted to $0, which can happen when the Department catches and fixes payments made in error. This resulted in a population of 1,386,220 unique IDs that had a total of $5,408,339,948 in payments made on their behalf during the audit period. ? We used a stratified random sample, as shown in the following table, consisting of six strata defined by the total amount of payments for each unique ID. We selected random samples from each strata for a total of 125 IDs that had benefit payments totaling $3,127,704. The strata and sample sizes were defined based on our risk assessment and consultations with audit sampling methodologists from the U.S. Department of Health and Human Services, Office of Inspector General (HHS OIG). ? For each sampled ID, we tested eligibility covering the dates of service for every payment made on the individual?s behalf within the audit period. ? After we concluded our testing, we used HHS OIG?s Office of Audit Services statistical software in consultation with HHS OIG to project our results to the full population of IDs for which benefits were paid during the audit period. See Schedule of Findings and Questioned Costs for chart/table. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? For 32 of the 125 Medicaid beneficiaries? case files that we tested (26 percent), we identified at least one error within each case file. In total, we identified 43 errors within the 32 case files. These errors resulted in a total of $25,120 in known questioned costs for July 1, 2019, through February 29, 2020, and $6,843 in likely questioned costs for March 1, 2020, through June 30, 2020, as shown in the following table. See Schedule of Findings and Questioned Costs for chart/table. A questioned cost, as defined in federal regulations [45 CFR 75.2 Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards (Uniform Guidance)], is ?a cost that is questioned by the auditor ? (1) Which resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds; [or] (2) Where the costs, at the time of the audit, are not supported by adequate documentation?.? Furthermore, federal regulation [45 CFR 75.516] defines known questioned costs as questioned costs that are specifically identified by the auditor and likely questioned costs as an auditor?s best estimate of total questioned costs. During the COVID-19 PHE, CMS issued waivers that limited the Department?s ability to deny eligibility for enrolled beneficiaries. The Department also sought guidance from CMS on the treatment of beneficiaries who were ineligible prior to the COVID-19 PHE but were receiving benefits during this period. CMS guidance indicated that the Department should keep these beneficiaries enrolled during the COVID-19 PHE. Therefore, we are reporting any identified questioned costs from March 1, 2020, through June 30, 2020, the period during the COVID-19 PHE, as likely questioned costs. PROJECTED LIKELY QUESTIONED COSTS FOR JULY 2019 THROUGH FEBRUARY 2020. Based on our sample, we estimate the projected Medicaid questioned costs resulting from payments made on behalf of ineligible beneficiaries in the population between July 1, 2019, and February 29, 2020, to be about $165.6 million and, with 90 percent confidence, to be at least $41.1 million but not more than $290.0 million. This projection is based on the $25,120 in known questioned costs, or misstatements, we identified in our sample during the audit period. The American Institute of Certified Public Accountants Audit Sampling, May 1, 2017, Audit Guide [AAG-SAM 4.95] advises, ?Even if the misstatement appears to be from an unusual source, that does not mean that other unusual items are not in the population and that the original sample was not representative.? In accordance with this guidance, we projected the known questioned costs to the population of payments for services that occurred from July 1, 2019, through February 29, 2020, regardless of the nature of the errors or the programs involved, since the Department is ultimately responsible for all payments made to providers on behalf of eligible beneficiaries. The projected questioned costs amount of $165.6 million is based on a statistical calculation that does not correlate to specific payments to providers or to over-expenditures of the State?s General Fund or federal funds. However, this calculation indicates that if we tested the entire population, there is a 90 percent likelihood of finding the true amount of questioned costs to be between $41.1 million and $290.0 million and the amount would most likely be close to $165.6 million in erroneous payments. There is a 5 percent chance that the true amount of questioned costs is less than $41.1 million, and a 5 percent chance the true amount is over $290.0 million. PROJECTED LIKELY NUMBER OF INELIGIBLE BENEFICIARIES FOR JULY 2019 THROUGH FEBRUARY 2020. We also estimate that 169,026 beneficiaries, or with 90 percent confidence that at least 59,622 (4.30 percent) but not more than 278,429 (20.09 percent) beneficiaries, in our total population of 1,386,220 were likely ineligible at the time they received services from July 1, 2019, through February 29, 2020. The following table summarizes the results of our projections. See Schedule of FIndings and Questioned Costs for chart/table. The following table summarizes the total known and likely questioned costs based on our case file testing and statistical sampling results for Fiscal Year 2020. See Schedule of Findings and Questioned Costs for chart/table. DETAILS OF ERRORS IDENTIFIED. In some case files, we identified multiple instances of errors. Specifically, we found the following: ? PAYMENTS AFTER ELIGIBILITY HAS ENDED. In three cases, the Department paid for services after the beneficiary?s eligibility had ended. Specifically, in two cases, the beneficiaries continued to receive benefits after their death. In the remaining case, the Department determined the beneficiary was ineligible and ended the beneficiary?s benefits; however, payments continued to be made on behalf of the beneficiary after their eligibility had ended. These issues resulted in known questioned costs of $11,102. Federal regulation [42 CFR 433.304] states that an overpayment is the amount paid by a state agency to a provider in excess of the allowable amount for furnished services. Because medically necessary services cannot be provided after a beneficiary?s death, no medical services are allowable after a beneficiary?s death. Accordingly, payments for medical services claimed to have been provided after a Medicaid beneficiary?s death are overpayments. According to federal regulation [42 CFR 431.958], ?Improper payment means any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements; and includes any payment to an ineligible beneficiary, any duplicate payment, any payment for services not received, any payment incorrectly denied, and any payment that does not account for credits or applicable discounts.? ? INELIGIBLE FOR PROGRAM. In one case, the beneficiary was ineligible for the benefits received under Medicaid?s Social Security Income (SSI) mandatory program, which is a medical assistance program provided to persons eligible for financial assistance under SSI from the Social Security Administration (SSA). As a result of an eligibility redetermination, the caseworker determined that the beneficiary had not been eligible for the program since January 2019; however, the beneficiary received benefits under this program for the entire fiscal year. This issue resulted in known questioned costs of $8,326 and likely questioned costs of $4,132 for Fiscal Year 2020. State regulations [10 CCR 2505-10, 8.100.6.C.1a. and b.] state that Medicaid benefits must be provided to persons receiving financial assistance under SSI or persons who are eligible for financial assistance under SSI, but are not receiving SSI. ? INCOME ISSUES. We identified the following income-related issues: ? INCOME EXCEEDING THRESHOLD. In two cases, CBMS incorrectly calculated the beneficiaries? income. CBMS used income information reported by the beneficiary when it should have used electronic income information received through an interface with another system. If CBMS had correctly used the electronic income information, beneficiaries? income would have been over the limit set by federal regulation and the beneficiaries, therefore, should have been denied benefits at their redetermination. Instead, the beneficiaries were approved at their redeterminations and Colorado interChange paid claims on their behalf. These errors resulted in known questioned costs of $4,613 and likely questioned costs of $2,281. ? INCOME NOT VERIFIED. In one case, the caseworker did not verify income for the beneficiary. Specifically, the beneficiary reported income on the application, but the caseworker was unable to verify the income and deleted the income record from CBMS. This error resulted in known questioned costs of $779 and likely questioned costs of $280. ? INCORRECT INCOME THRESHOLD. In one case, CBMS used the incorrect income threshold for the beneficiary?s eligibility determination. The beneficiary?s income was less than the correct income threshold and, therefore, this error did not result in questioned costs. ? INCORRECT INCOME. In three cases, the caseworker used the incorrect income amount to determine eligibility. Specifically, in two cases, the caseworker excluded income when it should have been included for determining eligibility. In the remaining case, the caseworker did not include expenses to calculate self-employment income and, as a result, the caseworker overstated income for determining eligibility. No questioned costs were identified in these instances because the beneficiaries? income was still within federal and state income guidelines. Federal regulation [42 CFR 435.119] requires household income to be at or below 133 percent threshold of the federal poverty level and the State regulation [10 CCR 2505-10, 8.100.6.L.2.c] requires qualified beneficiary?s income to be at or below the federal property level. Federal regulation [42 CFR 435.914] requires the Department to obtain and maintain documentation to support each beneficiary?s Medicaid eligibility determination. State regulation [10 CCR 2505-10, 8.100.5.B.1.c] requires the caseworker to verify earned income in determining whether an individual qualifies for medical assistance and requires the Department to verify income reported by a beneficiary through an electronic data source, wage stubs, tax documents, or verification with the employer. State regulation [10 CCR 2505-10, 8.100.3.K.8.a] requires business expenses to be deducted from countable self-employment income when calculating Medicaid applicants? self-employment income. ? MISSING REDETERMINATION. In one case, the Department did not complete the annual redetermination for the beneficiary as required by the federal regulation. Specifically, the beneficiary had Medicaid payments paid on their behalf during the entire Fiscal Year 2020; however, the beneficiary had not been redetermined since April 2018 due to the beneficiary showing as ineligible in CBMS. This issue resulted in known questioned costs of $300 and likely questioned costs of $150. Federal regulation [42 CFR 435.916(a)] requires the Department to renew or redetermine Medicaid eligibility once every 12 months but no more frequently than once every 12 months. ? BUY-IN PREMIUMS NOT ASSESSED. In one case, the Department did not assess buy-in monthly premiums for the beneficiary. Beneficiaries are required to pay buy-in premiums to receive benefits under the Buy-in Working Adults with Disabilities program. Therefore, the beneficiary was not eligible for the Program during November 2019 through February 2020. The beneficiary did not have any claims submitted by providers during this time and therefore, this issue did not result in questioned costs. State regulations [10 CCR 2505-10, 8.100.6.P.1.f] require individuals to pay monthly premiums on a sliding scale based on income for the Buy-in Working Adults with Disabilities program to be eligible to receive benefits. ? INAPPROPRIATE CHANGE TO ELIGIBILITY. In two cases, the Department did not determine eligibility in accordance with state regulation. Specifically, the beneficiaries provided information to the Department that changed their eligibility and the caseworkers applied the change retroactively; these beneficiaries were current Medicaid beneficiaries rather than new applicants and state regulations do not allow eligibility to be changed retroactively for current beneficiaries. These issues did not result in questioned costs. State regulation [10 CCR 2505-10, 8.100.3.E] requires that retroactive eligibility only be provided to new applicants for the prior 3 months preceding the date of application. State regulations do not allow for retroactive redeterminations to existing beneficiaries.
Finding 2022-043 Medicaid Claims Payments Individuals and families apply for Medicaid at their local county departments of human/social services or at MA sites. Medicaid caseworkers make the determinations of participants? eligibility to receive Medicaid benefits through CBMS. Children in the State?s foster care program, whose information is documented in the TRAILS system, are automatically determined eligible for Medicaid benefits. The Medicaid eligibility data in CBMS and TRAILS feeds into Colorado interChange, which pays providers for the services that beneficiaries receive. CBMS and TRAILS interface with Colorado interChange on a daily basis to update eligibility information, such as a beneficiary?s eligibility status and/or termination of benefits in Colorado interChange. According to the Department, Colorado interChange is programmed to make only allowable Medicaid claims payments on behalf of eligible beneficiaries in accordance with federal and state Medicaid rules and regulations. Thus, Colorado interChange should stop paying Medicaid claims when a beneficiary is no longer eligible for Medicaid. On March 18, 2020, the Act was enacted. The Act provided a temporary increase in the federal share of Medicaid and CBHP assistance from January 1, 2020 until the end of the PHE. The Act also required that the Department maintain Medicaid and CBHP eligibility for beneficiaries enrolled as of March 1, 2020, through the end of the COVID-19 PHE, except for the required terminations noted within the CMS waivers, such as out-of-state residency, termination upon the beneficiary?s request, and death of the beneficiary. On March 26, 2020, CMS approved waivers for a number of Medicaid and CBHP requirements that resulted in, for example, the expansion of benefits to include all uninsured individuals; suspension of beneficiary deductibles, copayments, coinsurance, and other cost sharing charges and fees; coverage of COVID-19 vaccines and testing; and the suspension of the requirement for a provider to have a current license if their license expired during the COVID-19 PHE. In addition, the State implemented, with CMS? approval, Medicaid continuous enrollment as a condition of receiving the temporary increase in federal assistance. During continuous enrollment, beneficiaries could not be disenrolled due to changes in circumstances (i.e., changes in household composition, employment, income and resources) until the end of the COVID-19 PHE. On December 29, 2022 the CCA was enacted. Under the CCA, continuous enrollment and the temporary increase in federal assistance are no longer linked to the end of the COVID-19 PHE. The continuous enrollment condition will end on March 31, 2023 and the increase in federal assistance will start to gradually reduce in April 2023, fully ending in December 2023. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to review the Department?s progress in implementing our Fiscal Year 2019 audit recommendation related to its internal controls over Medicaid claims payments. During that audit, we recommended that the Department improve its Medicaid controls by researching and resolving CBMS, TRAILS, and Colorado interChange interface issues we identified during our audit to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries. We specifically identified a TRAILS and CBMS eligibility mismatch issue related to the daily interfaces between CBMS and Colorado interChange and between TRAILS and Colorado interChange. As a result, some individuals who were deemed ineligible for Medicaid in CBMS and TRAILS were indicated as eligible in Colorado interChange at the time of payments; therefore, Colorado interChange made payments on their behalf. The Department researched the specific errors we identified during the audit and manually corrected the eligibility status of those beneficiaries, but the Department had not fully researched the error or identified and corrected all of the cases affected by the errors at that time. As such, we also recommended that the Department identify and correct any additional cases affected by the system issues noted in our audit. The Department agreed with the recommendation and stated that it would implement them by July 2021. As part of our audit work, we discussed the Department?s progress in implementing our audit recommendation with Department staff. According to the Department, it worked with the Department of Human Services (DHS) during Fiscal Year 2022 to develop a plan to eliminate the issues, including the TRAILS eligibility mismatch issue, we identified in the Fiscal Year 2019 audit. In order to address our recommendation that the Department identify and correct any additional cases affected by the system issues noted during our Fiscal Year 2019 audit, the Department developed an eligibility reconciliation report that compares beneficiary records with an active eligibility span in Colorado interChange, in order to identify any records that were not reported in the monthly eligibility file from CBMS. Department staff reported that they are reviewing the reconciliation report monthly to identify any beneficiary records that need updating in CBMS. Beneficiaries may show up on the reconciliation report either because (1) Colorado interChange rejected the beneficiary?s eligibility due to a data integrity issue, or (2) there was a system defect in CBMS, Colorado interChange, or TRAILS that caused a mismatch issue. Data integrity issues include issues such as a missing mailing address or last name?these issues can be manually fixed in CBMS. System defect issues are generally more complex and require Department staff to research the problem and identify the system that caused the error (CBMS, Colorado interChange, or TRAILS), and then work with the appropriate staff to correct the issue. As part of our audit, we requested copies of the Department?s eligibility reconciliation reports for Fiscal Year 2022 and asked the Department if it identified any additional cases affected by the system issues we identified, and if so, if they had they corrected the issues. How were the results of the audit work measured? We measured the results of our audit against the following: ? Federal regulation [42 CFR 447.56(e)(2), Limitations on Premiums and Cost Sharing] states that federal funding will not be provided for payments made by the Department to providers for services rendered to individuals who are not eligible for Medicaid. ? The Act [Section 2, Division F, Sec. 6008, Temporary Increase of Medicaid FMAP] temporarily increased the federal medical assistance percentage (FMAP) by 6.2 percentage points, effective from January 1, 2020 until the end of the PHE. The Act requires states to maintain Medicaid and Children?s Health Insurance Program (CHIP) eligibility for beneficiaries enrolled as of March 1, 2020 through the end of the PHE (with certain exceptions) in order to receive the increased FMAP assistance (the ?continuous enrollment requirement?). The PHE remained in effect during the entirety of Fiscal Year 2022 through June 30, 2022. ? According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with the Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office, Paragraph 16.01, Perform Monitoring Activities, which states that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. What problems did the audit work identify? We determined that the Department did not fully implement our Fiscal Year 2019 recommendation related to Medicaid claims payments by the July 2021 due date it originally provided. Specifically, while the Department has started working with DHS on a plan to resolve the TRAILS eligibility mismatch issues and started preliminary work on the project, the project was still ongoing as of June 30, 2022. In addition, the Department?s system enhancements to CBMS and Colorado interChange were not fully executed because of the ongoing PHE. Once the PHE ends and the Department executes the system enhancements, the Department has indicated the system will begin to correct the CBMS and Colorado interChange mismatches. Finally, although the Department has identified additional beneficiary records that require updating in CBMS, it did not correct the identified issues in the system. Specifically, the Department identified approximately 32,800 separate beneficiaries that were flagged as having an eligibility issue through the Fiscal Year ending June 30, 2022. However, per Department staff, they are unable to tell which beneficiaries had data integrity issues versus those that were caused by a system defect. Once the continuous enrollment period ends and the Department is able to fully execute the system enhancements noted above, the Department reports that the systems will sync any error the Department has identified and will be manually corrected. Why did these problems occur? The Department indicated that it did not fully execute the CBMS and Colorado interChange system enhancements because of the Act?s ongoing continuous enrollment requirement. Specifically, because the Department was required to maintain Medicaid and CBHP beneficiaries enrolled as of March 1, 2020 through the entirety of Fiscal Year 2022 due to the continuous enrollment requirements in place, they were unable to fully execute the CBMS and Colorado interChange system enhancements that would fix the data integrity issues identified during the Fiscal Year 2019 audit. Why do these problems matter? Making payments to ineligible individuals can result in the Department having to repay the federal government for the federal portion of the overpayments. Further, because Colorado interChange makes payments on behalf of other federal programs, such as CBHP, system issues with Colorado interChange could result in erroneous payments for other programs. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-043 The Department of Health Care Policy and Financing should strengthen its internal controls over Medicaid claim payments by: A. Continuing to work with the Department of Human Services to fully implement the plan to eliminate the Colorado interChange issues between Colorado Benefits Management System (CBMS), TRAILS, and Colorado interChange to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries. B. Continuing to review the monthly eligibility reconciliation reports and identifying beneficiary records that need updating, and making necessary corrections in CBMS once the continuous enrollment condition ends. Response Department of Health Care Policy and Financing A. Partially Agree Implementation Date: April 2023 The Department and CBMS teams have strengthened their internal controls to ensure payments are only made to providers for eligible members. The Department and CBMS teams will update all member records identified on the Monthly Reconciliation report once the Public Health Emergency ends. TRAILS team has provided additional training to the Case Managers to prevent data integrity issues being submitted to CBMS and interChange; however, the TRAILS team does not plan to update the system's internal controls until funding is available. Auditor?s Addendum Our responsibility under federal audit regulations is to report to the federal government when we identify Medicaid payments that may not have been made on behalf of eligible individuals or costs that we question as appropriate. It is ultimately the Department?s responsibility to have internal controls in place over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions B. Agree Implementation Date: April 2023 The Department agrees to review the monthly eligibility reconciliation report and is looking forward to resolving the member records once the Public Health Emergency ends to fully resolve the audit finding.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-041 Medicaid Eligibility?Social Security Numbers associated with Multiple State IDs Each beneficiary?s Medicaid application must contain specific information, including the beneficiary?s Social Security Number (SSN), a copy of their birth certificate, and support for their income, necessary for determining their Medicaid eligibility. The local counties and MA sites are responsible for administering the benefits application process, including entering the required data for eligibility determination into CBMS, and approving or denying applicants? eligibility. CBMS is a shared eligibility system between the Department and the Department of Human Services. As each beneficiary has one SSN, similarly, the State Identification Module (SIDMOD), which is managed by the Office of Information Technology (OIT), is designed to assign a unique State ID for each beneficiary. CBMS interfaces with Colorado interChange, the Department?s Medicaid claims payment system, on a daily basis to update eligibility information, such as a beneficiary?s eligibility status or termination of benefits in Colorado interChange. Colorado interChange uses this information to process and pay claims for services provided to eligible Medicaid beneficiaries. When a medical provider submits a claim to the Department, Colorado interChange checks the State ID and the date of birth, but not the SSN, submitted with the claim against the beneficiary?s information on file. If the State ID and the date of birth match an eligible beneficiary within Colorado interChange and the claim is otherwise appropriate, then the claim will be processed and paid through the system. The Department requires local counties or MA site caseworkers to call the OIT Service Desk to obtain approval for changing or updating an SSN in CBMS. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department made claims payments on behalf of beneficiaries with the same SSN but different State IDs, including assessing the Department?s progress in implementing our Fiscal Year 2019 recommendation related to this issue. At that time, we recommended that the Department improve its internal controls in this area to ensure that it complies with federal regulations regarding Medicaid eligibility. The Department agreed with the Fiscal Year 2019 recommendation and, during our Fiscal Year 2021 audit, reported that it had implemented this recommendation as of December 2020. As part of our testing, we reviewed the internal controls the Department had in place during Fiscal Year 2021 to identify any beneficiaries whose SSN is linked to more than one State ID in Colorado interChange. During our audit, we requested a list of all Medicaid claims that were submitted by providers and paid by the Department from December 1, 2020, through June 30, 2021, including the beneficiaries? names, SSNs, and State IDs. The Department provided a list that included approximately 924,000 beneficiaries who received benefits during that period. We analyzed this listing to identify any beneficiaries whose SSN was linked to more than one State ID, and to determine if any claims payments were made on behalf of those beneficiaries from December 2020 through June 2021. How were the results of the audit work measured? Federal regulation [42 CFR 435.910] states that the Department must require, as a condition of eligibility, that each individual (including children) seeking Medicaid services furnish a SSN. Federal regulation [42 CFR 435.914] further requires the Department to obtain and maintain documentation to support each beneficiary?s Medicaid eligibility determination. Federal regulation [42 CFR 447.56(e)(2)] states that federal funding will not be provided for payments made by the Department to providers for services provided on behalf of individuals who are not eligible for Medicaid. Further, the Department is required by federal regulations to repay the federal government the federal share of any overpayments within one year. Specifically, pursuant to 1903(d)(2)(C) of the Social Security Act [42 U.S.S. 1396b], states have up to one year from the date of discovery of the overpayment to recover or attempt to recover the overpayment before the federal share must be refunded to CMS regardless of whether recovery is made from the provider. According to federal regulation [45 CFR 75.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office. Under Paragraph 16.01 of the Green Book, the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. What problem did the audit work identify? We determined that the Department has not fully implemented the prior audit recommendation. During our testing, we identified 102 unique SSNs that appeared to be inappropriately associated with more than one State ID; in total, the 102 SSNs were tied to 209 State IDs. This could indicate that the Department determined eligibility without a beneficiary furnishing the correct SSN and, as a result, made claims payments on behalf of ineligible beneficiaries or the SSNs could be valid, but with more than one State ID, a provider could submit and have a claim paid for the same services under both State IDs. Specifically, we found the following: ? For 62 SSNs, the SSNs were tied to beneficiaries with more than one State ID, totaling 129 different State IDs, where the State IDs appeared to be for different people based on the names and/or dates of birth. ? For 40 SSNs, the SSNs were tied to beneficiaries with more than one State ID, totaling 80 different State IDs, where the State IDs had the same name and date of birth. ? For 99 SSNs, each SSN was tied to two different State IDs in Colorado interChange. ? For three SSNs, each SSN was tied to more than two different State IDs in Colorado interChange. For example, in one of the three instances, there were five different State IDs associated with one invalid SSN. These issues affected a total of 209 Medicaid State IDs that had not been corrected as of June 2021, representing a total of $67,235 Medicaid claims paid through Colorado interChange from December 2020 through June 2021. We provided the list of SSNs and State IDs to the Department to research. The Department found that, as of the end of our audit in April 2022, 59 out of the 102 SSNs identified during the audit had been corrected by a caseworker, but 43 SSNs need to be corrected in CBMS. The Department reported that these 43 SSNs had been flagged through a system edit in CBMS implemented in December 2020; however, the SSNs had not yet been corrected because ?To merge or correct [the SSNs and State IDs] is a time intensive process and must be prioritized within the business process of the [local counties and] Medical Assistance sites.? Although the Department was able to determine which SSN and State ID discrepancies had been corrected in CBMS as of April 2022, the Department has not completed its research to determine which claims made in Colorado interChange were made on behalf of beneficiaries with a correct SSN, and whether the implemented system edit appropriately addresses the issues identified in both Fiscal Years 2019 and 2021. As of the end of the audit, the Department had not completed this research and we were unable to determine whether the payments were made on behalf of beneficiaries with a valid SSN at the time payments were made. Therefore, we consider all $67,235 of the payments to be known questioned costs; $37,786 of these costs were paid with federal grant funds. A questioned cost, as defined in federal regulations [45 CFR 75.2 Uniform Administrative Requirements, Cost Principles, and Audit Requirements] (Uniform Guidance), is ?a cost that is questioned by the auditor ? (1) Which resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds; [or] (2) Where the costs, at the time of the audit, are not supported by adequate documentation?.? We have identified these questioned costs as known questioned costs that are further defined in Uniform Guidance [45 CFR 75.516] as questioned costs that are specifically identified by the auditor. Why did this problem occur? The Department did not have adequate internal controls in place during Fiscal Year 2021 to prevent or detect all instances of multiple State IDs associated with the same SSN in Colorado interChange and, as a result, could not ensure only eligible beneficiaries received Medicaid services. SIDMOD does not prevent several situations that can result in the same SSN with more than one State ID. For example, caseworkers could incorrectly input an SSN into CBMS or the SSN could be reported by the beneficiary incorrectly and, as a result, cause a new State ID to be created. There can also be instances when someone changes their name, such as when they get married, and apply for benefits prior to getting married and also after getting married, which could cause two State IDs to be created. If someone starts an application and does not finish the application and then restarts a new application at a later date, this can also cause two State IDs to be created. Further, when inputting multiple family members into the system, an input error of the SSN can occur with multiple family members with the same SSN, which would create multiple State IDs (one for each family member) with the same SSN. According to the Department, in order to implement the Fiscal Year 2019 recommendation, it implemented a system edit in CBMS in December 2020 that is designed to identify discrepancies in newly-entered or updated SSNs and State IDs in CBMS after that date and to then notify the caseworker so the caseworker can address the discrepancy; this edit was not designed to address SSN and State ID discrepancies that existed prior to December 2020. As a result, the system edit did not identify SSN and State ID discrepancies for claims made from December 2020 to June 2021 if those discrepancies existed prior to the implementation of the system edit in CBMS and the beneficiaries? information had not been updated in CBMS. For example, if a beneficiary had an incorrect SSN prior to the system edit and was, therefore, ineligible to receive Medicaid services, Colorado interChange would continue paying claims on behalf of the beneficiary until information was updated in CBMS and the beneficiary was determined to be ineligible for Medicaid. Because the system edit implemented in CBMS is only designed to detect and correct future SSN and State ID discrepancies, the Department has not fully addressed the issue of inappropriate claims payments that we identified in the prior audit recommendation. According to the Department, addressing SSN and State ID discrepancies that existed prior to December 2020 involves a manual process to identify, research, and resolve the discrepancies. The Department stated that a report to identify SSNs with multiple State IDs is being developed and is currently scheduled for deployment in June 2023. Furthermore, the Department has not established a monitoring process over caseworkers to ensure SSN and State ID discrepancies are addressed appropriately and in a timely manner. Why does this problem matter? Failing to institute appropriate controls over the processing of Medicaid eligibility can result in the counties and MA sites granting Medicaid benefits to ineligible individuals. As the state Medicaid agency, it is essential for the Department to ensure that Medicaid benefits are paid only for eligible beneficiaries. This includes ensuring that the Department has sufficient internal controls to address risks related to multiple State IDs associated with the same SSN. For example, without adequate controls in place to prevent multiple State IDs from being created, providers could erroneously or fraudulently submit duplicate claims under these State IDs for the same services, resulting in improper payments. Ultimately, the federal government may disallow federal funds for Medicaid program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. Recommendation 2021-041 See Schedule of Findings and Questioned Costs for chart/table The Department of Health Care Policy and Financing (Department) should improve its internal controls over Medicaid eligibility by: A. Researching the claims payments that were identified during our audit to determine whether the local counties or Medical Assistance sites had a valid Social Security Number (SSN) when determining eligibility, if payments were appropriate?in accordance with federal regulation at the time the payments were made?and recovering any payments made to providers on behalf of ineligible beneficiaries in accordance with federal regulations. B. Continuing to develop a report to identify SSNs associated with multiple State IDs and establishing and implementing written policies and procedures outlining how the Department will use the report to effectively monitor and correct SSN and State ID discrepancies. C. Implementing a process to monitor that caseworkers are addressing the Colorado Benefits Management System alerts related to SSN and State ID discrepancies appropriately and in a timely manner. Response Department of Health Care Policy and Financing A. Disagree The research required to identify the appropriateness of payments for 102 SSNs compared to the 1.6 million Coloradans the Department serves is administratively impractical and not an efficient use of limited state resources. Instead the Department will continue our existing proactive approach. Based on previous research, 92% of errors noted in the 2019 sample actually supplied a SSN or met exceptions criteria; therefore, payments were appropriate. The resolution of a SSN discrepancy is addressed through manual intervention by county eligibility technicians when identified through the system edit implemented in December 2020. The Department will continue the existing process to address duplicate SSNs, which is working since 58% of the SSNs had already been corrected through the existing process during the audit work. The Department could not agree to the questioned costs as the testing failed to determine which member case was incorrect. The OSA should have documented the incorrect case or identified which State IDs had not been merged through the existing process. The OSA pulled claims data (not Colorado Benefits Management System, or CBMS, cases) and did not identify if those claims were from newly entered cases or cases entered prior to December 2020. The auditor?s sample should have only included the cases impacted by the Department?s system change related to the original recommendation. Further, the Department cannot recover any payments from providers since this issue is not related to services provided. When a provider checks a member's eligibility on the day of service and finds the member eligible through the Department?s system, that provider is guaranteed payment if they render an authorized service. Auditor?s Addendum Our responsibility under federal audit regulations is to report to the federal government when we identify Medicaid payments that may not have been made on behalf of eligible individuals or that we ?question? as appropriate. It is ultimately the Department?s responsibility to perform research over questioned costs to determine whether the payments were or were not appropriate and, working with CMS, whether the Department must refund the federal share of any overpayments to CMS, regardless of whether the Department recovers the payments from the providers. B. Agree Implementation Date: June 2023 The Department will continue our existing proactive approach to minimize this issue. The resolution of a SSN discrepancy is addressed through manual intervention by county eligibility technicians when identified through the system edit implemented in December 2020. The Department will continue the existing process to address duplicate SSNs. The Department has already made significant progress to monitor CBMS through the use of CBMS monitoring dashboards. These dashboards allow the Department to monitor and perform daily analysis. The Department meets bi-weekly to discuss findings and next steps to resolve any issues identified through the dashboard. These dashboards are being implemented over time as areas of improvements are identified. As part of the Department's continual improvement strategy, SSN discrepancy reports are included in the next implementation phase of the monitoring dashboards scheduled for June 2023. The Department will develop and implement policies and procedures outlining how the report will be used to effectively monitor and correct SSN and State ID discrepancies. Once that work is complete, the Department will send updated written guidance to our county and medical assistance sites on how to use system edits, reports, and dashboards to resolve duplicate SSNs. C. Agree Implementation Date: June 2023 The Department will continue our existing proactive approach to minimize this issue. The resolution of a SSN discrepancy is addressed through manual intervention by county eligibility technicians when identified through the system edit implemented in December 2020. The Department will continue the existing process to address duplicate SSNs. The Department has already made significant progress to monitor CBMS through the use of CBMS monitoring dashboards. These dashboards allow the Department to monitor and perform daily analysis. The Department meets bi-weekly to discuss findings and next steps to resolve any issues identified through the dashboard. These dashboards are being implemented over time as areas of improvements are identified. As part of the Department's continual improvement strategy, SSN discrepancy reports are included in the next implementation phase of the monitoring dashboards scheduled for June 2023. Once that work is complete, the Department will send updated written guidance to our county and medical assistance sites on how to use system edits, reports, and dashboards to resolve duplicate SSNs appropriately and in a timely manner.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-042 Medical Loss Ratio Reporting for Managed Care Entities The Department contracts with Managed Care Entities (MCEs) to provide managed care health plans and deliver health care services to eligible Medicaid and CBHP beneficiaries and pays MCEs monthly fixed amounts, known as capitation payments, based on rates determined by actuaries for the provision of services covered under the contract. The Department pays the MCEs monthly capitation payments on behalf of each Medicaid and CBHP beneficiary enrolled in the MCE?s plan. MCEs then coordinate services for the eligible Medicaid and CBHP beneficiaries and providers participating in the managed care system bill the MCEs directly for any medical services provided to Medicaid and CBHP beneficiaries. The MCEs are then responsible for paying the providers for the Medicaid and CBHP claims. The Department contracts with three different types of MCEs?Managed Care Organizations (MCO), Prepaid Inpatient Health Plans (PIHP), and Primary Care Case Management (PCCM) Entities. During Fiscal Year 2021, the Department had a total of 8 contracts with 10 MCEs, with two pairs of MCEs sharing a single contract with the Department. The Department is responsible for monitoring the MCEs to ensure they are complying with federal regulations and their contract provisions, including requirements that the MCEs annually submit Medical Loss Ratio (MLR) reports to the Department. The MLR is the proportion of state and federal Medicaid and CBHP funds that the MCE used for medical services compared to the funds used for its administrative costs. MCEs are required by both federal regulations and their Department contract provisions to have an MLR above 85 percent (i.e., an MCE?s administrative costs cannot exceed 15 percent) except for specific exceptions defined in federal regulations. If the MLR is below 85 percent, the MCE must pay back the state and federal government for the amount that caused the MCE to fall below 85 percent. Every fiscal year, the Department provides an MLR reporting template for the MCEs to complete and return to the Department. The Department reported that when it receives the completed templates, staff review the information provided by the MCEs and compare it to supporting documentation to ensure it is accurate and complete. Once the Department has reviewed the MLR reports submitted by the MCEs, the Department submits the MLR reports to CMS, which are due by June 30 of the year following the end of the MLR reporting year. For example, an MCE with a reporting year ending June 30, 2020, would be required to submit the MLR calculation to CMS by June 30, 2021. During Fiscal Year 2021, the Department reported that it paid approximately $1.4 billion in Medicaid and CBHP capitation payments to MCEs for medical services, not including the capitation payments for other services, such as administrative costs. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to review the Department?s internal controls and compliance over ensuring that MLR reports submitted to CMS by the Department include all the required information in accordance with federal regulations during Fiscal Year 2021. The audit work included making inquiries of Department staff regarding the Department?s documented policies and procedures over obtaining and reviewing MLR reports from each MCE. In addition, we requested and reviewed all MLR reports submitted to the Department by the 10 MCEs that were under contract with the Department in Fiscal Year 2021 to determine whether the MLR reports included all information required by federal regulations and were submitted within the required timeframes. How were the results of the audit work measured? Federal regulations [42 CFR 438.8(k)] require that the Department ensure each MCE under contract with the Department submits a report with the data elements specified in 42 CFR section 438.8(k)(1). The reports are specifically required to contain 13 required data elements, reflect the correct reporting years, and contain an attestation of accuracy regarding the calculation of the MLR. The 13 data elements include items such as total incurred claims, the methodology for allocating expenditures, the calculated MLR, and a comparison of the information reported in the MLR report to the MCE?s audited financial report. Federal regulations [42 CFR 438.8(g)] note that the method used to allocate expenses in the MLR calculation must be: ? Based on a generally accepted accounting method that is expected to yield the most accurate results; ? Any shared expenses must be apportioned pro rata to the contract incurring the expense; and ? Expenses that relate solely to the operation of a reporting entity must be borne solely by the reporting entity and are not to be apportioned to other entities. Federal regulations [42 CFR 438.8(k)(2)] require MCEs to submit the MLR report in a timeframe and manner determined by the Department, which must be within 12 months of the end of the MCE?s reporting year. The Department?s contract provisions for MCEs state that the MLR reporting year should align with the State?s fiscal year, beginning on July 1 and ending on June 30 of the subsequent calendar year. Contract provisions also state that each MCE shall submit to the Department the completed MLR calculation template and supporting documentation for each reporting year by the following January 15. For example, an MCE with a reporting year ending June 30, 2020, would be required to submit the MLR calculation template to the Department by January 15, 2021, and the Department would be required to submit the MLR calculation to CMS by June 30, 2021. What problems did the audit work identify? We reviewed all reports provided to the Department by the 10 MCEs during Fiscal Year 2021 (for the MLR reporting year ended June 30, 2020) and determined that none of the MLR reports submitted by the 10 MCEs to the Department contained all of the required data elements in Fiscal Year 2021. Specifically, the MLR reports were missing 2 of the 13 (15 percent) required data elements: the methodology for the MCEs? allocation of expenditures and a comparison of the information reported in the MLR report to the MCEs? audited financial reports. This omission is significant because the MCEs reported total medical expenditures ranging from $20.5 million to $208.4 million and earned revenue from $23.4 million to $219.1 million. In addition, we determined that 1 of the 10 MLR reports received in Fiscal Year 2021 (10 percent) had not been submitted to CMS as of April 2022. This report was due to CMS on June 30, 2021. Why did these problems occur? We found that the Department lacked adequate controls to ensure that MLR reports submitted by the MCEs fully complied with federal regulations. First, we noted that although the Department?s MCE contracts state the MCE?s MLR report should include all 13 federally required data elements, the MLR template the Department provided to the MCEs did not include specific sections addressing the two missing federally-required data elements. As a result, the MCEs did not submit this information. Furthermore, the Department did not have written policies and procedures for reviewing completed MLR reports to ensure the reports ultimately included those requirements. Second, the Department does not have an enforcement mechanism to ensure the MCEs provide corrected MLR report information in a timely manner. The Department reported that it had not submitted the one MLR report to CMS because it had open questions on the MLR report and was unable to verify that the information was correct, valid, and in compliance with federal regulations. Although the Department sent the MLR report back to the MCE for correction several times, the Department did not have sufficient controls in place to ensure the MCE ultimately provided the corrected report back to the Department within the required reporting timeline for CMS submission. Why do these problems matter? The Department is responsible for ensuring MLR reports are obtained and submitted to CMS in accordance with federal regulations and that MCEs have an MLR above 85 percent. While all 10 MCEs reported that their MLRs were above 85 percent for the reports submitted during Fiscal Year 2021, without providing all required data elements, neither the Department nor the federal government can validate that this percentage is accurate. By not including the methodology for the MCE?s allocation of expenditures, the Department, and ultimately CMS, are unable to confirm that each type of expense is being allocated correctly and that any shared expenses are being prorated appropriately. Additionally, by not including a comparison of the information reported in the MRL to the MCE?s audited financial report, the Department is unable to confirm that the information the MCE used to calculate their MLR is accurate. Overall, without effective internal controls in place, the Department risks providing MLR reports to CMS that contain inaccurate or incomplete information or that the MLR is below 85 percent and the Department does not catch the error. As a result, state and federal funds could be used disproportionately on administrative costs rather than medical services, which would negatively impact the quality of care Medicaid and CBHP beneficiaries receive. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-042 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls over Medical Loss Ratio (MLR) reporting by: A. Updating its MLR report template provided to Managed Care Entities (MCEs) to comply with federal regulations and developing and implementing written policies and procedures. These policies and procedures should include the requirement for MCEs to submit MLR reports that include the data elements required by federal regulations and specify the Department?s review process of those MLR reports to ensure they include accurate and complete information. B. Developing an enforcement mechanism to ensure it receives accurate and corrected information from the MCEs in a timely manner so the Department is able to complete its validation process of MLR reports and meet the June 30 deadline for report submission to the Centers for Medicare & Medicaid Services. Response Department of Health Care Policy and Financing A. Agree Implementation Date: December 2022 The MLR report template has been updated and will now be reviewed at least yearly by the Department. In addition, new written policies and procedures are being developed and will be implemented before the submission of the next MLR for review. B. Agree Implementation Date: January 2023 The Department will add contract language and enforcement mechanisms in order to receive accurate information in a timely manner. This includes specific timelines for correcting incomplete or inaccurate information in order to submit the MLR report timely to the Centers for Medicare & Medicaid Services.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-043 Managed Care Entities? Periodic Audit Reporting On November 9, 2020, CMS adopted a final rule (Final Rule) revising the regulations governing managed care programs. The Final Rule was meant to streamline the existing Medicaid and CBHP managed care regulatory framework. Further, it adopted procedures and standards to ensure accountability and strengthen program integrity safeguards. The Department is responsible for complying with these federal program integrity regulations, some of which include requirements to monitor MCE compliance submission requirements, conduct periodic audits of submitted MCE data, and then post the periodic audits publicly on the Department?s website. These periodic audits are done to determine the accuracy and completeness of the (1) encounter and, (2) financial data submitted by each MCE, which are described as follows: ? Encounter Data. The Department?s contracts with the MCEs require each MCE to submit Medical Encounter Claims (Encounter Data) to the Department. Encounter Data includes services provided by any of the MCE?s providers, including, but not limited to, services delivered by medical groups, practices, clinics, physicians, or any other providers. MCEs must submit Encounter Data on a monthly basis on the last business day of the month. The Department then contracts with an independent external quality review organization to review the information and supporting documentation, and then the external organization issues a report on the data submitted by each MCE. ? Financial Data. The Department?s contracts with the MCEs require each MCE to complete a Department-provided financial reporting template that contains a breakdown of the MCE?s administrative and medical costs for a 12-month period (July through June). These templates are required to be completed and submitted to the Department by January 15 each year. The Department performs an initial review of the information, and then sends the completed templates to an independent CPA firm for final review and issuance of a report on the data submitted by each MCE. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to review the Department?s internal controls over and compliance with federal program integrity requirements for MCEs during Fiscal Year 2021. The audit work included making inquiries of Department staff regarding the Department?s documented policies and procedures over the MCE periodic audits. For each MCE, we reviewed the Department?s MCE contract, the financial reporting template submitted during Fiscal Year 2021, and the report issued by the Department?s contracted independent organization. Lastly, we reviewed the Department?s website to determine whether the Department posted the periodic audit results on their website. How were the results of the audit work measured? Federal regulations [42 CFR 438.602] detail the Department?s responsibilities associated with MCE program integrity. These include the following: ? Federal regulation [42 CFR 602(e)] requires the Department to periodically conduct, or contract for the conduct of, an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by each MCE. ? Federal regulation [42 CFR 438.602(g)(4)] requires that the results of the periodic audits for each MCE be publicly posted on the Department?s website. The Department?s MCE contracts require all MCEs to submit Encounter Data electronically to the Department on a monthly basis. The Department?s MCE contracts also require all MCEs to submit annual financial information, including annual financial statements and the Department provided financial reporting template. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in the Green Book. Under Paragraph 16.01, the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. What problems did the audit work identify? Overall, we found that the Department did not obtain complete financial data from the MCEs during Fiscal Year 2021 and did not post the audited results of the financial data to the Department?s website. Specifically, we found the following: ? Financial Data Reporting Template. For 2 out of the 10 (20 percent) financial reporting templates we reviewed, the MCE did not fill out the reporting template completely. As a result, the reporting templates were missing supporting information and explanations that assist the Department in their initial review of the MCE financial data, such as the MCE?s methodology for calculating administrative and medical costs submitted with the reporting template. ? Posting Incomplete Periodic Audits to the Department?s Website. For 10 of the 10 (100 percent) MCEs, we found that the Department failed to post the results of the financial data audits to its website. Pursuant to federal regulations, the audits must include information on encounter and financial data for each MCE and be posted to the Department?s website. We were able to verify that the Department did, however, post the results of the encounter audits to its website for all 10 MCEs. Why did these problems occur? The Department lacked adequate controls over ensuring compliance with federal program integrity requirements for MCEs. Specifically, the Department did not have written policies and procedures for performing the initial review of the financial data reporting templates before they are sent to the CPA firm for final review. In addition, the Department did not have written policies and procedures for ensuring all periodic audit information is posted to its website, including the results of the financial data audits. Why do these problems matter? As a recipient of federal funds, the Department is ultimately responsible for ensuring that it is in compliance with federal regulations. By not confirming that the MCE financial data templates are complete, there is a risk that the reports issued by the contracted CPA firm could be inaccurate or incomplete, which could lead to the Department not properly monitoring the managed care program. In addition, by posting incomplete periodic audit information to its website, the Department risks failing to comply with federal program integrity requirements for MCEs. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-043 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls by developing and implementing written policies and procedures for periodic audits that detail the process for (1) performing the initial review of the financial data reporting templates submitted by Managed Care Entities, and (2) posting complete periodic audit results on the Department?s website in accordance with federal regulations. Response Department of Health Care Policy and Financing Agree Implementation Date: December 2022 The Department did not have strong enough controls for the initial checks on the financial data reporting templates. This process has been updated and will be rectified in coming cycles. The Department has modified its templates in order to address the concerns provided by the auditors including signatures and supplemental reporting. Written policies and procedures for the validation and audit of the templates are being developed currently and will be in place and effective in December 2022. The Department will be correcting this error by posting the audit results along with other quality and audit reports on the following site: https://hcpf.colorado.gov/quality-and-health-improvement-reports.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-045 Payments for Non-Emergent Medical Transportation ClaimsPrior to July 2020, in 55 counties, the Department worked with various county offices to have them broker Non-Emergent Medical Transportation (NEMT) services for Medicaid recipients, including rides to and from Medicaid medical appointments, personal mileage reimbursement, and trip-related meals and lodging. For example, these counties arranged the rides with transportation providers, submitted the claims or had providers submit claims for reimbursement to the Department, and passed on reimbursements to providers as needed. For the remaining nine counties, the Department contracted with IntelliRide to serve as the NEMT broker for services in those areas. From July 1, 2020, to August 31, 2021, when the Department contracted with IntelliRide to be the statewide broker, most recipients throughout the state scheduled NEMT rides by contacting IntelliRide through its call center, website chat function, or smartphone applications. IntelliRide scheduled rides and assigned transportation providers to them, and had providers upload trip information into IntelliRide?s EcoLane transportation scheduling system. EcoLane maintains information related to recipients? requests for rides and provider trip information, such as the trip date and time, names of the recipient and driver, and scheduled pick-up and destination addresses. IntelliRide submitted claims through the Department?s interChange system (interChange) requesting payments for providers? NEMT services, paid providers for their services, and received reimbursement from the Department. In addition, the Department paid NEMT claims submitted directly by NEMT providers. In Fiscal Year 2021, from July 1, 2020, through February 28, 2021 (the audit period), the Department paid 362,110 claims for NEMT services totaling about $33.2 million, as shown in the following table. In September 2021, the Department plans to transition back to IntelliRide brokering services in nine counties, while the NEMT providers in the remaining counties will broker their own services. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote What audit work was performed and how were the results measured? The purpose of the audit work was to determine whether the Department has ensured that NEMT claims adhere to the following federal and state requirements. ? NEMT trips were to be brokered through, and all claims submitted by, the statewide broker, Intelliride. According to state regulations and the Department?s NEMT Billing Manual, all NEMT trips during Fiscal Year 2021 had to be authorized by the statewide broker, IntelliRide [10 CCR 2505-10 8.014.7.A]. This means that each recipient?s NEMT ride request should have been sent to IntelliRide for approval or authorization before the trip, and any unauthorized trips should ?not be reimbursed or paid? [Billing Manual]. According to the Department, it allowed NEMT providers time to transition to working with IntelliRide because some providers were reluctant to join the statewide brokerage and the Department needed time to onboard providers. By Fall 2020, most providers should have been working with IntelliRide to schedule NEMT rides. The Department told us that six NEMT providers received its express permission to bypass IntelliRide to schedule rides and submit claims directly to the Department because the providers are unique, such as only serving recipients with disabilities or receiving federal grant funding to provide NEMT. To assess whether IntelliRide brokered most NEMT services in the State and submitted the related claims in line with regulations and its contract, we reviewed the Department?s aggregate data for the 128,998 NEMT claims paid from December 2020 through February 2021. ? The Department must pay claims based on accurate service rates and trip mileage. Non-taxi NEMT services, such as wheelchair and mobility vehicle services, have base rates and mileage rates set by the Department. IntelliRide tracks the mileage of each NEMT trip in EcoLane and submits mileage claims to the Department?s interChange system. The Public Utilities Commission (PUC) sets the rate for each permitted taxi provider, which generally includes a rate for the first trip mile and a different rate for each additional mile. According to the Department?s NEMT Billing Manual and NEMT Rate Schedule for Fiscal Year 2021, taxi claims should have been paid at the rate set by the PUC. For example, if a taxi company?s PUC rate was $4 for the first mile and $2 for each additional mile, the Department should have paid $6 for a two-mile NEMT trip claim. To verify that the Department paid NEMT claims based on the correct trip mileage and rates, we reviewed the trip mileage and rates for 362,110 NEMT claims paid from July 2020 through February 2021, and PUC documentation on the taxi rates for permitted taxi companies. ? Claims must be supported with accurate and complete documentation confirming the service provided. Both IntelliRide and providers that submit claims for NEMT services must keep and be able to furnish accurate, complete supporting documentation for all claims [42 USC 1396a(27), 42 CFR ?? 431.17 and 433.32, and 10 CCR 2505-10 8.014.3.C and 8.014.6.B]. For example, a claim must be supported by medical documentation showing that the type of vehicle was needed to transport the recipient, and documentation from the transportation provider showing the trip occurred and when the recipient was picked-up and dropped-off. IntelliRide should only submit a claim to the Department after IntelliRide confirms the trip has been completed and marks the status complete in EcoLane [IntelliRide Policies and Procedures]. If an NEMT provider does not show up for a trip, IntelliRide should mark the trip as ?cancelled? in EcoLane. Payments for Medicaid claims that lack supporting documentation for the services provided are unallowable, meaning they should not be paid. IntelliRide or the Department must maintain documentation from recipients? medical providers showing why certain NEMT services, like transportation in a wheelchair van or with an escort, are medically necessary [10 CCR 2505-10 8.014.7.B and 8.014.5.D.1; Billing Manual]. To verify that there was support for NEMT claims, we reviewed IntelliRide data in EcoLane for all 362,110 NEMT claims paid from July 2020 through February 2021, and Department documentation for a sample of 85 NEMT paid claims?75 selected randomly from the four NEMT service areas of the state, and 10 that were the highest paid NEMT claims. ? NEMT services must be medically necessary. NEMT services shall only be provided to recipients with no other means to attend medically necessary, non-emergency treatment covered by Medicaid [42 USC 1396a(70); 42 CFR 431.53; 10 CCR 2505-10 8.014.5.B]. To verify that NEMT claims were only paid for recipients to access medical care, we reviewed the Department?s data on paid medical claims to determine if the recipients related to 22 sampled NEMT claims paid in December 2020 had a corresponding medical appointment. For another 61 paid NEMT claims that involved IntelliRide scheduling and submitting claims for trips every day in December for two recipients, we reviewed whether the recipients had paid medical claims corresponding with the trips. ? Prior authorization is required for air ambulance. The Department must grant prior authorization for the use of an NEMT air ambulance before the trip occurs in order for the claim to be paid [10 CCR 2505-10 8.014.7.D.1.b]. To verify that the Department granted prior authorization for air ambulance trips, we reviewed the use of air ambulances in 11 paid claims from July 2020 to February 2021. ? Recipients are to receive the least-costly NEMT transportation option appropriate for their medical condition. For example, recipients should only ride in a vehicle for recipients with mobility needs when they have a mobility issue or if there is a lack of access to public transportation [10 CCR 2505-10 8.014.6.B, 42 USC 1396(a(70), and 42 CFR 440.170(a)(4)]. Higher-cost NEMT services, such as ambulance and wheelchair van services, must be supported with documentation of the recipient?s need for the specific higher-cost services [10 CCR 2505-10 8.014.5.B.1.b]. To determine whether recipients received the least costly NEMT services to meet their needs, we reviewed documentation submitted by medical or transportation providers to IntelliRide or the Department for the 85 sampled NEMT claims. ? Taxi providers must be permitted by the PUC to provide NEMT taxi rides. To provide NEMT rides by taxi and receive payment for them, the provider must maintain a common carrier permit issued by the PUC [10 CCR 2505-10 8.014.3.B.4.a]. To verify that the providers that were paid for taxi claims had been permitted to provide taxi services, we reviewed the 33,791 NEMT claims for taxi services from July 2020 to February 2021. What problems were identified? The Department paid $3.5 million directly to 66 NEMT providers for claims that were not brokered by Intelliride. From December 2020 through February 2021, 26,890 of the approximately 129,000 NEMT claims paid by the Department (21 percent), totaling about $3.5 million, were not brokered through IntelliRide, which violated state regulations requiring all NEMT services to be brokered through the statewide brokerage in effect at the time. The following chart shows the amounts the Department paid for claims submitted directly by NEMT providers compared to its payments for claims submitted by IntelliRide from July 2020 through February 2021. During these months, the number of claims that providers submitted directly to the Department decreased as providers transitioned to working with IntelliRide to broker NEMT rides; however, as of February 2021, the Department was still paying about $1 million in monthly claims that were submitted directly by providers. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote The Department paid 36,910 NEMT claims totaling $5.5 million, which either violated or may have violated federal and/or state regulations. The claims were for unallowable services or were overpaid, and resulted in $291,597 in known questioned costs and $5,180,962 in likely questioned costs for Medicaid. A questioned cost is a payment that ?resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds? or ?the costs, at the time of the audit, [that] are not supported by adequate documentation?? [2 CFR 200.84]. A known questioned cost reflects a violation that the auditor confirmed; a likely questioned cost is the auditor?s best estimate of a potential violation [2 CFR 200.516(a)(3)]. Known and likely questioned costs should be investigated by the Department and recovered, as appropriate, because Medicaid overpayments are recoverable regardless of whether they occurred due to an error by the Department, entity acting on behalf of the Department, or a provider [Section 25.5-4-301(2), C.R.S.]. We found the following problems resulting in $291,597 in known questioned costs: ? Claims paid with no support that services were provided. For 3,958 of the 362,110 NEMT claims (1 percent), which totaled $258,115 paid from July 2020 to February 2021, IntelliRide or providers submitted the claims without any documentation showing that recipients received the NEMT services from the providers listed in the claim. The $258,115 is known questioned costs and includes: o 3,323 claims totaling $163,985 submitted by IntelliRide with no documentation in EcoLane of a ride being scheduled or provided. o 619 claims totaling $61,431 submitted by IntelliRide for which EcoLane showed the scheduled ride was cancelled. o 16 sampled claims totaling $32,699 submitted by providers directly to the Department had no documentation that an NEMT service occurred because the providers did not send the Department documentation for their claims. Upon our request, the Department attempted to obtain supporting documentation from providers for these claims but was unable to obtain any. ? Overpayments due to incorrect mileage and taxi rates. For 466 of the 321,099 mileage and taxi claims (less than 1 percent), the Department overpaid IntelliRide. Specifically, for 50 of the 287,308 mileage claims (less than 1 percent), the mileage submitted by IntelliRide that the Department paid was more than the ride mileage that IntelliRide documented in EcoLane. For 416 of the 33,791 (1 percent) claims submitted by IntelliRide on behalf of providers that were permitted to operate as taxis, the Department paid a higher rate than the providers? set PUC rate. The following table breaks out the overpayments that we identified, which totaled $6,759 in known questioned costs. We did not find issues with the rate amounts that the Department paid for non-mileage and non-taxi services. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Examples of these overpayments include: o An overpayment of $48 for a claim submitted by IntelliRide for a taxi provider that billed the wrong taxi rate. The Department paid $60 for a 4-mile trip, when it should have paid $12 based on the PUC rate of $3 per mile. o An overpayment of $79 for a claim submitted by IntelliRide on behalf of a provider because the claim showed the trip was 76 miles, but the EcoLane data showed the trip was 38 miles. The Department paid $157, when it should have paid $78. ? Unallowable rides, not for medical appointments. For 61 claims showing NEMT trips every day in December 2020 for two recipients, there were no medical claims corresponding to their trips, so it appears that either NEMT was used repeatedly to transport these recipients to unallowable destinations or the provider did not provide the trips claimed. The NEMT provider reported to IntelliRide that these trips were completed even though the recipients did not attend any medical appointments that month. IntelliRide submitted the 61 NEMT claims and its EcoLane data showed that the NEMT providers self-reported that the trips were completed. However, IntelliRide confirmed that these trips were not used to access medical care. The issues we identified resulted in $2,674 of known questioned costs. ? Air ambulance claims paid without prior authorization. None of the 11 air ambulance NEMT claims had supporting documentation that the provider requested or received prior authorization from the Department before the trip occurred. These 11 claims to three providers resulted in $23,122 in known questioned costs. ? Claims paid for trips that were not the least costly, medically necessary, and/or for approved escorts. For seven of the 85 sampled claims (8 percent), IntelliRide submitted the claims without having required documentation from medical providers. Specifically, four claims lacked documentation to support the medical necessity for the type of vehicle used (either mobility vehicle, taxi, or wheelchair van); the other three claims lacked documentation of the recipient?s need for an escort to support the associated cost, which indicates that the three sampled NEMT trips were provided to an escort ineligible to ride with the recipient. The issues we identified for the seven claims resulted in $927 of known questioned costs. In addition, we found the following problems resulting in $5,180,962 in likely questioned costs, which are estimated potential violations of federal requirements that we could not confirm due to a lack of documentation: ? $4.8 million paid for taxi claims without mileage. For 29,049 taxi claims totaling $4,763,071, the Department paid the claims without ensuring taxi providers were paid at their PUC per-mile rate. These claims were submitted directly to the Department by 10 permitted taxi providers. The Department required providers to submit claims showing only the number of one-way trips driven, not the number of miles driven. As a result, the Department could not ensure that these taxi claims were paid at the correct PUC rates, as required in its Billing Manual and Rate Schedule. The Department paid the full amount that each taxi provider requested, as long as the claim was not more than $1,000 per one-way trip. For example, the Department paid $4,000 to one taxi provider for a claim showing four one-way trips for a recipient on a single day. Based on the claim amount, the taxi provider would have had to have driven the recipient on four 400-mile, one-way trips that day to justify this amount, because the taxi provider?s PUC rate is $4 for the first mile and $2.50 for each additional mile. Since the Department did not obtain the miles driven for each one-way trip from taxi providers for these 29,049 claims, we could not determine whether the payments were accurate based on each provider?s PUC rate, as required. ? $409,575 paid for taxi claims for providers not permitted as taxis. For 3,284 NEMT claims for taxi services from eight providers, the providers were not permitted by the PUC to operate as taxis. For example, one provider was paid for an NEMT taxi claim for $5,875 for 12 trips, or $490 per trip. Since these providers were not permitted as taxis, they did not have PUC-set taxi rates, so we could not determine how much these providers should have been paid. ? $4,718 paid for trips that may not have been to attend medical services. As of April 2021, 13 of the 22 sampled NEMT claims (59 percent) for trips in December 2020 had no medical claims for dates corresponding to the NEMT trips. Department staff told us that Medicaid medical claims are typically submitted and paid within 3 months of the date of service, but that there is a possibility that medical providers had not yet submitted medical claims for the recipients since federal regulations technically allow providers up to 12 months to submit claims [42 CFR 447.45(d)(1)]. In addition, six of these 13 recipients had both Medicaid and other types of medical insurance, such as Medicare. According to the Department, it is possible that the six recipients used NEMT trips to access medical services but the Department did not have a Medicaid claim for the services because they were paid by the other types of insurance, which is allowed by state regulations [10 CCR 2505-10 8.014.5.B.2]. Therefore, we could not determine whether the NEMT trips associated with the 13 claims had been for recipients to attend medical services. ? $3,598 paid for trips that may not have been completed. For 61 of the 362,110 paid claims (less than 1 percent), the scheduled trips were not marked as complete in EcoLane, so we could not determine whether they had been completed. Why did these problems occur? The Department lacks effective internal controls over NEMT claims to ensure they are appropriate and consistently comply with federal and state requirements. According to federal regulations [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls to provide reasonable assurance that federal funds are spent in compliance with federal requirements. We identified the following areas where Department controls are lacking for NEMT claims: Lack of Department information technology (IT) Controls in interChange ? No IT controls to prevent providers from bypassing broker. From December 2020 through February 2021, the Department paid NEMT providers directly for unsupported NEMT trips because the Department did not have IT controls in interChange to deny claims for trips that were not brokered through IntelliRide, as required at the time. As of September 1, 2021, the Department plans to require only the NEMT providers operating in nine metro-Denver counties to broker trips through IntelliRide, so the Department needs IT controls to ensure providers in these counties work with IntelliRide to schedule all trips and submit related claims. ? Lack of IT and other controls to ensure proper payments for NEMT taxi services. InterChange is programmed to pay each NEMT taxi claim based on one-way trips, but the Department has not implemented an IT or other control to ensure that NEMT taxi claims are paid at the providers? current PUC-approved per-mile rates, and that the Department only pays taxi rates when the provider is permitted by the PUC to operate as a taxi. Department staff stated that the only IT control the Department has built into interChange to help ensure proper payment of taxi claims is limiting payments for taxi claims to no more than $1,000 per one-way trip, and that this control is in accordance with the NEMT Billing Manual and Rate Schedule. However, Department staff also acknowledged that there is a conflict within the Billing Manual that requires taxi claims to be based on the number of one-way trips, but also paid based on per-mile PUC rates. By setting the limit based only on the number of one-way trips instead of providers? PUC per-mile rate, this Department IT control is not effective at ensuring taxi claims are paid properly. To ensure accurate payments for NEMT taxi claims, the Department will need methods, such as IT controls in interChange, and clarification in the Billing Manual and Rate Schedule, to ensure taxi providers are paid based on set rates, and ensure each taxi provider is permitted. ? No IT controls to ensure required prior authorizations. Air ambulance services were paid without the Department?s prior authorization for the services because the Department does not have IT controls to ensure prior authorization before payment. If the Department does not implement IT controls to ensure appropriate prior authorizations of NEMT services, the Department will need to develop manual processes to ensure that NEMT services receive required authorization prior to paying the related claims. Lack of Department Monitoring of NEMT Services and Claims ? Insufficient methods to ensure appropriate payment and collect necessary documentation from providers that bypass the statewide brokerage. Although the Department reviewed NEMT provider supporting documentation for NEMT services in 2019, the Department did not do so in 2020 or 2021, and had no process to require the providers that bypassed the statewide brokerage to submit documentation to support their NEMT claims before they were paid. According to the Department, in September 2021, it plans to require providers in nine counties covered by the IntelliRide brokerage contract to provide and submit claims through IntelliRide; however, NEMT providers in the remaining 55 counties will be submitting NEMT claims directly to the Department. Therefore, it is important that the Department develop a process to ensure that providers in these 55 counties maintain required documentation for each claim. ? Lack of monitoring to ensure Intelliride submits accurate mileage claims and collects necessary documentation. The Department does not conduct reviews of IntelliRide?s documentation in EcoLane to ensure it submits claims for accurate mileage and maintains support for claims submitted to or paid by the Department. For example, the Department does not reconcile its NEMT claims data from interChange and IntelliRide?s EcoLane system data to ensure each claim is supported. Furthermore, the Department has never completed a file review of IntelliRide?s supporting documentation for NEMT claims, such as when the Department contracted with IntelliRide to be a regional broker prior to becoming the statewide broker. ? No method to ensure NEMT service claims are for rides for medical treatment and the least costly. The Department does not conduct any reconciliation of its interChange data on NEMT trip claims to its interChange data on Medicaid medical claims to ensure NEMT claims are only paid for recipients to access medical care. The Department also does not require confirmation from medical providers that recipients used NEMT to access necessary medical care. For example, NEMT providers told us that before the start of the IntelliRide statewide brokerage contract, they either called medical providers to confirm that the recipients? NEMT trips were to access medical appointments or collected medical providers? signatures for each NEMT trip. In addition, the Department has no controls to ensure providers that submit claims directly to the Department are providing the least costly NEMT service appropriate to each recipient, such as public transportation when it is accessible and appropriate. For example, IntelliRide instructs its staff to attempt to schedule the lowest-cost NEMT service based on recipients? mobility needs and access to public transportation; however, the Department has no such method to ensure services are the least costly when NEMT providers schedule services for recipients. As of September 2021, the Department plans to have the recipients who live in the 55 counties not served by IntelliRide begin scheduling their rides directly with the NEMT providers of their choosing, yet the Department has not developed a method to ensure recipients in these areas receive the lowest-cost services appropriate for their needs. ? Potentially insufficient Department staffing to monitor NEMT claims effectively. For Fiscal Year 2021, the Department was appropriated three full-time equivalent (FTE) staff to oversee NEMT claims; however, the Department had two vacancies in these positions from July 2020 through May 2021 that it did not fill, so there was only one Department staff overseeing NEMT and the IntelliRide statewide contract during the audit time period. In June 2021, the Department added an additional FTE staff member to assist in administering the NEMT benefit. Why do these problems matter? Likely federal recovery of funds used for improper payments. Section 25.5-4-301(2), C.R.S., states that any overpayments of claims to providers are recoverable and ?are recoverable regardless of whether the overpayment is the result of an error by the state department? an entity acting on behalf of [the department], or the provider or any agent of the provider.? Our audit identified $291,597 in known questioned costs, of which about $145,797 is the federal portion of funds that the federal government may recover. We also identified $5,180,962 in likely questioned costs, of which $2,590,480 is the federal portion of funds that could be recovered if the payments are determined to have not been appropriate. The following table shows the questioned costs and federal portions for each problem we identified. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote When providers bypass broker controls, service quality is not monitored. When the Department allows some NEMT providers to bypass the IntelliRide broker, and does not obtain documentation to support their claims, the Department is unable to monitor the services of these providers. Additionally, when the Department does not monitor providers that bypass the statewide broker, the Department is applying different and possibly inadequate standards for the providers that bypass compared to the providers that work with IntelliRide. Although the Department plans for IntelliRide to no longer be the statewide NEMT broker for all 64 counties beginning September 2021, IntelliRide will continue to administer NEMT trips for nine Front Range counties that account for the majority of NEMT trips. It is important that all NEMT trips in these counties be brokered through IntelliRide so that the Department can monitor the quality of the trips and IntelliRide?s oversight of them. Risk of fraud, waste, and abuse. When the Department pays NEMT claims that are not supported by documentation of the service, medical documentation showing NEMT was for medical treatment, or the required prior authorizations, there is a significant risk of misappropriation of federal and state funds by providers and/or recipients. In addition, the eight providers not permitted as taxis that submitted taxi claims appear to have set their own rates of payment at a significantly higher rate, since the PUC did not permit or set rates for these providers. While we did not identify confirmed fraud by recipients or providers due to a lack of supporting documentation for claims, the problems identified demonstrate waste of public funds and potential abuse of the Medicaid program. When the Department overpays Medicaid funds and pays for unallowable services, there are fewer funds available to service the recipients who need them. In addition, there is no federal or state limit on payments for NEMT services, so it is important that the Department ensure Medicaid recipients receive appropriate transportation to medical treatment, while also ensuring the Department is acting as a good steward of federal and state funds. See Schedule of Findings and Questioned Costs for chart/table Character Limit Exceeded See Statewide Single Audit Report
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-056 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-044 PROVIDER ELIGIBILITY Medicaid and CBHP cover a variety of medical and related services, which are provided by provider types such as clinics and hospitals, managed care organizations such as health plans or independent physicians, as well as individual medical providers working within these entities or individually. As of June 30, 2019, the Department had enrolled approximately 71,000 entities and individuals for providing services under Medicaid and CBHP. The Department is ultimately responsible for determining if providers are eligible to participate in Medicaid and CBHP. However, the Department has contracted with a fiscal agent, currently DXC Technology Services, LLC (DXC), to act on its behalf in determining Medicaid and CBHP provider eligibility. A fiscal agent is a contractor that performs certain provider enrollment and claims processing activities, including accepting, processing, evaluating, and approving or rejecting applications. The fiscal agent also assesses the providers into one of three risk categories?limited, moderate, and high?to ensure that appropriate federal and state regulations are applied during the provider enrollment process. Providers that want to enroll must complete an application within Colorado interChange and provide documentation, including a current business and/or medical license, showing that they fulfill all enrollment requirements. Once the enrollment process is complete, the Department enters into agreements with the providers that are found to be eligible. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over Medicaid and CBHP provider eligibility and enrollment processing, and to determine whether the Department complied with federal Medicaid and CBHP provider eligibility requirements during Fiscal Year 2019. Additionally, the purpose of our work was to determine the Department?s progress in implementing our Fiscal Year 2017 and 2018 recommendations related to provider eligibility and enrollment. At that time, we recommended that the Department improve its controls over Medicaid and CBHP provider eligibility determination and enrollment to ensure that it complies with federal and state requirements related to data verification, documentation including current provider licenses, monitoring policies and procedures, appropriate indication of results of database matches, and consistent display of provider information within Colorado interChange. The Department agreed with our recommendations and stated that it would implement them by Fiscal Year 2019. We reviewed a sample of 25 Medicaid provider applications for individual, company, and managed care providers that were deemed eligible and received payments during Fiscal Year 2019 through Colorado interChange for services provided. We obtained and reviewed the provider application information entered into Colorado interChange, as well as the supporting documentation uploaded into Colorado interChange by providers, to determine whether these providers were accurately deemed eligible to receive Medicaid payments and whether the required documents were present in accordance with federal and state regulations. In addition, we conducted interviews with Department staff regarding its procedures over Medicaid provider eligibility and enrollment. We also obtained a detailed Suspension Listing from the Department of Regulatory Agencies, which contained health care provider business and medical licenses that were terminated during Fiscal Year 2019. We compared the Suspension Listing with provider information in Colorado interChange to determine if the Department made inappropriate claims payments to unlicensed providers during the fiscal year. Because CBHP is operated through Medicaid, and the processes followed for provider eligibility and enrollment for CBHP providers are the same as the processes for Medicaid providers, our testing looked at compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal and state Medicaid regulations for provider eligibility during Fiscal Year 2019. Specifically, although we did not identify enrollment issues with the Department?s processing of providers who were newly enrolled during Fiscal Year 2019, we found at least one issue related to ongoing eligibility with all 25 sampled providers we tested: ? DATABASE MATCHES AND DISPLAY OF PROVIDER INFORMATION. We identified the following database match functionality issues with 24 of 25 providers (96 percent) tested: ? For 23 of 25 providers (92 percent) that included individual, company, and managed care providers, Colorado interChange showed that the provider?s owners, agents, and managing employees? SSNs were not verified against federal databases, as required. Specifically, the SSN check box within Colorado interChange indicated ?N,? meaning ?No verification was performed with the database.? Additionally, for one of 25 providers (4 percent) that was a managed care organization, the organization was enrolled in Colorado interChange in April 2019 and showed that the SSNs had been verified, but SSNs for two individuals who worked under this provider that were listed on the application were shown as ?N? within the system. ? For eight of 25 providers (32 percent) that included companies, Colorado interChange showed that the providers? Federal Employee Identification Numbers (FEIN) were not verified against federal and state databases, as required. Specifically, the FEIN check box within Colorado interChange indicated ?N.? ? For 13 of 25 providers (52 percent), Colorado interChange did not present the data of owners, agents, and managing employees information consistently between various screens within Colorado interChange. For example, when a provider noted owners, agents, or managing employees on its application, that information was not reflected in Colorado interChange outside of the application screen even though there is a section in Colorado interChange that should list the owners? information. According to federal regulation [42 CFR 455.436] and requirements established by the ACA [Patient Protection and Affordable Care Act (2010), Section 6401(a)], the Department must check federal databases to confirm providers? identity and determine whether providers are excluded from participating in the Medicaid program; this verification must also occur, if applicable, against providers? owners, agents, and managing employees. For example, the Department must check the federal exclusion databases at least monthly to ensure that the providers, owners, agents, and managing employees are not excluded from participating in the Medicaid program. Colorado interChange is designed to display provider application information consistently between various screens within the system, such as name, SSN, FEIN, and/or National Provider Identification number (NPI), with various federal and/or state databases to identify potential errors and to flag the application for a required caseworker manual review. According to Department staff, when Colorado interChange successfully verifies provider-provided information against another state or federal database, Colorado interChange should separately mark each verified data field on the application to note the successful match. Conversely, if Colorado interChange does not match a given field against a database, it should also be identified in the system. As a result of these issues, we were unable to determine if Colorado interChange performed the required matches and if any discrepancies in provided information were identified and presented to DXC, the fiscal agent, for a manual review to verify eligibility, as required. ? DOCUMENTATION. The Department did not maintain sufficient documentation within Colorado interChange for the receipt date of the fingerprints from the provider, the collection of application fees, and site visits, as follows: ? For four of 25 providers (16 percent) tested, the Department?s fiscal agent failed to fill in the receipt date field within Colorado interChange to indicate when fingerprints were received from enrolling providers. After bringing this issue to the Department?s attention, the Department provided fingerprinting documentation in November 2019 to support that these providers submitted fingerprints within 30 days of Department request in accordance with federal regulation; however, that receipt date information had not been documented in Colorado interChange as of November 2019. ? For one of 25 providers (4 percent) tested, the provider was assessed as high risk but the provider?s file did not contain evidence that an application fee was collected or that the fiscal agent conducted a site visit, as required. Under federal requirements [Sub Regulatory Guidance for State Medicaid Agencies (SMA): Revalidation (2016-001(3))], the Department ?must be able to produce documentation to support each of the provider screening and enrollment requirements,? such as requirements for fiscal agent-conducted site visits of moderate and high risk providers during the enrollment and revalidation process. Federal regulation [42 CFR 455.432] states that the State Medicaid Agency or their fiscal agent must conduct pre- and post-enrollment site visits of providers who are deemed as moderate or high risk to the Medicaid program. The purpose of the site visits is to verify that the information submitted to the state Medicaid agency is accurate and to determine compliance with federal and state enrollment requirements. Additionally, the Department?s contract with DXC requires the fiscal agent to maintain detailed documentation and procedures for Medicaid provider enrollment. Federal regulation [42 CFR 455.434] requires that, for any provider assessed by the Department as high risk, the Department must obtain fingerprints from the provider, including fingerprints for any person(s) who has a 5 percent or more direct or indirect ownership interest in the provider and furnishes medical or pharmaceutical services or supplies. The provider must submit the fingerprints within 30 days, upon request by the Department. Federal regulation [42 CFR 455.460(a)] states that the Department must collect the applicable application fee prior to executing a provider agreement from a prospective or re-enrolling provider, with certain limited exceptions. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal control over its federal awards that provides reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Green Book Paragraph 16.01, Perform Monitoring Activities, which states that the Department ?should establish and operate monitoring activities to monitor [its] internal control system and evaluate the results.? Monitoring activities include reviewing reports, observing operations, and ensuring that activities are carried out in accordance with the federal grant agreement. ? INELIGIBLE PROVIDERS: Based on our review of the suspended license listing from the Department of Regulatory Agencies, we identified three providers that had their licenses suspended during part of Fiscal Year 2019 but continued to be shown as active in Colorado interChange, as follows: ? One provider had its license suspended between February 11, 2019, and March 27, 2019; however, during this timeframe, the provider continued to bill claims and receive payments from Colorado interChange. After we questioned the Department about the issue, the Department issued a demand for payment letter dated October 18, 2019, to the provider for $15,061 in payments that were inappropriately paid. We consider these $15,061 payments to be known questioned costs; $7,531 of these payments were made with federal grant funds. ? Two providers had suspended licenses as of September 21, 2018, and February 25, 2019, respectively, but showed as active in Colorado interChange through June 30, 2019, and therefore appeared eligible to bill claims and receive payments. Based on additional testing, we determined that no payments were made to these providers after their licenses were suspended and did not identify any questioned costs associated with these two providers. Federal regulation [42 CFR 455.412] requires that the Department must have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State and confirm that the provider?s license has not expired and that there are no current limitations on the provider?s license. This federal regulation requires the Department to verify that the providers meet required licensure standards initially, and it is best practice for the Department to verify that the providers meet these standards on an ongoing basis to ensure that there are no current limitations on the provider?s license. In addition, state regulation [10 CCR 2505-10 8.125.9, Verification of Provider Licenses] states, ?If a provider is required to possess a license or certification in order to provide services or supplies in the State of Colorado, then that provider must be so licensed as a condition of enrollment as a Medicaid provider. As a condition of enrollment, any required licenses must be active without any current limitations.? Under the federal regulation, Requirements for Estimating Improper Payments in Medicaid and CHIP [42 CFR 431.958], ?Improper payment means any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements; and payment means any payment to a provider, insurer, or managed care organization for a Medicaid or CHIP beneficiary?? WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls in place over provider eligibility and claims payment processes related to the monitoring of DXC, its fiscal agent, during Fiscal Year 2019 to ensure that it complied with federal and state regulations. Specifically, Colorado interChange required fixes that were in various stages of correction during Fiscal Year 2019. According to the Department, Colorado interChange required a system fix in December 2018 in order to properly mark and/or display results related to federal and state database checks going forward; however, the system fix did not completely resolve the display issues to accurately indicate whether the data matches had occurred, and the Department did not retroactively make corrections to any cases that erroneously indicated that their information had not been verified. Rather, the Department stated that the inconsistent display issue related to providers that enrolled in the program when Colorado interChange was initially implemented and that this will be addressed after these providers are revalidated in Fiscal Year 2020 or when a provider updates their information, whichever occurs first. Additionally, the Department indicated that Colorado interChange did not have an automated system alert to check with the Department of Regulatory Agencies? license database on a regular basis to notify the fiscal agent and/or the Department that a license had expired. Although the Department reported that they had an interim manual process to ensure that expired licenses were identified and that subsequent steps were taken to ensure that providers remained eligible throughout the fiscal year to provide Medicaid services, the manual process did not identify and/or address the instances that we identified through our audit. Finally, we noted that the Department lacked an effective monitoring process over DXC, its fiscal agent, to ensure that the required documentation was maintained in accordance with Uniform Guidance, as the monitoring policies and procedures referred to as Provider Enrollment Audit Process were still in the draft stage during Fiscal Year 2019 and had not been formalized. WHY DO THESE PROBLEMS MATTER? By not ensuring that appropriate internal controls, including system controls and monitoring, are in place over the Medicaid provider eligibility and enrollment processes, the Department cannot ensure that all Medicaid providers are eligible or qualified to participate in the program. Additionally, without instituting a process to regularly update provider licensure information and to ensure that provider information contained in Colorado interChange is consistent and accurate, the Department cannot ensure that the enrolled providers are appropriately screened and are eligible to receive payments. Ensuring that providers contained in Colorado interChange are qualified to provide services is especially important because Colorado interChange is also used for provider eligibility determination for CBHP. Overall, the State could risk losing federal Medicaid and CBHP funding if it allows non-qualified providers to bill and be paid for services provided for these programs. RECOMMENDATION 2019-046 The Department of Health Care Policy and Financing (Department) should improve its controls over Medicaid and Children?s Basic Health Plan (CBHP) program provider eligibility determination and enrollment to ensure that it complies with federal and state requirements by: A Working with its fiscal agent to ensure that Colorado interChange performs all required database matches and properly displays results of Social Security Number and Federal Employer Identification Number verifications for all providers. B Establishing an effective process to ensure that provider licensing information contained in Colorado interChange is current, that any expired licenses are identified, and that any ineligible providers are disallowed from providing Medicaid and CBHP services and receiving payments in accordance with Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). C Formalizing the Department?s monitoring policies and procedures called Provider Enrollment Audit Process over the fiscal agent to ensure required documentation is maintained in accordance with Uniform Guidance. D Ensuring that Colorado interChange displays provider information consistently throughout the system. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department is working with its Fiscal Agent to ensure all required database screenings are performed and clearly identified in the Colorado interChange. An issue was identified in a prior year, FY 2018-19, that not all screening information was consistent. There was also a concern that initial screenings might miss some individuals due to the way data was formatted when transferred from LexisNexis. The issue was resolved by the Fiscal Agent prior to FY 2019-20. The Fiscal Agent is continuing to conduct manual reviews of all screening results to ensure compliance. A separate process to screen providers monthly is executed by the Department's Program Integrity Section. Through this process, no providers were found to have been enrolled incorrectly and, as necessary, the Department took appropriate action if there were changes to a provider's information. The Department is working with its Fiscal Agent to properly display results of Social Security Number and Federal Employer Identification Number verifications for all providers and automate the review process. The Department's implementation date reflects that the Department will complete the improvements and be in compliance with the Recommendation for the entirety of FY 2022-23. B DISAGREE. The Department finds that the Colorado interChange is working as designed, that the Fiscal Agent is appropriately enrolling providers, and that the Department is in compliance with the federal regulations regarding enrolling and revalidating providers. The Department is compliant with 42 CFR ? 455.436, which requires providers to be screened at enrollment and revalidation. All providers are assessed for eligibility requirements at enrollment and revalidation and are then screened monthly to identify any changes. For the licensing issue identified in this audit report, the Department performed the appropriate actions to recover funds within less than a month of the incident, which is compliant with federal regulation 42 CFR ? 455.436(c)(2). AUDITOR?S ADDENDUM: As noted in the finding, we found issues with the Department?s ongoing verification and monitoring of providers? eligibility that failed to prevent improper payments to an ineligible provider during the fiscal year. In addition, the Department did not send notification to recover funds from the provider until October 2019, or 8 months after the provider?s license was suspended. C AGREE. IMPLEMENTATION DATE: JULY 2020. The Department finalized the Fiscal Agent monitoring policies and procedures in December 2019 and therefore was unable to be in full compliance for the entire FY 2019-20. The Department's implementation date reflects that the Department will be in compliance with the Recommendation for the entirety of FY 2020-21. D DISAGREE. There was an initial system configuration on some early enrollments that prevented populating the requested information in the visible provider subsystem tabs for the auditor to review. The verification functionality happens within the provider portal and not in the visible provider subsystem tabs that the auditor reviews. However, no functionality or data was lost, the information only appeared and was stored in the provider portal. The Department implemented a solution so that the information will be displayed in the provider subsystem. This change is pending the next update the providers make and the data will be visible in the provider subsystem. The Department will not be making historical changes to the system. The Department has worked with the Fiscal Agent to resolve the issues which led to the finding and does not believe that expending additional resources to display historical information in both the provider portal and the provider subsystem is the best use of resources. The Department can produce the information manually. AUDITOR?S ADDENDUM: The data inconsistency issues we identified through our audit were based on our reviews of Colorado interChange through the access provided to us by the Department. As noted in the finding, inconsistent information within the provider eligibility screens used for Medicaid and CBHP increases the risk of inaccurate reviews of provider eligibility and ultimately, inappropriate enrollment screening. Therefore, as our recommendation states, the Department should ensure that Colorado interChange displays provider information consistently. The recommendation did not include restatement of historical information.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-048 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-035 MEDICAL ASSISTANCE PAYMENTS FOR DECEASED BENEFICIARIES As a safeguard against potential errors and fraud, state and local agencies need to be vigilant in preventing payments for medical services on behalf of ineligible individuals, such as those who are deceased. In general, the Department, local counties, and MA sites share responsibility for ensuring that only eligible beneficiaries receive public assistance benefits under Medicaid and CBHP. Local counties and MA sites caseworkers enter the required data for eligibility determination into CBMS, which either approves or denies eligibility for MA benefits. In addition, CBMS has various system interfaces to confirm and update the eligibility information in CBMS, including the date of death. Eligibility data in CBMS feeds daily into Colorado interChange and the Department pays providers through two methods: (1) FFS payments to medical service providers for specific services, including pharmacy prescriptions, and (2) capitation payments. The monthly capitation payments are paid at the beginning of each month regardless of whether the providers serve beneficiaries during the month or not. FFS payments are only made for Medicaid beneficiaries while capitation payments are made for both Medicaid and CBHP beneficiaries. Colorado interChange is programmed to pay FFS and monthly capitation payments only on behalf of beneficiaries that are deemed eligible based on eligibility information received from CBMS and requirements specified in federal and state regulations. CBMS receives beneficiary death information through various sources, including updates from beneficiaries? family members, daily interfaces with the SSA, and a monthly interface with the Colorado Electronic Death Registration System maintained by the Colorado Department of Public Health and Environment (CDPHE). If death information received in CBMS has not been verified, the Department will confirm the death information by sending notification letters to the deceased beneficiary. Once the death information is verified, CBMS is programmed to terminate the beneficiary?s eligibility as of the date of death. On a daily basis, CBMS then sends updated beneficiary eligibility and date of death information to Colorado interChange, which is programmed to run a daily automated process to stop payments, check for payments, and recover all FFS and capitation payments made after the beneficiary?s verified date of death. In the majority of cases, there is a delay between when the beneficiary dies and when the Department receives death information, verifies the date of death, and terminates benefits; which means that claims may be paid on behalf of deceased beneficiaries for a period of time. Per federal regulations, the Department is required to recover any payments made on behalf of these beneficiaries after their date of death. Once the Department receives verified death information, overpayments are recovered through an automated process in Colorado interChange. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over Medicaid and CBHP payments related to beneficiaries who die while receiving benefits, to determine whether the Department complied with applicable federal and state requirements, and whether payments were only made on behalf of eligible beneficiaries during Fiscal Year 2020. During our audit, we received a listing of all Coloradans who died during Fiscal Year 2020, including dates of death, from CDPHE staff. We also obtained a listing from the Department of all Medicaid and CBHP payments made to providers during Fiscal Year 2020. We compared the two listings using Social Security Numbers (SSN) and identified 1,059 Medicaid and CBHP IDs that had Medicaid payments totaling $429,951 made on their behalf and $194 in CBHP payments made on their behalf. In addition, we reviewed the Department?s processes, policies, and procedures for identifying, stopping, and recovering payments for deceased beneficiaries. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? Federal regulation [42 CFR 431 Subpart Q, Requirements for Estimating Improper Payments in Medicaid and CHIP] states that any payment to an ineligible beneficiary is considered an improper payment, which is any payment that should not have been made or that was made in an incorrect amount. Also, Section 25.5-4-301(2), C.R.S., requirements for Medicaid and CBHP, states that any overpayments of claims to providers are recoverable. These overpayments ?are recoverable regardless of whether the overpayment is the result of an error by the state department, a county department of human or social services, an entity acting on behalf of either department, or by the provider or any agent of the provider.?? Additionally, Section 25.5-4-301(2)(a)(II), C.R.S., states, ?If the state department makes a determination that such overpayment has been made for some other reason than a false representation by the provider?, the state department may waive the recovery or adjustment of all or part of the overpayment and accrued interest specified in this subparagraph (II) if it would be inequitable, uncollectible or administratively impracticable?.? Because medically necessary services cannot be provided after a beneficiary?s death, no medical services are allowable after a beneficiary?s death and, accordingly, payments for medical services claimed to have been provided after a beneficiary?s death are overpayments and should be recovered. Pursuant to 1903(d)(2)(C) of the Social Security Act [42 U.S.C. 1396b] requirements for Medicaid and CBHP, states have up to 1 year from the date of discovery of any overpayment to recover or attempt to recover the overpayment before the federal share must be refunded to CMS, regardless of whether or not recovery is made from the provider. According to federal regulation [45 CFR 75.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. Green Book, Paragraph 16.01, states that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. A questioned cost, as defined in Uniform Guidance [45 CFR 75.2], is ?a cost that is questioned by the auditor ? (1) Which resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds; [or] (2) Where the costs, at the time of the audit, are not supported by adequate documentation?.? Additionally, federal regulation [45 CFR 75.516] defines known questioned costs as questioned costs that are specifically identified by the auditor and likely questioned costs as the auditor?s best estimate of total questioned costs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We found that the Department made Medicaid and CBHP payments to providers for medical services claimed to have been rendered to Medicaid and CBHP beneficiaries after the months in which beneficiaries died. Specifically, the Department made payments on behalf of 1,059 beneficiaries after their date of death provided by CDPHE, resulting in overpayments of $185,265, of which $96,952 were paid with federal grant funds, as follows: MEDICAID FFS PAYMENTS. We identified 277 Medicaid beneficiaries whose SSN matched a death record from CDPHE and who had Medicaid FFS payments totaling $207,667 paid on their behalf to providers after their date of death. We reviewed payments for 21 of the 277 Medicaid beneficiaries and confirmed with the Department that 17 of the 21 beneficiaries (81 percent) were deceased and had payments made on their behalf after their date of death during Fiscal Year 2020. We also found that the Department had not recovered these improper FFS payments to ineligible beneficiaries as of the end of Fiscal Year 2020 and, therefore, these errors resulted in known questioned costs of $17,041, of which $8,654 was paid with federal grant funds. For the remaining four Medicaid beneficiaries, the Department researched and provided evidence that the beneficiaries were not deceased. Therefore, these four beneficiaries did not result in questioned costs. The remaining 256 beneficiaries whose SSN matched a death record from CDPHE and need to be researched and verified resulted in likely questioned costs of $77,840, of which $41,422 was paid with federal grant funds. MEDICAID AND CBHP CAPITATION PAYMENTS. We identified 846 Medicaid and CBHP beneficiaries whose SSN matched a death record from CDPHE and who had capitation payments paid on their behalf to providers after their date of death that had not been recovered as of the end of Fiscal Year 2020, totaling $222,630 for Medicaid and $194 for CBHP. We informed the Department of the issues we identified and provided them with the list of 846 beneficiaries. Department staff performed additional follow-up and confirmed that Colorado interChange had received verified death records for 747 of the 846 beneficiaries and a total of $170,747 in provider payments had been made on the beneficiaries? behalf after their dates of death during Fiscal Year 2020. These payments resulted in known questioned costs of $168,224, of which $88,150 was paid with Medicaid federal grant funds and $148 was paid with CBHP federal grant funds. For 12 out of the 747 beneficiaries, the date of death reported in Colorado interChange differed from the date of death provided by CDPHE. Part of the payments to these beneficiaries resulted in likely questioned costs of $2,524, of which $1,401 was paid with Medicaid federal grant funds. For the remaining 99 of the 846 beneficiaries, the Department reported that Colorado interChange did not have death information for these beneficiaries and had not researched these further. As a result, Medicaid payments for these 99 beneficiaries are reported as likely questioned costs of $52,076, of which $28,508 was paid with federal grant funds. The following table summarizes the issues we identified. See Schedule of Findings and Questioned Costs for chart/table. WHY DID THESE PROBLEMS OCCUR? Overall, the Department lacked sufficient internal controls to ensure that medical assistance payments were not paid to deceased individuals during Fiscal Year 2020, as follows: ? LACK OF WRITTEN POLICIES AND PROCEDURES. The Department does not have written policies and procedures to monitor payments to deceased beneficiaries, to recover overpayments, and to ensure compliance with federal and state regulations related to medical assistance payments after a beneficiary?s date of death. ? SYSTEM ISSUES. We identified the following Colorado interChange system issues that caused the errors we identified: ? According to the Department, when Colorado interChange was implemented in 2017, it was programmed to only recover capitation payments in the current month and previous 2 months for Medicaid beneficiaries, and in the current month and previous 5 months for CBHP beneficiaries, after death information is received. As a result, for instances in which the Department received and verified beneficiaries? death information more than 3 months after the date of death for Medicaid and more than 6 months after the date of death for CBHP, the Department was not automatically recovering all improper capitation payments in accordance with federal and state regulations. According to the Department, in November 2020, the Department updated Colorado interChange to correct this system issue to recover all capitation payments after a beneficiary?s date of death. ? The Department lacks an effective internal control process for detecting when Colorado interChange is not recovering payments made on behalf of deceased beneficiaries. Specifically, we identified issues related to Medicaid FFS payments and followed up with the Department. Upon further review, the Department discovered a system defect that occurred from October 23, 2019, through April 23, 2020, which prevented Colorado interChange from carrying out the daily automated check and recovery process for FFS payments made on behalf of deceased beneficiaries. Due to this system defect, Colorado interChange did not recover any payments for deceased beneficiaries during this time. Although the system defect was fixed in April 2020, the Department was not aware of the issue and that payments were not being recovered for deceased beneficiaries until the Department researched the beneficiaries identified through the audit. According to the Department staff, as of May 2021, the Department was still researching the deceased beneficiaries impacted by the system defect and recovering payments. WHY DO THESE PROBLEMS MATTER? Without strong internal controls over Medicaid and CBHP eligibility, the Department increases the risk of improper payments due to fraud or error. Furthermore, making payments on behalf of ineligible individuals, including individuals who are deceased, can result in the Department having to repay the federal government for the federal portion of the overpayments. Additionally, the federal government can disallow federal funds for program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-035 The Department of Health Care Policy and Financing should improve its internal controls over Medicaid and Children?s Basic Health Plan (CBHP) payments for deceased beneficiaries by: A Establishing and implementing written policies and procedures to monitor payments to deceased beneficiaries, recover any overpayments, and to ensure compliance with state and federal regulations. B Researching and resolving the Colorado interChange system (Colorado interChange) issues to ensure that all Medicaid and CBHP payments are stopped and recovered after a beneficiary?s date of death and developing a process to detect when Colorado interChange is not recovering payments on behalf of deceased beneficiaries. C Researching and recovering any overpayments made to providers on behalf of ineligible beneficiaries noted through the audit in accordance with state requirements. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will create written procedures documenting system and monitoring processes used to prevent claims from paying after a beneficiary?s date-of-death is verified. In addition, the procedures will document the processes used to recover payments made between a beneficiary?s verified date-of-death and the date the Colorado interChange system is updated with the date-of-death. B AGREE. IMPLEMENTATION DATE: JULY 2022. The system issues described in this audit were resolved as of April 2020 for fee-for-service claims and November 2020 for capitation payments. Once a beneficiary's date-of-death is verified, payments that were made after to the date-of-death will be recovered through the Department's existing processes. As noted in the Department?s response to Recommendation (A), the Department will create written procedures documenting system and monitoring processes used to prevent claims from paying after a beneficiary?s date-of-death is verified. In addition, the procedures will document the processes used to recover payments made between a beneficiary?s verified date-of-death and the date the Colorado interChange system is updated with the date-of-death. AUDITOR?S ADDENDUM As noted in the finding, the Colorado interChange system defect did not recover payments from October 23, 2019, through April 23, 2020. However, the Department was not aware of the system defect until it researched the beneficiaries identified through the audit. According to Department staff, as of May 2021, the Department was still researching the beneficiaries that were impacted by the system defect and recovering payments. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will recover any overpayments made to providers on behalf of deceased beneficiaries once a beneficiary's date-of-death is verified based on our current processes and existing system functionality. The Department does not agree to the questioned costs identified by the auditors. When performing a review of the auditor?s data, several beneficiaries were found not to be deceased by the Department. The records provided by the auditors, like all records received from Colorado Department of Public Health and Environment (CDPHE) and the Social Security Administration (SSA), will go through the Department?s existing verification process. The Department performs the required research and outreach to beneficiaries to verify the date-of-death prior to updating the information in the Colorado interChange. In addition, the Department is not required to recover payments by the end of the state fiscal year, and reports any payments recovered to the Centers for Medicare and Medicaid Service (CMS) based on federal requirements. The Department?s source of beneficiary data, the verification processes, and recovery processes have already been established to satisfy this recommendation within federal guidelines. AUDITOR?S ADDENDUM As noted in the finding, all known questioned were for deceased beneficiaries that were verified by the Department. All likely questioned costs were for beneficiaries that had yet to be researched and verified by the Department. According to Department staff, as of May 2021, the Department was still researching and recovering payments made on behalf of deceased beneficiaries.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-050 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-037 RECOVERING AND REFUNDING OF FEDERAL SHARE OF MEDICAID AND CBHP PROVIDERS? OVERPAYMENTS The Department pays providers for services rendered to eligible beneficiaries of Medicaid and CBHP programs. In some cases, the Department may discover that it paid a provider for unallowed services, or that it paid more than the allowable amount, and will need to seek a recovery for the overpayment. In such cases, the Department is required to repay CMS for the portion of the overpayment that was funded by the federal government (federal share) within 1 year of the date the overpayment was identified. The Department?s Program Integrity (PI) Division identifies, receives, and tracks overpayments made to Medicaid and CBHP providers. An overpayment is identified once the PI Division sends a Demand Letter (date of discovery) to the provider or receives a self-disclosure identifying the amount of overpayment. The provider has a deadline of 30 days after receiving a Demand Letter or 60 days after submitting a self-disclosure to submit the overpayment or make arrangements for a payment plan with the PI Division. The PI Division uses a recovery tracking spreadsheet (Spreadsheet) to compile all necessary information for the recovery and refund of overpayments. The Spreadsheet is designed to contain information such as the amount of the overpayment, date of discovery, and deadlines for refunding to CMS. The federal share of overpayments that must be refunded to CMS depends upon the Federal Medical Assistance Percentage (FMAP) at which the Department was reimbursed. Once the PI Division recovers an overpayment from the provider, it determines the FMAP and includes it in a recovery form called the Colorado Authorization Document; PI Division staff then send it to the Controller?s Division for recording the recovery and refund information in the Colorado Operations Resource Engine (CORE), the State?s accounting system. The Department?s Controller?s Division uses summary data from CORE to report financial information for Medicaid and CBHP?including all overpayments and the associated federal share?to CMS in quarterly reports: Form CMS-64 for Medicaid and Form CMS-21 for CBHP. The Department has up to 1 year from the date of discovery of an overpayment to report the refund to CMS in one of these forms, as appropriate. The PI Division works with the Controller?s Division to ensure the timely reporting and refunding of the federal share of overpayments to CMS. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to review the Department?s internal controls over processes for recovering, reporting, and refunding the federal share of Medicaid and CBHP overpayments, as well as to determine whether the Department complied with applicable federal requirements and Department policies and procedures during Fiscal Year 2020. During our audit, we reviewed the Department?s Spreadsheet detailing all overpayment cases that appeared to be due for a refund of federal share to CMS during Fiscal Year 2020. The Spreadsheet included 50 Medicaid and seven CBHP overpayment cases, and from these, we selected and tested a sample of 13 Medicaid and five CBHP overpayments. We requested and reviewed supporting documentation for these overpayments to determine whether (1) the information recorded in the Spreadsheet was accurate, (2) the overpayment was recovered in a timely manner or recovery was attempted within 1 year from the date of discovery, and (3) the federal share was appropriately refunded through quarterly reports to CMS in accordance with federal regulations. Additionally, we requested the Department?s policies and procedures to ensure compliance with federal regulations governing the recovery, reporting, and refunding of Medicaid and CBHP overpayments to CMS. The process followed for recovery, reporting, and refunding the federal share of overpayments to providers is the same for both Medicaid and CBHP, and our testing was used to determine compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal regulations for recovering, reporting, and refunding the federal share of Medicaid and CBHP overpayments to providers during Fiscal Year 2020. We noted issues with the untimely recovery and refund of overpayments to CMS, inaccurate federal reporting to CMS, and untimely follow-up with the provider on outstanding overpayments and expired checks. Specifically, we identified the following: ? UNTIMELY RECOVERY AND REFUND. For six of the 13 Medicaid (46 percent) and two of five CBHP (40 percent) overpayments tested, the Department failed to recover, or seek to recover, the overpayments from the provider and failed to refund to CMS, the federal share, within 1 year of the date of discovery, as required by federal regulations. For example, an overpayment was identified on September 13, 2018, but the Department did not recover, or seek to recover, the overpayment until September 15, 2020, and did not refund the federal share to CMS until federal quarter ending September 30, 2020, which is 367 days past the 1 year recovery and refund period in accordance with the federal requirement. In addition, for one of the 13 Medicaid (8 percent) and one of five CBHP (20 percent) overpayments tested, the Department failed to refund the federal share of overpayment to CMS within 1 year of the date of discovery. As a result of untimely follow-up with the providers, the Department did not recover the overpayments amounting to $23,646 in known questioned costs; and did not refund $12,176 within the 1 year period of discovery. These errors resulted in underreporting of overpayments to CMS for Fiscal Year 2020. Additionally, the Department could be liable to CMS for the interest payments on these untimely refunds of overpayments. As of the end of our audit, the Department had not provided an estimated amount of interest that will be due to CMS so we were unable to report an estimated questioned costs amount for the interest. According to federal regulation [42 CFR 433.312(a)(1) and (2)], the Department has 1 year from the date of discovery of an overpayment to a provider to recover or seek to recover the overpayment before the Federal share must be refunded to CMS. In addition, the Department must refund the Federal share of overpayments at the end of the 1-year period following the date discovery of overpayment, whether or not the State has recovered the overpayment from the provider. According to federal regulation [42 CFR 433.320(a)(4)], if the Department does not refund the Federal share of such overpayment as indicated in the previous paragraph (a)(2), the State will be liable for interest on the amount equal to the Federal share of the non-recovered, non-refunded overpayment amount. Interest during this period will be at the Current Value of Funds Rate, and will accrue beginning on the day after the end of the 1-year period following discovery until the last day of the quarter for which the State submits a CMS-64 report refunding the Federal share of the overpayment. ? INACCURATE FEDERAL REPORTING. For all 13 Medicaid (100 percent) and all five CBHP (100 percent) overpayments we tested, the Controller?s Division reported the federal share of the overpayments made to providers on the wrong line of the CMS quarterly reports rather than on the line specified and required by Uniform Guidance. Uniform Guidance states that the Department must report the refund of the overpayment on CMS-64 for Medicaid on line 9C1- Fraud, Waste and Abuse and/or on CMS-21 for CBHP on line 4-Adjustments Decreasing Claims-Collections. ? EXPIRED CHECK AND UNTIMELY FOLLOW-UP. For one of the 13 Medicaid overpayments tested (8 percent), the PI Division failed to timely process the overpayment recovery check received from the provider. Consequently, the check, which was received on September 5, 2019, expired and the Department did not take any actions to follow up with the provider at any time through the end of the fiscal year to obtain payment. After we brought this issue to the Department?s attention, they followed up on the outstanding payment in January 2021, which is more than 16 months since the check expired. According to the Department?s Policies and Procedures, Recovery Officer Check Processing, Section (V)(A), the PI Division within Audits and Compliance has to process the received check in a timely manner and provide a copy to the accounting or Controller Division. ? INCOMPLETE TRACKING SPREADSHEET. We found that the overpayment recovery and refund tracking Spreadsheet used by the PI Division was incomplete and missing important information such as the date of the discovery, the federal program reimbursement rate, and deadlines for refunding to CMS. Green Book, Section 4, Paragraph OV4.08, states that documentation is required for the effective design, implementation, and operating effectiveness of an entity?s internal control system. WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls, including policies and procedures, in place over the recovery, reporting, and refunding of Medicaid and CBHP overpayments during Fiscal Year 2020 to ensure compliance with federal regulations. Specifically, we noted the following causes for the identified errors: ? LACK OF TRAINING. The staff within the PI Division and the Controller?s Division lacked adequate training to document, communicate, and report details of overpayments to ensure compliance with federal regulations. Specifically, the Department?s PI Division did not timely create and provide the Colorado Authorization Document form to the Controller?s Division and the Controller?s Division did not report the refund of the overpayments within 1 year of the date of discovery to ensure compliance with federal regulations. Additionally, staff lacked training to properly track and report overpayments for Medicaid and CBHP; timely process recovery and refund of overpayments, processing checks timely, and correctly report overpayments on CMS quarterly reports. ? LACK OF POLICIES AND PROCEDURES. The Department lacked written policies and procedures to ensure that all necessary information such as the date of the discovery, the federal program reimbursement rate, and deadlines for refunding to CMS required to track, recover, report, and refund overpayments were documented within the Spreadsheet. ? LACK OF ACCOUNT CODES. According to the Controller Division staff, the correct accounting codes are not set up in CORE; therefore, the recovered overpayments are currently recorded under incorrect accounting codes in CORE. This led to the reporting of overpayments on the incorrect federal reporting lines in CMS quarterly reports. ? LACK OF SUPERVISORY REVIEW. The PI Division and Controller?s Division lacked supervisory review over the Spreadsheet and CORE account codes used on the recoveries to ensure completeness and accuracy of information to support timely recovery, refund, and reporting of overpayments. WHY DO THESE PROBLEMS MATTER? Strong internal controls over refunding and recovery of Medicaid and CBHP overpayments, including written policies and procedures; adequate staff training on those policies and procedures, and any related processes; a proper tracking mechanism; and a supervisory review process are necessary to ensure that Department is in compliance with federal and state regulations. Without a proper tracking mechanism for overpayments, the Department risks failing to timely recover state funds paid improperly, refund overpayments, and accurately report overpayment information to the federal government, potentially resulting in additional liability of interest on overpayments to the federal government. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-037 The Department of Health Care Policy and Financing (Department) should improve its internal controls over Medicaid and Children?s Basic Health Plan (CBHP) overpayments and comply with the related payment and reporting requirements by: A Providing adequate training to staff to ensure timely documentation and communication of recovery information between the Program Integrity Division and the Controller Division related to reporting and refunding of overpayments within 1 year of the date of discovery in accordance with federal regulation. Additionally, the training should focus on proper tracking and reporting of overpayments for Medicaid and CBHP, timely processing of recovery of overpayments, timely check processing, and correct refunding of the federal share of these overpayments on Centers for Medicare and Medicaid Services (CMS) quarterly reports. B Developing and implementing written policies and procedures to ensure that all necessary information required to correctly track Medicaid and CBHP overpayments is included on the tracking spreadsheet and recovered overpayments are refunded and reported to CMS within the 1 year of the discovery date, in accordance with federal regulations. C Creating overpayment account codes to report recovered overpayments accurately in the Colorado Operations Resource Engine (CORE) and subsequently under the correct federal reporting lines in CMS quarterly reports. D Implementing a supervisory review over the tracking spreadsheet and CORE overpayment recovery account codes to ensure completeness and accuracy of information to support timely recovery and reporting of overpayments by the divisions. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will develop and provide training to staff that covers the federal regulations surrounding reporting overpayments and returning the federal share, required information for tracking overpayments, processes for processing recovered funds in a timely manner, and processes for properly refunding the federal share on the CMS-64 and/or CMS-21. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will draft and revise existing policies and procedures to ensure proper tracking of recovered overpayments, timely processing of those payments, and correct reporting on the CMS-64 and/or CMS-21. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will implement procedures and coding sufficient to allow proper reporting of overpayments returned greater than one year from the date of discovery for the CMS quarterly reports. D AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will develop and revise supervisory review processes for ensuring that the tracking spreadsheet is complete and accurate and that the CORE account codes are correctly reported.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2020-051 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-038 PRESUMPTIVE ELIGIBILITY Colorado?s presumptive eligibility program is designed to give immediate, temporary medical coverage to children under 19 and pregnant women while they wait for a regular Medicaid or CBHP eligibility determination. Though there are fewer eligibility requirements for presumptive eligibility in comparison with regular Medicaid or CBHP coverage, beneficiaries must submit a Medical Assistance application (Application) and meet certain criteria to be eligible. To manage the application process and help ensure that only people meeting the basic eligibility criteria are enrolled in presumptive eligibility programs for children and pregnant women, the Department partners with clinics, health care centers, and community resource centers that are certified as presumptive eligibility sites (PE sites). Such PE sites must be re-certified by the Department every 2 years to maintain their active status as qualified PE sites in order to process presumptive eligibility. As part of the re-certification process, the Department conducts a sample of eligibility case reviews. During Fiscal Year 2020, there were 57 PE sites that together determined presumptive eligibility for 1,795 Medicaid cases and 875 CBHP cases. The process of enrolling an applicant into a presumptive eligibility program begins when a caseworker at a PE site collects minimum information needed to determine presumptive eligibility, including the applicant?s name, age, residency, citizenship, and income. The caseworker enters this information into CBMS, which determines whether the applicant is eligible to receive Medicaid or CBHP temporary benefits. If the applicant is deemed presumptively eligible, then CBMS feeds relevant data to Colorado interChange, which issues payments to CBHP and Medicaid providers on behalf of these beneficiaries. If the applicant?s reported information is not in compliance with state and federal requirements, CBMS is programmed to deny the eligibility and mark the applicant?s eligibility as fail within CBMS. As a result, the applicant would not be eligible to receive any payments on their behalf through Colorado interChange. Once an applicant?s presumptive eligibility has been determined, the PE site submits the Application along with a transmittal form detailing the beneficiary?s reported information to the appropriate local county or designated MA site, which then completes the application process to determine regular (i.e., not presumptive) eligibility for Medicaid or CBHP benefits. Once the applicant is enrolled in the regular Medicaid or CBHP program, the individual?s presumptive eligibility benefits should end. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to review the Department?s internal controls over the processing of presumptive eligibility for Medicaid and CBHP programs, as well as to determine whether the Department complied with the applicable federal and state requirements for Fiscal Year 2020. During our internal controls testing, we reviewed all 57 PE sites to determine whether they were due for re-certification and were appropriately re-certified to process presumptive eligibility by the Department during the fiscal year. Out of 57 PE sites, 39 were due for re-certification during Fiscal Year 2020. We also reviewed the Department?s case reviews of the presumptive eligibility determinations processed by 13 staff at five out of the 39 PE sites due for re-certification during Fiscal Year 2020 to determine whether reviews were performed and if the appropriate training was provided for those PE sites? staff that failed the Department?s review. The PE site?s staff fails the Department?s case reviews if the Department identifies a high amount of presumptive eligibility determination errors in accordance with federal and state requirements. If the PE site?s staff fails the review, the Department requires the staff to undergo customized Department training over the areas they failed within 6 months of the review. We also made inquiries with Department staff regarding their policies and procedures over monitoring of these PE sites and reviewed the Department?s process of case file reviews. In addition, we randomly selected a sample of 20 Medicaid and 20 CBHP cases for individuals who were deemed presumptively eligible by the Department during Fiscal Year 2020 to determine whether the Department complied with federal Medicaid and CBHP presumptive eligibility requirements. Our testing included reviewing the related supporting case file documentation, as well as the CBMS data fields related to presumptive eligibility determinations and payment information in Colorado interChange. The process followed for presumptive eligibility determination is the same for both Medicaid and CBHP, and therefore our testing was used to determine compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal and state regulations regarding Medicaid and CBHP presumptive eligibility requirements during Fiscal Year 2020. We noted issues regarding the Department?s timeliness of PE sites? re-certifications, failure to timely end beneficiaries? presumptive eligibility, a lack of review of PE sites, and missing documentation. Additionally, we found CBMS system issues related to the determination of applicant?s presumptive eligibility. Specifically, we identified the following: ? UNTIMELY END OF PRESUMPTIVE ELIGIBILITY. In eight out of 20 Medicaid (40 percent) and seven out of 20 CBHP (35 percent) cases, we found that the Department did not properly end presumptive eligibility within CBMS as required by the federal regulation. For example, in one CBHP case, the beneficiary?s presumptive eligibility did not end until 57 days after the beneficiary was determined to be eligible for regular CBHP benefits. Federal regulation [42 CFR 435.1101)] states that presumptive eligibility should end the day on which a decision is made on the application for Medical Assistance or the last day of the month following the month in which the determination of presumptive eligibility was made. ? LAPSED CERTIFICATIONS OF PE SITES. We found that five of the 57 PE sites (9 percent) were not re-certified within 2 years, as required, during Fiscal Year 2020, and therefore, were not qualified to make presumptive eligibility determinations after their re-certification due date had passed. Based on inquiry with the Department, these five PE sites processed a total of 314 presumptive eligibility determinations for Medicaid and CBHP after their re-certification due date during Fiscal Year 2020. The Department was unable to provide the total payments made on behalf of these beneficiaries during the presumptive eligibility period as of June 30, 2020, since these payments are not separately identified from regular Medicaid or CBHP payments in the system. As a result, we were unable to determine the amount of questioned costs the Department paid for these individuals during Fiscal Year 2020. State regulation [10 CCR 2505-10, 8.100.4.F (3)] requires the Department to re-certify the PE sites every 2 years to remain an approved site. ? LACK OF REVIEW OF PE SITES. We found several issues with the Department?s review of PE sites. Specifically we found the following: ? For 13 out of the 39 PE sites due for re-certification and a review (33 percent), the Department did not perform any case reviews to ensure that presumptive eligibility determinations were being made appropriately and in accordance with state and federal regulations by the PE site staff during Fiscal Year 2020. ? 11 of 13 staff at three PE sites (85 percent) failed the Department?s review of presumptive eligibility determinations during the fiscal year. However, the Department was unable to provide adequate evidence that it provided training to these staff within 6 months of their failed reviews, as required by Department processes. ? Currently, for all 57 PE sites, the Department conducts reviews every 2 years, but only requires them to retain eligibility documentation for 1 year. As a result, the Department is able to monitor PE site?s eligibility determinations for only half of the period since the last review, leaving the other half unmonitored. Federal regulation (42 CFR 435.1102(b)(3)) requires the Department to ?establish oversight mechanisms to ensure that presumptive eligibility determinations are being made consistent with the statute and regulations?. According to the Department processes, staff are to review a sample of presumptive eligibility cases at PE site every 2 years when reviewing sites for re-certification. If a PE site?s staff fails a review, the Department requires the staff to undergo customized Department training within 6 months over the areas they failed. Green Book, Section 2, Paragraph OV2.02, states that the Green Book applies to all of an entity?s objectives: operations, reporting, and compliance. Additionally, Green Book, Paragraph 16.01, indicates that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports and observing operations. ? MISSING DOCUMENTATION. In five of the 20 CBHP cases (25 percent) and five of the 20 Medicaid cases (25 percent) we tested, the Department was unable to provide evidence that the PE sites notified the counties or MA sites within five business days that the applicants were presumptively eligible. Federal regulation [42 CFR 435.1102(b)(2)(iii)] states that the presumptive eligibility sites are required to notify the local county or MA site within 5 business days that the client is presumptively eligible. ? SYSTEM DISPLAY ISSUE. In two of 20 CBHP cases (10 percent) and two of 20 Medicaid cases (10 percent), CBMS did not display the presumptive eligibility termination dates consistently between various screens. For example, in a Medicaid case, one screen showed a presumptive eligibility termination date of January 22, 2020, and the other screen showed a presumptive eligibility termination date of February 29, 2020. This system display issue did not affect the beneficiaries? presumptive eligibility and therefore there were no questioned costs. CBMS is designed to display case and applicant information consistently between various screens within the system. WHY DID THESE PROBLEMS OCCUR? The Department lacked sufficient internal controls to ensure that it complied with state and federal presumptive eligibility requirements during Fiscal Year 2020. Specifically, we noted the following causes for the errors we identified: ? LACK OF POLICIES AND PROCEDURES. The Department did not have written policies and procedures detailing the requirements for completion of site reviews, maintenance of supporting documentation, and the performance of timely re-certification of PE sites. ? LACK OF MONITORING. The Department lacked an effective tracking mechanism to monitor and identify PE sites that were due for re-certification every 2 years and to ensure presumptive eligibility determinations were in compliance with state and federal regulations. ? CBMS SYSTEM ISSUES. CBMS was not programmed to appropriately terminate presumptive eligibility when the beneficiary is enrolled in the regular Medicaid or CBHP program. In addition, CBMS has a system display issue that results in inconsistent applicant information being shown on various screens. WHY DO THESE PROBLEMS MATTER? As the State?s Medical Assistance agency, it is essential for the Department to ensure that PE sites? eligibility determinations are made appropriately and in accordance with state and federal regulations. This includes ensuring benefits are paid only on behalf of eligible beneficiaries. Since CBMS determines eligibility for Medicaid and CBHP, the CBMS system issues we identified could result in erroneous eligibility determinations. The federal government can disallow federal funds for program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. By not ensuring that appropriate internal controls, including system controls, written policies and procedures, adequate reviews, and monitoring, are in place over the Medicaid and CBHP presumptive eligibility process, the Department cannot ensure that all Medicaid and CBHP beneficiaries are eligible to participate in the programs. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-038 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls over presumptive eligibility by: A Developing and implementing written policies and procedures detailing the requirements for completion of site reviews, maintenance of supporting documentation, timely training for failed presumptive eligibility (PE) site staff, and performance of timely re-certification of PE sites. B Developing an effective tracking mechanism to identify and monitor PE sites that are due for re-certification every 2 years and ensuring the re-certifications are performed. C Resolving Colorado Benefits Management Systems (CBMS) programming and system issues to appropriately terminate applicants? presumptive eligibility when the beneficiaries are enrolled in regular Medicaid or Children?s Basic Health Plan program and ensuring CBMS displays consistent applicant information between various screens. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department agrees with the audit recommendation to develop and implement formal written policies and procedures. Prior to this audit, the Department began creating formal written policies and procedures for site case reviews, maintenance of supporting documentation, timely training for failed workers, and performance of timely re-certification of presumptive eligibility sites (PE site). This finding had no known questionable cost associated with it. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Department agrees with the audit recommendation to develop an effective tracking mechanism to identify and monitor PE sites that are due for re-certification every two years and ensuring that the re-certifications are performed. Prior to this audit, the Department began developing a tracking mechanism for PE site re-certifications. This finding had no known questionable cost associated with it. C AGREE. IMPLEMENTATION DATE: IMPLEMENTED. Implemented as of April 2021. The Department has thoroughly researched the eligibility issues identified in this audit and made the changes to CBMS to ensure that applicants? presumptive eligibility has been appropriately terminated when the beneficiaries are enrolled in regular Medicaid or CBHP program, and that CBMS displays consistent applicant information between various screens. These issues were fixed through two system changes implemented in March 2020 and April 2021. This finding had no known questionable cost associated with it. AUDITOR?S ADDENDUM for Parts A, B, and C As noted in the finding, we found five PE Sites that were not re-certified within the required 2 years and therefore, were not qualified to make presumptive eligibility determinations after their re-certification due date had passed. State regulation [10 CCR 2505-10, 8.100.4.F] requires the Department to re-certify the presumptive eligibility sites every 2 years to remain an approved site. The five PE sites processed a total of 314 presumptive eligibility determinations after their re-certification due date and before the Department re-certified the sites. The Department was unable to provide the total payments made on behalf of these 314 beneficiaries? prior to being enrolled in the regular Medicaid or CBHP program as of June 30, 2020. Therefore, we were unable to determine the amount of questioned costs the Department paid for these individuals during Fiscal Year 2020.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2020-052 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-039 PROVIDER ELIGIBILITY The providers of medical and related services covered under Medicaid and CBHP programs fall into a wide array of provider types that include clinics, hospitals, independent physicians, and medical technicians, as well as managed care organizations and health plans that contract with medical providers. As of June 30, 2020, approximately 76,960 entities and individuals were enrolled with the Department to provide services under Medicaid and CBHP. Although the Department is ultimately responsible for ensuring that only eligible providers participate in the Medicaid and CBHP programs, the Department has contracted with a fiscal agent to perform certain provider-enrollment and claims-processing activities, including accepting, processing, evaluating, and approving or rejecting applications. Providers that want to enroll must complete an online application within Colorado interChange and provide documentation, including a current medical license, showing that they fulfill all enrollment requirements based on their provider type. The fiscal agent is contractually responsible for evaluating the application and the relevant supporting documentation to ensure compliance with all state and federal enrollment requirements. The Department is responsible for maintaining current provider information in Colorado interChange. Once the enrollment process is complete, the Department enters into agreements with the providers that are found to be eligible. In December 2019, the Department added a Department of Regulatory Agencies (DORA) license database interface within Colorado interChange in order to provide a mechanism for updating the provider?s medical license information including the expiration dates within Colorado interChange for any expired provider licenses. Department staff indicated that the provider licenses are manually reviewed at the time of enrollment by the fiscal agent and marked as active, meaning the providers are eligible to participate in the Medicaid and/or CBHP programs. On a monthly basis, the fiscal agent manually runs a report from the DORA database to identify the provider?s medical licenses that are about to expire and updates the renewed license information in Colorado interChange. If a provider?s license is expired, then the fiscal agent marks the provider for a review. Furthermore, the Department?s Program Integrity (PI) Division checks the DORA?s website monthly to determine if any action such as suspensions or revocations of licenses have been taken against a provider?s medical license. If the action taken against the provider affects the provider?s ability to participate in Medicaid or CBHP for a certain period, the PI Division then determines if the provider should be placed on a temporary restriction by suspending any payments, or be terminated within Colorado interChange to stop payments to the provider. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over the enrollment and eligibility determinations of providers for Medicaid and CBHP services and to determine whether the Department complied with federal Medicaid and CBHP provider eligibility requirements during Fiscal Year 2020. Additionally, we assessed the Department?s progress in implementing our Fiscal Year 2019 recommendation related to provider eligibility and enrollment. At that time, we recommended that the Department improve its controls in this area to ensure that it complies with federal and state requirements related to data verification and maintenance of documentation, such as current provider licenses, to ensure payments are only made to eligible providers. We also obtained a detailed Suspension Listing from DORA, which contained provider medical licenses that were suspended during Fiscal Year 2020. We compared this Suspension Listing with provider information within Colorado interChange to determine whether the Department paid any providers with suspended licenses for claims during the fiscal year. We reviewed a sample of 45 provider applications for providers that were deemed eligible and received Medicaid and CBHP payments during Fiscal Year 2020 through Colorado interChange. We obtained and reviewed provider application information and relevant supporting documentation within Colorado interChange to determine whether these providers were accurately deemed eligible to receive Medicaid and CBHP payments and whether the required documents were maintained, in accordance with federal and state regulations. In addition, we conducted interviews with Department staff regarding its procedures over Medicaid and CBHP provider eligibility and enrollment. In March 2020, the Governor issued executive orders waiving Medicaid and CBHP provider licensing requirements for providers whose licenses expired during the COVID-19 PHE; as a result, our testwork was split into two periods of testing: (1) July 1, 2019, through February 29, 2020, and (2) March 1, 2020, through June 30, 2020. The process followed for provider eligibility and enrollment is the same for both Medicaid and CBHP providers, and our testing was used to determine compliance for both programs. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? We applied the following criteria during our testing: ? FEDERAL REGULATION [42 CFR 455.412] requires that the Department have a method for verifying that any provider purporting to be licensed in accordance with the laws of any state is licensed by such state and confirm that the provider?s license has not expired and that there are no current limitations on the provider?s license. This federal regulation requires the Department to verify that the providers meet required licensure standards initially, and it is best practice for the Department to verify that the providers meet these standards on an ongoing basis to ensure that there are no current limitations on the provider?s license. In May 2021, CMS provided clarification to the Department that ?not every condition on a provider?s license would be considered a limitation? and the PI Division within the Department needs to ?document in writing their determination to keep a provider enrolled when a license limitation does not restrict the provider?s ability to render services to Medicaid and CBHP beneficiaries to be in compliance with federal regulation.? ? STATE REGULATIONS [10 CCR 2505-10, 8.125.9 A AND B] require for current medical provider licenses, if a provider is required to possess a license or certification in order to provide services or supplies in the State, then that provider must be so licensed as a condition of enrollment as a Medicaid provider. As a condition of enrollment, any required licenses must be active without any current limitations. ? DEPARTMENT POLICY AND PROCEDURE. Provider Licensure Sanction Monitoring, Section III. A., states that in order for a provider to be eligible to render and bill for services, the provider must have an active license. ? FEDERAL CMS REQUIREMENTS [Sub Regulatory Guidance for State Medicaid Agencies (SMA): Revalidation (2016-001 (3))] state the Department must be able to produce documentation to support each of the provider screening and enrollment requirements under 42 CFR 455 Subpart E, including documentation of the most current license to ensure the provider remains eligible to provide services. ? CONTRACT REQUIREMENTS. According to the contract agreement with the fiscal agent, the fiscal agent is required to maintain detailed documentation to support each of the provider screening and enrollment requirements, including documentation of the provider?s most current license to ensure the provider remains eligible to provide services for Medicaid and CBHP. ? FEDERAL REGULATION [45 CFR 75.303(a)] requires that the Department, as a recipient of federal funds, must establish and maintain effective internal control over its federal awards that provides reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Green Book, Paragraph 16.01, which states that the Department ?should establish and operate monitoring activities to monitor [its] internal control system and evaluate the results.? Monitoring activities include reviewing reports, observing operations, and ensuring that activities are carried out in accordance with the federal grant agreement(s). WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We found that the Department did not fully comply with federal and state regulations for Medicaid and CBHP provider eligibility during Fiscal Year 2020. The specific issues we identified through our analyses of Medicaid and CBHP provider license data and case file reviews are outlined in more detail throughout this section. ELIGIBILITY ISSUES IDENTIFIED THROUGH DATA ANALYSES INELIGIBLE PROVIDERS?SUSPENDED LICENSES OR LICENSE WITH LIMITATIONS. Based on our comparison of the suspended provider license listing from DORA and provider information within Colorado interChange, we identified 13 ineligible providers who had their license suspended or had a license with limitations for part of Fiscal Year 2020, but continued to be shown as active, which means eligible, in Colorado interChange, as follows: ? 13 providers had their licenses suspended by DORA during Fiscal Year 2020; however, instead of terminating these providers in accordance with federal and state regulations, the Department marked these providers as active within Colorado interChange. For four of the 13 providers, the Department did not take any action to prevent them from billing for services during the year. For the remaining nine providers, the Department placed billing restrictions on the providers after DORA?s suspension date. Specifically, for six of these nine providers, the Department placed billing restrictions on the providers within 1 to 2 months and for the remaining three providers, placed the billing restrictions on the providers between 3 to 12 months after DORA?s suspension date. Based on additional testing, we determined that no payments were made to these providers after their licenses were suspended by DORA and therefore, we did not identify any questioned costs associated with these providers. ? One provider had its license listed as active with conditions on DORA?s website from April 10, 2020, through June 30, 2020, but the Department did not terminate the provider due to current limitations on the license; instead, the provider was marked as active in Colorado interChange and continued to bill claims and receive payments during the fiscal year. We determined that the provider?s current license limitations did not restrict the provider?s ability to render services. Therefore, the provider was eligible and no questioned costs were noted. However, the Department did not document their determination to keep this provider enrolled with current license limitations. In addition, we noted that this provider?s license expired in Colorado interChange as of October 2016, however, DORA?s website showed the provider with an active license, or license with limitations, during Fiscal Year 2020. The fiscal agent did not update license information as required by the contract. ELIGIBILITY CASE FILE ISSUES MISSING DOCUMENTATION AND LICENSE INFORMATION. For five of 45 providers (11 percent), the Department did not ensure that the fiscal agent maintained the support of the most current medical license information as of June 30, 2020, within Colorado interChange to demonstrate that the provider was eligible to provide services. After we brought the issue to the Department?s attention, the Department provided the documentation. Additionally, for two of these five providers, we found that the medical license information maintained by the fiscal agent in Colorado interChange differed from the license information contained in the DORA database. For example, in one case, the provider?s license showed an expiration date of September 30, 2019, in Colorado interChange, while the accurate license expiration date in DORA?s database was September 30, 2021. Without the most current license information, the fiscal agent cannot appropriately verify ongoing eligibility for the providers. WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls in place over the provider eligibility process during Fiscal Year 2020 to ensure that it complied with federal and state regulations. ? INEFFECTIVE REVIEW OF PROVIDER LICENSES. The Department lacks an effective review process to ensure the license information in DORA?s database matches the license information in Colorado interChange in order to identify suspended providers, to document their determination to keep a provider enrolled with license limitations, and providers with expired licenses. In addition, the Department?s manual review did not ensure that suspended providers, providers with license limitations and providers with expired licenses were terminated and restricted in a timely manner. ? POLICIES AND PROCEDURES NOT UPDATED. The Department did not obtain CMS guidance until May 2021 to document their determinations to keep providers with license limitations enrolled when a license limitation did not restrict provider?s ability to render services. Therefore, the Department?s current policies and procedures are not updated to match CMS guidance. ? LACK OF EFFECTIVE TRAINING AND MONITORING. The Department was not effectively training and monitoring its fiscal agent to ensure that copies of active medical licenses are maintained within providers? files in Colorado interChange. Additionally, the fiscal agent did not properly update the provider?s license information in Colorado interChange to match the DORA database during Fiscal Year 2020. WHY DO THESE PROBLEMS MATTER? By not ensuring that appropriate internal controls, including policies and procedures, reviews, training, and monitoring, are in place over the Medicaid and CBHP provider eligibility process, the Department cannot ensure that all Medicaid and CBHP providers are eligible to participate in the programs. Additionally, without an effective review process to update provider licensure information within Colorado interChange, the Department cannot ensure that the enrolled providers are eligible to receive payments. Ensuring that providers contained in Colorado interChange are eligible to provide services is especially important to prevent any improper payments. Overall, the State could risk losing federal Medicaid and CBHP funding if it allows ineligible providers to bill and be paid for services provided for these programs. Furthermore, the State may lose federal Medicaid money if the Department does not recover any of the payments made to ineligible providers. State statute [Section 25.5-4-301(2), C.R.S.] indicates that any overpayments of claims to providers are recoverable. These overpayments ?shall be recoverable regardless of whether the overpayment is the result of an error by the state department, a county department of social services, an entity acting on behalf of either department, or by the provider or any agent of the provider.? See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-039 The Department of Health Care Policy and Financing (Department) should improve its internal controls over the Medicaid and Children?s Basic Health Plan provider eligibility determination to ensure that it complies with federal and state requirements by: A Improving the Department?s review process of provider licenses to ensure the license information in the Department of Regulatory Agencies (DORA) license database matches the license information in the Colorado interChange system and ensuring timely termination and imposing restrictions for the provider?s whose licenses are suspended or expired. B Updating the current policies and procedures to match Centers for Medicare and Medicaid Services guidance to ensure there is adequate documentation of the determinations for providers with license limitations. C Effectively training and monitoring its fiscal agent to ensure that copies of active licenses are maintained and provider license information in the Colorado interChange system matches the information in DORA?s license database. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will update its policies and procedures to ensure that the process for reviewing whether a license action requires termination or a restriction in the Colorado interChange, is documented and implemented in a timely manner to prevent payments to ineligible providers. As noted in OSA's finding, it is best practice for the Department to verify providers meet these standards on an ongoing basis between initial enrollment and revalidation to ensure there are no current limitations on the provider?s license, including those that have expired. The Department?s previous process was discontinued due to data matching issues between DORA and the Colorado interChange. However, letters continue to be sent to providers with upcoming expiring licenses prompting them to add current license information to their provider file. The Department plans to implement a system change that will make the data feed from DORA functional and install a front-end claims edit that will prevent claims from providers with an expired license from paying. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will update its policies and procedures to ensure that all determinations made on whether a provider has a limitation on its license are properly documented. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department has an established process to train and monitor its fiscal agent. The Department will continue to monitor the Fiscal Agent through reports, meetings, and quarterly audit review processes. The Department and the Fiscal Agent will continue to collaborate to improve the process in which required documentation is collected and maintained.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-054 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-041 MEDICAID ELIGIBILITY?MISSING SOCIAL SECURITY NUMBERS A beneficiary?s application includes information such as a Social Security Number (SSN), birth certificate, and supporting documentation for income. Local counties and MA sites are responsible for administering the benefits application process, entering the required data for eligibility determination into CBMS, and approving or denying applicants? eligibility. For example, Medicaid caseworkers enter and document each applicant?s SSN into CBMS. Caseworkers determine participants? eligibility to receive Medicaid benefits through CBMS. The CBMS eligibility data, including SSNs, feeds into Colorado interChange, which pays providers for the services they render to Medicaid beneficiaries. If there is a change to an SSN, including removing an SSN in CBMS, this change should feed directly into Colorado interChange. Additionally, children in foster care are automatically eligible for Medicaid; the TRAILS system that supports the foster care program at the Department of Human Services also interfaces with Colorado interChange on a daily basis to update foster care beneficiaries? eligibility information and pay providers for the services rendered. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls that were in place over the Medicaid eligibility process during Fiscal Year 2019, and to determine whether the Department complied with federal and state Medicaid requirements during this timeframe. During our audit, we requested a list of all Medicaid claims for medical services that were submitted and paid through Colorado interChange from July 1, 2018, through March 31, 2019. This list included claims made on behalf of approximately 1.1 million beneficiaries. We analyzed the data to identify any Medicaid claims payments made during July 1, 2018, through March 31, 2019, on behalf of beneficiaries who did not have an SSN in Colorado interChange on the date of the claims payment, and found a total of 524,092 claims paid on behalf of 46,772 beneficiaries. From this listing, we excluded any of the claims payments made on behalf of a beneficiary who was exempted from providing an SSN under federal and state regulations. For example, we removed claims payments for beneficiaries who were under the age of 1; beneficiaries who were in foster care and, therefore, were automatically deemed eligible for Medicaid; beneficiaries who had applied to the Social Security Administration for an SSN at the time of the payment; beneficiaries who received medical care as an emergency service; and beneficiaries who had chosen to opt out of providing an SSN due to allowed religious reasons. After we removed these exempted beneficiaries from the population, the list included 2,870 beneficiaries that appeared to be missing an SSN in Colorado interChange and who had Medicaid claims payments made on their behalf from July 1, 2018, through March 31, 2019. We then reviewed these remaining beneficiaries, and the related separate payments made on their behalf during this time period, to determine whether these beneficiaries had an SSN in Colorado interChange at the time of the claims payments and whether the individuals were eligible for Medicaid benefits in accordance with federal regulations and Department procedures. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? SSN REQUIREMENTS. Federal regulations [42 CFR 435.910 and 42 CFR 435.117(b)] state that the Department must require an SSN for each individual requesting Medicaid benefits, with the exception of newborns under the age of 1, or ?Eligible Needy Newborns,? and individuals who refuse ?to obtain an SSN because of well-established religious objections.? Federal regulation [42 CFR 435.145(b)(2)] states that the Department must provide Medicaid benefits to individuals who are in the foster care program. Section 472 of the Social Security Act does not require a child to provide an SSN in order to be eligible for the foster care program. State regulations [10 CCR 2505-10 8.100.3.I.1, 8.100.4.B.1.a, and 8.100.4.G.7.a] also require that every individual who applies for and receives Medicaid benefits must provide an SSN, or an application for an SSN, with their application for Medicaid. The regulation specifically states: An applicant?s or client?s refusal to furnish or apply for a Social Security Number affects the family?s eligibility for assistance as follows: i) that person cannot be determined eligible for the Medical Assistance Program; and/or ii) if the person with no SSN or proof of application for SSN is the only dependent child on whose behalf assistance is requested or received, assistance shall be denied or terminated. The regulation also states that newborns under the age of 1 and ?members of religious groups whose faith will not permit them to obtain Social Security Numbers shall be exempt from providing a Social Security Number.? Eligibility data, including SSNs, is required to be collected and entered into CBMS at the time of application or upon another event, such as the beneficiary turning 1 year old. Because this information is maintained within CBMS, and CBMS feeds eligibility information into Colorado interChange, eligible beneficiaries should have an SSN in Colorado interChange. MONITORING. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in the Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). Green Book Paragraph 16.01, Perform Monitoring Activities, states the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. TRAINING. Department training procedures indicate that when a local county or MA site caseworker needs to update an SSN in CBMS, he or she must call the Office of Information Technology (OIT) Service Desk within the Office of the Governor, for approval of the change. According to Department staff, once the OIT Service Desk reviews and approves the change, the information will be updated within CBMS; if the OIT Service Desk does not approve the change to the SSN, then the updated information will be rejected within CBMS. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We identified 2,870 beneficiaries who were required to have an SSN but did not have an SSN documented in Colorado interChange and had Medicaid claims paid on their behalf sometime between July 1, 2018, and March 31, 2019. In total, Colorado interChange paid approximately $4,540,920 in Medicaid claims for these beneficiaries during the time period noted. In August 2019, we informed the Department of the issues we identified and Department staff performed additional follow-up based on our findings, which included analyzing information contained in CBMS compared to our results from Colorado interchange; the Department confirmed in January 2020, the Department confirmed that 1,590 of these beneficiaries had never had an SSN recorded in CBMS since they were first found eligible for Medicaid benefits, and therefore, would never have had an SSN in Colorado interChange. Because these individuals were required by federal and state regulations to provide an SSN at the time of application or upon another event, as applicable, the lack of documented SSNs in both CBMS and Colorado interChange indicated that these individuals appeared to be ineligible for the Medicaid claims payments that were made on their behalf during the fiscal year. The Department indicated that the remaining 1,280 beneficiaries without an SSN in Colorado interChange did not have an SSN in CBMS at the time of the claim but had an SSN ?at some point? during Fiscal Year 2019 or prior within CBMS. Since the individuals lacked an SSN within Colorado interChange at the time of the Fiscal Year 2019 claims payments, and based on the documentation provided by the Department, we were unable to determine whether the individuals had submitted an SSN at the time of application or upon another event as required and, therefore, whether they were eligible for the Medicaid services they received. Overall, for the 1,590 beneficiaries noted, we identified known questioned costs of $2,285,757 for the period of July 1, 2018, through March 31, 2019; $1,142,879 of these costs were paid with federal grant funds. For the 1,280 beneficiaries noted, we identified likely questioned costs of $2,255,163 for the period of July 1, 2018, through March 31, 2019. We further analyzed 49 of the 1,590 beneficiaries noted above to identify reasons for missing SSNs and found that: ? Beneficiaries in CBMS were not eligible; however, they were marked as ?eligible? within Colorado interChange. ? Beneficiaries were incorrectly enrolled in the Eligible Needy Newborn Program even though they were all over the age of 1; as a result, although the Department had not required them to provide an SSN, they continued to receive benefits during July 1, 2018, through March 31, 2019. ? Beneficiaries were exempted from obtaining an SSN for unallowable reasons including ?incomplete documents? and ?illness? categories, and CBMS processed their eligibility and Colorado interChange made payments on their behalf; however, neither federal nor state regulations allow such exemptions. The Department has indicated that they are performing additional research on the issues regarding the 1,280 beneficiaries that had an SSN ?at some point? during Fiscal Year 2019 or prior within CBMS. WHY DID THESE PROBLEMS OCCUR? For 1,280 beneficiaries identified who were missing an SSN in Colorado interChange and CBMS at the time of the claim, but had an SSN ?at some point? within CBMS during Fiscal Year 2019 or prior, the Department provided the following possible explanation: The SSN was removed due to caseworkers failing to contact the OIT Service Desk for proper approval for changes to SSN information in CBMS. Other problems with missing SSNs were related to: ? CBMS ISSUES. CBMS was not programmed to appropriately deny an applicant?s eligibility for Medicaid when the individual did not have an SSN in CBMS and did not have an allowed exception noted in CBMS. Rather, CBMS allowed the SSN field to be left blank, regardless of the reason noted for the missing SSN and whether the reason was allowed as an exemption by federal and state regulations. In addition, the SSN in CBMS could be deleted at any time by the caseworker or the OIT Service Desk and CBMS was not programmed to alert the caseworker to follow up if an SSN had been deleted from the file. ? SYSTEM INTERFACE ISSUES AND LACK OF A RECONCILIATION PROCESS. CBMS was not interfacing with Colorado interChange appropriately to update beneficiaries? eligibility information. Some beneficiaries who were deemed ?ineligible? for Medicaid in CBMS were listed as ?eligible? in Colorado interChange and payments were made on their behalf during the fiscal year. Furthermore, the Department lacked an effective internal control process for reconciling Medicaid beneficiaries? eligibility information in CBMS to the eligibility information in Colorado interChange to ensure that the information was consistent in both systems, and that the beneficiary was appropriately deemed either ?eligible? or ?ineligible? in accordance with federal and state regulations. ? LACK OF EFFECTIVE REVIEWS, TRAINING, AND MONITORING. The Department was not effectively monitoring and training Medicaid local county and MA site caseworkers on required approvals for any changes to beneficiaries? SSNs. Further, the Department did not have an effective review process to ensure that beneficiaries were enrolled in the correct Medicaid program. WHY DO THESE PROBLEMS MATTER? As the state Medicaid agency, it is essential for the Department to ensure that Medicaid eligibility determinations are made appropriately and in accordance with state and federal regulations. This includes ensuring accurate processing of information used to determine Medicaid eligibility results in Medicaid benefits being provided to and paid on behalf of only eligible individuals. Since CBMS and Colorado interChange determine eligibility and issue payments on behalf of other federal programs, such as the CBHP, these issues could result in erroneous eligibility determinations or payments for other programs. Ultimately, the federal government may disallow federal funds for Medicaid program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2019-043 The Department of Health Care Policy and Financing should improve its internal controls over Medicaid eligibility by: A Researching and, if feasible, instituting a mechanism for identifying Medicaid cases in the Colorado Benefits Management System (CBMS) that lack a Social Security Number. B Researching and resolving CBMS and Colorado interChange interface issues to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries and establishing an effective reconciliation process between CBMS and Colorado interChange to ensure that Medicaid beneficiaries? eligibility information is consistent in both systems. C Effectively training and monitoring local counties and Medical Assistance sites to ensure that caseworkers are obtaining and documenting the Office of Information Technology Service Desk?s approval for changes to beneficiaries? Social Security Numbers, and that beneficiaries are enrolled in the correct Medicaid program. D Researching the cases identified in our audit to determine whether these beneficiaries were eligible and that the payments made on their behalf were appropriate, in accordance with federal and state regulations. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The CBMS currently has functionality in place for members requesting Medical Assistance that they must supply a Social Security Number (SSN) unless they meet certain acceptable exceptions at initial application. Since CBMS is a shared system between the Department and the Department of Human Services and any change would impact all cases in CBMS, the Department cannot guarantee that a system change can be implemented. The Department can agrees to research on the feasibility of instituting a mechanism for identifying Medicaid cases in CBMS that lack a social security number and, if feasible, implement a CBMS change by July 2022. B AGREE. IMPLEMENTATION DATE: JULY 2021. The Department agrees to research and resolve Colorado Benefits Management System (CBMS), and Colorado interChange system interface issues identified in the audit. The Department implemented a system change in June of 2018 that allows retroactive changes in eligibility to be correctly synced between the systems. The majority of the impacted cases are historical cases that will be manually corrected by June 2020. Additional cases involve detailed research, review, and potential outreach to case workers to correct the case file or verify the eligibility status of the impacted members. The Department will take the appropriate actions to notify impacted members if necessary. The Department's implementation date reflects that the Department will be in compliance with the Recommendation for the entirety of FY 2021-22. C AGREE. IMPLEMENTATION DATE: JULY 2021. The Department provides training to counties and Medical Assistance sites that beneficiaries applying for Medical Assistance must supply a Social Security Number (SSN) or supply verification that they have applied for an SSN, unless they meet certain acceptable exceptions. This information has been communicated to the counties since 2004 and is part of our ongoing training materials. The Department cannot agree to establish any additional review process at this time. The Department can agree to work with counties and Medical Assistance sites to identify any additional training related to missing SSN and implement additional training by July 2021. D DISAGREE. The Department disagrees with the Total Known Questioned Costs of $2,285,757 identified in the audit report since Department cannot verify the results. The Department is still attempting to reconcile various reports to understand the finding identified through this audit. CBMS currently has functionality in place for members requesting Medical Assistance that they must supply a Social Security Number (SSN), unless they meet certain acceptable exceptions at initial application. The Department does not have the resources to research the thousands of cases that the auditor identified through data mining techniques, a new methodology for the first time this year. If the auditor is changing methodologies, the Department requires additional resources and timely notice to request resources through the budget process. AUDITOR?S ADDENDUM: The beneficiaries identified through our testing were required by Medicaid regulations to provide an SSN at the time of application or upon another event, as applicable, and the SSN is documented in CBMS and uploaded to Colorado interChange [State regulations 10 CCR 2505-10, 8.100.3.I.1 and 8.100.4.B.1.a and 8.100.4.G.7.a]. Because the noted beneficiaries lacked an SSN within Colorado interChange at the time claims payments were made on their behalf, we questioned the beneficiaries? eligibility. The Department is responsible for ensuring that only individuals who are appropriately deemed eligible for Medicaid receive benefits. Therefore, it is the Department?s responsibility to identify and remove ineligible individuals from the Medicaid program and to prevent the inappropriate payment of claims on their behalf. In addition, generally accepted government auditing standards (GAGAS) (paragraph 3.18), require that ?In all matters relating to the GAGAS engagement, auditors and audit organizations must be independent from an audited entity.? Additionally, paragraph 3.42 states that ?Examples of circumstances that create undue influence threats for an auditor?include (b) [e]xternal interference with the selection or application of engagement procedures or in the selection of transactions to be examined.? Therefore, it is imperative that our decisions related to audit approaches and testing methods be made without department influence or persuasion.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-047 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-034 MEDICAID CONTROLS OVER ELIGIBILITY DETERMINATIONS Individuals and families seeking medical benefits through Medicaid must apply and provide certain information to caseworkers at their local county or an MA site, which collects required documentation for determining the applicants? eligibility. Such documentation includes the applicants? birth certificates, support for income, and the value of resources, such as wage stubs and bank account balances. Caseworkers enter the applicant-provided data into CBMS, which contains system checks for determining the applicants? eligibility to receive Medicaid benefits. These system checks include calculating and verifying income and resources for the applicants, as well as assessing and collecting fees for benefits, such as buy-in premiums. For example, CBMS will mark an applicant?s eligibility as fail if the reported income or resources exceed specific limits that are set by federal and state regulations. The Department is responsible for monitoring the local counties? and MA sites? administration of Medicaid to ensure eligibility is determined in accordance with federal and state regulations. Medicaid applicants may be eligible for retroactive eligibility, which allows new Medicaid applicants to receive coverage for up to 3 months prior to the date of one?s application. As long as the individual meets Medicaid?s eligibility requirements in the 3 months preceding their application, the Department will retroactively pay Medicaid covered expenses that individuals incurred during that timeframe. Without retroactive eligibility, benefits for Medicaid eligible individuals begin on the date the application was received by the local county or MA site. As an example, if an individual has medical expenses in March, applies for Medicaid in June, and the individual has met the eligibility requirements for 3 months preceding their application, then any unpaid Medicaid covered expenses for March, April, and May are paid by Medicaid. Eligibility data from CBMS feeds into the Colorado interChange system (Colorado interChange), which issues payments to Medicaid providers for the services they render to Medicaid beneficiaries. The Department pays Medicaid providers through two methods: (1) directly through fee-for-service (FFS) payments for specific services rendered or (2) indirectly through monthly fixed amounts known as capitation payments that are paid to managed care entities, who contract with providers for services. The monthly capitation payments are paid every month on behalf of beneficiaries regardless of whether the beneficiaries receive medical services during the month. Colorado interChange is programmed to pay the FFS and monthly capitation payments only on behalf of beneficiaries deemed eligible in Colorado interChange based on eligibility information received from CBMS and requirements specified in federal and state rules and regulations. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to review the Department?s internal controls over the Medicaid eligibility determination process, as well as to determine whether the Department complied with applicable federal and state Medicaid eligibility requirements during Fiscal Year 2020. We performed testing on a statistical sample of 125 case files related to beneficiaries who (1) were deemed eligible for Medicaid during Fiscal Year 2020 and (2) had a payment made on their behalf to a Medicaid provider between July 1, 2019, and February 29, 2020. The purpose of our testing was to determine whether the beneficiaries were appropriately determined to be eligible for Medicaid during the time they received services within this period. This audit period was selected to accommodate changes that were made to federal Medicaid eligibility requirements in March 2020 due to the COVID-19 PHE. Our testing involved reviewing Medicaid case files, CBMS data fields, and supporting documentation related to eligibility determinations and redeterminations, as well as Medicaid payment information in Colorado interChange. For each beneficiary, we determined whether the Department ensured that local county and MA site caseworkers obtained and maintained required documents supporting eligibility determinations and redeterminations, and correctly entered eligibility data into CBMS. Additionally, for each sampled beneficiary, we determined whether CBMS showed the correct income and resources, the beneficiary was enrolled in the appropriate Medicaid program, buy-in premiums were assessed, and payments were not made after eligibility had ended during Fiscal Year 2020. We also inquired about the Department?s monitoring procedures over local counties and MA sites to ensure eligibility is determined in accordance with federal and state regulations. Additionally, we reviewed the Department?s progress in implementing our Fiscal Year 2019 audit recommendation related to Medicaid eligibility. Based on the results of that audit, we recommended that the Department strengthen its internal controls over Medicaid by providing adequate training, monitoring the local counties and MA sites, and researching and resolving CBMS system issues identified in our Fiscal Year 2019 audit. STATISTICAL SAMPLING METHODOLOGY We selected a statistical sample of Medicaid beneficiaries for our review of their case files in a manner that?if we found errors?would allow us to estimate the total number of beneficiaries who were improperly deemed eligible, as well as the resulting dollar amount of Medicaid benefit payments that were improperly paid during the audit period of July 1, 2019, through February 29, 2020. We designed our sampling methodology and sample size to support statistical projections of our testing results to the population of all beneficiaries for whom payments were made during the audit period. Our methodology included the following procedures: ? We requested and received from the Department a listing of all Medicaid FFS and capitation payments with a date of service during the audit period. The data set included State identification numbers (ID), which are unique to each beneficiary. ? We summarized all Medicaid payments made during the audit period by ID and removed any IDs for which total payments and adjustments netted to $0, which can happen when the Department catches and fixes payments made in error. This resulted in a population of 1,386,220 unique IDs that had a total of $5,408,339,948 in payments made on their behalf during the audit period. ? We used a stratified random sample, as shown in the following table, consisting of six strata defined by the total amount of payments for each unique ID. We selected random samples from each strata for a total of 125 IDs that had benefit payments totaling $3,127,704. The strata and sample sizes were defined based on our risk assessment and consultations with audit sampling methodologists from the U.S. Department of Health and Human Services, Office of Inspector General (HHS OIG). ? For each sampled ID, we tested eligibility covering the dates of service for every payment made on the individual?s behalf within the audit period. ? After we concluded our testing, we used HHS OIG?s Office of Audit Services statistical software in consultation with HHS OIG to project our results to the full population of IDs for which benefits were paid during the audit period. See Schedule of Findings and Questioned Costs for chart/table. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? For 32 of the 125 Medicaid beneficiaries? case files that we tested (26 percent), we identified at least one error within each case file. In total, we identified 43 errors within the 32 case files. These errors resulted in a total of $25,120 in known questioned costs for July 1, 2019, through February 29, 2020, and $6,843 in likely questioned costs for March 1, 2020, through June 30, 2020, as shown in the following table. See Schedule of Findings and Questioned Costs for chart/table. A questioned cost, as defined in federal regulations [45 CFR 75.2 Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards (Uniform Guidance)], is ?a cost that is questioned by the auditor ? (1) Which resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds; [or] (2) Where the costs, at the time of the audit, are not supported by adequate documentation?.? Furthermore, federal regulation [45 CFR 75.516] defines known questioned costs as questioned costs that are specifically identified by the auditor and likely questioned costs as an auditor?s best estimate of total questioned costs. During the COVID-19 PHE, CMS issued waivers that limited the Department?s ability to deny eligibility for enrolled beneficiaries. The Department also sought guidance from CMS on the treatment of beneficiaries who were ineligible prior to the COVID-19 PHE but were receiving benefits during this period. CMS guidance indicated that the Department should keep these beneficiaries enrolled during the COVID-19 PHE. Therefore, we are reporting any identified questioned costs from March 1, 2020, through June 30, 2020, the period during the COVID-19 PHE, as likely questioned costs. PROJECTED LIKELY QUESTIONED COSTS FOR JULY 2019 THROUGH FEBRUARY 2020. Based on our sample, we estimate the projected Medicaid questioned costs resulting from payments made on behalf of ineligible beneficiaries in the population between July 1, 2019, and February 29, 2020, to be about $165.6 million and, with 90 percent confidence, to be at least $41.1 million but not more than $290.0 million. This projection is based on the $25,120 in known questioned costs, or misstatements, we identified in our sample during the audit period. The American Institute of Certified Public Accountants Audit Sampling, May 1, 2017, Audit Guide [AAG-SAM 4.95] advises, ?Even if the misstatement appears to be from an unusual source, that does not mean that other unusual items are not in the population and that the original sample was not representative.? In accordance with this guidance, we projected the known questioned costs to the population of payments for services that occurred from July 1, 2019, through February 29, 2020, regardless of the nature of the errors or the programs involved, since the Department is ultimately responsible for all payments made to providers on behalf of eligible beneficiaries. The projected questioned costs amount of $165.6 million is based on a statistical calculation that does not correlate to specific payments to providers or to over-expenditures of the State?s General Fund or federal funds. However, this calculation indicates that if we tested the entire population, there is a 90 percent likelihood of finding the true amount of questioned costs to be between $41.1 million and $290.0 million and the amount would most likely be close to $165.6 million in erroneous payments. There is a 5 percent chance that the true amount of questioned costs is less than $41.1 million, and a 5 percent chance the true amount is over $290.0 million. PROJECTED LIKELY NUMBER OF INELIGIBLE BENEFICIARIES FOR JULY 2019 THROUGH FEBRUARY 2020. We also estimate that 169,026 beneficiaries, or with 90 percent confidence that at least 59,622 (4.30 percent) but not more than 278,429 (20.09 percent) beneficiaries, in our total population of 1,386,220 were likely ineligible at the time they received services from July 1, 2019, through February 29, 2020. The following table summarizes the results of our projections. See Schedule of FIndings and Questioned Costs for chart/table. The following table summarizes the total known and likely questioned costs based on our case file testing and statistical sampling results for Fiscal Year 2020. See Schedule of Findings and Questioned Costs for chart/table. DETAILS OF ERRORS IDENTIFIED. In some case files, we identified multiple instances of errors. Specifically, we found the following: ? PAYMENTS AFTER ELIGIBILITY HAS ENDED. In three cases, the Department paid for services after the beneficiary?s eligibility had ended. Specifically, in two cases, the beneficiaries continued to receive benefits after their death. In the remaining case, the Department determined the beneficiary was ineligible and ended the beneficiary?s benefits; however, payments continued to be made on behalf of the beneficiary after their eligibility had ended. These issues resulted in known questioned costs of $11,102. Federal regulation [42 CFR 433.304] states that an overpayment is the amount paid by a state agency to a provider in excess of the allowable amount for furnished services. Because medically necessary services cannot be provided after a beneficiary?s death, no medical services are allowable after a beneficiary?s death. Accordingly, payments for medical services claimed to have been provided after a Medicaid beneficiary?s death are overpayments. According to federal regulation [42 CFR 431.958], ?Improper payment means any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements; and includes any payment to an ineligible beneficiary, any duplicate payment, any payment for services not received, any payment incorrectly denied, and any payment that does not account for credits or applicable discounts.? ? INELIGIBLE FOR PROGRAM. In one case, the beneficiary was ineligible for the benefits received under Medicaid?s Social Security Income (SSI) mandatory program, which is a medical assistance program provided to persons eligible for financial assistance under SSI from the Social Security Administration (SSA). As a result of an eligibility redetermination, the caseworker determined that the beneficiary had not been eligible for the program since January 2019; however, the beneficiary received benefits under this program for the entire fiscal year. This issue resulted in known questioned costs of $8,326 and likely questioned costs of $4,132 for Fiscal Year 2020. State regulations [10 CCR 2505-10, 8.100.6.C.1a. and b.] state that Medicaid benefits must be provided to persons receiving financial assistance under SSI or persons who are eligible for financial assistance under SSI, but are not receiving SSI. ? INCOME ISSUES. We identified the following income-related issues: ? INCOME EXCEEDING THRESHOLD. In two cases, CBMS incorrectly calculated the beneficiaries? income. CBMS used income information reported by the beneficiary when it should have used electronic income information received through an interface with another system. If CBMS had correctly used the electronic income information, beneficiaries? income would have been over the limit set by federal regulation and the beneficiaries, therefore, should have been denied benefits at their redetermination. Instead, the beneficiaries were approved at their redeterminations and Colorado interChange paid claims on their behalf. These errors resulted in known questioned costs of $4,613 and likely questioned costs of $2,281. ? INCOME NOT VERIFIED. In one case, the caseworker did not verify income for the beneficiary. Specifically, the beneficiary reported income on the application, but the caseworker was unable to verify the income and deleted the income record from CBMS. This error resulted in known questioned costs of $779 and likely questioned costs of $280. ? INCORRECT INCOME THRESHOLD. In one case, CBMS used the incorrect income threshold for the beneficiary?s eligibility determination. The beneficiary?s income was less than the correct income threshold and, therefore, this error did not result in questioned costs. ? INCORRECT INCOME. In three cases, the caseworker used the incorrect income amount to determine eligibility. Specifically, in two cases, the caseworker excluded income when it should have been included for determining eligibility. In the remaining case, the caseworker did not include expenses to calculate self-employment income and, as a result, the caseworker overstated income for determining eligibility. No questioned costs were identified in these instances because the beneficiaries? income was still within federal and state income guidelines. Federal regulation [42 CFR 435.119] requires household income to be at or below 133 percent threshold of the federal poverty level and the State regulation [10 CCR 2505-10, 8.100.6.L.2.c] requires qualified beneficiary?s income to be at or below the federal property level. Federal regulation [42 CFR 435.914] requires the Department to obtain and maintain documentation to support each beneficiary?s Medicaid eligibility determination. State regulation [10 CCR 2505-10, 8.100.5.B.1.c] requires the caseworker to verify earned income in determining whether an individual qualifies for medical assistance and requires the Department to verify income reported by a beneficiary through an electronic data source, wage stubs, tax documents, or verification with the employer. State regulation [10 CCR 2505-10, 8.100.3.K.8.a] requires business expenses to be deducted from countable self-employment income when calculating Medicaid applicants? self-employment income. ? MISSING REDETERMINATION. In one case, the Department did not complete the annual redetermination for the beneficiary as required by the federal regulation. Specifically, the beneficiary had Medicaid payments paid on their behalf during the entire Fiscal Year 2020; however, the beneficiary had not been redetermined since April 2018 due to the beneficiary showing as ineligible in CBMS. This issue resulted in known questioned costs of $300 and likely questioned costs of $150. Federal regulation [42 CFR 435.916(a)] requires the Department to renew or redetermine Medicaid eligibility once every 12 months but no more frequently than once every 12 months. ? BUY-IN PREMIUMS NOT ASSESSED. In one case, the Department did not assess buy-in monthly premiums for the beneficiary. Beneficiaries are required to pay buy-in premiums to receive benefits under the Buy-in Working Adults with Disabilities program. Therefore, the beneficiary was not eligible for the Program during November 2019 through February 2020. The beneficiary did not have any claims submitted by providers during this time and therefore, this issue did not result in questioned costs. State regulations [10 CCR 2505-10, 8.100.6.P.1.f] require individuals to pay monthly premiums on a sliding scale based on income for the Buy-in Working Adults with Disabilities program to be eligible to receive benefits. ? INAPPROPRIATE CHANGE TO ELIGIBILITY. In two cases, the Department did not determine eligibility in accordance with state regulation. Specifically, the beneficiaries provided information to the Department that changed their eligibility and the caseworkers applied the change retroactively; these beneficiaries were current Medicaid beneficiaries rather than new applicants and state regulations do not allow eligibility to be changed retroactively for current beneficiaries. These issues did not result in questioned costs. State regulation [10 CCR 2505-10, 8.100.3.E] requires that retroactive eligibility only be provided to new applicants for the prior 3 months preceding the date of application. State regulations do not allow for retroactive redeterminations to existing beneficiaries.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-048 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-035 MEDICAL ASSISTANCE PAYMENTS FOR DECEASED BENEFICIARIES As a safeguard against potential errors and fraud, state and local agencies need to be vigilant in preventing payments for medical services on behalf of ineligible individuals, such as those who are deceased. In general, the Department, local counties, and MA sites share responsibility for ensuring that only eligible beneficiaries receive public assistance benefits under Medicaid and CBHP. Local counties and MA sites caseworkers enter the required data for eligibility determination into CBMS, which either approves or denies eligibility for MA benefits. In addition, CBMS has various system interfaces to confirm and update the eligibility information in CBMS, including the date of death. Eligibility data in CBMS feeds daily into Colorado interChange and the Department pays providers through two methods: (1) FFS payments to medical service providers for specific services, including pharmacy prescriptions, and (2) capitation payments. The monthly capitation payments are paid at the beginning of each month regardless of whether the providers serve beneficiaries during the month or not. FFS payments are only made for Medicaid beneficiaries while capitation payments are made for both Medicaid and CBHP beneficiaries. Colorado interChange is programmed to pay FFS and monthly capitation payments only on behalf of beneficiaries that are deemed eligible based on eligibility information received from CBMS and requirements specified in federal and state regulations. CBMS receives beneficiary death information through various sources, including updates from beneficiaries? family members, daily interfaces with the SSA, and a monthly interface with the Colorado Electronic Death Registration System maintained by the Colorado Department of Public Health and Environment (CDPHE). If death information received in CBMS has not been verified, the Department will confirm the death information by sending notification letters to the deceased beneficiary. Once the death information is verified, CBMS is programmed to terminate the beneficiary?s eligibility as of the date of death. On a daily basis, CBMS then sends updated beneficiary eligibility and date of death information to Colorado interChange, which is programmed to run a daily automated process to stop payments, check for payments, and recover all FFS and capitation payments made after the beneficiary?s verified date of death. In the majority of cases, there is a delay between when the beneficiary dies and when the Department receives death information, verifies the date of death, and terminates benefits; which means that claims may be paid on behalf of deceased beneficiaries for a period of time. Per federal regulations, the Department is required to recover any payments made on behalf of these beneficiaries after their date of death. Once the Department receives verified death information, overpayments are recovered through an automated process in Colorado interChange. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over Medicaid and CBHP payments related to beneficiaries who die while receiving benefits, to determine whether the Department complied with applicable federal and state requirements, and whether payments were only made on behalf of eligible beneficiaries during Fiscal Year 2020. During our audit, we received a listing of all Coloradans who died during Fiscal Year 2020, including dates of death, from CDPHE staff. We also obtained a listing from the Department of all Medicaid and CBHP payments made to providers during Fiscal Year 2020. We compared the two listings using Social Security Numbers (SSN) and identified 1,059 Medicaid and CBHP IDs that had Medicaid payments totaling $429,951 made on their behalf and $194 in CBHP payments made on their behalf. In addition, we reviewed the Department?s processes, policies, and procedures for identifying, stopping, and recovering payments for deceased beneficiaries. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? Federal regulation [42 CFR 431 Subpart Q, Requirements for Estimating Improper Payments in Medicaid and CHIP] states that any payment to an ineligible beneficiary is considered an improper payment, which is any payment that should not have been made or that was made in an incorrect amount. Also, Section 25.5-4-301(2), C.R.S., requirements for Medicaid and CBHP, states that any overpayments of claims to providers are recoverable. These overpayments ?are recoverable regardless of whether the overpayment is the result of an error by the state department, a county department of human or social services, an entity acting on behalf of either department, or by the provider or any agent of the provider.?? Additionally, Section 25.5-4-301(2)(a)(II), C.R.S., states, ?If the state department makes a determination that such overpayment has been made for some other reason than a false representation by the provider?, the state department may waive the recovery or adjustment of all or part of the overpayment and accrued interest specified in this subparagraph (II) if it would be inequitable, uncollectible or administratively impracticable?.? Because medically necessary services cannot be provided after a beneficiary?s death, no medical services are allowable after a beneficiary?s death and, accordingly, payments for medical services claimed to have been provided after a beneficiary?s death are overpayments and should be recovered. Pursuant to 1903(d)(2)(C) of the Social Security Act [42 U.S.C. 1396b] requirements for Medicaid and CBHP, states have up to 1 year from the date of discovery of any overpayment to recover or attempt to recover the overpayment before the federal share must be refunded to CMS, regardless of whether or not recovery is made from the provider. According to federal regulation [45 CFR 75.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. Green Book, Paragraph 16.01, states that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. A questioned cost, as defined in Uniform Guidance [45 CFR 75.2], is ?a cost that is questioned by the auditor ? (1) Which resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds; [or] (2) Where the costs, at the time of the audit, are not supported by adequate documentation?.? Additionally, federal regulation [45 CFR 75.516] defines known questioned costs as questioned costs that are specifically identified by the auditor and likely questioned costs as the auditor?s best estimate of total questioned costs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We found that the Department made Medicaid and CBHP payments to providers for medical services claimed to have been rendered to Medicaid and CBHP beneficiaries after the months in which beneficiaries died. Specifically, the Department made payments on behalf of 1,059 beneficiaries after their date of death provided by CDPHE, resulting in overpayments of $185,265, of which $96,952 were paid with federal grant funds, as follows: MEDICAID FFS PAYMENTS. We identified 277 Medicaid beneficiaries whose SSN matched a death record from CDPHE and who had Medicaid FFS payments totaling $207,667 paid on their behalf to providers after their date of death. We reviewed payments for 21 of the 277 Medicaid beneficiaries and confirmed with the Department that 17 of the 21 beneficiaries (81 percent) were deceased and had payments made on their behalf after their date of death during Fiscal Year 2020. We also found that the Department had not recovered these improper FFS payments to ineligible beneficiaries as of the end of Fiscal Year 2020 and, therefore, these errors resulted in known questioned costs of $17,041, of which $8,654 was paid with federal grant funds. For the remaining four Medicaid beneficiaries, the Department researched and provided evidence that the beneficiaries were not deceased. Therefore, these four beneficiaries did not result in questioned costs. The remaining 256 beneficiaries whose SSN matched a death record from CDPHE and need to be researched and verified resulted in likely questioned costs of $77,840, of which $41,422 was paid with federal grant funds. MEDICAID AND CBHP CAPITATION PAYMENTS. We identified 846 Medicaid and CBHP beneficiaries whose SSN matched a death record from CDPHE and who had capitation payments paid on their behalf to providers after their date of death that had not been recovered as of the end of Fiscal Year 2020, totaling $222,630 for Medicaid and $194 for CBHP. We informed the Department of the issues we identified and provided them with the list of 846 beneficiaries. Department staff performed additional follow-up and confirmed that Colorado interChange had received verified death records for 747 of the 846 beneficiaries and a total of $170,747 in provider payments had been made on the beneficiaries? behalf after their dates of death during Fiscal Year 2020. These payments resulted in known questioned costs of $168,224, of which $88,150 was paid with Medicaid federal grant funds and $148 was paid with CBHP federal grant funds. For 12 out of the 747 beneficiaries, the date of death reported in Colorado interChange differed from the date of death provided by CDPHE. Part of the payments to these beneficiaries resulted in likely questioned costs of $2,524, of which $1,401 was paid with Medicaid federal grant funds. For the remaining 99 of the 846 beneficiaries, the Department reported that Colorado interChange did not have death information for these beneficiaries and had not researched these further. As a result, Medicaid payments for these 99 beneficiaries are reported as likely questioned costs of $52,076, of which $28,508 was paid with federal grant funds. The following table summarizes the issues we identified. See Schedule of Findings and Questioned Costs for chart/table. WHY DID THESE PROBLEMS OCCUR? Overall, the Department lacked sufficient internal controls to ensure that medical assistance payments were not paid to deceased individuals during Fiscal Year 2020, as follows: ? LACK OF WRITTEN POLICIES AND PROCEDURES. The Department does not have written policies and procedures to monitor payments to deceased beneficiaries, to recover overpayments, and to ensure compliance with federal and state regulations related to medical assistance payments after a beneficiary?s date of death. ? SYSTEM ISSUES. We identified the following Colorado interChange system issues that caused the errors we identified: ? According to the Department, when Colorado interChange was implemented in 2017, it was programmed to only recover capitation payments in the current month and previous 2 months for Medicaid beneficiaries, and in the current month and previous 5 months for CBHP beneficiaries, after death information is received. As a result, for instances in which the Department received and verified beneficiaries? death information more than 3 months after the date of death for Medicaid and more than 6 months after the date of death for CBHP, the Department was not automatically recovering all improper capitation payments in accordance with federal and state regulations. According to the Department, in November 2020, the Department updated Colorado interChange to correct this system issue to recover all capitation payments after a beneficiary?s date of death. ? The Department lacks an effective internal control process for detecting when Colorado interChange is not recovering payments made on behalf of deceased beneficiaries. Specifically, we identified issues related to Medicaid FFS payments and followed up with the Department. Upon further review, the Department discovered a system defect that occurred from October 23, 2019, through April 23, 2020, which prevented Colorado interChange from carrying out the daily automated check and recovery process for FFS payments made on behalf of deceased beneficiaries. Due to this system defect, Colorado interChange did not recover any payments for deceased beneficiaries during this time. Although the system defect was fixed in April 2020, the Department was not aware of the issue and that payments were not being recovered for deceased beneficiaries until the Department researched the beneficiaries identified through the audit. According to the Department staff, as of May 2021, the Department was still researching the deceased beneficiaries impacted by the system defect and recovering payments. WHY DO THESE PROBLEMS MATTER? Without strong internal controls over Medicaid and CBHP eligibility, the Department increases the risk of improper payments due to fraud or error. Furthermore, making payments on behalf of ineligible individuals, including individuals who are deceased, can result in the Department having to repay the federal government for the federal portion of the overpayments. Additionally, the federal government can disallow federal funds for program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-035 The Department of Health Care Policy and Financing should improve its internal controls over Medicaid and Children?s Basic Health Plan (CBHP) payments for deceased beneficiaries by: A Establishing and implementing written policies and procedures to monitor payments to deceased beneficiaries, recover any overpayments, and to ensure compliance with state and federal regulations. B Researching and resolving the Colorado interChange system (Colorado interChange) issues to ensure that all Medicaid and CBHP payments are stopped and recovered after a beneficiary?s date of death and developing a process to detect when Colorado interChange is not recovering payments on behalf of deceased beneficiaries. C Researching and recovering any overpayments made to providers on behalf of ineligible beneficiaries noted through the audit in accordance with state requirements. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will create written procedures documenting system and monitoring processes used to prevent claims from paying after a beneficiary?s date-of-death is verified. In addition, the procedures will document the processes used to recover payments made between a beneficiary?s verified date-of-death and the date the Colorado interChange system is updated with the date-of-death. B AGREE. IMPLEMENTATION DATE: JULY 2022. The system issues described in this audit were resolved as of April 2020 for fee-for-service claims and November 2020 for capitation payments. Once a beneficiary's date-of-death is verified, payments that were made after to the date-of-death will be recovered through the Department's existing processes. As noted in the Department?s response to Recommendation (A), the Department will create written procedures documenting system and monitoring processes used to prevent claims from paying after a beneficiary?s date-of-death is verified. In addition, the procedures will document the processes used to recover payments made between a beneficiary?s verified date-of-death and the date the Colorado interChange system is updated with the date-of-death. AUDITOR?S ADDENDUM As noted in the finding, the Colorado interChange system defect did not recover payments from October 23, 2019, through April 23, 2020. However, the Department was not aware of the system defect until it researched the beneficiaries identified through the audit. According to Department staff, as of May 2021, the Department was still researching the beneficiaries that were impacted by the system defect and recovering payments. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will recover any overpayments made to providers on behalf of deceased beneficiaries once a beneficiary's date-of-death is verified based on our current processes and existing system functionality. The Department does not agree to the questioned costs identified by the auditors. When performing a review of the auditor?s data, several beneficiaries were found not to be deceased by the Department. The records provided by the auditors, like all records received from Colorado Department of Public Health and Environment (CDPHE) and the Social Security Administration (SSA), will go through the Department?s existing verification process. The Department performs the required research and outreach to beneficiaries to verify the date-of-death prior to updating the information in the Colorado interChange. In addition, the Department is not required to recover payments by the end of the state fiscal year, and reports any payments recovered to the Centers for Medicare and Medicaid Service (CMS) based on federal requirements. The Department?s source of beneficiary data, the verification processes, and recovery processes have already been established to satisfy this recommendation within federal guidelines. AUDITOR?S ADDENDUM As noted in the finding, all known questioned were for deceased beneficiaries that were verified by the Department. All likely questioned costs were for beneficiaries that had yet to be researched and verified by the Department. According to Department staff, as of May 2021, the Department was still researching and recovering payments made on behalf of deceased beneficiaries.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-049 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-036 CHILDREN?S BASIC HEALTH PLAN ELIGIBILITY AND IMPROPER PAYMENTS The Department, local counties, and MA sites share responsibility for ensuring that only eligible beneficiaries receive public assistance benefits through CBHP. Individuals and families apply for CBHP eligibility at their local county departments of human/social services or at MA sites. The local counties and MA sites are responsible for administering the application process, entering the required data for eligibility determination into CBMS, and approving or denying applicants? eligibility. Once approved for eligibility, the beneficiary is required to pay a CBHP annual enrollment fee (enrollment fee) to the Department, based on the number of people in the family and the family?s income. Eligibility data in CBMS feeds into Colorado interChange, which issues payments to CBHP providers. For CBHP, the Department contracts with managed-care entities, which are groups or organizations of medical service providers that serve CBHP beneficiaries to provide capitation payments to CBHP providers. These capitation payments are paid regardless of whether the providers serve beneficiaries during the month or not. Colorado interChange is programmed to pay capitation payments only on behalf of beneficiaries that are deemed eligible in Colorado interChange based on eligibility information received from CBMS and requirements specified in federal and state regulations. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over the CBHP eligibility determination process, as well as the capitation payment process, to determine whether the Department complied with applicable federal and state requirements, and whether payments were only made on behalf of eligible beneficiaries during Fiscal Year 2020. CMS suspended rules and provided waivers related to CBHP eligibility requirements in response to the COVID-19 PHE; as a result, our testwork was split into two periods for testing: (1) July 1, 2019, through February 29, 2020, and (2) March 1, 2020, through June 30, 2020. We performed the following testwork: REVIEW OF CBHP ELIGIBILITY CASE FILES ? We reviewed the Department?s CBHP eligibility internal controls during Fiscal Year 2020. In addition, we tested a random sample of 25 beneficiaries who were deemed eligible for CBHP benefits and had capitation payments made on their behalf to a CBHP provider between July 1, 2019, and February 29, 2020, to determine whether those beneficiaries? eligibility determinations were appropriate. If beneficiaries were determined to be ineligible through our testwork, we performed further testing to determine whether the beneficiaries had additional payments made on their behalf from March 2020 through June 2020, and whether the individuals were eligible for those payments. Our testing included a review of the related supporting documentation, including the case files; CBMS data fields related to eligibility determination/redetermination; and CBHP payment information in Colorado interChange. We performed testing to determine whether the Department ensured that local county and MA site caseworkers obtained, verified, and maintained in the case files the required documents supporting eligibility determinations and annual redeterminations; correctly entered eligibility data into CBMS; and properly assessed and collected enrollment fees. ? Additionally, we reviewed the Department?s progress in implementing our Fiscal Year 2019 audit recommendation related to CBHP eligibility. During that audit, we recommended that the Department strengthen its internal controls over CBHP eligibility determinations by providing adequate training to caseworkers, monitoring local counties and MA sites, and researching and resolving CBMS system issues identified in our Fiscal Year 2019 audit. We also recommended that the Department ensure it disallows benefits if a beneficiary becomes ineligible and if the enrollment fee is not paid prior to enrollment in the program. DATA ANALYSES OF CBHP BENEFICIARIES ? INELIGIBLE CBHP BENEFICIARIES. During our audit, we obtained eligibility data for all individuals who were deemed by the Department, a local county, or an MA site to be eligible for CBHP benefits in Colorado interChange at any point during the period of July 1, 2019, through February 29, 2020. We also obtained data for all CBHP capitation payments made through Colorado interChange by the Department from July 1, 2019, through February 29, 2020. This data included a total of $124.7 million in capitation payments made on behalf of 117,222 beneficiaries. We compared the eligibility data to the capitation payment data to identify any instances in which the Department made capitation payments to providers on behalf of beneficiaries who did not appear to be eligible for CBHP benefits. ? CBHP BENEFICIARIES 19 YEARS OR OLDER. Federal and state regulations require an individual to be less than 19 years of age to be eligible for CBHP benefits. To determine the Department?s compliance with these regulations, we further analyzed the list of all CBHP capitation payments made through Colorado interChange by the Department from July 1, 2019, through February 29, 2020. Specifically, we reviewed the beneficiaries? dates of birth in Colorado interChange to identify any capitation payments made on behalf of beneficiaries who appeared to be 19 years or older when the payments were made and, therefore, would not have been eligible for CBHP benefits. CBHP ELIGIBILITY MONITORING AND REVIEW We also inquired about the Department?s monitoring procedures over local counties and MA sites that were designed to ensure that eligibility determinations were made in accordance with federal and state regulations. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal and state regulations for CBHP eligibility and made payments on behalf of ineligible beneficiaries during the fiscal year. The specific issues we identified through our analyses of CBHP eligibility data and case file reviews are outlined in more detail throughout this section. ELIGIBILITY CASE FILE ISSUES In 16 of 25 case files tested (64 percent), we identified at least one error. These errors resulted in a total of 12 ineligible beneficiaries during all or part of Fiscal Year 2020, and total known questioned costs of $10,913, of which $8,449 was paid with federal grant funds; and total likely questioned costs of $3,805, of which $3,076 was paid with federal grant funds. A questioned cost, as defined in Uniform Guidance [45 CFR 75.2], is ?a cost that is questioned by the auditor ? (1) Which resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds; [or] (2) Where the costs, at the time of the audit, are not supported by adequate documentation.?? Federal regulation [45 CFR 75.516] further defines known questioned costs as questioned costs that are specifically identified by the auditor and likely questioned costs as the auditor?s best estimate of total questioned costs. During the COVID-19 PHE, CMS issued waivers that limited the Department?s ability to deny eligibility for enrolled beneficiaries. The Department also sought guidance from CMS on the treatment of beneficiaries who were ineligible prior to the COVID-19 PHE and receiving benefits during this period. Although CMS guidance indicated that the Department should keep these beneficiaries enrolled until the end of the COVID-19 PHE, we are reporting the costs incurred for the 12 ineligible beneficiaries in our sample during the period of the COVID-19 PHE of March 1, 2020, through June 30, 2020, as likely questioned costs since the beneficiaries were inappropriately deemed eligible prior to the COVID-19 PHE and should not have been enrolled in CBHP. The following table outlines the types of issues we found. See Schedule of Findings and Questioned Costs for chart/table. The specific issues we identified and the breakdown of identified questioned costs are as follows: ? CBHP ANNUAL ENROLLMENT FEE NOT PAID. In 10 cases, the Department either did not assess the required enrollment fee or the fee was assessed but was never collected. Specifically: ? In seven cases, the Department did not assess an enrollment fee. ? In the remaining three cases, the Department assessed the enrollment fees but did not collect the required fees from the beneficiaries. Benefits were inappropriately paid on behalf of these 10 beneficiaries for all or part of Fiscal Year 2020. As a result, the Department was not in compliance with state regulations. These issues resulted in known questioned costs of $6,684 and likely questioned costs of $2,260. State regulations [10 CCR 2505-3, 310.1-310.2] require the Department to collect an annual enrollment fee from the beneficiary prior to enrollment in the CBHP. The actual fee is determined based on the number of eligible children within the family. Benefits should be denied if the annual enrollment fee is not paid prior to enrollment in the program. ? LACK OF INCOME VERIFICATION. In three cases, the caseworkers failed to verify income reported by the beneficiary as required by state regulations. In all three cases, the beneficiary reported income; however, the caseworker did not verify the reported income through an electronic data source, wage stubs, tax documents, or through the employer. These errors resulted in known questioned costs of $2,854 and likely questioned costs of $1,546. State regulations [10 CCR 2505-10, 8.100.4.B.1.c and 8.100.4.B.1.d] require the Department to verify income reported by a beneficiary through an electronic data source, wage stubs, tax documents, or verification with the employer. ? INCOME ISSUES. In one case, the beneficiary?s income information received by the local county or MA site was more than the income limit set within the state regulation; however, the beneficiary was deemed eligible in CBMS and Colorado interChange paid capitation payments on behalf of the beneficiary. As a result, the beneficiary incorrectly received CBHP benefits during the fiscal year. These errors resulted in known questioned costs of $1,375. In another case, the caseworker incorrectly calculated self-employment income for the beneficiary, resulting in lower income. No questioned costs were identified in this instance because the beneficiary?s actual income was still within guidelines. In order to be eligible for CBHP, state regulation [10 CCR 2505-3, 110.1.D] requires an individual to have a household income greater than 133 percent of, but not exceeding, 250 percent of the federal poverty level. ? MISSING CASE DOCUMENTATION. In five cases, the Department was unable to provide documentation necessary to support the CBHP eligibility determination, including documentation to support income, such as wage stubs; and documentation to support identity and citizenship, such as birth certificates; as required by federal regulations, as follows: ? In three cases, the Department could not provide supporting documentation used by the caseworker in CBMS to verify income at the time of eligibility determination. Specifically, in all three cases, the Department was unable to provide copies of the beneficiary?s wage stubs that were noted as the source document in CBMS. However, the Department subsequently provided a hand-written statement from the employer and electronic income information from another data source interfaced with CBMS that indicated income was under the federal income threshold, resulting in no questioned costs. ? In two different cases, to determine beneficiaries? eligibility, a birth certificate was identified as the source used to verify identity and/or citizenship within CBMS; however, the Department was unable to provide these birth certificates to support their identity and/or citizenship for eligibility determinations. In both cases, there was other corroborating documentation in the case file that indicated the beneficiaries were eligible; however, the Department did not appropriately maintain the support used to determine the beneficiaries? eligibility as required by federal regulation. These errors did not result in questioned costs. According to federal regulation [42 CFR 457.965], ?The State must include in each applicant?s record facts to support the State?s determination of the applicant?s eligibility for [Children?s Health Insurance Program].? State regulations [10 CCR 2505-3, 110.1.A, 110.1.B, and 110.1.C] require the Department to ensure a beneficiary is either less than 19 years of age or a pregnant woman and a citizen of the United States or an individual who is legally allowed to be in the country. ELIGIBILITY ISSUES IDENTIFIED THROUGH DATA ANALYSES We identified 53 ineligible beneficiaries through our data analyses of CBHP eligibility and capitation payment data from Colorado interChange for July 1, 2019, through February 29, 2020. The related overpayments resulted in known questioned costs of $158,413 for Fiscal Year 2020, of which $123,251 were paid with federal grant funds. The specific issues we found are discussed in more detail as follows. CBHP BENEFICIARIES NOT ON THE ELIGIBILITY LIST. We identified 39 beneficiaries who were not listed as eligible beneficiaries in the CBHP eligibility data that we received from the Department. However, these beneficiaries had CBHP capitation payments paid on their behalf through Colorado interChange during Fiscal Year 2020. We informed the Department of the issues we identified and provided the list of all 39 identified beneficiaries. Department staff performed their review and confirmed that 38 of the 39 beneficiaries were not eligible in CBMS at some point during Fiscal Year 2020, but showed as eligible in Colorado interChange during that timeframe. For the remaining beneficiary, CBMS and Colorado interChange noted the beneficiary as eligible when payments occurred in July 2019; however, the Department?s review later determined that the beneficiary was ineligible during July 2019 after the payments had already been made through Colorado interChange. As a result, all payments made during July 1, 2019, through February 29, 2020, for these 39 ineligible CBHP beneficiaries were improper payments as defined by federal regulations and, therefore, should be recovered in accordance with state and federal regulations. These payments resulted in known questioned costs of $76,924, of which $59,423 were paid with federal grant funds; and likely questioned costs of $14,345 for March 1, 2020, through June 30, 2020, of which $11,596 were paid with federal grant funds. According to federal regulation [42 CFR 431.958], any payment to an ineligible beneficiary is considered an improper payment, which is any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments). Eligibility errors include ineligible individuals that were authorized as eligible when they received services [42 CFR 431.960 (d)(2)(i)]. Section 25.5-4-301(2), C.R.S., states that any overpayments of claims to providers are recoverable. These overpayments ?are recoverable regardless of whether the overpayment is the result of an error by the state department, a county department of human or social services, an entity acting on behalf of either department, or by the provider or any agent of the provider....? Pursuant to 1903(d)(2)(C) of the Social Security Act [42 U.S.S. 1396b], states have up to 1 year from the date of discovery of the overpayment to recover or attempt to recover the overpayment before the federal share must be refunded to the Centers for Medicare and Medicaid Services (CMS) regardless of whether recover is made from the provider. CBHP BENEFICIARIES 19 YEARS OR OLDER. We identified $853,422 in capitation payments made on behalf of 168 beneficiaries who appeared to be 19 years or older at the time of the CBHP capitation payments and, therefore, would not have been eligible for CBHP benefits. These beneficiaries were identified based on their dates of birth and the dates of capitation payments made on their behalf in Colorado interChange. We selected a random sample of 17 of the 168 beneficiaries to test whether or not the beneficiaries were ineligible to receive CBHP benefits based on their age. Using information contained in both Colorado interChange and CBMS, we confirmed that 14 of the 17 tested (82 percent) were 19 years or older when they had capitation payments paid on their behalf and, thus, were ineligible for these payments made through Colorado interChange. For example, we noted that based on the information in CBMS, 10 of the beneficiaries had not been eligible for CBHP benefits since 2017 even though Colorado interChange showed the beneficiaries as eligible. One of these beneficiaries had passed away in 2017, but had payments made on their behalf through September 2019. The remaining three of the 17 beneficiaries we tested were under the age of 19 at the time of the payments, but had an incorrect date of birth in Colorado interChange and/or CBMS. In total, for the 14 beneficiaries, we identified known questioned costs of $81,489 for Fiscal Year 2020, of which $63,828 were paid with federal grant funds. Additionally, for the remaining 151 beneficiaries with an age of 19 years or older based on their date of birth in Colorado interChange, we identified likely questioned costs of $775,470 for payments made on their behalf after they turned 19, of which $611,762 were paid with federal funds for Fiscal Year 2020. Federal regulation [42 CFR 457.320] defines children as up to, but not including, the age of 19. In addition, state regulation [10 CCR 2505-3, 101.1.A.1] states that an individual must be less than 19 years of age to be eligible for CBHP. The CBHP state plan amendment [CO-20-0031] approved by CMS, waives the requirement during the COVID-19 PHE, except for circumstances described in 42 CFR 435.926(d)(1) that states, the Department has to terminate a child?s eligibility during a continuous eligibility period once the child attains the maximum age of 19 years. Department policy further clarifies that beneficiaries enrolled in CBHP must meet age requirements [HCPF PM 20-004]. The following table summarizes the eligibility issues we identified through our data analyses. See Schedule of FIndings and Questioned Costs for chart/table. ELIGIBILITY MONITORING ISSUES CBHP ELIGIBILITY QUALITY REVIEW REPORT. In addition, we identified problems with the Department?s monitoring of local counties and MA sites over CBHP eligibility determinations. Based on our inquiry, we found that the Department did not obtain any quarterly quality review reports from local counties and MA sites during Fiscal Year 2020, or monitor the local counties and MA sites through an alternative process. As a result, the Department did not monitor local counties and MA sites in accordance with federal regulations and Department procedures. Department procedures require local counties and MA sites to compile and submit the results of their own quality reviews of CBHP eligibility case files to the Department on a quarterly basis. In addition, local counties and MA sites that do not submit their quality review reports on a timely basis are subject to corrective action. According to federal regulation [45 CFR 75.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with Green Book, Paragraph 16.01, which states that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. WHY DID THESE PROBLEMS OCCUR? Overall, the Department lacked sufficient internal controls to ensure that it complied with state and federal CBHP eligibility requirements and to ensure that CBHP capitation payments were appropriately paid only on behalf of eligible beneficiaries during Fiscal Year 2020. Specifically, we noted the following causes for the errors we identified: CBHP ANNUAL ENROLLMENT FEE. CBMS was not programmed to calculate and assess the correct enrollment fee or disallow benefits if the enrollment fee was not paid prior to enrollment in the program. In addition, CBMS was not programmed to calculate and assess an enrollment fee when a beneficiary moves between programs, such as from other federal programs to CBHP. According to the Department, CBMS is programmed to only calculate and assess an enrollment fee at a beneficiary?s annual redetermination and does not assess a fee when beneficiaries move to CBHP in between annual redeterminations, as required by state regulations. CASEWORKER ERROR. Caseworkers did not ensure that they maintained the required documentation to support CBHP eligibility, such as citizenship and identity status; or obtained and verified beneficiary income. MONITORING AND REVIEWS. The Department reported that it discontinued its process of obtaining quarterly CBHP monitoring reports from local counties and MA sites during Fiscal Year 2020 because the process is not effective and it is creating a new oversight monitoring process; however, the Department did not implement an interim monitoring process to ensure compliance with federal regulations. SYSTEM INTERFACE ISSUES AND LACK OF RECONCILIATION PROCESS. CBMS failed to interface with Colorado interChange appropriately during Fiscal Year 2020 to update beneficiaries? eligibility information. As a result, some beneficiaries who were deemed ineligible for CBHP in CBMS were listed as eligible in Colorado interChange and capitation payments were made on their behalf during the fiscal year. Furthermore, the Department lacked an effective internal control process for reconciling CBHP beneficiaries? eligibility information in CBMS to the eligibility information in Colorado interChange to ensure the information is consistent in both systems and the beneficiary is appropriately deemed either eligible or ineligible in accordance with federal and state regulations. The Department indicated that it developed a manual reconciliation process in October 2019 to correct the eligibility status of these beneficiaries from eligible to ineligible in Colorado interChange to stop any further payments. This manual reconciliation process, however, did not identify and stop all the overpayments to providers on behalf of ineligible beneficiaries noted in this audit. Additionally, the Department did not recover these overpayments as required by federal and state regulations. WHY DO THESE PROBLEMS MATTER? Inaccurate processing of case file information to determine eligibility can result in the local counties and MA sites granting CBHP benefits to ineligible individuals. Without maintaining the required documentation to support eligibility, the local counties, MA sites, and ultimately the State cannot substantiate that eligibility determinations and redeterminations for CBHP are accurate, which can result in benefits being paid on behalf of ineligible individuals. Making payments to ineligible individuals can result in the Department having to repay the federal government for the federal portion of the overpayments. Additionally, the federal government can disallow federal funds for program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. Because CBMS determines eligibility and Colorado interChange makes payments on behalf of other federal programs, system issues with CBMS and Colorado interChange could result in erroneous payments for other programs.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-050 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-037 RECOVERING AND REFUNDING OF FEDERAL SHARE OF MEDICAID AND CBHP PROVIDERS? OVERPAYMENTS The Department pays providers for services rendered to eligible beneficiaries of Medicaid and CBHP programs. In some cases, the Department may discover that it paid a provider for unallowed services, or that it paid more than the allowable amount, and will need to seek a recovery for the overpayment. In such cases, the Department is required to repay CMS for the portion of the overpayment that was funded by the federal government (federal share) within 1 year of the date the overpayment was identified. The Department?s Program Integrity (PI) Division identifies, receives, and tracks overpayments made to Medicaid and CBHP providers. An overpayment is identified once the PI Division sends a Demand Letter (date of discovery) to the provider or receives a self-disclosure identifying the amount of overpayment. The provider has a deadline of 30 days after receiving a Demand Letter or 60 days after submitting a self-disclosure to submit the overpayment or make arrangements for a payment plan with the PI Division. The PI Division uses a recovery tracking spreadsheet (Spreadsheet) to compile all necessary information for the recovery and refund of overpayments. The Spreadsheet is designed to contain information such as the amount of the overpayment, date of discovery, and deadlines for refunding to CMS. The federal share of overpayments that must be refunded to CMS depends upon the Federal Medical Assistance Percentage (FMAP) at which the Department was reimbursed. Once the PI Division recovers an overpayment from the provider, it determines the FMAP and includes it in a recovery form called the Colorado Authorization Document; PI Division staff then send it to the Controller?s Division for recording the recovery and refund information in the Colorado Operations Resource Engine (CORE), the State?s accounting system. The Department?s Controller?s Division uses summary data from CORE to report financial information for Medicaid and CBHP?including all overpayments and the associated federal share?to CMS in quarterly reports: Form CMS-64 for Medicaid and Form CMS-21 for CBHP. The Department has up to 1 year from the date of discovery of an overpayment to report the refund to CMS in one of these forms, as appropriate. The PI Division works with the Controller?s Division to ensure the timely reporting and refunding of the federal share of overpayments to CMS. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to review the Department?s internal controls over processes for recovering, reporting, and refunding the federal share of Medicaid and CBHP overpayments, as well as to determine whether the Department complied with applicable federal requirements and Department policies and procedures during Fiscal Year 2020. During our audit, we reviewed the Department?s Spreadsheet detailing all overpayment cases that appeared to be due for a refund of federal share to CMS during Fiscal Year 2020. The Spreadsheet included 50 Medicaid and seven CBHP overpayment cases, and from these, we selected and tested a sample of 13 Medicaid and five CBHP overpayments. We requested and reviewed supporting documentation for these overpayments to determine whether (1) the information recorded in the Spreadsheet was accurate, (2) the overpayment was recovered in a timely manner or recovery was attempted within 1 year from the date of discovery, and (3) the federal share was appropriately refunded through quarterly reports to CMS in accordance with federal regulations. Additionally, we requested the Department?s policies and procedures to ensure compliance with federal regulations governing the recovery, reporting, and refunding of Medicaid and CBHP overpayments to CMS. The process followed for recovery, reporting, and refunding the federal share of overpayments to providers is the same for both Medicaid and CBHP, and our testing was used to determine compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal regulations for recovering, reporting, and refunding the federal share of Medicaid and CBHP overpayments to providers during Fiscal Year 2020. We noted issues with the untimely recovery and refund of overpayments to CMS, inaccurate federal reporting to CMS, and untimely follow-up with the provider on outstanding overpayments and expired checks. Specifically, we identified the following: ? UNTIMELY RECOVERY AND REFUND. For six of the 13 Medicaid (46 percent) and two of five CBHP (40 percent) overpayments tested, the Department failed to recover, or seek to recover, the overpayments from the provider and failed to refund to CMS, the federal share, within 1 year of the date of discovery, as required by federal regulations. For example, an overpayment was identified on September 13, 2018, but the Department did not recover, or seek to recover, the overpayment until September 15, 2020, and did not refund the federal share to CMS until federal quarter ending September 30, 2020, which is 367 days past the 1 year recovery and refund period in accordance with the federal requirement. In addition, for one of the 13 Medicaid (8 percent) and one of five CBHP (20 percent) overpayments tested, the Department failed to refund the federal share of overpayment to CMS within 1 year of the date of discovery. As a result of untimely follow-up with the providers, the Department did not recover the overpayments amounting to $23,646 in known questioned costs; and did not refund $12,176 within the 1 year period of discovery. These errors resulted in underreporting of overpayments to CMS for Fiscal Year 2020. Additionally, the Department could be liable to CMS for the interest payments on these untimely refunds of overpayments. As of the end of our audit, the Department had not provided an estimated amount of interest that will be due to CMS so we were unable to report an estimated questioned costs amount for the interest. According to federal regulation [42 CFR 433.312(a)(1) and (2)], the Department has 1 year from the date of discovery of an overpayment to a provider to recover or seek to recover the overpayment before the Federal share must be refunded to CMS. In addition, the Department must refund the Federal share of overpayments at the end of the 1-year period following the date discovery of overpayment, whether or not the State has recovered the overpayment from the provider. According to federal regulation [42 CFR 433.320(a)(4)], if the Department does not refund the Federal share of such overpayment as indicated in the previous paragraph (a)(2), the State will be liable for interest on the amount equal to the Federal share of the non-recovered, non-refunded overpayment amount. Interest during this period will be at the Current Value of Funds Rate, and will accrue beginning on the day after the end of the 1-year period following discovery until the last day of the quarter for which the State submits a CMS-64 report refunding the Federal share of the overpayment. ? INACCURATE FEDERAL REPORTING. For all 13 Medicaid (100 percent) and all five CBHP (100 percent) overpayments we tested, the Controller?s Division reported the federal share of the overpayments made to providers on the wrong line of the CMS quarterly reports rather than on the line specified and required by Uniform Guidance. Uniform Guidance states that the Department must report the refund of the overpayment on CMS-64 for Medicaid on line 9C1- Fraud, Waste and Abuse and/or on CMS-21 for CBHP on line 4-Adjustments Decreasing Claims-Collections. ? EXPIRED CHECK AND UNTIMELY FOLLOW-UP. For one of the 13 Medicaid overpayments tested (8 percent), the PI Division failed to timely process the overpayment recovery check received from the provider. Consequently, the check, which was received on September 5, 2019, expired and the Department did not take any actions to follow up with the provider at any time through the end of the fiscal year to obtain payment. After we brought this issue to the Department?s attention, they followed up on the outstanding payment in January 2021, which is more than 16 months since the check expired. According to the Department?s Policies and Procedures, Recovery Officer Check Processing, Section (V)(A), the PI Division within Audits and Compliance has to process the received check in a timely manner and provide a copy to the accounting or Controller Division. ? INCOMPLETE TRACKING SPREADSHEET. We found that the overpayment recovery and refund tracking Spreadsheet used by the PI Division was incomplete and missing important information such as the date of the discovery, the federal program reimbursement rate, and deadlines for refunding to CMS. Green Book, Section 4, Paragraph OV4.08, states that documentation is required for the effective design, implementation, and operating effectiveness of an entity?s internal control system. WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls, including policies and procedures, in place over the recovery, reporting, and refunding of Medicaid and CBHP overpayments during Fiscal Year 2020 to ensure compliance with federal regulations. Specifically, we noted the following causes for the identified errors: ? LACK OF TRAINING. The staff within the PI Division and the Controller?s Division lacked adequate training to document, communicate, and report details of overpayments to ensure compliance with federal regulations. Specifically, the Department?s PI Division did not timely create and provide the Colorado Authorization Document form to the Controller?s Division and the Controller?s Division did not report the refund of the overpayments within 1 year of the date of discovery to ensure compliance with federal regulations. Additionally, staff lacked training to properly track and report overpayments for Medicaid and CBHP; timely process recovery and refund of overpayments, processing checks timely, and correctly report overpayments on CMS quarterly reports. ? LACK OF POLICIES AND PROCEDURES. The Department lacked written policies and procedures to ensure that all necessary information such as the date of the discovery, the federal program reimbursement rate, and deadlines for refunding to CMS required to track, recover, report, and refund overpayments were documented within the Spreadsheet. ? LACK OF ACCOUNT CODES. According to the Controller Division staff, the correct accounting codes are not set up in CORE; therefore, the recovered overpayments are currently recorded under incorrect accounting codes in CORE. This led to the reporting of overpayments on the incorrect federal reporting lines in CMS quarterly reports. ? LACK OF SUPERVISORY REVIEW. The PI Division and Controller?s Division lacked supervisory review over the Spreadsheet and CORE account codes used on the recoveries to ensure completeness and accuracy of information to support timely recovery, refund, and reporting of overpayments. WHY DO THESE PROBLEMS MATTER? Strong internal controls over refunding and recovery of Medicaid and CBHP overpayments, including written policies and procedures; adequate staff training on those policies and procedures, and any related processes; a proper tracking mechanism; and a supervisory review process are necessary to ensure that Department is in compliance with federal and state regulations. Without a proper tracking mechanism for overpayments, the Department risks failing to timely recover state funds paid improperly, refund overpayments, and accurately report overpayment information to the federal government, potentially resulting in additional liability of interest on overpayments to the federal government. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-037 The Department of Health Care Policy and Financing (Department) should improve its internal controls over Medicaid and Children?s Basic Health Plan (CBHP) overpayments and comply with the related payment and reporting requirements by: A Providing adequate training to staff to ensure timely documentation and communication of recovery information between the Program Integrity Division and the Controller Division related to reporting and refunding of overpayments within 1 year of the date of discovery in accordance with federal regulation. Additionally, the training should focus on proper tracking and reporting of overpayments for Medicaid and CBHP, timely processing of recovery of overpayments, timely check processing, and correct refunding of the federal share of these overpayments on Centers for Medicare and Medicaid Services (CMS) quarterly reports. B Developing and implementing written policies and procedures to ensure that all necessary information required to correctly track Medicaid and CBHP overpayments is included on the tracking spreadsheet and recovered overpayments are refunded and reported to CMS within the 1 year of the discovery date, in accordance with federal regulations. C Creating overpayment account codes to report recovered overpayments accurately in the Colorado Operations Resource Engine (CORE) and subsequently under the correct federal reporting lines in CMS quarterly reports. D Implementing a supervisory review over the tracking spreadsheet and CORE overpayment recovery account codes to ensure completeness and accuracy of information to support timely recovery and reporting of overpayments by the divisions. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will develop and provide training to staff that covers the federal regulations surrounding reporting overpayments and returning the federal share, required information for tracking overpayments, processes for processing recovered funds in a timely manner, and processes for properly refunding the federal share on the CMS-64 and/or CMS-21. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will draft and revise existing policies and procedures to ensure proper tracking of recovered overpayments, timely processing of those payments, and correct reporting on the CMS-64 and/or CMS-21. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will implement procedures and coding sufficient to allow proper reporting of overpayments returned greater than one year from the date of discovery for the CMS quarterly reports. D AGREE. IMPLEMENTATION DATE: JULY 2022. The Program Integrity Division and Controller Division will develop and revise supervisory review processes for ensuring that the tracking spreadsheet is complete and accurate and that the CORE account codes are correctly reported.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2020-051 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-038 PRESUMPTIVE ELIGIBILITY Colorado?s presumptive eligibility program is designed to give immediate, temporary medical coverage to children under 19 and pregnant women while they wait for a regular Medicaid or CBHP eligibility determination. Though there are fewer eligibility requirements for presumptive eligibility in comparison with regular Medicaid or CBHP coverage, beneficiaries must submit a Medical Assistance application (Application) and meet certain criteria to be eligible. To manage the application process and help ensure that only people meeting the basic eligibility criteria are enrolled in presumptive eligibility programs for children and pregnant women, the Department partners with clinics, health care centers, and community resource centers that are certified as presumptive eligibility sites (PE sites). Such PE sites must be re-certified by the Department every 2 years to maintain their active status as qualified PE sites in order to process presumptive eligibility. As part of the re-certification process, the Department conducts a sample of eligibility case reviews. During Fiscal Year 2020, there were 57 PE sites that together determined presumptive eligibility for 1,795 Medicaid cases and 875 CBHP cases. The process of enrolling an applicant into a presumptive eligibility program begins when a caseworker at a PE site collects minimum information needed to determine presumptive eligibility, including the applicant?s name, age, residency, citizenship, and income. The caseworker enters this information into CBMS, which determines whether the applicant is eligible to receive Medicaid or CBHP temporary benefits. If the applicant is deemed presumptively eligible, then CBMS feeds relevant data to Colorado interChange, which issues payments to CBHP and Medicaid providers on behalf of these beneficiaries. If the applicant?s reported information is not in compliance with state and federal requirements, CBMS is programmed to deny the eligibility and mark the applicant?s eligibility as fail within CBMS. As a result, the applicant would not be eligible to receive any payments on their behalf through Colorado interChange. Once an applicant?s presumptive eligibility has been determined, the PE site submits the Application along with a transmittal form detailing the beneficiary?s reported information to the appropriate local county or designated MA site, which then completes the application process to determine regular (i.e., not presumptive) eligibility for Medicaid or CBHP benefits. Once the applicant is enrolled in the regular Medicaid or CBHP program, the individual?s presumptive eligibility benefits should end. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of our audit work was to review the Department?s internal controls over the processing of presumptive eligibility for Medicaid and CBHP programs, as well as to determine whether the Department complied with the applicable federal and state requirements for Fiscal Year 2020. During our internal controls testing, we reviewed all 57 PE sites to determine whether they were due for re-certification and were appropriately re-certified to process presumptive eligibility by the Department during the fiscal year. Out of 57 PE sites, 39 were due for re-certification during Fiscal Year 2020. We also reviewed the Department?s case reviews of the presumptive eligibility determinations processed by 13 staff at five out of the 39 PE sites due for re-certification during Fiscal Year 2020 to determine whether reviews were performed and if the appropriate training was provided for those PE sites? staff that failed the Department?s review. The PE site?s staff fails the Department?s case reviews if the Department identifies a high amount of presumptive eligibility determination errors in accordance with federal and state requirements. If the PE site?s staff fails the review, the Department requires the staff to undergo customized Department training over the areas they failed within 6 months of the review. We also made inquiries with Department staff regarding their policies and procedures over monitoring of these PE sites and reviewed the Department?s process of case file reviews. In addition, we randomly selected a sample of 20 Medicaid and 20 CBHP cases for individuals who were deemed presumptively eligible by the Department during Fiscal Year 2020 to determine whether the Department complied with federal Medicaid and CBHP presumptive eligibility requirements. Our testing included reviewing the related supporting case file documentation, as well as the CBMS data fields related to presumptive eligibility determinations and payment information in Colorado interChange. The process followed for presumptive eligibility determination is the same for both Medicaid and CBHP, and therefore our testing was used to determine compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal and state regulations regarding Medicaid and CBHP presumptive eligibility requirements during Fiscal Year 2020. We noted issues regarding the Department?s timeliness of PE sites? re-certifications, failure to timely end beneficiaries? presumptive eligibility, a lack of review of PE sites, and missing documentation. Additionally, we found CBMS system issues related to the determination of applicant?s presumptive eligibility. Specifically, we identified the following: ? UNTIMELY END OF PRESUMPTIVE ELIGIBILITY. In eight out of 20 Medicaid (40 percent) and seven out of 20 CBHP (35 percent) cases, we found that the Department did not properly end presumptive eligibility within CBMS as required by the federal regulation. For example, in one CBHP case, the beneficiary?s presumptive eligibility did not end until 57 days after the beneficiary was determined to be eligible for regular CBHP benefits. Federal regulation [42 CFR 435.1101)] states that presumptive eligibility should end the day on which a decision is made on the application for Medical Assistance or the last day of the month following the month in which the determination of presumptive eligibility was made. ? LAPSED CERTIFICATIONS OF PE SITES. We found that five of the 57 PE sites (9 percent) were not re-certified within 2 years, as required, during Fiscal Year 2020, and therefore, were not qualified to make presumptive eligibility determinations after their re-certification due date had passed. Based on inquiry with the Department, these five PE sites processed a total of 314 presumptive eligibility determinations for Medicaid and CBHP after their re-certification due date during Fiscal Year 2020. The Department was unable to provide the total payments made on behalf of these beneficiaries during the presumptive eligibility period as of June 30, 2020, since these payments are not separately identified from regular Medicaid or CBHP payments in the system. As a result, we were unable to determine the amount of questioned costs the Department paid for these individuals during Fiscal Year 2020. State regulation [10 CCR 2505-10, 8.100.4.F (3)] requires the Department to re-certify the PE sites every 2 years to remain an approved site. ? LACK OF REVIEW OF PE SITES. We found several issues with the Department?s review of PE sites. Specifically we found the following: ? For 13 out of the 39 PE sites due for re-certification and a review (33 percent), the Department did not perform any case reviews to ensure that presumptive eligibility determinations were being made appropriately and in accordance with state and federal regulations by the PE site staff during Fiscal Year 2020. ? 11 of 13 staff at three PE sites (85 percent) failed the Department?s review of presumptive eligibility determinations during the fiscal year. However, the Department was unable to provide adequate evidence that it provided training to these staff within 6 months of their failed reviews, as required by Department processes. ? Currently, for all 57 PE sites, the Department conducts reviews every 2 years, but only requires them to retain eligibility documentation for 1 year. As a result, the Department is able to monitor PE site?s eligibility determinations for only half of the period since the last review, leaving the other half unmonitored. Federal regulation (42 CFR 435.1102(b)(3)) requires the Department to ?establish oversight mechanisms to ensure that presumptive eligibility determinations are being made consistent with the statute and regulations?. According to the Department processes, staff are to review a sample of presumptive eligibility cases at PE site every 2 years when reviewing sites for re-certification. If a PE site?s staff fails a review, the Department requires the staff to undergo customized Department training within 6 months over the areas they failed. Green Book, Section 2, Paragraph OV2.02, states that the Green Book applies to all of an entity?s objectives: operations, reporting, and compliance. Additionally, Green Book, Paragraph 16.01, indicates that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports and observing operations. ? MISSING DOCUMENTATION. In five of the 20 CBHP cases (25 percent) and five of the 20 Medicaid cases (25 percent) we tested, the Department was unable to provide evidence that the PE sites notified the counties or MA sites within five business days that the applicants were presumptively eligible. Federal regulation [42 CFR 435.1102(b)(2)(iii)] states that the presumptive eligibility sites are required to notify the local county or MA site within 5 business days that the client is presumptively eligible. ? SYSTEM DISPLAY ISSUE. In two of 20 CBHP cases (10 percent) and two of 20 Medicaid cases (10 percent), CBMS did not display the presumptive eligibility termination dates consistently between various screens. For example, in a Medicaid case, one screen showed a presumptive eligibility termination date of January 22, 2020, and the other screen showed a presumptive eligibility termination date of February 29, 2020. This system display issue did not affect the beneficiaries? presumptive eligibility and therefore there were no questioned costs. CBMS is designed to display case and applicant information consistently between various screens within the system. WHY DID THESE PROBLEMS OCCUR? The Department lacked sufficient internal controls to ensure that it complied with state and federal presumptive eligibility requirements during Fiscal Year 2020. Specifically, we noted the following causes for the errors we identified: ? LACK OF POLICIES AND PROCEDURES. The Department did not have written policies and procedures detailing the requirements for completion of site reviews, maintenance of supporting documentation, and the performance of timely re-certification of PE sites. ? LACK OF MONITORING. The Department lacked an effective tracking mechanism to monitor and identify PE sites that were due for re-certification every 2 years and to ensure presumptive eligibility determinations were in compliance with state and federal regulations. ? CBMS SYSTEM ISSUES. CBMS was not programmed to appropriately terminate presumptive eligibility when the beneficiary is enrolled in the regular Medicaid or CBHP program. In addition, CBMS has a system display issue that results in inconsistent applicant information being shown on various screens. WHY DO THESE PROBLEMS MATTER? As the State?s Medical Assistance agency, it is essential for the Department to ensure that PE sites? eligibility determinations are made appropriately and in accordance with state and federal regulations. This includes ensuring benefits are paid only on behalf of eligible beneficiaries. Since CBMS determines eligibility for Medicaid and CBHP, the CBMS system issues we identified could result in erroneous eligibility determinations. The federal government can disallow federal funds for program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. By not ensuring that appropriate internal controls, including system controls, written policies and procedures, adequate reviews, and monitoring, are in place over the Medicaid and CBHP presumptive eligibility process, the Department cannot ensure that all Medicaid and CBHP beneficiaries are eligible to participate in the programs. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-038 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls over presumptive eligibility by: A Developing and implementing written policies and procedures detailing the requirements for completion of site reviews, maintenance of supporting documentation, timely training for failed presumptive eligibility (PE) site staff, and performance of timely re-certification of PE sites. B Developing an effective tracking mechanism to identify and monitor PE sites that are due for re-certification every 2 years and ensuring the re-certifications are performed. C Resolving Colorado Benefits Management Systems (CBMS) programming and system issues to appropriately terminate applicants? presumptive eligibility when the beneficiaries are enrolled in regular Medicaid or Children?s Basic Health Plan program and ensuring CBMS displays consistent applicant information between various screens. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department agrees with the audit recommendation to develop and implement formal written policies and procedures. Prior to this audit, the Department began creating formal written policies and procedures for site case reviews, maintenance of supporting documentation, timely training for failed workers, and performance of timely re-certification of presumptive eligibility sites (PE site). This finding had no known questionable cost associated with it. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Department agrees with the audit recommendation to develop an effective tracking mechanism to identify and monitor PE sites that are due for re-certification every two years and ensuring that the re-certifications are performed. Prior to this audit, the Department began developing a tracking mechanism for PE site re-certifications. This finding had no known questionable cost associated with it. C AGREE. IMPLEMENTATION DATE: IMPLEMENTED. Implemented as of April 2021. The Department has thoroughly researched the eligibility issues identified in this audit and made the changes to CBMS to ensure that applicants? presumptive eligibility has been appropriately terminated when the beneficiaries are enrolled in regular Medicaid or CBHP program, and that CBMS displays consistent applicant information between various screens. These issues were fixed through two system changes implemented in March 2020 and April 2021. This finding had no known questionable cost associated with it. AUDITOR?S ADDENDUM for Parts A, B, and C As noted in the finding, we found five PE Sites that were not re-certified within the required 2 years and therefore, were not qualified to make presumptive eligibility determinations after their re-certification due date had passed. State regulation [10 CCR 2505-10, 8.100.4.F] requires the Department to re-certify the presumptive eligibility sites every 2 years to remain an approved site. The five PE sites processed a total of 314 presumptive eligibility determinations after their re-certification due date and before the Department re-certified the sites. The Department was unable to provide the total payments made on behalf of these 314 beneficiaries? prior to being enrolled in the regular Medicaid or CBHP program as of June 30, 2020. Therefore, we were unable to determine the amount of questioned costs the Department paid for these individuals during Fiscal Year 2020.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-043 Managed Care Entities? Periodic Audit Reporting On November 9, 2020, CMS adopted a final rule (Final Rule) revising the regulations governing managed care programs. The Final Rule was meant to streamline the existing Medicaid and CBHP managed care regulatory framework. Further, it adopted procedures and standards to ensure accountability and strengthen program integrity safeguards. The Department is responsible for complying with these federal program integrity regulations, some of which include requirements to monitor MCE compliance submission requirements, conduct periodic audits of submitted MCE data, and then post the periodic audits publicly on the Department?s website. These periodic audits are done to determine the accuracy and completeness of the (1) encounter and, (2) financial data submitted by each MCE, which are described as follows: ? Encounter Data. The Department?s contracts with the MCEs require each MCE to submit Medical Encounter Claims (Encounter Data) to the Department. Encounter Data includes services provided by any of the MCE?s providers, including, but not limited to, services delivered by medical groups, practices, clinics, physicians, or any other providers. MCEs must submit Encounter Data on a monthly basis on the last business day of the month. The Department then contracts with an independent external quality review organization to review the information and supporting documentation, and then the external organization issues a report on the data submitted by each MCE. ? Financial Data. The Department?s contracts with the MCEs require each MCE to complete a Department-provided financial reporting template that contains a breakdown of the MCE?s administrative and medical costs for a 12-month period (July through June). These templates are required to be completed and submitted to the Department by January 15 each year. The Department performs an initial review of the information, and then sends the completed templates to an independent CPA firm for final review and issuance of a report on the data submitted by each MCE. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to review the Department?s internal controls over and compliance with federal program integrity requirements for MCEs during Fiscal Year 2021. The audit work included making inquiries of Department staff regarding the Department?s documented policies and procedures over the MCE periodic audits. For each MCE, we reviewed the Department?s MCE contract, the financial reporting template submitted during Fiscal Year 2021, and the report issued by the Department?s contracted independent organization. Lastly, we reviewed the Department?s website to determine whether the Department posted the periodic audit results on their website. How were the results of the audit work measured? Federal regulations [42 CFR 438.602] detail the Department?s responsibilities associated with MCE program integrity. These include the following: ? Federal regulation [42 CFR 602(e)] requires the Department to periodically conduct, or contract for the conduct of, an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by each MCE. ? Federal regulation [42 CFR 438.602(g)(4)] requires that the results of the periodic audits for each MCE be publicly posted on the Department?s website. The Department?s MCE contracts require all MCEs to submit Encounter Data electronically to the Department on a monthly basis. The Department?s MCE contracts also require all MCEs to submit annual financial information, including annual financial statements and the Department provided financial reporting template. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards that provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in the Green Book. Under Paragraph 16.01, the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. What problems did the audit work identify? Overall, we found that the Department did not obtain complete financial data from the MCEs during Fiscal Year 2021 and did not post the audited results of the financial data to the Department?s website. Specifically, we found the following: ? Financial Data Reporting Template. For 2 out of the 10 (20 percent) financial reporting templates we reviewed, the MCE did not fill out the reporting template completely. As a result, the reporting templates were missing supporting information and explanations that assist the Department in their initial review of the MCE financial data, such as the MCE?s methodology for calculating administrative and medical costs submitted with the reporting template. ? Posting Incomplete Periodic Audits to the Department?s Website. For 10 of the 10 (100 percent) MCEs, we found that the Department failed to post the results of the financial data audits to its website. Pursuant to federal regulations, the audits must include information on encounter and financial data for each MCE and be posted to the Department?s website. We were able to verify that the Department did, however, post the results of the encounter audits to its website for all 10 MCEs. Why did these problems occur? The Department lacked adequate controls over ensuring compliance with federal program integrity requirements for MCEs. Specifically, the Department did not have written policies and procedures for performing the initial review of the financial data reporting templates before they are sent to the CPA firm for final review. In addition, the Department did not have written policies and procedures for ensuring all periodic audit information is posted to its website, including the results of the financial data audits. Why do these problems matter? As a recipient of federal funds, the Department is ultimately responsible for ensuring that it is in compliance with federal regulations. By not confirming that the MCE financial data templates are complete, there is a risk that the reports issued by the contracted CPA firm could be inaccurate or incomplete, which could lead to the Department not properly monitoring the managed care program. In addition, by posting incomplete periodic audit information to its website, the Department risks failing to comply with federal program integrity requirements for MCEs. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-043 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls by developing and implementing written policies and procedures for periodic audits that detail the process for (1) performing the initial review of the financial data reporting templates submitted by Managed Care Entities, and (2) posting complete periodic audit results on the Department?s website in accordance with federal regulations. Response Department of Health Care Policy and Financing Agree Implementation Date: December 2022 The Department did not have strong enough controls for the initial checks on the financial data reporting templates. This process has been updated and will be rectified in coming cycles. The Department has modified its templates in order to address the concerns provided by the auditors including signatures and supplemental reporting. Written policies and procedures for the validation and audit of the templates are being developed currently and will be in place and effective in December 2022. The Department will be correcting this error by posting the audit results along with other quality and audit reports on the following site: https://hcpf.colorado.gov/quality-and-health-improvement-reports.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-054 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-041 MEDICAID ELIGIBILITY?MISSING SOCIAL SECURITY NUMBERS A beneficiary?s application includes information such as a Social Security Number (SSN), birth certificate, and supporting documentation for income. Local counties and MA sites are responsible for administering the benefits application process, entering the required data for eligibility determination into CBMS, and approving or denying applicants? eligibility. For example, Medicaid caseworkers enter and document each applicant?s SSN into CBMS. Caseworkers determine participants? eligibility to receive Medicaid benefits through CBMS. The CBMS eligibility data, including SSNs, feeds into Colorado interChange, which pays providers for the services they render to Medicaid beneficiaries. If there is a change to an SSN, including removing an SSN in CBMS, this change should feed directly into Colorado interChange. Additionally, children in foster care are automatically eligible for Medicaid; the TRAILS system that supports the foster care program at the Department of Human Services also interfaces with Colorado interChange on a daily basis to update foster care beneficiaries? eligibility information and pay providers for the services rendered. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls that were in place over the Medicaid eligibility process during Fiscal Year 2019, and to determine whether the Department complied with federal and state Medicaid requirements during this timeframe. During our audit, we requested a list of all Medicaid claims for medical services that were submitted and paid through Colorado interChange from July 1, 2018, through March 31, 2019. This list included claims made on behalf of approximately 1.1 million beneficiaries. We analyzed the data to identify any Medicaid claims payments made during July 1, 2018, through March 31, 2019, on behalf of beneficiaries who did not have an SSN in Colorado interChange on the date of the claims payment, and found a total of 524,092 claims paid on behalf of 46,772 beneficiaries. From this listing, we excluded any of the claims payments made on behalf of a beneficiary who was exempted from providing an SSN under federal and state regulations. For example, we removed claims payments for beneficiaries who were under the age of 1; beneficiaries who were in foster care and, therefore, were automatically deemed eligible for Medicaid; beneficiaries who had applied to the Social Security Administration for an SSN at the time of the payment; beneficiaries who received medical care as an emergency service; and beneficiaries who had chosen to opt out of providing an SSN due to allowed religious reasons. After we removed these exempted beneficiaries from the population, the list included 2,870 beneficiaries that appeared to be missing an SSN in Colorado interChange and who had Medicaid claims payments made on their behalf from July 1, 2018, through March 31, 2019. We then reviewed these remaining beneficiaries, and the related separate payments made on their behalf during this time period, to determine whether these beneficiaries had an SSN in Colorado interChange at the time of the claims payments and whether the individuals were eligible for Medicaid benefits in accordance with federal regulations and Department procedures. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? SSN REQUIREMENTS. Federal regulations [42 CFR 435.910 and 42 CFR 435.117(b)] state that the Department must require an SSN for each individual requesting Medicaid benefits, with the exception of newborns under the age of 1, or ?Eligible Needy Newborns,? and individuals who refuse ?to obtain an SSN because of well-established religious objections.? Federal regulation [42 CFR 435.145(b)(2)] states that the Department must provide Medicaid benefits to individuals who are in the foster care program. Section 472 of the Social Security Act does not require a child to provide an SSN in order to be eligible for the foster care program. State regulations [10 CCR 2505-10 8.100.3.I.1, 8.100.4.B.1.a, and 8.100.4.G.7.a] also require that every individual who applies for and receives Medicaid benefits must provide an SSN, or an application for an SSN, with their application for Medicaid. The regulation specifically states: An applicant?s or client?s refusal to furnish or apply for a Social Security Number affects the family?s eligibility for assistance as follows: i) that person cannot be determined eligible for the Medical Assistance Program; and/or ii) if the person with no SSN or proof of application for SSN is the only dependent child on whose behalf assistance is requested or received, assistance shall be denied or terminated. The regulation also states that newborns under the age of 1 and ?members of religious groups whose faith will not permit them to obtain Social Security Numbers shall be exempt from providing a Social Security Number.? Eligibility data, including SSNs, is required to be collected and entered into CBMS at the time of application or upon another event, such as the beneficiary turning 1 year old. Because this information is maintained within CBMS, and CBMS feeds eligibility information into Colorado interChange, eligible beneficiaries should have an SSN in Colorado interChange. MONITORING. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in the Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). Green Book Paragraph 16.01, Perform Monitoring Activities, states the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. TRAINING. Department training procedures indicate that when a local county or MA site caseworker needs to update an SSN in CBMS, he or she must call the Office of Information Technology (OIT) Service Desk within the Office of the Governor, for approval of the change. According to Department staff, once the OIT Service Desk reviews and approves the change, the information will be updated within CBMS; if the OIT Service Desk does not approve the change to the SSN, then the updated information will be rejected within CBMS. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We identified 2,870 beneficiaries who were required to have an SSN but did not have an SSN documented in Colorado interChange and had Medicaid claims paid on their behalf sometime between July 1, 2018, and March 31, 2019. In total, Colorado interChange paid approximately $4,540,920 in Medicaid claims for these beneficiaries during the time period noted. In August 2019, we informed the Department of the issues we identified and Department staff performed additional follow-up based on our findings, which included analyzing information contained in CBMS compared to our results from Colorado interchange; the Department confirmed in January 2020, the Department confirmed that 1,590 of these beneficiaries had never had an SSN recorded in CBMS since they were first found eligible for Medicaid benefits, and therefore, would never have had an SSN in Colorado interChange. Because these individuals were required by federal and state regulations to provide an SSN at the time of application or upon another event, as applicable, the lack of documented SSNs in both CBMS and Colorado interChange indicated that these individuals appeared to be ineligible for the Medicaid claims payments that were made on their behalf during the fiscal year. The Department indicated that the remaining 1,280 beneficiaries without an SSN in Colorado interChange did not have an SSN in CBMS at the time of the claim but had an SSN ?at some point? during Fiscal Year 2019 or prior within CBMS. Since the individuals lacked an SSN within Colorado interChange at the time of the Fiscal Year 2019 claims payments, and based on the documentation provided by the Department, we were unable to determine whether the individuals had submitted an SSN at the time of application or upon another event as required and, therefore, whether they were eligible for the Medicaid services they received. Overall, for the 1,590 beneficiaries noted, we identified known questioned costs of $2,285,757 for the period of July 1, 2018, through March 31, 2019; $1,142,879 of these costs were paid with federal grant funds. For the 1,280 beneficiaries noted, we identified likely questioned costs of $2,255,163 for the period of July 1, 2018, through March 31, 2019. We further analyzed 49 of the 1,590 beneficiaries noted above to identify reasons for missing SSNs and found that: ? Beneficiaries in CBMS were not eligible; however, they were marked as ?eligible? within Colorado interChange. ? Beneficiaries were incorrectly enrolled in the Eligible Needy Newborn Program even though they were all over the age of 1; as a result, although the Department had not required them to provide an SSN, they continued to receive benefits during July 1, 2018, through March 31, 2019. ? Beneficiaries were exempted from obtaining an SSN for unallowable reasons including ?incomplete documents? and ?illness? categories, and CBMS processed their eligibility and Colorado interChange made payments on their behalf; however, neither federal nor state regulations allow such exemptions. The Department has indicated that they are performing additional research on the issues regarding the 1,280 beneficiaries that had an SSN ?at some point? during Fiscal Year 2019 or prior within CBMS. WHY DID THESE PROBLEMS OCCUR? For 1,280 beneficiaries identified who were missing an SSN in Colorado interChange and CBMS at the time of the claim, but had an SSN ?at some point? within CBMS during Fiscal Year 2019 or prior, the Department provided the following possible explanation: The SSN was removed due to caseworkers failing to contact the OIT Service Desk for proper approval for changes to SSN information in CBMS. Other problems with missing SSNs were related to: ? CBMS ISSUES. CBMS was not programmed to appropriately deny an applicant?s eligibility for Medicaid when the individual did not have an SSN in CBMS and did not have an allowed exception noted in CBMS. Rather, CBMS allowed the SSN field to be left blank, regardless of the reason noted for the missing SSN and whether the reason was allowed as an exemption by federal and state regulations. In addition, the SSN in CBMS could be deleted at any time by the caseworker or the OIT Service Desk and CBMS was not programmed to alert the caseworker to follow up if an SSN had been deleted from the file. ? SYSTEM INTERFACE ISSUES AND LACK OF A RECONCILIATION PROCESS. CBMS was not interfacing with Colorado interChange appropriately to update beneficiaries? eligibility information. Some beneficiaries who were deemed ?ineligible? for Medicaid in CBMS were listed as ?eligible? in Colorado interChange and payments were made on their behalf during the fiscal year. Furthermore, the Department lacked an effective internal control process for reconciling Medicaid beneficiaries? eligibility information in CBMS to the eligibility information in Colorado interChange to ensure that the information was consistent in both systems, and that the beneficiary was appropriately deemed either ?eligible? or ?ineligible? in accordance with federal and state regulations. ? LACK OF EFFECTIVE REVIEWS, TRAINING, AND MONITORING. The Department was not effectively monitoring and training Medicaid local county and MA site caseworkers on required approvals for any changes to beneficiaries? SSNs. Further, the Department did not have an effective review process to ensure that beneficiaries were enrolled in the correct Medicaid program. WHY DO THESE PROBLEMS MATTER? As the state Medicaid agency, it is essential for the Department to ensure that Medicaid eligibility determinations are made appropriately and in accordance with state and federal regulations. This includes ensuring accurate processing of information used to determine Medicaid eligibility results in Medicaid benefits being provided to and paid on behalf of only eligible individuals. Since CBMS and Colorado interChange determine eligibility and issue payments on behalf of other federal programs, such as the CBHP, these issues could result in erroneous eligibility determinations or payments for other programs. Ultimately, the federal government may disallow federal funds for Medicaid program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2019-043 The Department of Health Care Policy and Financing should improve its internal controls over Medicaid eligibility by: A Researching and, if feasible, instituting a mechanism for identifying Medicaid cases in the Colorado Benefits Management System (CBMS) that lack a Social Security Number. B Researching and resolving CBMS and Colorado interChange interface issues to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries and establishing an effective reconciliation process between CBMS and Colorado interChange to ensure that Medicaid beneficiaries? eligibility information is consistent in both systems. C Effectively training and monitoring local counties and Medical Assistance sites to ensure that caseworkers are obtaining and documenting the Office of Information Technology Service Desk?s approval for changes to beneficiaries? Social Security Numbers, and that beneficiaries are enrolled in the correct Medicaid program. D Researching the cases identified in our audit to determine whether these beneficiaries were eligible and that the payments made on their behalf were appropriate, in accordance with federal and state regulations. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The CBMS currently has functionality in place for members requesting Medical Assistance that they must supply a Social Security Number (SSN) unless they meet certain acceptable exceptions at initial application. Since CBMS is a shared system between the Department and the Department of Human Services and any change would impact all cases in CBMS, the Department cannot guarantee that a system change can be implemented. The Department can agrees to research on the feasibility of instituting a mechanism for identifying Medicaid cases in CBMS that lack a social security number and, if feasible, implement a CBMS change by July 2022. B AGREE. IMPLEMENTATION DATE: JULY 2021. The Department agrees to research and resolve Colorado Benefits Management System (CBMS), and Colorado interChange system interface issues identified in the audit. The Department implemented a system change in June of 2018 that allows retroactive changes in eligibility to be correctly synced between the systems. The majority of the impacted cases are historical cases that will be manually corrected by June 2020. Additional cases involve detailed research, review, and potential outreach to case workers to correct the case file or verify the eligibility status of the impacted members. The Department will take the appropriate actions to notify impacted members if necessary. The Department's implementation date reflects that the Department will be in compliance with the Recommendation for the entirety of FY 2021-22. C AGREE. IMPLEMENTATION DATE: JULY 2021. The Department provides training to counties and Medical Assistance sites that beneficiaries applying for Medical Assistance must supply a Social Security Number (SSN) or supply verification that they have applied for an SSN, unless they meet certain acceptable exceptions. This information has been communicated to the counties since 2004 and is part of our ongoing training materials. The Department cannot agree to establish any additional review process at this time. The Department can agree to work with counties and Medical Assistance sites to identify any additional training related to missing SSN and implement additional training by July 2021. D DISAGREE. The Department disagrees with the Total Known Questioned Costs of $2,285,757 identified in the audit report since Department cannot verify the results. The Department is still attempting to reconcile various reports to understand the finding identified through this audit. CBMS currently has functionality in place for members requesting Medical Assistance that they must supply a Social Security Number (SSN), unless they meet certain acceptable exceptions at initial application. The Department does not have the resources to research the thousands of cases that the auditor identified through data mining techniques, a new methodology for the first time this year. If the auditor is changing methodologies, the Department requires additional resources and timely notice to request resources through the budget process. AUDITOR?S ADDENDUM: The beneficiaries identified through our testing were required by Medicaid regulations to provide an SSN at the time of application or upon another event, as applicable, and the SSN is documented in CBMS and uploaded to Colorado interChange [State regulations 10 CCR 2505-10, 8.100.3.I.1 and 8.100.4.B.1.a and 8.100.4.G.7.a]. Because the noted beneficiaries lacked an SSN within Colorado interChange at the time claims payments were made on their behalf, we questioned the beneficiaries? eligibility. The Department is responsible for ensuring that only individuals who are appropriately deemed eligible for Medicaid receive benefits. Therefore, it is the Department?s responsibility to identify and remove ineligible individuals from the Medicaid program and to prevent the inappropriate payment of claims on their behalf. In addition, generally accepted government auditing standards (GAGAS) (paragraph 3.18), require that ?In all matters relating to the GAGAS engagement, auditors and audit organizations must be independent from an audited entity.? Additionally, paragraph 3.42 states that ?Examples of circumstances that create undue influence threats for an auditor?include (b) [e]xternal interference with the selection or application of engagement procedures or in the selection of transactions to be examined.? Therefore, it is imperative that our decisions related to audit approaches and testing methods be made without department influence or persuasion.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-056 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-044 PROVIDER ELIGIBILITY Medicaid and CBHP cover a variety of medical and related services, which are provided by provider types such as clinics and hospitals, managed care organizations such as health plans or independent physicians, as well as individual medical providers working within these entities or individually. As of June 30, 2019, the Department had enrolled approximately 71,000 entities and individuals for providing services under Medicaid and CBHP. The Department is ultimately responsible for determining if providers are eligible to participate in Medicaid and CBHP. However, the Department has contracted with a fiscal agent, currently DXC Technology Services, LLC (DXC), to act on its behalf in determining Medicaid and CBHP provider eligibility. A fiscal agent is a contractor that performs certain provider enrollment and claims processing activities, including accepting, processing, evaluating, and approving or rejecting applications. The fiscal agent also assesses the providers into one of three risk categories?limited, moderate, and high?to ensure that appropriate federal and state regulations are applied during the provider enrollment process. Providers that want to enroll must complete an application within Colorado interChange and provide documentation, including a current business and/or medical license, showing that they fulfill all enrollment requirements. Once the enrollment process is complete, the Department enters into agreements with the providers that are found to be eligible. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over Medicaid and CBHP provider eligibility and enrollment processing, and to determine whether the Department complied with federal Medicaid and CBHP provider eligibility requirements during Fiscal Year 2019. Additionally, the purpose of our work was to determine the Department?s progress in implementing our Fiscal Year 2017 and 2018 recommendations related to provider eligibility and enrollment. At that time, we recommended that the Department improve its controls over Medicaid and CBHP provider eligibility determination and enrollment to ensure that it complies with federal and state requirements related to data verification, documentation including current provider licenses, monitoring policies and procedures, appropriate indication of results of database matches, and consistent display of provider information within Colorado interChange. The Department agreed with our recommendations and stated that it would implement them by Fiscal Year 2019. We reviewed a sample of 25 Medicaid provider applications for individual, company, and managed care providers that were deemed eligible and received payments during Fiscal Year 2019 through Colorado interChange for services provided. We obtained and reviewed the provider application information entered into Colorado interChange, as well as the supporting documentation uploaded into Colorado interChange by providers, to determine whether these providers were accurately deemed eligible to receive Medicaid payments and whether the required documents were present in accordance with federal and state regulations. In addition, we conducted interviews with Department staff regarding its procedures over Medicaid provider eligibility and enrollment. We also obtained a detailed Suspension Listing from the Department of Regulatory Agencies, which contained health care provider business and medical licenses that were terminated during Fiscal Year 2019. We compared the Suspension Listing with provider information in Colorado interChange to determine if the Department made inappropriate claims payments to unlicensed providers during the fiscal year. Because CBHP is operated through Medicaid, and the processes followed for provider eligibility and enrollment for CBHP providers are the same as the processes for Medicaid providers, our testing looked at compliance for both programs. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY AND HOW WERE THE RESULTS MEASURED? We found that the Department did not fully comply with federal and state Medicaid regulations for provider eligibility during Fiscal Year 2019. Specifically, although we did not identify enrollment issues with the Department?s processing of providers who were newly enrolled during Fiscal Year 2019, we found at least one issue related to ongoing eligibility with all 25 sampled providers we tested: ? DATABASE MATCHES AND DISPLAY OF PROVIDER INFORMATION. We identified the following database match functionality issues with 24 of 25 providers (96 percent) tested: ? For 23 of 25 providers (92 percent) that included individual, company, and managed care providers, Colorado interChange showed that the provider?s owners, agents, and managing employees? SSNs were not verified against federal databases, as required. Specifically, the SSN check box within Colorado interChange indicated ?N,? meaning ?No verification was performed with the database.? Additionally, for one of 25 providers (4 percent) that was a managed care organization, the organization was enrolled in Colorado interChange in April 2019 and showed that the SSNs had been verified, but SSNs for two individuals who worked under this provider that were listed on the application were shown as ?N? within the system. ? For eight of 25 providers (32 percent) that included companies, Colorado interChange showed that the providers? Federal Employee Identification Numbers (FEIN) were not verified against federal and state databases, as required. Specifically, the FEIN check box within Colorado interChange indicated ?N.? ? For 13 of 25 providers (52 percent), Colorado interChange did not present the data of owners, agents, and managing employees information consistently between various screens within Colorado interChange. For example, when a provider noted owners, agents, or managing employees on its application, that information was not reflected in Colorado interChange outside of the application screen even though there is a section in Colorado interChange that should list the owners? information. According to federal regulation [42 CFR 455.436] and requirements established by the ACA [Patient Protection and Affordable Care Act (2010), Section 6401(a)], the Department must check federal databases to confirm providers? identity and determine whether providers are excluded from participating in the Medicaid program; this verification must also occur, if applicable, against providers? owners, agents, and managing employees. For example, the Department must check the federal exclusion databases at least monthly to ensure that the providers, owners, agents, and managing employees are not excluded from participating in the Medicaid program. Colorado interChange is designed to display provider application information consistently between various screens within the system, such as name, SSN, FEIN, and/or National Provider Identification number (NPI), with various federal and/or state databases to identify potential errors and to flag the application for a required caseworker manual review. According to Department staff, when Colorado interChange successfully verifies provider-provided information against another state or federal database, Colorado interChange should separately mark each verified data field on the application to note the successful match. Conversely, if Colorado interChange does not match a given field against a database, it should also be identified in the system. As a result of these issues, we were unable to determine if Colorado interChange performed the required matches and if any discrepancies in provided information were identified and presented to DXC, the fiscal agent, for a manual review to verify eligibility, as required. ? DOCUMENTATION. The Department did not maintain sufficient documentation within Colorado interChange for the receipt date of the fingerprints from the provider, the collection of application fees, and site visits, as follows: ? For four of 25 providers (16 percent) tested, the Department?s fiscal agent failed to fill in the receipt date field within Colorado interChange to indicate when fingerprints were received from enrolling providers. After bringing this issue to the Department?s attention, the Department provided fingerprinting documentation in November 2019 to support that these providers submitted fingerprints within 30 days of Department request in accordance with federal regulation; however, that receipt date information had not been documented in Colorado interChange as of November 2019. ? For one of 25 providers (4 percent) tested, the provider was assessed as high risk but the provider?s file did not contain evidence that an application fee was collected or that the fiscal agent conducted a site visit, as required. Under federal requirements [Sub Regulatory Guidance for State Medicaid Agencies (SMA): Revalidation (2016-001(3))], the Department ?must be able to produce documentation to support each of the provider screening and enrollment requirements,? such as requirements for fiscal agent-conducted site visits of moderate and high risk providers during the enrollment and revalidation process. Federal regulation [42 CFR 455.432] states that the State Medicaid Agency or their fiscal agent must conduct pre- and post-enrollment site visits of providers who are deemed as moderate or high risk to the Medicaid program. The purpose of the site visits is to verify that the information submitted to the state Medicaid agency is accurate and to determine compliance with federal and state enrollment requirements. Additionally, the Department?s contract with DXC requires the fiscal agent to maintain detailed documentation and procedures for Medicaid provider enrollment. Federal regulation [42 CFR 455.434] requires that, for any provider assessed by the Department as high risk, the Department must obtain fingerprints from the provider, including fingerprints for any person(s) who has a 5 percent or more direct or indirect ownership interest in the provider and furnishes medical or pharmaceutical services or supplies. The provider must submit the fingerprints within 30 days, upon request by the Department. Federal regulation [42 CFR 455.460(a)] states that the Department must collect the applicable application fee prior to executing a provider agreement from a prospective or re-enrolling provider, with certain limited exceptions. According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal control over its federal awards that provides reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Green Book Paragraph 16.01, Perform Monitoring Activities, which states that the Department ?should establish and operate monitoring activities to monitor [its] internal control system and evaluate the results.? Monitoring activities include reviewing reports, observing operations, and ensuring that activities are carried out in accordance with the federal grant agreement. ? INELIGIBLE PROVIDERS: Based on our review of the suspended license listing from the Department of Regulatory Agencies, we identified three providers that had their licenses suspended during part of Fiscal Year 2019 but continued to be shown as active in Colorado interChange, as follows: ? One provider had its license suspended between February 11, 2019, and March 27, 2019; however, during this timeframe, the provider continued to bill claims and receive payments from Colorado interChange. After we questioned the Department about the issue, the Department issued a demand for payment letter dated October 18, 2019, to the provider for $15,061 in payments that were inappropriately paid. We consider these $15,061 payments to be known questioned costs; $7,531 of these payments were made with federal grant funds. ? Two providers had suspended licenses as of September 21, 2018, and February 25, 2019, respectively, but showed as active in Colorado interChange through June 30, 2019, and therefore appeared eligible to bill claims and receive payments. Based on additional testing, we determined that no payments were made to these providers after their licenses were suspended and did not identify any questioned costs associated with these two providers. Federal regulation [42 CFR 455.412] requires that the Department must have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State and confirm that the provider?s license has not expired and that there are no current limitations on the provider?s license. This federal regulation requires the Department to verify that the providers meet required licensure standards initially, and it is best practice for the Department to verify that the providers meet these standards on an ongoing basis to ensure that there are no current limitations on the provider?s license. In addition, state regulation [10 CCR 2505-10 8.125.9, Verification of Provider Licenses] states, ?If a provider is required to possess a license or certification in order to provide services or supplies in the State of Colorado, then that provider must be so licensed as a condition of enrollment as a Medicaid provider. As a condition of enrollment, any required licenses must be active without any current limitations.? Under the federal regulation, Requirements for Estimating Improper Payments in Medicaid and CHIP [42 CFR 431.958], ?Improper payment means any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements; and payment means any payment to a provider, insurer, or managed care organization for a Medicaid or CHIP beneficiary?? WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls in place over provider eligibility and claims payment processes related to the monitoring of DXC, its fiscal agent, during Fiscal Year 2019 to ensure that it complied with federal and state regulations. Specifically, Colorado interChange required fixes that were in various stages of correction during Fiscal Year 2019. According to the Department, Colorado interChange required a system fix in December 2018 in order to properly mark and/or display results related to federal and state database checks going forward; however, the system fix did not completely resolve the display issues to accurately indicate whether the data matches had occurred, and the Department did not retroactively make corrections to any cases that erroneously indicated that their information had not been verified. Rather, the Department stated that the inconsistent display issue related to providers that enrolled in the program when Colorado interChange was initially implemented and that this will be addressed after these providers are revalidated in Fiscal Year 2020 or when a provider updates their information, whichever occurs first. Additionally, the Department indicated that Colorado interChange did not have an automated system alert to check with the Department of Regulatory Agencies? license database on a regular basis to notify the fiscal agent and/or the Department that a license had expired. Although the Department reported that they had an interim manual process to ensure that expired licenses were identified and that subsequent steps were taken to ensure that providers remained eligible throughout the fiscal year to provide Medicaid services, the manual process did not identify and/or address the instances that we identified through our audit. Finally, we noted that the Department lacked an effective monitoring process over DXC, its fiscal agent, to ensure that the required documentation was maintained in accordance with Uniform Guidance, as the monitoring policies and procedures referred to as Provider Enrollment Audit Process were still in the draft stage during Fiscal Year 2019 and had not been formalized. WHY DO THESE PROBLEMS MATTER? By not ensuring that appropriate internal controls, including system controls and monitoring, are in place over the Medicaid provider eligibility and enrollment processes, the Department cannot ensure that all Medicaid providers are eligible or qualified to participate in the program. Additionally, without instituting a process to regularly update provider licensure information and to ensure that provider information contained in Colorado interChange is consistent and accurate, the Department cannot ensure that the enrolled providers are appropriately screened and are eligible to receive payments. Ensuring that providers contained in Colorado interChange are qualified to provide services is especially important because Colorado interChange is also used for provider eligibility determination for CBHP. Overall, the State could risk losing federal Medicaid and CBHP funding if it allows non-qualified providers to bill and be paid for services provided for these programs. RECOMMENDATION 2019-046 The Department of Health Care Policy and Financing (Department) should improve its controls over Medicaid and Children?s Basic Health Plan (CBHP) program provider eligibility determination and enrollment to ensure that it complies with federal and state requirements by: A Working with its fiscal agent to ensure that Colorado interChange performs all required database matches and properly displays results of Social Security Number and Federal Employer Identification Number verifications for all providers. B Establishing an effective process to ensure that provider licensing information contained in Colorado interChange is current, that any expired licenses are identified, and that any ineligible providers are disallowed from providing Medicaid and CBHP services and receiving payments in accordance with Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). C Formalizing the Department?s monitoring policies and procedures called Provider Enrollment Audit Process over the fiscal agent to ensure required documentation is maintained in accordance with Uniform Guidance. D Ensuring that Colorado interChange displays provider information consistently throughout the system. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department is working with its Fiscal Agent to ensure all required database screenings are performed and clearly identified in the Colorado interChange. An issue was identified in a prior year, FY 2018-19, that not all screening information was consistent. There was also a concern that initial screenings might miss some individuals due to the way data was formatted when transferred from LexisNexis. The issue was resolved by the Fiscal Agent prior to FY 2019-20. The Fiscal Agent is continuing to conduct manual reviews of all screening results to ensure compliance. A separate process to screen providers monthly is executed by the Department's Program Integrity Section. Through this process, no providers were found to have been enrolled incorrectly and, as necessary, the Department took appropriate action if there were changes to a provider's information. The Department is working with its Fiscal Agent to properly display results of Social Security Number and Federal Employer Identification Number verifications for all providers and automate the review process. The Department's implementation date reflects that the Department will complete the improvements and be in compliance with the Recommendation for the entirety of FY 2022-23. B DISAGREE. The Department finds that the Colorado interChange is working as designed, that the Fiscal Agent is appropriately enrolling providers, and that the Department is in compliance with the federal regulations regarding enrolling and revalidating providers. The Department is compliant with 42 CFR ? 455.436, which requires providers to be screened at enrollment and revalidation. All providers are assessed for eligibility requirements at enrollment and revalidation and are then screened monthly to identify any changes. For the licensing issue identified in this audit report, the Department performed the appropriate actions to recover funds within less than a month of the incident, which is compliant with federal regulation 42 CFR ? 455.436(c)(2). AUDITOR?S ADDENDUM: As noted in the finding, we found issues with the Department?s ongoing verification and monitoring of providers? eligibility that failed to prevent improper payments to an ineligible provider during the fiscal year. In addition, the Department did not send notification to recover funds from the provider until October 2019, or 8 months after the provider?s license was suspended. C AGREE. IMPLEMENTATION DATE: JULY 2020. The Department finalized the Fiscal Agent monitoring policies and procedures in December 2019 and therefore was unable to be in full compliance for the entire FY 2019-20. The Department's implementation date reflects that the Department will be in compliance with the Recommendation for the entirety of FY 2020-21. D DISAGREE. There was an initial system configuration on some early enrollments that prevented populating the requested information in the visible provider subsystem tabs for the auditor to review. The verification functionality happens within the provider portal and not in the visible provider subsystem tabs that the auditor reviews. However, no functionality or data was lost, the information only appeared and was stored in the provider portal. The Department implemented a solution so that the information will be displayed in the provider subsystem. This change is pending the next update the providers make and the data will be visible in the provider subsystem. The Department will not be making historical changes to the system. The Department has worked with the Fiscal Agent to resolve the issues which led to the finding and does not believe that expending additional resources to display historical information in both the provider portal and the provider subsystem is the best use of resources. The Department can produce the information manually. AUDITOR?S ADDENDUM: The data inconsistency issues we identified through our audit were based on our reviews of Colorado interChange through the access provided to us by the Department. As noted in the finding, inconsistent information within the provider eligibility screens used for Medicaid and CBHP increases the risk of inaccurate reviews of provider eligibility and ultimately, inappropriate enrollment screening. Therefore, as our recommendation states, the Department should ensure that Colorado interChange displays provider information consistently. The recommendation did not include restatement of historical information.
Finding 2022-043 Medicaid Claims Payments Individuals and families apply for Medicaid at their local county departments of human/social services or at MA sites. Medicaid caseworkers make the determinations of participants? eligibility to receive Medicaid benefits through CBMS. Children in the State?s foster care program, whose information is documented in the TRAILS system, are automatically determined eligible for Medicaid benefits. The Medicaid eligibility data in CBMS and TRAILS feeds into Colorado interChange, which pays providers for the services that beneficiaries receive. CBMS and TRAILS interface with Colorado interChange on a daily basis to update eligibility information, such as a beneficiary?s eligibility status and/or termination of benefits in Colorado interChange. According to the Department, Colorado interChange is programmed to make only allowable Medicaid claims payments on behalf of eligible beneficiaries in accordance with federal and state Medicaid rules and regulations. Thus, Colorado interChange should stop paying Medicaid claims when a beneficiary is no longer eligible for Medicaid. On March 18, 2020, the Act was enacted. The Act provided a temporary increase in the federal share of Medicaid and CBHP assistance from January 1, 2020 until the end of the PHE. The Act also required that the Department maintain Medicaid and CBHP eligibility for beneficiaries enrolled as of March 1, 2020, through the end of the COVID-19 PHE, except for the required terminations noted within the CMS waivers, such as out-of-state residency, termination upon the beneficiary?s request, and death of the beneficiary. On March 26, 2020, CMS approved waivers for a number of Medicaid and CBHP requirements that resulted in, for example, the expansion of benefits to include all uninsured individuals; suspension of beneficiary deductibles, copayments, coinsurance, and other cost sharing charges and fees; coverage of COVID-19 vaccines and testing; and the suspension of the requirement for a provider to have a current license if their license expired during the COVID-19 PHE. In addition, the State implemented, with CMS? approval, Medicaid continuous enrollment as a condition of receiving the temporary increase in federal assistance. During continuous enrollment, beneficiaries could not be disenrolled due to changes in circumstances (i.e., changes in household composition, employment, income and resources) until the end of the COVID-19 PHE. On December 29, 2022 the CCA was enacted. Under the CCA, continuous enrollment and the temporary increase in federal assistance are no longer linked to the end of the COVID-19 PHE. The continuous enrollment condition will end on March 31, 2023 and the increase in federal assistance will start to gradually reduce in April 2023, fully ending in December 2023. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to review the Department?s progress in implementing our Fiscal Year 2019 audit recommendation related to its internal controls over Medicaid claims payments. During that audit, we recommended that the Department improve its Medicaid controls by researching and resolving CBMS, TRAILS, and Colorado interChange interface issues we identified during our audit to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries. We specifically identified a TRAILS and CBMS eligibility mismatch issue related to the daily interfaces between CBMS and Colorado interChange and between TRAILS and Colorado interChange. As a result, some individuals who were deemed ineligible for Medicaid in CBMS and TRAILS were indicated as eligible in Colorado interChange at the time of payments; therefore, Colorado interChange made payments on their behalf. The Department researched the specific errors we identified during the audit and manually corrected the eligibility status of those beneficiaries, but the Department had not fully researched the error or identified and corrected all of the cases affected by the errors at that time. As such, we also recommended that the Department identify and correct any additional cases affected by the system issues noted in our audit. The Department agreed with the recommendation and stated that it would implement them by July 2021. As part of our audit work, we discussed the Department?s progress in implementing our audit recommendation with Department staff. According to the Department, it worked with the Department of Human Services (DHS) during Fiscal Year 2022 to develop a plan to eliminate the issues, including the TRAILS eligibility mismatch issue, we identified in the Fiscal Year 2019 audit. In order to address our recommendation that the Department identify and correct any additional cases affected by the system issues noted during our Fiscal Year 2019 audit, the Department developed an eligibility reconciliation report that compares beneficiary records with an active eligibility span in Colorado interChange, in order to identify any records that were not reported in the monthly eligibility file from CBMS. Department staff reported that they are reviewing the reconciliation report monthly to identify any beneficiary records that need updating in CBMS. Beneficiaries may show up on the reconciliation report either because (1) Colorado interChange rejected the beneficiary?s eligibility due to a data integrity issue, or (2) there was a system defect in CBMS, Colorado interChange, or TRAILS that caused a mismatch issue. Data integrity issues include issues such as a missing mailing address or last name?these issues can be manually fixed in CBMS. System defect issues are generally more complex and require Department staff to research the problem and identify the system that caused the error (CBMS, Colorado interChange, or TRAILS), and then work with the appropriate staff to correct the issue. As part of our audit, we requested copies of the Department?s eligibility reconciliation reports for Fiscal Year 2022 and asked the Department if it identified any additional cases affected by the system issues we identified, and if so, if they had they corrected the issues. How were the results of the audit work measured? We measured the results of our audit against the following: ? Federal regulation [42 CFR 447.56(e)(2), Limitations on Premiums and Cost Sharing] states that federal funding will not be provided for payments made by the Department to providers for services rendered to individuals who are not eligible for Medicaid. ? The Act [Section 2, Division F, Sec. 6008, Temporary Increase of Medicaid FMAP] temporarily increased the federal medical assistance percentage (FMAP) by 6.2 percentage points, effective from January 1, 2020 until the end of the PHE. The Act requires states to maintain Medicaid and Children?s Health Insurance Program (CHIP) eligibility for beneficiaries enrolled as of March 1, 2020 through the end of the PHE (with certain exceptions) in order to receive the increased FMAP assistance (the ?continuous enrollment requirement?). The PHE remained in effect during the entirety of Fiscal Year 2022 through June 30, 2022. ? According to federal regulation [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with the Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office, Paragraph 16.01, Perform Monitoring Activities, which states that the Department should establish and operate monitoring activities to monitor its internal control system and evaluate the results. Monitoring activities include reviewing reports, performing reconciliations, and observing operations. What problems did the audit work identify? We determined that the Department did not fully implement our Fiscal Year 2019 recommendation related to Medicaid claims payments by the July 2021 due date it originally provided. Specifically, while the Department has started working with DHS on a plan to resolve the TRAILS eligibility mismatch issues and started preliminary work on the project, the project was still ongoing as of June 30, 2022. In addition, the Department?s system enhancements to CBMS and Colorado interChange were not fully executed because of the ongoing PHE. Once the PHE ends and the Department executes the system enhancements, the Department has indicated the system will begin to correct the CBMS and Colorado interChange mismatches. Finally, although the Department has identified additional beneficiary records that require updating in CBMS, it did not correct the identified issues in the system. Specifically, the Department identified approximately 32,800 separate beneficiaries that were flagged as having an eligibility issue through the Fiscal Year ending June 30, 2022. However, per Department staff, they are unable to tell which beneficiaries had data integrity issues versus those that were caused by a system defect. Once the continuous enrollment period ends and the Department is able to fully execute the system enhancements noted above, the Department reports that the systems will sync any error the Department has identified and will be manually corrected. Why did these problems occur? The Department indicated that it did not fully execute the CBMS and Colorado interChange system enhancements because of the Act?s ongoing continuous enrollment requirement. Specifically, because the Department was required to maintain Medicaid and CBHP beneficiaries enrolled as of March 1, 2020 through the entirety of Fiscal Year 2022 due to the continuous enrollment requirements in place, they were unable to fully execute the CBMS and Colorado interChange system enhancements that would fix the data integrity issues identified during the Fiscal Year 2019 audit. Why do these problems matter? Making payments to ineligible individuals can result in the Department having to repay the federal government for the federal portion of the overpayments. Further, because Colorado interChange makes payments on behalf of other federal programs, such as CBHP, system issues with Colorado interChange could result in erroneous payments for other programs. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-043 The Department of Health Care Policy and Financing should strengthen its internal controls over Medicaid claim payments by: A. Continuing to work with the Department of Human Services to fully implement the plan to eliminate the Colorado interChange issues between Colorado Benefits Management System (CBMS), TRAILS, and Colorado interChange to ensure that Colorado interChange only pays provider claims on behalf of eligible beneficiaries. B. Continuing to review the monthly eligibility reconciliation reports and identifying beneficiary records that need updating, and making necessary corrections in CBMS once the continuous enrollment condition ends. Response Department of Health Care Policy and Financing A. Partially Agree Implementation Date: April 2023 The Department and CBMS teams have strengthened their internal controls to ensure payments are only made to providers for eligible members. The Department and CBMS teams will update all member records identified on the Monthly Reconciliation report once the Public Health Emergency ends. TRAILS team has provided additional training to the Case Managers to prevent data integrity issues being submitted to CBMS and interChange; however, the TRAILS team does not plan to update the system's internal controls until funding is available. Auditor?s Addendum Our responsibility under federal audit regulations is to report to the federal government when we identify Medicaid payments that may not have been made on behalf of eligible individuals or costs that we question as appropriate. It is ultimately the Department?s responsibility to have internal controls in place over its federal awards which provide reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions B. Agree Implementation Date: April 2023 The Department agrees to review the monthly eligibility reconciliation report and is looking forward to resolving the member records once the Public Health Emergency ends to fully resolve the audit finding.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-042 Medical Loss Ratio Reporting for Managed Care Entities The Department contracts with Managed Care Entities (MCEs) to provide managed care health plans and deliver health care services to eligible Medicaid and CBHP beneficiaries and pays MCEs monthly fixed amounts, known as capitation payments, based on rates determined by actuaries for the provision of services covered under the contract. The Department pays the MCEs monthly capitation payments on behalf of each Medicaid and CBHP beneficiary enrolled in the MCE?s plan. MCEs then coordinate services for the eligible Medicaid and CBHP beneficiaries and providers participating in the managed care system bill the MCEs directly for any medical services provided to Medicaid and CBHP beneficiaries. The MCEs are then responsible for paying the providers for the Medicaid and CBHP claims. The Department contracts with three different types of MCEs?Managed Care Organizations (MCO), Prepaid Inpatient Health Plans (PIHP), and Primary Care Case Management (PCCM) Entities. During Fiscal Year 2021, the Department had a total of 8 contracts with 10 MCEs, with two pairs of MCEs sharing a single contract with the Department. The Department is responsible for monitoring the MCEs to ensure they are complying with federal regulations and their contract provisions, including requirements that the MCEs annually submit Medical Loss Ratio (MLR) reports to the Department. The MLR is the proportion of state and federal Medicaid and CBHP funds that the MCE used for medical services compared to the funds used for its administrative costs. MCEs are required by both federal regulations and their Department contract provisions to have an MLR above 85 percent (i.e., an MCE?s administrative costs cannot exceed 15 percent) except for specific exceptions defined in federal regulations. If the MLR is below 85 percent, the MCE must pay back the state and federal government for the amount that caused the MCE to fall below 85 percent. Every fiscal year, the Department provides an MLR reporting template for the MCEs to complete and return to the Department. The Department reported that when it receives the completed templates, staff review the information provided by the MCEs and compare it to supporting documentation to ensure it is accurate and complete. Once the Department has reviewed the MLR reports submitted by the MCEs, the Department submits the MLR reports to CMS, which are due by June 30 of the year following the end of the MLR reporting year. For example, an MCE with a reporting year ending June 30, 2020, would be required to submit the MLR calculation to CMS by June 30, 2021. During Fiscal Year 2021, the Department reported that it paid approximately $1.4 billion in Medicaid and CBHP capitation payments to MCEs for medical services, not including the capitation payments for other services, such as administrative costs. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to review the Department?s internal controls and compliance over ensuring that MLR reports submitted to CMS by the Department include all the required information in accordance with federal regulations during Fiscal Year 2021. The audit work included making inquiries of Department staff regarding the Department?s documented policies and procedures over obtaining and reviewing MLR reports from each MCE. In addition, we requested and reviewed all MLR reports submitted to the Department by the 10 MCEs that were under contract with the Department in Fiscal Year 2021 to determine whether the MLR reports included all information required by federal regulations and were submitted within the required timeframes. How were the results of the audit work measured? Federal regulations [42 CFR 438.8(k)] require that the Department ensure each MCE under contract with the Department submits a report with the data elements specified in 42 CFR section 438.8(k)(1). The reports are specifically required to contain 13 required data elements, reflect the correct reporting years, and contain an attestation of accuracy regarding the calculation of the MLR. The 13 data elements include items such as total incurred claims, the methodology for allocating expenditures, the calculated MLR, and a comparison of the information reported in the MLR report to the MCE?s audited financial report. Federal regulations [42 CFR 438.8(g)] note that the method used to allocate expenses in the MLR calculation must be: ? Based on a generally accepted accounting method that is expected to yield the most accurate results; ? Any shared expenses must be apportioned pro rata to the contract incurring the expense; and ? Expenses that relate solely to the operation of a reporting entity must be borne solely by the reporting entity and are not to be apportioned to other entities. Federal regulations [42 CFR 438.8(k)(2)] require MCEs to submit the MLR report in a timeframe and manner determined by the Department, which must be within 12 months of the end of the MCE?s reporting year. The Department?s contract provisions for MCEs state that the MLR reporting year should align with the State?s fiscal year, beginning on July 1 and ending on June 30 of the subsequent calendar year. Contract provisions also state that each MCE shall submit to the Department the completed MLR calculation template and supporting documentation for each reporting year by the following January 15. For example, an MCE with a reporting year ending June 30, 2020, would be required to submit the MLR calculation template to the Department by January 15, 2021, and the Department would be required to submit the MLR calculation to CMS by June 30, 2021. What problems did the audit work identify? We reviewed all reports provided to the Department by the 10 MCEs during Fiscal Year 2021 (for the MLR reporting year ended June 30, 2020) and determined that none of the MLR reports submitted by the 10 MCEs to the Department contained all of the required data elements in Fiscal Year 2021. Specifically, the MLR reports were missing 2 of the 13 (15 percent) required data elements: the methodology for the MCEs? allocation of expenditures and a comparison of the information reported in the MLR report to the MCEs? audited financial reports. This omission is significant because the MCEs reported total medical expenditures ranging from $20.5 million to $208.4 million and earned revenue from $23.4 million to $219.1 million. In addition, we determined that 1 of the 10 MLR reports received in Fiscal Year 2021 (10 percent) had not been submitted to CMS as of April 2022. This report was due to CMS on June 30, 2021. Why did these problems occur? We found that the Department lacked adequate controls to ensure that MLR reports submitted by the MCEs fully complied with federal regulations. First, we noted that although the Department?s MCE contracts state the MCE?s MLR report should include all 13 federally required data elements, the MLR template the Department provided to the MCEs did not include specific sections addressing the two missing federally-required data elements. As a result, the MCEs did not submit this information. Furthermore, the Department did not have written policies and procedures for reviewing completed MLR reports to ensure the reports ultimately included those requirements. Second, the Department does not have an enforcement mechanism to ensure the MCEs provide corrected MLR report information in a timely manner. The Department reported that it had not submitted the one MLR report to CMS because it had open questions on the MLR report and was unable to verify that the information was correct, valid, and in compliance with federal regulations. Although the Department sent the MLR report back to the MCE for correction several times, the Department did not have sufficient controls in place to ensure the MCE ultimately provided the corrected report back to the Department within the required reporting timeline for CMS submission. Why do these problems matter? The Department is responsible for ensuring MLR reports are obtained and submitted to CMS in accordance with federal regulations and that MCEs have an MLR above 85 percent. While all 10 MCEs reported that their MLRs were above 85 percent for the reports submitted during Fiscal Year 2021, without providing all required data elements, neither the Department nor the federal government can validate that this percentage is accurate. By not including the methodology for the MCE?s allocation of expenditures, the Department, and ultimately CMS, are unable to confirm that each type of expense is being allocated correctly and that any shared expenses are being prorated appropriately. Additionally, by not including a comparison of the information reported in the MRL to the MCE?s audited financial report, the Department is unable to confirm that the information the MCE used to calculate their MLR is accurate. Overall, without effective internal controls in place, the Department risks providing MLR reports to CMS that contain inaccurate or incomplete information or that the MLR is below 85 percent and the Department does not catch the error. As a result, state and federal funds could be used disproportionately on administrative costs rather than medical services, which would negatively impact the quality of care Medicaid and CBHP beneficiaries receive. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2021-042 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls over Medical Loss Ratio (MLR) reporting by: A. Updating its MLR report template provided to Managed Care Entities (MCEs) to comply with federal regulations and developing and implementing written policies and procedures. These policies and procedures should include the requirement for MCEs to submit MLR reports that include the data elements required by federal regulations and specify the Department?s review process of those MLR reports to ensure they include accurate and complete information. B. Developing an enforcement mechanism to ensure it receives accurate and corrected information from the MCEs in a timely manner so the Department is able to complete its validation process of MLR reports and meet the June 30 deadline for report submission to the Centers for Medicare & Medicaid Services. Response Department of Health Care Policy and Financing A. Agree Implementation Date: December 2022 The MLR report template has been updated and will now be reviewed at least yearly by the Department. In addition, new written policies and procedures are being developed and will be implemented before the submission of the next MLR for review. B. Agree Implementation Date: January 2023 The Department will add contract language and enforcement mechanisms in order to receive accurate information in a timely manner. This includes specific timelines for correcting incomplete or inaccurate information in order to submit the MLR report timely to the Centers for Medicare & Medicaid Services.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2020-052 The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and Significant Deficiencies were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2021, because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and within Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-039 PROVIDER ELIGIBILITY The providers of medical and related services covered under Medicaid and CBHP programs fall into a wide array of provider types that include clinics, hospitals, independent physicians, and medical technicians, as well as managed care organizations and health plans that contract with medical providers. As of June 30, 2020, approximately 76,960 entities and individuals were enrolled with the Department to provide services under Medicaid and CBHP. Although the Department is ultimately responsible for ensuring that only eligible providers participate in the Medicaid and CBHP programs, the Department has contracted with a fiscal agent to perform certain provider-enrollment and claims-processing activities, including accepting, processing, evaluating, and approving or rejecting applications. Providers that want to enroll must complete an online application within Colorado interChange and provide documentation, including a current medical license, showing that they fulfill all enrollment requirements based on their provider type. The fiscal agent is contractually responsible for evaluating the application and the relevant supporting documentation to ensure compliance with all state and federal enrollment requirements. The Department is responsible for maintaining current provider information in Colorado interChange. Once the enrollment process is complete, the Department enters into agreements with the providers that are found to be eligible. In December 2019, the Department added a Department of Regulatory Agencies (DORA) license database interface within Colorado interChange in order to provide a mechanism for updating the provider?s medical license information including the expiration dates within Colorado interChange for any expired provider licenses. Department staff indicated that the provider licenses are manually reviewed at the time of enrollment by the fiscal agent and marked as active, meaning the providers are eligible to participate in the Medicaid and/or CBHP programs. On a monthly basis, the fiscal agent manually runs a report from the DORA database to identify the provider?s medical licenses that are about to expire and updates the renewed license information in Colorado interChange. If a provider?s license is expired, then the fiscal agent marks the provider for a review. Furthermore, the Department?s Program Integrity (PI) Division checks the DORA?s website monthly to determine if any action such as suspensions or revocations of licenses have been taken against a provider?s medical license. If the action taken against the provider affects the provider?s ability to participate in Medicaid or CBHP for a certain period, the PI Division then determines if the provider should be placed on a temporary restriction by suspending any payments, or be terminated within Colorado interChange to stop payments to the provider. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to review the Department?s internal controls over the enrollment and eligibility determinations of providers for Medicaid and CBHP services and to determine whether the Department complied with federal Medicaid and CBHP provider eligibility requirements during Fiscal Year 2020. Additionally, we assessed the Department?s progress in implementing our Fiscal Year 2019 recommendation related to provider eligibility and enrollment. At that time, we recommended that the Department improve its controls in this area to ensure that it complies with federal and state requirements related to data verification and maintenance of documentation, such as current provider licenses, to ensure payments are only made to eligible providers. We also obtained a detailed Suspension Listing from DORA, which contained provider medical licenses that were suspended during Fiscal Year 2020. We compared this Suspension Listing with provider information within Colorado interChange to determine whether the Department paid any providers with suspended licenses for claims during the fiscal year. We reviewed a sample of 45 provider applications for providers that were deemed eligible and received Medicaid and CBHP payments during Fiscal Year 2020 through Colorado interChange. We obtained and reviewed provider application information and relevant supporting documentation within Colorado interChange to determine whether these providers were accurately deemed eligible to receive Medicaid and CBHP payments and whether the required documents were maintained, in accordance with federal and state regulations. In addition, we conducted interviews with Department staff regarding its procedures over Medicaid and CBHP provider eligibility and enrollment. In March 2020, the Governor issued executive orders waiving Medicaid and CBHP provider licensing requirements for providers whose licenses expired during the COVID-19 PHE; as a result, our testwork was split into two periods of testing: (1) July 1, 2019, through February 29, 2020, and (2) March 1, 2020, through June 30, 2020. The process followed for provider eligibility and enrollment is the same for both Medicaid and CBHP providers, and our testing was used to determine compliance for both programs. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? We applied the following criteria during our testing: ? FEDERAL REGULATION [42 CFR 455.412] requires that the Department have a method for verifying that any provider purporting to be licensed in accordance with the laws of any state is licensed by such state and confirm that the provider?s license has not expired and that there are no current limitations on the provider?s license. This federal regulation requires the Department to verify that the providers meet required licensure standards initially, and it is best practice for the Department to verify that the providers meet these standards on an ongoing basis to ensure that there are no current limitations on the provider?s license. In May 2021, CMS provided clarification to the Department that ?not every condition on a provider?s license would be considered a limitation? and the PI Division within the Department needs to ?document in writing their determination to keep a provider enrolled when a license limitation does not restrict the provider?s ability to render services to Medicaid and CBHP beneficiaries to be in compliance with federal regulation.? ? STATE REGULATIONS [10 CCR 2505-10, 8.125.9 A AND B] require for current medical provider licenses, if a provider is required to possess a license or certification in order to provide services or supplies in the State, then that provider must be so licensed as a condition of enrollment as a Medicaid provider. As a condition of enrollment, any required licenses must be active without any current limitations. ? DEPARTMENT POLICY AND PROCEDURE. Provider Licensure Sanction Monitoring, Section III. A., states that in order for a provider to be eligible to render and bill for services, the provider must have an active license. ? FEDERAL CMS REQUIREMENTS [Sub Regulatory Guidance for State Medicaid Agencies (SMA): Revalidation (2016-001 (3))] state the Department must be able to produce documentation to support each of the provider screening and enrollment requirements under 42 CFR 455 Subpart E, including documentation of the most current license to ensure the provider remains eligible to provide services. ? CONTRACT REQUIREMENTS. According to the contract agreement with the fiscal agent, the fiscal agent is required to maintain detailed documentation to support each of the provider screening and enrollment requirements, including documentation of the provider?s most current license to ensure the provider remains eligible to provide services for Medicaid and CBHP. ? FEDERAL REGULATION [45 CFR 75.303(a)] requires that the Department, as a recipient of federal funds, must establish and maintain effective internal control over its federal awards that provides reasonable assurance that the Department is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with guidance in Green Book, Paragraph 16.01, which states that the Department ?should establish and operate monitoring activities to monitor [its] internal control system and evaluate the results.? Monitoring activities include reviewing reports, observing operations, and ensuring that activities are carried out in accordance with the federal grant agreement(s). WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We found that the Department did not fully comply with federal and state regulations for Medicaid and CBHP provider eligibility during Fiscal Year 2020. The specific issues we identified through our analyses of Medicaid and CBHP provider license data and case file reviews are outlined in more detail throughout this section. ELIGIBILITY ISSUES IDENTIFIED THROUGH DATA ANALYSES INELIGIBLE PROVIDERS?SUSPENDED LICENSES OR LICENSE WITH LIMITATIONS. Based on our comparison of the suspended provider license listing from DORA and provider information within Colorado interChange, we identified 13 ineligible providers who had their license suspended or had a license with limitations for part of Fiscal Year 2020, but continued to be shown as active, which means eligible, in Colorado interChange, as follows: ? 13 providers had their licenses suspended by DORA during Fiscal Year 2020; however, instead of terminating these providers in accordance with federal and state regulations, the Department marked these providers as active within Colorado interChange. For four of the 13 providers, the Department did not take any action to prevent them from billing for services during the year. For the remaining nine providers, the Department placed billing restrictions on the providers after DORA?s suspension date. Specifically, for six of these nine providers, the Department placed billing restrictions on the providers within 1 to 2 months and for the remaining three providers, placed the billing restrictions on the providers between 3 to 12 months after DORA?s suspension date. Based on additional testing, we determined that no payments were made to these providers after their licenses were suspended by DORA and therefore, we did not identify any questioned costs associated with these providers. ? One provider had its license listed as active with conditions on DORA?s website from April 10, 2020, through June 30, 2020, but the Department did not terminate the provider due to current limitations on the license; instead, the provider was marked as active in Colorado interChange and continued to bill claims and receive payments during the fiscal year. We determined that the provider?s current license limitations did not restrict the provider?s ability to render services. Therefore, the provider was eligible and no questioned costs were noted. However, the Department did not document their determination to keep this provider enrolled with current license limitations. In addition, we noted that this provider?s license expired in Colorado interChange as of October 2016, however, DORA?s website showed the provider with an active license, or license with limitations, during Fiscal Year 2020. The fiscal agent did not update license information as required by the contract. ELIGIBILITY CASE FILE ISSUES MISSING DOCUMENTATION AND LICENSE INFORMATION. For five of 45 providers (11 percent), the Department did not ensure that the fiscal agent maintained the support of the most current medical license information as of June 30, 2020, within Colorado interChange to demonstrate that the provider was eligible to provide services. After we brought the issue to the Department?s attention, the Department provided the documentation. Additionally, for two of these five providers, we found that the medical license information maintained by the fiscal agent in Colorado interChange differed from the license information contained in the DORA database. For example, in one case, the provider?s license showed an expiration date of September 30, 2019, in Colorado interChange, while the accurate license expiration date in DORA?s database was September 30, 2021. Without the most current license information, the fiscal agent cannot appropriately verify ongoing eligibility for the providers. WHY DID THESE PROBLEMS OCCUR? The Department did not have adequate internal controls in place over the provider eligibility process during Fiscal Year 2020 to ensure that it complied with federal and state regulations. ? INEFFECTIVE REVIEW OF PROVIDER LICENSES. The Department lacks an effective review process to ensure the license information in DORA?s database matches the license information in Colorado interChange in order to identify suspended providers, to document their determination to keep a provider enrolled with license limitations, and providers with expired licenses. In addition, the Department?s manual review did not ensure that suspended providers, providers with license limitations and providers with expired licenses were terminated and restricted in a timely manner. ? POLICIES AND PROCEDURES NOT UPDATED. The Department did not obtain CMS guidance until May 2021 to document their determinations to keep providers with license limitations enrolled when a license limitation did not restrict provider?s ability to render services. Therefore, the Department?s current policies and procedures are not updated to match CMS guidance. ? LACK OF EFFECTIVE TRAINING AND MONITORING. The Department was not effectively training and monitoring its fiscal agent to ensure that copies of active medical licenses are maintained within providers? files in Colorado interChange. Additionally, the fiscal agent did not properly update the provider?s license information in Colorado interChange to match the DORA database during Fiscal Year 2020. WHY DO THESE PROBLEMS MATTER? By not ensuring that appropriate internal controls, including policies and procedures, reviews, training, and monitoring, are in place over the Medicaid and CBHP provider eligibility process, the Department cannot ensure that all Medicaid and CBHP providers are eligible to participate in the programs. Additionally, without an effective review process to update provider licensure information within Colorado interChange, the Department cannot ensure that the enrolled providers are eligible to receive payments. Ensuring that providers contained in Colorado interChange are eligible to provide services is especially important to prevent any improper payments. Overall, the State could risk losing federal Medicaid and CBHP funding if it allows ineligible providers to bill and be paid for services provided for these programs. Furthermore, the State may lose federal Medicaid money if the Department does not recover any of the payments made to ineligible providers. State statute [Section 25.5-4-301(2), C.R.S.] indicates that any overpayments of claims to providers are recoverable. These overpayments ?shall be recoverable regardless of whether the overpayment is the result of an error by the state department, a county department of social services, an entity acting on behalf of either department, or by the provider or any agent of the provider.? See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-039 The Department of Health Care Policy and Financing (Department) should improve its internal controls over the Medicaid and Children?s Basic Health Plan provider eligibility determination to ensure that it complies with federal and state requirements by: A Improving the Department?s review process of provider licenses to ensure the license information in the Department of Regulatory Agencies (DORA) license database matches the license information in the Colorado interChange system and ensuring timely termination and imposing restrictions for the provider?s whose licenses are suspended or expired. B Updating the current policies and procedures to match Centers for Medicare and Medicaid Services guidance to ensure there is adequate documentation of the determinations for providers with license limitations. C Effectively training and monitoring its fiscal agent to ensure that copies of active licenses are maintained and provider license information in the Colorado interChange system matches the information in DORA?s license database. RESPONSE DEPARTMENT OF HEALTH CARE POLICY AND FINANCING A AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will update its policies and procedures to ensure that the process for reviewing whether a license action requires termination or a restriction in the Colorado interChange, is documented and implemented in a timely manner to prevent payments to ineligible providers. As noted in OSA's finding, it is best practice for the Department to verify providers meet these standards on an ongoing basis between initial enrollment and revalidation to ensure there are no current limitations on the provider?s license, including those that have expired. The Department?s previous process was discontinued due to data matching issues between DORA and the Colorado interChange. However, letters continue to be sent to providers with upcoming expiring licenses prompting them to add current license information to their provider file. The Department plans to implement a system change that will make the data feed from DORA functional and install a front-end claims edit that will prevent claims from providers with an expired license from paying. B AGREE. IMPLEMENTATION DATE: JULY 2022. The Department will update its policies and procedures to ensure that all determinations made on whether a provider has a limitation on its license are properly documented. C AGREE. IMPLEMENTATION DATE: JULY 2022. The Department has an established process to train and monitor its fiscal agent. The Department will continue to monitor the Fiscal Agent through reports, meetings, and quarterly audit review processes. The Department and the Fiscal Agent will continue to collaborate to improve the process in which required documentation is collected and maintained.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-064 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide emergency financial assistance to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the University under the Higher Education Emergency Relief Fund (HEERF I) Program. The federal Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the federal American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Each of the University?s campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (DOE) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements of the HEERF program there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The DOE specified that the Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The University?s campuses are required to submit the annual report directly to the DOE. During Fiscal Year 2022, each University campus was required to complete and post 8 reports (four Student Aid and four Institutional) to their website. During Fiscal Year 2022, the University?s three campuses in total expended approximately $60 million in HEERF grant funds: $27 million was expended by the Boulder campus, $10.5 million was expended by the Colorado Springs campus, and $22.5 million was expended by the Denver campus. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over and complied with the HEERF grant reporting requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls over the HEERF grant reporting requirements. In addition, we tested 11 of the 12 student reports and 3 of the 12 institutional reports posted by the University during Fiscal Year 2022 to determine whether the University campuses posted the required information on each campus? website accurately, and by the federal due dates. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? The DOE issued a notice on May 13, 2021, requiring institutions to publicly post their required HEERF reports on the institution?s website as soon as possible, but no later than 30 days after the publication of the notice, or 30 days after the date the DOE first obligated funds under HEERF I, II, or III to the institution for emergency financial assistance to students; whichever comes later. The institution is required to post the report no later than 10 days after the end of each calendar quarter, after the initial posting. ? Federal regulation [2 CFR 200.303] states that the System?s campuses, as federal grant recipients, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? What problem did the audit work identify? We identified 2 out of the 14 reports tested (14.3 percent) that did not meet the HEERF grant report posting requirements. Specifically, the University of Colorado, Colorado Springs Campus, did not post the required information for the HEERF Student Aid Portion on its website for two of four quarters of Fiscal Year 2022 timely. First, the University posted the quarter-ending September 30, 2021 report to its website on December 23, 2021, or 74 days after the deadline of October 10. Second, the University did not post the quarter-ending March 31, 2022 report, which was due April 10, 2022, until October 2022, after we notified them of the error; this was approximately 6 months late. We did not identify any issues with the accuracy of the reports, and we found that the other two campuses in the University of Colorado System posted the required information on their respective websites as required by federal regulations. Why did this problem occur? The University?s Colorado Springs campus did not have adequate internal controls in place to ensure it complied with the HEERF grant reporting requirements. Specifically, the Colorado Springs Campus did not have appropriate policies and procedures in place for identifying and researching changes in HEERF reporting requirements. The federal government updated and provided a new form for HEERF reporting in September 2021 that included a section for institutional information but inadvertently excluded student information from the form. Because the form no longer required the student information, the Colorado Springs campus staff inaccurately assumed that the student information was no longer required to be reported. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in the DOE Certification and Agreement that is signed and agreed to by the University. By failing to report required information in accordance with federal regulations, the University failed to comply with the requirements of the HEERF program and potentially risks repercussions from the DOE as specified in the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-064 The University of Colorado?s Colorado Springs campus should strengthen its internal controls over and ensure that it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by establishing policies and procedures for identifying and researching changes in HEERF reporting requirements and posting reports to the campus website as required by federal regulations. Response University of Colorado Agree Implementation Date: Implemented Management agrees. After the notification of the missing HEERF report in December 2021, the UCCS Controller proposed a ?cross-check? process to ensure all future reporting is in compliance and reported in a timely manner. This process is used for both the quarterly and annual reporting process. In the quarterly reporting process, the UCCS Controller completes the institutional report and emails the report to the UCCS Financial Aid office Senior Executive Director for verification of the amounts and the data submitted. The Senior Executive Director then enters the student aid portion?s information and provides this to the UCCS Controller for verification of the data. Once verified, the report is uploaded to the UCCS website and a confirmation email is sent to the UCCS Controller as well as the heerfreporting@ed.gov for verification of completion of the website posting. This process has been duplicated with the annual reporting process. Before the annual report is submitted a review will be done to verify the report figures match the CU financials for the calendar year.
Finding 2022-062 Higher Education Emergency Relief Fund Student Aid Finding The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to higher education institutions, including the University, under the HEERF program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA) was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. Since March 11, 2021, the University has been awarded $45.6 million in HEERF grant funds through the American Rescue Plan (ARP), otherwise known as HEERF III. Of this award, the University was provided both 1) Student Aid monies, along with 2) Institutional Aid monies. Student Aid monies must be used to provide financial aid grants to students (including students exclusively enrolled in distance education), which may be used for ?any component of the student?s cost of attendance or for emergency costs that arise due to coronavirus, such as tuition, food, housing, healthcare (including mental health care), or childcare. Institutional Aid monies may be used to defray expenses associated with coronavirus (including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll) and to make additional financial grants to students. During Fiscal Year 2022, the University spent $21.0 million for the Student Aid portion and $20.2 million for the Institutional portion of HEERF III funds. For the Student Aid portion of the HEERF III funding, the University divided the funding into different groups. The University developed a written plan (that applied during Fiscal Year 2022) for each group and a control process for awarding the monies to students. One of the groups of funding was to be awarded to students with unpaid balances in their tuition or auxiliary accounts with past due balances incurred during the 2020-2021 or 2021-2022 academic years. A team of University employees (CARES Team) was tasked with identifying those students, then contacting those students and asking if they would like the University to apply the student?s HEERF award to pay down the student?s account balance or pay it to the student directly. Once the student informed the University of their election, then the University awarded and disbursed the funds. What was the purpose of our audit work and what was performed? The purpose of the audit work was to determine whether the University was in compliance with the HEERF program regulations for awarding and paying the Student Aid portion of the HEERF funding, and whether proper controls were in place over the program during Fiscal Year 2022. Our testing included conducting interviews with management and selecting a sample of 60 disbursements made to students during Fiscal Year 2022 to test controls and compliance. We performed testing on the 60 disbursements to determine whether awards and disbursements were made in accordance with the University?s documented plan. How were the results of the audit work measured? In accordance with HEERF III requirements, the University must prioritize student aid distributions to students with exceptional needs. In addition, the University must have a documented plan to distribute funds to students. Federal regulations [2 CFR 200.303] require any non-federal grant award recipient to establish and maintain effective internal control over the federal award that provides reasonable assurance that the grant award recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. Lastly, student aid application best practices discourage employees from awarding aid to family members. What problem did the audit work identify? Based on interviews with University management, the University identified that a University employee inappropriately provided $700 in HEERF Student Aid funding to the employee?s family member who was a student at the University but was not eligible to receive the funds. Specifically, the CARES Team selected students to receive these funds that met the following criteria: 1) Student was enrolled in the Fall of 2021 or Spring 2022, 2) student had past due balances incurred during the 2020-2021 or 2021-2022 academic years, 3) the student was in good academic standing, and 4) they were participating in a payment plan or in the College Completion Advising program. The student was not selected by the CARES Team as eligible to receive these funds. During our testing of additional 60 student disbursement transactions we found no other exceptions. Why did this problem occur? The University has not established proper segregation of duties to prevent University employees from awarding federal funding to a member of their family. Specifically, the employee had access rights within the University?s financial aid system that granted the employee the ability to both award and disburse federal funds without another employee reviewing or approving. In addition, the University did not have a written policy, as recommended by industry best practices, that prohibits employees from applying aid to family members? accounts. Why does this problem matter? Federal funds that are misapplied or used for unallowable purposes could be subject to repayment from the University to the federal granting agency. Without ensuring adequate segregation of duties within the University?s financial aid system for awarding and disbursing federal funds, the University increases the risk that fraud could occur. In the instance identified, the University recovered the funding from the student. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-062 Metropolitan State University of Denver (University) should improve its internal controls over federal Higher Education Emergency Relief Funds by instituting appropriate segregation of duties over the awarding of federal funds to students. This should include requiring that no one employee can both award then disburse aid to students and developing and implementing a formal written policy that prohibits University employees from awarding financial aid to their family members. Response Metropolitan State University Agree Implementation Date: June 2023 In January 2023, the Executive Director of Financial Aid and Scholarships implemented a code of conduct that addresses and prohibits University personnel from awarding financial aid to their family members or other persons considered conflicts of interest. The Office of Financial Aid and Scholarships will draft policy by June 30, 2023, to address the segregation of duties that prohibits awarding and disbursing federal, state, or institutional funding to students by one employee.
Finding 2022-063 Higher Education Emergency Relief Fund Reporting Compliance Finding The CARES Act was signed into law on March 27, 2020, and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the (HEERF Program. CRRSAA was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Since April 2020, the University has been awarded a total of $86.3 million in HEERF funding. From inception through June 30, 2022, the University spent $35.4 million for the HEERF program Student Aid Portion and $48.9 million for the HEERF program Institutional Portion. The University reports that it will spend the remaining amount of funding during Fiscal Year 2023. The University signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate the University?s acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The ED specified that Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The annual report is to be submitted directly to the federal ED. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University had adequate internal controls in place over and complied with HEERF Institutional and Student Aid Portion grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the University?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 5 of the 8 HEERF reports submitted by the University during Fiscal Year 2022 to determine whether the reports were posted on the University?s primary website or submitted directly to the ED by the federal due dates and complied with federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? For the Student Aid Portion, beginning on May 6, 2020, the ED required institutions to publicly post certain information on their website, including the number of awards distributed to students, the total amount awarded, and the methodologies used by the institution to determine which students receive awards, no later than 30 days after the award date, and to update that information every 45 days thereafter (by posting a new report). ? On August 31, 2020, the ED revised the reporting requirement by decreasing the frequency of reporting after the initial 30-day period from every 45 days thereafter to every calendar quarter. This revision from every 45 days to a calendar quarter was effective for the first calendar quarter report due by October 10, 2020, and covering the period from after the institution?s last report through the end of the calendar quarter on September 30, 2020. ? For the Institutional Portion, a federal form filled out by the institution must be posted on the institution?s website covering aggregate expenditure amounts for each calendar quarter (September 30, December 31, March 31, and June 30) and concluding after an institution has spent the institutional portion of their HEERF Funds. The institution must post their first report by October 30, 2020, the first quarter of 2021 report by July 20, 2021, and post all other reports no later than 10 days after the end of each calendar quarter (October 10, January 10, April 10, and July 10). ? Section 18004(e) of the CARES Act and Section 314(e) of the CRRSAA require an institution receiving funds under HEERF to submit a report to the Secretary of the ED at ?such time in such a manner as the Secretary may require?. ? Federal regulation [2 CFR 200.334] states that ?financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.? The instructions for the Quarterly HEERF Reporting Form notes, ?any changes or updates after the initial posting must be conspicuously noted after initial posting and the date of the change must be noted in the `Date of Report? line.? ? Federal regulation [2 CFR 200.303] states that the University, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The University signed a HEERF Certification and Agreement to accept the funding and acknowledge its responsibilities under the grant; therefore, the University was responsible under the Agreement to ensure that it complied with HEERF reporting and other requirements. What problems did the audit work identify? We determined that 2 out of 5 reports tested (40 percent) did not meet the HEERF grant report posting requirements. Specifically: ? The University did not post the HEERF CRRSAA Student quarterly report for the quarter ending September 30, 2021 on the University?s primary website, as required. ? The University published the HEERF ARP Student quarterly report for the quarter ending March 31, 2022 on May 26, 2022?46 days past the due date of April 10, 2022. No issues were noted on the accuracy of the financial information on this report. Why did these problems occur? The University did not implement adequate internal controls to ensure it complied with the HEERF grant reporting requirements. Specifically, the University did not have appropriate policies and procedures in place to ensure that staff submit the required reports within federally required timeframes. Why do these problems matter? Federal oversight agencies, including ED, depend on accurate reports to measure program results and states? compliance with federal requirements. By failing to report the HEERF spending information in accordance with federal regulations, the University failed to comply with the requirements of the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-063 Metropolitan State University of Denver (University) should strengthen its internal controls over reporting and ensure it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by developing and documenting policies and procedures for identifying and researching the specific reporting requirements and ensuring that staff post to the University?s website the required reports within federally required timeframes. In addition, the University should ensure that all the HEERF reports that are currently required to be posted are on the website. Response Metropolitan State University Agree Implementation Date: December 2022 In December 2022, the Office of Financial Aid strengthened its internal control over the reporting requirements for the Higher Education Emergency Relief Fund (HEERF), by adding the report due dates to the internal operational calendar. Additional level reviews were also added to the submission process before the required reports will be sent to the Department of Education and posted on the financial aid website.
Finding 2022-059 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF I) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund (Assistance Listing No. 84.425). The HEERF program contains two portions: the Student Aid portion (Assistance Listing No. 84.425E) and the Institutional portion, which is made up of the following: HEERF Institutional Aid Portion (Assistance Listing No. 84.425F), HEERF Minority Serving Institutions (Assistance Listing No. 84.425L), HEERF Strengthening Institutions Program (Assistance Listing No. 84.425M), Institutional Resilience and Expanded Postsecondary Opportunity (Assistance Listing No. 84.425P), and HEERF Supplemental Assistance to Institutions of Higher Education program (Assistance Listing No. 84.425S). Amounts provided to students through HEERF are considered to be ?Emergency Financial Aid Grants to Students? under the Program. Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent approximately $97.8 million for the HEERF program Student Aid portion which is used to award Emergency Financial Aid Grants to students and $113.9 million for the HEERF Institutional Portion, which is used to support the colleges. $117.3 of this amount was expended by the System during Fiscal Year 2022. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the ED to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The annual report is to be submitted directly to the ED. The ED has specified certain criteria that must be included in each report. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System had adequate internal controls in place over, and complied with, the HEERF Institutional and Student Aid grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the System?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 25 of the 117 HEERF reports submitted by the System?s campuses during Fiscal Year 2022 to determine whether the reports were posted on each campus? primary website (quarterly reports) or submitted to ED (annual reports) by the federal due dates. Furthermore, for the Student Aid Quarterly Report we requested from each Campus the underlying support for the reports, which consisted of student data detailing how much aid was awarded and the methods the campuses used to determine which students would receive Emergency Financial Aid Grants. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? On May 13, 2021, the ED published in the Federal Register a notice for student aid public reporting under CRRSAA and ARP, which requires that institutions publicly post certain information on their website. The following information must appear in a format and location that is easily accessible to the public: o An acknowledgement that the institution signed and returned to the ED the Certification and Agreement and the assurance that the institution has used the applicable amount of funds designated under the CRRSAA and ARP programs to provide Emergency Financial Aid Grants to Students. o The total amount of funds that the institution will receive or has received from the ED pursuant to the institution's Certification and Agreement for Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total amount of Emergency Financial Aid Grants distributed to students under the CRRSAA and ARP programs as of the date of submission (i.e., as of the initial report and every calendar quarter thereafter). o The estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total number of students who have received an Emergency Financial Aid Grant to students under the CRRSAA and ARP programs. o The method(s) used by the institution to determine which students receive Emergency Financial Aid Grants and how much they would receive under the CRRSAA and ARP programs. o Any instructions, directions, or guidance provided by the institution to students concerning the Emergency Financial Aid Grants. ? Federal Uniform Guidance [2 CFR 200.303] requires that recipients of federal awards have internal controls in place to ensure that federal reports are accurate and report complete information. Appropriate supporting documentation is evidence of such internal controls. What problems did the audit work identify? We identified issues with 5 of the 25 Fiscal Year 2022 reports we tested (20 percent). Specifically, Front Range Community College (FRCC), Pueblo Community College (PCC), and Lamar Community College (LCC) could not provide appropriate supporting documentation for one or more of the following data elements in five of the Student Aid Quarterly Reports: student data detailing (a) the total amount of Emergency Financial Aid Grants distributed to students, (b) the total number of students eligible to receive Emergency Financial Aid Grants and/or (c) the total number of students at the institution who have received an Emergency Financial Aid Grant. The specific issues we found the following: ? FRCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended September 30, 2021 as 20,684; based on our review, we determined the supported number was 20,782. ? FRCC reported the total number of students at the institution who have received an Emergency Financial Aid Grant for the quarter ended June 30, 2022 as 20,385 (student portion) and 3,207 (institutional portion); based on our review, we determined the supported numbers were 20,401 and 3,222, respectively. ? LCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended June 30, 2022 as 1,007; based on our review, we determined the supported number was 1,034. In addition, the amount disbursed directly to student emergency financial aid grants to date was reported as 961 and total for all HEERF funds was 1,124; based on our review, we determined the supported numbers were 988 and 1,151, respectively. ? PCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarters ending September 30, 2021 and December 31, 2021 as 3,191; based on our review, we determined this amount could not be supported and PCC did not provide a revised count. Why did these problems occur? FRCC, PCC, and LCC campuses did not have procedures in place to ensure that supporting documentation was maintained for its Student Aid Quarterly Reporting. Employee turnover in the FRCC Controller position and FRCC, PCC, and LCC Student Financial Aid Director positions further contributed to FRCC, PCC, and LCC?s inability to locate or recreate the supporting documentation. Why do these problems matter? It is important for FRCC, PCC, and LCC to ensure that they obtain and maintain appropriate documentation to support amounts reported to federal awarding agencies, especially when they are the basis for determining FRCC, PCC, and LCC?s compliance with specific federal program requirements. This issue could lead to inaccurate federal reporting and potential noncompliance, which could result in the federal government requiring FRCC, PCC, and LCC to return funds or a negative impact to the System?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-059 Front Range Community College, Lamar Community College, and Pueblo Community College campuses should strengthen their internal controls over federal reporting and ensure they comply with the Higher Education Emergency Relief Fund reporting requirements by reviewing reports for accuracy and developing procedures for ensuring the required maintenance of all related supporting documentation. Response Front Range Community College Agree Implementation Date: September 2022 Moving forward the Director of Financial Aid will engage the Restricted Funds Accountants in a quality assurance review of both dollars spent, type of fund, and student counts before it is submitted for final review and publishing by the Director of Resource Development and Senior Grant Administrator. The most recently submitted information for the quarterly report of September 30, 2022 will be sent to the Restricted Funds Accountants to validate that FRCC has been and will continue to be in compliance for quarterly HEERF reporting. Response Lamar Community College Agree Implementation Date: July 2022 The Financial Aid Director and the Controller will compile their reporting support on the shared drive they utilize for other routine purposes as well, to ensure clear documentation of the numbers reported. The original report containing errors was corrected, validated, and reposted. All past year?s reporting data was made available on the shared drive as of July 2022. Response Pueblo Community College Agree Implementation Date: October 2022 Each quarter Financial aid will obtain and compare Cognos and Banner disbursement reports for accuracy. Once the unduplicated student count is determined it will be sent to the Vice President of Student Success to validate and approve going forward. Financial aid will ensure staff maintain supporting documentation for any institutional expenditures information that was obtained from the fiscal office. Disbursement and expenditure data will be compiled for the Department of Education?s Quarterly Report by the submission deadline and will be submitted as PDF to webmaster for posting on PCC?s website and a copy emailed to a contact at the Department of Education and will archive the submission for future reference.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Finding 2022-066 Research and Development Cluster Subrecipient Monitoring Compliance Requirement The federal government sponsors research and development (R&D) activities under a variety of types of awards, most commonly grants, cooperative agreements, and contracts, to achieve objectives agreed upon between the federal awarding agency and the non-federal entity. The types of R&D conducted under these awards vary greatly. The objective of an individual project is explained in the federal award letter. R&D activities at the University are subject to federal subrecipient monitoring requirements. Under these requirements, the University is required to monitor its subrecipients to ensure they use funds in accordance with applicable laws, regulations and terms of the award. A subrecipient is defined in federal regulations [2 CFR 200.1] as ?an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency.? Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the University, to an entity to carry out part of a Federal grant award received by the pass-through entity. As part of its subrecipient monitoring process, the University uses a subrecipient monitoring checklist that includes a variety of checkpoints, including whether an approved budget is in place and reviewed: whether the subrecipient had an audit, if applicable, and whether that audit has been reviewed; and whether a risk assessment related to a subrecipient?s potential noncompliance has been performed. During Fiscal Year 2022, the University?s three campuses in total expended approximately $916 million in R&D grant funds: $504 million, $406 million, and $6 million from the Boulder, Denver, and UCCS campuses, respectively. The University passed approximately $120 million to 1,325 subrecipients including other universities and non-profit organizations, to assist in the performance of a wide-range of projects such as research into learning disabilities or the advancement of scientific discovery, or other research related projects. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over, and complied with, the R&D?s subrecipient monitoring requirements for Fiscal Year 2022. As part of our audit work, we tested 40 subrecipients to determine whether the University campuses? performed the subrecipient risk assessments related to a subrecipient?s potential noncompliance as required by federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation 2 CFR 200.331(b) requires that the University?s campuses, as federal grant recipients, must ?evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.? ? The Boulder campus? policy states that monitoring the subaward is a ?collaborative effort? made in both Central Administration as well as in the departments through the Principal Investigator and their supporting Department Administrator.? Completion of a risk analysis and the subrecipient monitoring checklist is listed among the responsibilities of the Central Office. What problem did the audit work identify? The Boulder campus did not perform a risk assessment for six out of the 40 subrecipients we tested (15 percent). However, the campus did perform other monitoring procedures over these subrecipients as the risk assessment process is one procedure in the overall subrecipient monitoring process. Why did this problem occur? The University did not have adequate internal controls in place for monitoring its subrecipients. Specifically, the University?s Boulder campus did not ensure that staff reviewed the subrecipient monitoring checklist in all instances to ensure all appropriate steps were completed, including risk assessments. University personnel indicated that proper staffing was not in place and specific monitoring of risk assessments was not being performed. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in federal regulations and the respective award agreement. By failing to adhere to the requirements for subrecipient monitoring, the University risks performing inadequate or inappropriate monitoring procedures and thereby increases the risk of subawards being used for unauthorized purposes. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-066 The University of Colorado?s Boulder campus should strengthen its internal controls over, and ensure compliance with, federal subrecipient monitoring requirements for the Research and Development Cluster grant programs by enforcing required reviews of the subrecipient checklist for completeness to ensure all of the appropriate steps are completed, including risk assessments, and by ensuring that appropriate levels of staff are assigned responsibility for the reviews. Response University of Colorado Agree Implementation Date: November 2022 Management agrees with the recommendation. Due to hiring of new staff and an internal audit with similar findings, these actions were in process and implemented as of November 2022. These actions are part of the Sub Team?s standard operating processes and will continue. The proposed corrective action plan is as follows: ? The hiring of new team members in 2022; all team members trained on subcontracting processes and documentation requirements with an emphasis on following standard baseline procedures. ? New Subcontract Administrator (SCA) position tasked with compiling final packets for each sub, which includes a quality check to ensure all documents and signatures required are included. ? Use of subcontract checklist and risk assessments required and consistently done by the team.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-064 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide emergency financial assistance to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the University under the Higher Education Emergency Relief Fund (HEERF I) Program. The federal Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the federal American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Each of the University?s campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (DOE) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements of the HEERF program there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The DOE specified that the Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The University?s campuses are required to submit the annual report directly to the DOE. During Fiscal Year 2022, each University campus was required to complete and post 8 reports (four Student Aid and four Institutional) to their website. During Fiscal Year 2022, the University?s three campuses in total expended approximately $60 million in HEERF grant funds: $27 million was expended by the Boulder campus, $10.5 million was expended by the Colorado Springs campus, and $22.5 million was expended by the Denver campus. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over and complied with the HEERF grant reporting requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls over the HEERF grant reporting requirements. In addition, we tested 11 of the 12 student reports and 3 of the 12 institutional reports posted by the University during Fiscal Year 2022 to determine whether the University campuses posted the required information on each campus? website accurately, and by the federal due dates. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? The DOE issued a notice on May 13, 2021, requiring institutions to publicly post their required HEERF reports on the institution?s website as soon as possible, but no later than 30 days after the publication of the notice, or 30 days after the date the DOE first obligated funds under HEERF I, II, or III to the institution for emergency financial assistance to students; whichever comes later. The institution is required to post the report no later than 10 days after the end of each calendar quarter, after the initial posting. ? Federal regulation [2 CFR 200.303] states that the System?s campuses, as federal grant recipients, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? What problem did the audit work identify? We identified 2 out of the 14 reports tested (14.3 percent) that did not meet the HEERF grant report posting requirements. Specifically, the University of Colorado, Colorado Springs Campus, did not post the required information for the HEERF Student Aid Portion on its website for two of four quarters of Fiscal Year 2022 timely. First, the University posted the quarter-ending September 30, 2021 report to its website on December 23, 2021, or 74 days after the deadline of October 10. Second, the University did not post the quarter-ending March 31, 2022 report, which was due April 10, 2022, until October 2022, after we notified them of the error; this was approximately 6 months late. We did not identify any issues with the accuracy of the reports, and we found that the other two campuses in the University of Colorado System posted the required information on their respective websites as required by federal regulations. Why did this problem occur? The University?s Colorado Springs campus did not have adequate internal controls in place to ensure it complied with the HEERF grant reporting requirements. Specifically, the Colorado Springs Campus did not have appropriate policies and procedures in place for identifying and researching changes in HEERF reporting requirements. The federal government updated and provided a new form for HEERF reporting in September 2021 that included a section for institutional information but inadvertently excluded student information from the form. Because the form no longer required the student information, the Colorado Springs campus staff inaccurately assumed that the student information was no longer required to be reported. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in the DOE Certification and Agreement that is signed and agreed to by the University. By failing to report required information in accordance with federal regulations, the University failed to comply with the requirements of the HEERF program and potentially risks repercussions from the DOE as specified in the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-064 The University of Colorado?s Colorado Springs campus should strengthen its internal controls over and ensure that it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by establishing policies and procedures for identifying and researching changes in HEERF reporting requirements and posting reports to the campus website as required by federal regulations. Response University of Colorado Agree Implementation Date: Implemented Management agrees. After the notification of the missing HEERF report in December 2021, the UCCS Controller proposed a ?cross-check? process to ensure all future reporting is in compliance and reported in a timely manner. This process is used for both the quarterly and annual reporting process. In the quarterly reporting process, the UCCS Controller completes the institutional report and emails the report to the UCCS Financial Aid office Senior Executive Director for verification of the amounts and the data submitted. The Senior Executive Director then enters the student aid portion?s information and provides this to the UCCS Controller for verification of the data. Once verified, the report is uploaded to the UCCS website and a confirmation email is sent to the UCCS Controller as well as the heerfreporting@ed.gov for verification of completion of the website posting. This process has been duplicated with the annual reporting process. Before the annual report is submitted a review will be done to verify the report figures match the CU financials for the calendar year.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-059 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF I) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund (Assistance Listing No. 84.425). The HEERF program contains two portions: the Student Aid portion (Assistance Listing No. 84.425E) and the Institutional portion, which is made up of the following: HEERF Institutional Aid Portion (Assistance Listing No. 84.425F), HEERF Minority Serving Institutions (Assistance Listing No. 84.425L), HEERF Strengthening Institutions Program (Assistance Listing No. 84.425M), Institutional Resilience and Expanded Postsecondary Opportunity (Assistance Listing No. 84.425P), and HEERF Supplemental Assistance to Institutions of Higher Education program (Assistance Listing No. 84.425S). Amounts provided to students through HEERF are considered to be ?Emergency Financial Aid Grants to Students? under the Program. Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent approximately $97.8 million for the HEERF program Student Aid portion which is used to award Emergency Financial Aid Grants to students and $113.9 million for the HEERF Institutional Portion, which is used to support the colleges. $117.3 of this amount was expended by the System during Fiscal Year 2022. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the ED to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The annual report is to be submitted directly to the ED. The ED has specified certain criteria that must be included in each report. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System had adequate internal controls in place over, and complied with, the HEERF Institutional and Student Aid grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the System?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 25 of the 117 HEERF reports submitted by the System?s campuses during Fiscal Year 2022 to determine whether the reports were posted on each campus? primary website (quarterly reports) or submitted to ED (annual reports) by the federal due dates. Furthermore, for the Student Aid Quarterly Report we requested from each Campus the underlying support for the reports, which consisted of student data detailing how much aid was awarded and the methods the campuses used to determine which students would receive Emergency Financial Aid Grants. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? On May 13, 2021, the ED published in the Federal Register a notice for student aid public reporting under CRRSAA and ARP, which requires that institutions publicly post certain information on their website. The following information must appear in a format and location that is easily accessible to the public: o An acknowledgement that the institution signed and returned to the ED the Certification and Agreement and the assurance that the institution has used the applicable amount of funds designated under the CRRSAA and ARP programs to provide Emergency Financial Aid Grants to Students. o The total amount of funds that the institution will receive or has received from the ED pursuant to the institution's Certification and Agreement for Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total amount of Emergency Financial Aid Grants distributed to students under the CRRSAA and ARP programs as of the date of submission (i.e., as of the initial report and every calendar quarter thereafter). o The estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total number of students who have received an Emergency Financial Aid Grant to students under the CRRSAA and ARP programs. o The method(s) used by the institution to determine which students receive Emergency Financial Aid Grants and how much they would receive under the CRRSAA and ARP programs. o Any instructions, directions, or guidance provided by the institution to students concerning the Emergency Financial Aid Grants. ? Federal Uniform Guidance [2 CFR 200.303] requires that recipients of federal awards have internal controls in place to ensure that federal reports are accurate and report complete information. Appropriate supporting documentation is evidence of such internal controls. What problems did the audit work identify? We identified issues with 5 of the 25 Fiscal Year 2022 reports we tested (20 percent). Specifically, Front Range Community College (FRCC), Pueblo Community College (PCC), and Lamar Community College (LCC) could not provide appropriate supporting documentation for one or more of the following data elements in five of the Student Aid Quarterly Reports: student data detailing (a) the total amount of Emergency Financial Aid Grants distributed to students, (b) the total number of students eligible to receive Emergency Financial Aid Grants and/or (c) the total number of students at the institution who have received an Emergency Financial Aid Grant. The specific issues we found the following: ? FRCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended September 30, 2021 as 20,684; based on our review, we determined the supported number was 20,782. ? FRCC reported the total number of students at the institution who have received an Emergency Financial Aid Grant for the quarter ended June 30, 2022 as 20,385 (student portion) and 3,207 (institutional portion); based on our review, we determined the supported numbers were 20,401 and 3,222, respectively. ? LCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended June 30, 2022 as 1,007; based on our review, we determined the supported number was 1,034. In addition, the amount disbursed directly to student emergency financial aid grants to date was reported as 961 and total for all HEERF funds was 1,124; based on our review, we determined the supported numbers were 988 and 1,151, respectively. ? PCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarters ending September 30, 2021 and December 31, 2021 as 3,191; based on our review, we determined this amount could not be supported and PCC did not provide a revised count. Why did these problems occur? FRCC, PCC, and LCC campuses did not have procedures in place to ensure that supporting documentation was maintained for its Student Aid Quarterly Reporting. Employee turnover in the FRCC Controller position and FRCC, PCC, and LCC Student Financial Aid Director positions further contributed to FRCC, PCC, and LCC?s inability to locate or recreate the supporting documentation. Why do these problems matter? It is important for FRCC, PCC, and LCC to ensure that they obtain and maintain appropriate documentation to support amounts reported to federal awarding agencies, especially when they are the basis for determining FRCC, PCC, and LCC?s compliance with specific federal program requirements. This issue could lead to inaccurate federal reporting and potential noncompliance, which could result in the federal government requiring FRCC, PCC, and LCC to return funds or a negative impact to the System?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-059 Front Range Community College, Lamar Community College, and Pueblo Community College campuses should strengthen their internal controls over federal reporting and ensure they comply with the Higher Education Emergency Relief Fund reporting requirements by reviewing reports for accuracy and developing procedures for ensuring the required maintenance of all related supporting documentation. Response Front Range Community College Agree Implementation Date: September 2022 Moving forward the Director of Financial Aid will engage the Restricted Funds Accountants in a quality assurance review of both dollars spent, type of fund, and student counts before it is submitted for final review and publishing by the Director of Resource Development and Senior Grant Administrator. The most recently submitted information for the quarterly report of September 30, 2022 will be sent to the Restricted Funds Accountants to validate that FRCC has been and will continue to be in compliance for quarterly HEERF reporting. Response Lamar Community College Agree Implementation Date: July 2022 The Financial Aid Director and the Controller will compile their reporting support on the shared drive they utilize for other routine purposes as well, to ensure clear documentation of the numbers reported. The original report containing errors was corrected, validated, and reposted. All past year?s reporting data was made available on the shared drive as of July 2022. Response Pueblo Community College Agree Implementation Date: October 2022 Each quarter Financial aid will obtain and compare Cognos and Banner disbursement reports for accuracy. Once the unduplicated student count is determined it will be sent to the Vice President of Student Success to validate and approve going forward. Financial aid will ensure staff maintain supporting documentation for any institutional expenditures information that was obtained from the fiscal office. Disbursement and expenditure data will be compiled for the Department of Education?s Quarterly Report by the submission deadline and will be submitted as PDF to webmaster for posting on PCC?s website and a copy emailed to a contact at the Department of Education and will archive the submission for future reference.
Finding 2022-062 Higher Education Emergency Relief Fund Student Aid Finding The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to higher education institutions, including the University, under the HEERF program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA) was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. Since March 11, 2021, the University has been awarded $45.6 million in HEERF grant funds through the American Rescue Plan (ARP), otherwise known as HEERF III. Of this award, the University was provided both 1) Student Aid monies, along with 2) Institutional Aid monies. Student Aid monies must be used to provide financial aid grants to students (including students exclusively enrolled in distance education), which may be used for ?any component of the student?s cost of attendance or for emergency costs that arise due to coronavirus, such as tuition, food, housing, healthcare (including mental health care), or childcare. Institutional Aid monies may be used to defray expenses associated with coronavirus (including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll) and to make additional financial grants to students. During Fiscal Year 2022, the University spent $21.0 million for the Student Aid portion and $20.2 million for the Institutional portion of HEERF III funds. For the Student Aid portion of the HEERF III funding, the University divided the funding into different groups. The University developed a written plan (that applied during Fiscal Year 2022) for each group and a control process for awarding the monies to students. One of the groups of funding was to be awarded to students with unpaid balances in their tuition or auxiliary accounts with past due balances incurred during the 2020-2021 or 2021-2022 academic years. A team of University employees (CARES Team) was tasked with identifying those students, then contacting those students and asking if they would like the University to apply the student?s HEERF award to pay down the student?s account balance or pay it to the student directly. Once the student informed the University of their election, then the University awarded and disbursed the funds. What was the purpose of our audit work and what was performed? The purpose of the audit work was to determine whether the University was in compliance with the HEERF program regulations for awarding and paying the Student Aid portion of the HEERF funding, and whether proper controls were in place over the program during Fiscal Year 2022. Our testing included conducting interviews with management and selecting a sample of 60 disbursements made to students during Fiscal Year 2022 to test controls and compliance. We performed testing on the 60 disbursements to determine whether awards and disbursements were made in accordance with the University?s documented plan. How were the results of the audit work measured? In accordance with HEERF III requirements, the University must prioritize student aid distributions to students with exceptional needs. In addition, the University must have a documented plan to distribute funds to students. Federal regulations [2 CFR 200.303] require any non-federal grant award recipient to establish and maintain effective internal control over the federal award that provides reasonable assurance that the grant award recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. Lastly, student aid application best practices discourage employees from awarding aid to family members. What problem did the audit work identify? Based on interviews with University management, the University identified that a University employee inappropriately provided $700 in HEERF Student Aid funding to the employee?s family member who was a student at the University but was not eligible to receive the funds. Specifically, the CARES Team selected students to receive these funds that met the following criteria: 1) Student was enrolled in the Fall of 2021 or Spring 2022, 2) student had past due balances incurred during the 2020-2021 or 2021-2022 academic years, 3) the student was in good academic standing, and 4) they were participating in a payment plan or in the College Completion Advising program. The student was not selected by the CARES Team as eligible to receive these funds. During our testing of additional 60 student disbursement transactions we found no other exceptions. Why did this problem occur? The University has not established proper segregation of duties to prevent University employees from awarding federal funding to a member of their family. Specifically, the employee had access rights within the University?s financial aid system that granted the employee the ability to both award and disburse federal funds without another employee reviewing or approving. In addition, the University did not have a written policy, as recommended by industry best practices, that prohibits employees from applying aid to family members? accounts. Why does this problem matter? Federal funds that are misapplied or used for unallowable purposes could be subject to repayment from the University to the federal granting agency. Without ensuring adequate segregation of duties within the University?s financial aid system for awarding and disbursing federal funds, the University increases the risk that fraud could occur. In the instance identified, the University recovered the funding from the student. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-062 Metropolitan State University of Denver (University) should improve its internal controls over federal Higher Education Emergency Relief Funds by instituting appropriate segregation of duties over the awarding of federal funds to students. This should include requiring that no one employee can both award then disburse aid to students and developing and implementing a formal written policy that prohibits University employees from awarding financial aid to their family members. Response Metropolitan State University Agree Implementation Date: June 2023 In January 2023, the Executive Director of Financial Aid and Scholarships implemented a code of conduct that addresses and prohibits University personnel from awarding financial aid to their family members or other persons considered conflicts of interest. The Office of Financial Aid and Scholarships will draft policy by June 30, 2023, to address the segregation of duties that prohibits awarding and disbursing federal, state, or institutional funding to students by one employee.
Finding 2022-063 Higher Education Emergency Relief Fund Reporting Compliance Finding The CARES Act was signed into law on March 27, 2020, and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the (HEERF Program. CRRSAA was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Since April 2020, the University has been awarded a total of $86.3 million in HEERF funding. From inception through June 30, 2022, the University spent $35.4 million for the HEERF program Student Aid Portion and $48.9 million for the HEERF program Institutional Portion. The University reports that it will spend the remaining amount of funding during Fiscal Year 2023. The University signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate the University?s acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The ED specified that Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The annual report is to be submitted directly to the federal ED. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University had adequate internal controls in place over and complied with HEERF Institutional and Student Aid Portion grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the University?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 5 of the 8 HEERF reports submitted by the University during Fiscal Year 2022 to determine whether the reports were posted on the University?s primary website or submitted directly to the ED by the federal due dates and complied with federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? For the Student Aid Portion, beginning on May 6, 2020, the ED required institutions to publicly post certain information on their website, including the number of awards distributed to students, the total amount awarded, and the methodologies used by the institution to determine which students receive awards, no later than 30 days after the award date, and to update that information every 45 days thereafter (by posting a new report). ? On August 31, 2020, the ED revised the reporting requirement by decreasing the frequency of reporting after the initial 30-day period from every 45 days thereafter to every calendar quarter. This revision from every 45 days to a calendar quarter was effective for the first calendar quarter report due by October 10, 2020, and covering the period from after the institution?s last report through the end of the calendar quarter on September 30, 2020. ? For the Institutional Portion, a federal form filled out by the institution must be posted on the institution?s website covering aggregate expenditure amounts for each calendar quarter (September 30, December 31, March 31, and June 30) and concluding after an institution has spent the institutional portion of their HEERF Funds. The institution must post their first report by October 30, 2020, the first quarter of 2021 report by July 20, 2021, and post all other reports no later than 10 days after the end of each calendar quarter (October 10, January 10, April 10, and July 10). ? Section 18004(e) of the CARES Act and Section 314(e) of the CRRSAA require an institution receiving funds under HEERF to submit a report to the Secretary of the ED at ?such time in such a manner as the Secretary may require?. ? Federal regulation [2 CFR 200.334] states that ?financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.? The instructions for the Quarterly HEERF Reporting Form notes, ?any changes or updates after the initial posting must be conspicuously noted after initial posting and the date of the change must be noted in the `Date of Report? line.? ? Federal regulation [2 CFR 200.303] states that the University, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The University signed a HEERF Certification and Agreement to accept the funding and acknowledge its responsibilities under the grant; therefore, the University was responsible under the Agreement to ensure that it complied with HEERF reporting and other requirements. What problems did the audit work identify? We determined that 2 out of 5 reports tested (40 percent) did not meet the HEERF grant report posting requirements. Specifically: ? The University did not post the HEERF CRRSAA Student quarterly report for the quarter ending September 30, 2021 on the University?s primary website, as required. ? The University published the HEERF ARP Student quarterly report for the quarter ending March 31, 2022 on May 26, 2022?46 days past the due date of April 10, 2022. No issues were noted on the accuracy of the financial information on this report. Why did these problems occur? The University did not implement adequate internal controls to ensure it complied with the HEERF grant reporting requirements. Specifically, the University did not have appropriate policies and procedures in place to ensure that staff submit the required reports within federally required timeframes. Why do these problems matter? Federal oversight agencies, including ED, depend on accurate reports to measure program results and states? compliance with federal requirements. By failing to report the HEERF spending information in accordance with federal regulations, the University failed to comply with the requirements of the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-063 Metropolitan State University of Denver (University) should strengthen its internal controls over reporting and ensure it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by developing and documenting policies and procedures for identifying and researching the specific reporting requirements and ensuring that staff post to the University?s website the required reports within federally required timeframes. In addition, the University should ensure that all the HEERF reports that are currently required to be posted are on the website. Response Metropolitan State University Agree Implementation Date: December 2022 In December 2022, the Office of Financial Aid strengthened its internal control over the reporting requirements for the Higher Education Emergency Relief Fund (HEERF), by adding the report due dates to the internal operational calendar. Additional level reviews were also added to the submission process before the required reports will be sent to the Department of Education and posted on the financial aid website.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-063 Higher Education Emergency Relief Fund Reporting Compliance Finding The CARES Act was signed into law on March 27, 2020, and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the (HEERF Program. CRRSAA was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Since April 2020, the University has been awarded a total of $86.3 million in HEERF funding. From inception through June 30, 2022, the University spent $35.4 million for the HEERF program Student Aid Portion and $48.9 million for the HEERF program Institutional Portion. The University reports that it will spend the remaining amount of funding during Fiscal Year 2023. The University signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate the University?s acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The ED specified that Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The annual report is to be submitted directly to the federal ED. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University had adequate internal controls in place over and complied with HEERF Institutional and Student Aid Portion grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the University?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 5 of the 8 HEERF reports submitted by the University during Fiscal Year 2022 to determine whether the reports were posted on the University?s primary website or submitted directly to the ED by the federal due dates and complied with federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? For the Student Aid Portion, beginning on May 6, 2020, the ED required institutions to publicly post certain information on their website, including the number of awards distributed to students, the total amount awarded, and the methodologies used by the institution to determine which students receive awards, no later than 30 days after the award date, and to update that information every 45 days thereafter (by posting a new report). ? On August 31, 2020, the ED revised the reporting requirement by decreasing the frequency of reporting after the initial 30-day period from every 45 days thereafter to every calendar quarter. This revision from every 45 days to a calendar quarter was effective for the first calendar quarter report due by October 10, 2020, and covering the period from after the institution?s last report through the end of the calendar quarter on September 30, 2020. ? For the Institutional Portion, a federal form filled out by the institution must be posted on the institution?s website covering aggregate expenditure amounts for each calendar quarter (September 30, December 31, March 31, and June 30) and concluding after an institution has spent the institutional portion of their HEERF Funds. The institution must post their first report by October 30, 2020, the first quarter of 2021 report by July 20, 2021, and post all other reports no later than 10 days after the end of each calendar quarter (October 10, January 10, April 10, and July 10). ? Section 18004(e) of the CARES Act and Section 314(e) of the CRRSAA require an institution receiving funds under HEERF to submit a report to the Secretary of the ED at ?such time in such a manner as the Secretary may require?. ? Federal regulation [2 CFR 200.334] states that ?financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.? The instructions for the Quarterly HEERF Reporting Form notes, ?any changes or updates after the initial posting must be conspicuously noted after initial posting and the date of the change must be noted in the `Date of Report? line.? ? Federal regulation [2 CFR 200.303] states that the University, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The University signed a HEERF Certification and Agreement to accept the funding and acknowledge its responsibilities under the grant; therefore, the University was responsible under the Agreement to ensure that it complied with HEERF reporting and other requirements. What problems did the audit work identify? We determined that 2 out of 5 reports tested (40 percent) did not meet the HEERF grant report posting requirements. Specifically: ? The University did not post the HEERF CRRSAA Student quarterly report for the quarter ending September 30, 2021 on the University?s primary website, as required. ? The University published the HEERF ARP Student quarterly report for the quarter ending March 31, 2022 on May 26, 2022?46 days past the due date of April 10, 2022. No issues were noted on the accuracy of the financial information on this report. Why did these problems occur? The University did not implement adequate internal controls to ensure it complied with the HEERF grant reporting requirements. Specifically, the University did not have appropriate policies and procedures in place to ensure that staff submit the required reports within federally required timeframes. Why do these problems matter? Federal oversight agencies, including ED, depend on accurate reports to measure program results and states? compliance with federal requirements. By failing to report the HEERF spending information in accordance with federal regulations, the University failed to comply with the requirements of the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-063 Metropolitan State University of Denver (University) should strengthen its internal controls over reporting and ensure it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by developing and documenting policies and procedures for identifying and researching the specific reporting requirements and ensuring that staff post to the University?s website the required reports within federally required timeframes. In addition, the University should ensure that all the HEERF reports that are currently required to be posted are on the website. Response Metropolitan State University Agree Implementation Date: December 2022 In December 2022, the Office of Financial Aid strengthened its internal control over the reporting requirements for the Higher Education Emergency Relief Fund (HEERF), by adding the report due dates to the internal operational calendar. Additional level reviews were also added to the submission process before the required reports will be sent to the Department of Education and posted on the financial aid website.
Finding 2022-064 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide emergency financial assistance to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the University under the Higher Education Emergency Relief Fund (HEERF I) Program. The federal Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the federal American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Each of the University?s campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (DOE) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements of the HEERF program there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The DOE specified that the Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The University?s campuses are required to submit the annual report directly to the DOE. During Fiscal Year 2022, each University campus was required to complete and post 8 reports (four Student Aid and four Institutional) to their website. During Fiscal Year 2022, the University?s three campuses in total expended approximately $60 million in HEERF grant funds: $27 million was expended by the Boulder campus, $10.5 million was expended by the Colorado Springs campus, and $22.5 million was expended by the Denver campus. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over and complied with the HEERF grant reporting requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls over the HEERF grant reporting requirements. In addition, we tested 11 of the 12 student reports and 3 of the 12 institutional reports posted by the University during Fiscal Year 2022 to determine whether the University campuses posted the required information on each campus? website accurately, and by the federal due dates. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? The DOE issued a notice on May 13, 2021, requiring institutions to publicly post their required HEERF reports on the institution?s website as soon as possible, but no later than 30 days after the publication of the notice, or 30 days after the date the DOE first obligated funds under HEERF I, II, or III to the institution for emergency financial assistance to students; whichever comes later. The institution is required to post the report no later than 10 days after the end of each calendar quarter, after the initial posting. ? Federal regulation [2 CFR 200.303] states that the System?s campuses, as federal grant recipients, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? What problem did the audit work identify? We identified 2 out of the 14 reports tested (14.3 percent) that did not meet the HEERF grant report posting requirements. Specifically, the University of Colorado, Colorado Springs Campus, did not post the required information for the HEERF Student Aid Portion on its website for two of four quarters of Fiscal Year 2022 timely. First, the University posted the quarter-ending September 30, 2021 report to its website on December 23, 2021, or 74 days after the deadline of October 10. Second, the University did not post the quarter-ending March 31, 2022 report, which was due April 10, 2022, until October 2022, after we notified them of the error; this was approximately 6 months late. We did not identify any issues with the accuracy of the reports, and we found that the other two campuses in the University of Colorado System posted the required information on their respective websites as required by federal regulations. Why did this problem occur? The University?s Colorado Springs campus did not have adequate internal controls in place to ensure it complied with the HEERF grant reporting requirements. Specifically, the Colorado Springs Campus did not have appropriate policies and procedures in place for identifying and researching changes in HEERF reporting requirements. The federal government updated and provided a new form for HEERF reporting in September 2021 that included a section for institutional information but inadvertently excluded student information from the form. Because the form no longer required the student information, the Colorado Springs campus staff inaccurately assumed that the student information was no longer required to be reported. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in the DOE Certification and Agreement that is signed and agreed to by the University. By failing to report required information in accordance with federal regulations, the University failed to comply with the requirements of the HEERF program and potentially risks repercussions from the DOE as specified in the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-064 The University of Colorado?s Colorado Springs campus should strengthen its internal controls over and ensure that it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by establishing policies and procedures for identifying and researching changes in HEERF reporting requirements and posting reports to the campus website as required by federal regulations. Response University of Colorado Agree Implementation Date: Implemented Management agrees. After the notification of the missing HEERF report in December 2021, the UCCS Controller proposed a ?cross-check? process to ensure all future reporting is in compliance and reported in a timely manner. This process is used for both the quarterly and annual reporting process. In the quarterly reporting process, the UCCS Controller completes the institutional report and emails the report to the UCCS Financial Aid office Senior Executive Director for verification of the amounts and the data submitted. The Senior Executive Director then enters the student aid portion?s information and provides this to the UCCS Controller for verification of the data. Once verified, the report is uploaded to the UCCS website and a confirmation email is sent to the UCCS Controller as well as the heerfreporting@ed.gov for verification of completion of the website posting. This process has been duplicated with the annual reporting process. Before the annual report is submitted a review will be done to verify the report figures match the CU financials for the calendar year.
Finding 2022-062 Higher Education Emergency Relief Fund Student Aid Finding The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to higher education institutions, including the University, under the HEERF program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA) was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. Since March 11, 2021, the University has been awarded $45.6 million in HEERF grant funds through the American Rescue Plan (ARP), otherwise known as HEERF III. Of this award, the University was provided both 1) Student Aid monies, along with 2) Institutional Aid monies. Student Aid monies must be used to provide financial aid grants to students (including students exclusively enrolled in distance education), which may be used for ?any component of the student?s cost of attendance or for emergency costs that arise due to coronavirus, such as tuition, food, housing, healthcare (including mental health care), or childcare. Institutional Aid monies may be used to defray expenses associated with coronavirus (including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll) and to make additional financial grants to students. During Fiscal Year 2022, the University spent $21.0 million for the Student Aid portion and $20.2 million for the Institutional portion of HEERF III funds. For the Student Aid portion of the HEERF III funding, the University divided the funding into different groups. The University developed a written plan (that applied during Fiscal Year 2022) for each group and a control process for awarding the monies to students. One of the groups of funding was to be awarded to students with unpaid balances in their tuition or auxiliary accounts with past due balances incurred during the 2020-2021 or 2021-2022 academic years. A team of University employees (CARES Team) was tasked with identifying those students, then contacting those students and asking if they would like the University to apply the student?s HEERF award to pay down the student?s account balance or pay it to the student directly. Once the student informed the University of their election, then the University awarded and disbursed the funds. What was the purpose of our audit work and what was performed? The purpose of the audit work was to determine whether the University was in compliance with the HEERF program regulations for awarding and paying the Student Aid portion of the HEERF funding, and whether proper controls were in place over the program during Fiscal Year 2022. Our testing included conducting interviews with management and selecting a sample of 60 disbursements made to students during Fiscal Year 2022 to test controls and compliance. We performed testing on the 60 disbursements to determine whether awards and disbursements were made in accordance with the University?s documented plan. How were the results of the audit work measured? In accordance with HEERF III requirements, the University must prioritize student aid distributions to students with exceptional needs. In addition, the University must have a documented plan to distribute funds to students. Federal regulations [2 CFR 200.303] require any non-federal grant award recipient to establish and maintain effective internal control over the federal award that provides reasonable assurance that the grant award recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. Lastly, student aid application best practices discourage employees from awarding aid to family members. What problem did the audit work identify? Based on interviews with University management, the University identified that a University employee inappropriately provided $700 in HEERF Student Aid funding to the employee?s family member who was a student at the University but was not eligible to receive the funds. Specifically, the CARES Team selected students to receive these funds that met the following criteria: 1) Student was enrolled in the Fall of 2021 or Spring 2022, 2) student had past due balances incurred during the 2020-2021 or 2021-2022 academic years, 3) the student was in good academic standing, and 4) they were participating in a payment plan or in the College Completion Advising program. The student was not selected by the CARES Team as eligible to receive these funds. During our testing of additional 60 student disbursement transactions we found no other exceptions. Why did this problem occur? The University has not established proper segregation of duties to prevent University employees from awarding federal funding to a member of their family. Specifically, the employee had access rights within the University?s financial aid system that granted the employee the ability to both award and disburse federal funds without another employee reviewing or approving. In addition, the University did not have a written policy, as recommended by industry best practices, that prohibits employees from applying aid to family members? accounts. Why does this problem matter? Federal funds that are misapplied or used for unallowable purposes could be subject to repayment from the University to the federal granting agency. Without ensuring adequate segregation of duties within the University?s financial aid system for awarding and disbursing federal funds, the University increases the risk that fraud could occur. In the instance identified, the University recovered the funding from the student. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-062 Metropolitan State University of Denver (University) should improve its internal controls over federal Higher Education Emergency Relief Funds by instituting appropriate segregation of duties over the awarding of federal funds to students. This should include requiring that no one employee can both award then disburse aid to students and developing and implementing a formal written policy that prohibits University employees from awarding financial aid to their family members. Response Metropolitan State University Agree Implementation Date: June 2023 In January 2023, the Executive Director of Financial Aid and Scholarships implemented a code of conduct that addresses and prohibits University personnel from awarding financial aid to their family members or other persons considered conflicts of interest. The Office of Financial Aid and Scholarships will draft policy by June 30, 2023, to address the segregation of duties that prohibits awarding and disbursing federal, state, or institutional funding to students by one employee.
Finding 2022-059 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF I) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund (Assistance Listing No. 84.425). The HEERF program contains two portions: the Student Aid portion (Assistance Listing No. 84.425E) and the Institutional portion, which is made up of the following: HEERF Institutional Aid Portion (Assistance Listing No. 84.425F), HEERF Minority Serving Institutions (Assistance Listing No. 84.425L), HEERF Strengthening Institutions Program (Assistance Listing No. 84.425M), Institutional Resilience and Expanded Postsecondary Opportunity (Assistance Listing No. 84.425P), and HEERF Supplemental Assistance to Institutions of Higher Education program (Assistance Listing No. 84.425S). Amounts provided to students through HEERF are considered to be ?Emergency Financial Aid Grants to Students? under the Program. Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent approximately $97.8 million for the HEERF program Student Aid portion which is used to award Emergency Financial Aid Grants to students and $113.9 million for the HEERF Institutional Portion, which is used to support the colleges. $117.3 of this amount was expended by the System during Fiscal Year 2022. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the ED to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The annual report is to be submitted directly to the ED. The ED has specified certain criteria that must be included in each report. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System had adequate internal controls in place over, and complied with, the HEERF Institutional and Student Aid grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the System?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 25 of the 117 HEERF reports submitted by the System?s campuses during Fiscal Year 2022 to determine whether the reports were posted on each campus? primary website (quarterly reports) or submitted to ED (annual reports) by the federal due dates. Furthermore, for the Student Aid Quarterly Report we requested from each Campus the underlying support for the reports, which consisted of student data detailing how much aid was awarded and the methods the campuses used to determine which students would receive Emergency Financial Aid Grants. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? On May 13, 2021, the ED published in the Federal Register a notice for student aid public reporting under CRRSAA and ARP, which requires that institutions publicly post certain information on their website. The following information must appear in a format and location that is easily accessible to the public: o An acknowledgement that the institution signed and returned to the ED the Certification and Agreement and the assurance that the institution has used the applicable amount of funds designated under the CRRSAA and ARP programs to provide Emergency Financial Aid Grants to Students. o The total amount of funds that the institution will receive or has received from the ED pursuant to the institution's Certification and Agreement for Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total amount of Emergency Financial Aid Grants distributed to students under the CRRSAA and ARP programs as of the date of submission (i.e., as of the initial report and every calendar quarter thereafter). o The estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total number of students who have received an Emergency Financial Aid Grant to students under the CRRSAA and ARP programs. o The method(s) used by the institution to determine which students receive Emergency Financial Aid Grants and how much they would receive under the CRRSAA and ARP programs. o Any instructions, directions, or guidance provided by the institution to students concerning the Emergency Financial Aid Grants. ? Federal Uniform Guidance [2 CFR 200.303] requires that recipients of federal awards have internal controls in place to ensure that federal reports are accurate and report complete information. Appropriate supporting documentation is evidence of such internal controls. What problems did the audit work identify? We identified issues with 5 of the 25 Fiscal Year 2022 reports we tested (20 percent). Specifically, Front Range Community College (FRCC), Pueblo Community College (PCC), and Lamar Community College (LCC) could not provide appropriate supporting documentation for one or more of the following data elements in five of the Student Aid Quarterly Reports: student data detailing (a) the total amount of Emergency Financial Aid Grants distributed to students, (b) the total number of students eligible to receive Emergency Financial Aid Grants and/or (c) the total number of students at the institution who have received an Emergency Financial Aid Grant. The specific issues we found the following: ? FRCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended September 30, 2021 as 20,684; based on our review, we determined the supported number was 20,782. ? FRCC reported the total number of students at the institution who have received an Emergency Financial Aid Grant for the quarter ended June 30, 2022 as 20,385 (student portion) and 3,207 (institutional portion); based on our review, we determined the supported numbers were 20,401 and 3,222, respectively. ? LCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended June 30, 2022 as 1,007; based on our review, we determined the supported number was 1,034. In addition, the amount disbursed directly to student emergency financial aid grants to date was reported as 961 and total for all HEERF funds was 1,124; based on our review, we determined the supported numbers were 988 and 1,151, respectively. ? PCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarters ending September 30, 2021 and December 31, 2021 as 3,191; based on our review, we determined this amount could not be supported and PCC did not provide a revised count. Why did these problems occur? FRCC, PCC, and LCC campuses did not have procedures in place to ensure that supporting documentation was maintained for its Student Aid Quarterly Reporting. Employee turnover in the FRCC Controller position and FRCC, PCC, and LCC Student Financial Aid Director positions further contributed to FRCC, PCC, and LCC?s inability to locate or recreate the supporting documentation. Why do these problems matter? It is important for FRCC, PCC, and LCC to ensure that they obtain and maintain appropriate documentation to support amounts reported to federal awarding agencies, especially when they are the basis for determining FRCC, PCC, and LCC?s compliance with specific federal program requirements. This issue could lead to inaccurate federal reporting and potential noncompliance, which could result in the federal government requiring FRCC, PCC, and LCC to return funds or a negative impact to the System?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-059 Front Range Community College, Lamar Community College, and Pueblo Community College campuses should strengthen their internal controls over federal reporting and ensure they comply with the Higher Education Emergency Relief Fund reporting requirements by reviewing reports for accuracy and developing procedures for ensuring the required maintenance of all related supporting documentation. Response Front Range Community College Agree Implementation Date: September 2022 Moving forward the Director of Financial Aid will engage the Restricted Funds Accountants in a quality assurance review of both dollars spent, type of fund, and student counts before it is submitted for final review and publishing by the Director of Resource Development and Senior Grant Administrator. The most recently submitted information for the quarterly report of September 30, 2022 will be sent to the Restricted Funds Accountants to validate that FRCC has been and will continue to be in compliance for quarterly HEERF reporting. Response Lamar Community College Agree Implementation Date: July 2022 The Financial Aid Director and the Controller will compile their reporting support on the shared drive they utilize for other routine purposes as well, to ensure clear documentation of the numbers reported. The original report containing errors was corrected, validated, and reposted. All past year?s reporting data was made available on the shared drive as of July 2022. Response Pueblo Community College Agree Implementation Date: October 2022 Each quarter Financial aid will obtain and compare Cognos and Banner disbursement reports for accuracy. Once the unduplicated student count is determined it will be sent to the Vice President of Student Success to validate and approve going forward. Financial aid will ensure staff maintain supporting documentation for any institutional expenditures information that was obtained from the fiscal office. Disbursement and expenditure data will be compiled for the Department of Education?s Quarterly Report by the submission deadline and will be submitted as PDF to webmaster for posting on PCC?s website and a copy emailed to a contact at the Department of Education and will archive the submission for future reference.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Finding 2022-060 Internal Controls and Compliance Over Student Financial Aid Cluster?Compliance Enrollment Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Aid funds to report enrollment information within specified timeframes to the USDE through its central database for student aid, the National Student Loan Data System (NSLDS). Enrollment reporting, including submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Colorado School of Mines submits student roster files to NSLDS via a third-party servicer, the National Student Clearinghouse (Clearinghouse), which is then uploaded by the Clearinghouse directly to NSLDS. The School?s Registrars? Office compiles the roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Title IV aid at the School. The School performs an initial review of participating students? enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each month, Registrar?s Office staff prepare student roster files of enrollment status through a manual comparison of applicable students? enrollment status at the census date to the current enrollment status per the School?s reporting system. During Fiscal Year 2022, the Colorado School of Mines issued approximately $38.5 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $3.4 million and $35.1 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the School had adequate internal controls over and complied with enrollment reporting requirements regarding student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2022. Another purpose of our audit work was to determine the School?s progress in implementing our Fiscal Year 2021 audit recommendation related to Student Financial Aid enrollment reporting requirements. At that time, we recommended that the School implement a review process that ensures the date of the student enrollment change included in NSLDS student roster files agrees to the School?s records. As part of our Fiscal Year 2022 testwork, we reviewed a random sample of 40 students whose attendance information was required to be reported to NSLDS during Fiscal Year 2022. For each student in our sample, we compared information within the School?s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal from the institution or a change in enrolled credit hours, to determine if the information was reported accurately and within federal timeliness requirements. How were the results of the audit work measured? Under the federal Pell Grant and Direct Loan program requirements [34 CFR 690.83(b)(2) and 685.309], an institution must report any enrollment status changes, including the date of the change, per the institution?s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student?s enrollment status to NSLDS when there is a (a) reduction or increase in the student?s attendance levels, (b) graduation, (c) withdrawal, and/or (d) student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against a 60-day timeframe of submitted roster files. What problem did the audit work identify? We found that the School had not reported status changes to NSLDS for 2 the 40 (5 percent) students we tested. Specifically, the status changes should have been submitted on March 7, 2022 and April 12, 2022, respectively, but had not been submitted by June 30, 2022, the end of Fiscal Year 2022. As of the end of the audit testing in August 2022, the School had submitted these status changes. Why did this problem occur? The School did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Aid program. Specifically, we found that the School did not implement the prior year recommendation and that it did not have a review process that ensures all students with an enrollment status change noted in the School?s reporting system are submitted to NSLDS within the 60-day requirement. For one case, Student Financial Aid Office staff indicated that they missed the student in their review process due to turnover, and in the other case, there was a mix up with the student?s social security number that resulted in the status change not being reported. Why does this problem matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the School fails to meet the required reporting timelines, the borrower?s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-060 The Colorado School of Mines should strengthen its internal controls over reporting Student Financial Aid Pell Grants and Direct Loan Program student enrollment to the National Student Loan Data System (NSLDS) by implementing a review process over all student enrollment changes in the School?s reporting system to ensure the changes are submitted to NSLDS within 60-days of the enrollment change, as required by federal regulations. Response Colorado School of Mines Agree Implementation Date: October 31, 2022 Mines was delayed in processing NSLDS files due to staffing changes and employee leave. Mines has constructed a process to ensure timely future reporting along with an agreed upon trained back-up for the primary person if they are out for an extended time. Additionally, we have changed how often we report enrollment files to the Clearinghouse (NSC). We are now reporting every two weeks. The error reports generated after the files are submitted are reviewed as soon as they?re posted, a copy downloaded from NSC and reviewed for corrections which are then completed as soon as possible. Mines is working on an updating the documentation for the full process, including all of the cleanup reports that are run in COGNOS and the Banner jobs before the enrollment file is even processed.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-064 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide emergency financial assistance to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the University under the Higher Education Emergency Relief Fund (HEERF I) Program. The federal Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the federal American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Each of the University?s campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (DOE) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements of the HEERF program there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The DOE specified that the Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The University?s campuses are required to submit the annual report directly to the DOE. During Fiscal Year 2022, each University campus was required to complete and post 8 reports (four Student Aid and four Institutional) to their website. During Fiscal Year 2022, the University?s three campuses in total expended approximately $60 million in HEERF grant funds: $27 million was expended by the Boulder campus, $10.5 million was expended by the Colorado Springs campus, and $22.5 million was expended by the Denver campus. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University?s campuses had adequate internal controls in place over and complied with the HEERF grant reporting requirements for Fiscal Year 2022. As part of our audit work, we tested the University?s campuses? internal controls over the HEERF grant reporting requirements. In addition, we tested 11 of the 12 student reports and 3 of the 12 institutional reports posted by the University during Fiscal Year 2022 to determine whether the University campuses posted the required information on each campus? website accurately, and by the federal due dates. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? The DOE issued a notice on May 13, 2021, requiring institutions to publicly post their required HEERF reports on the institution?s website as soon as possible, but no later than 30 days after the publication of the notice, or 30 days after the date the DOE first obligated funds under HEERF I, II, or III to the institution for emergency financial assistance to students; whichever comes later. The institution is required to post the report no later than 10 days after the end of each calendar quarter, after the initial posting. ? Federal regulation [2 CFR 200.303] states that the System?s campuses, as federal grant recipients, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? What problem did the audit work identify? We identified 2 out of the 14 reports tested (14.3 percent) that did not meet the HEERF grant report posting requirements. Specifically, the University of Colorado, Colorado Springs Campus, did not post the required information for the HEERF Student Aid Portion on its website for two of four quarters of Fiscal Year 2022 timely. First, the University posted the quarter-ending September 30, 2021 report to its website on December 23, 2021, or 74 days after the deadline of October 10. Second, the University did not post the quarter-ending March 31, 2022 report, which was due April 10, 2022, until October 2022, after we notified them of the error; this was approximately 6 months late. We did not identify any issues with the accuracy of the reports, and we found that the other two campuses in the University of Colorado System posted the required information on their respective websites as required by federal regulations. Why did this problem occur? The University?s Colorado Springs campus did not have adequate internal controls in place to ensure it complied with the HEERF grant reporting requirements. Specifically, the Colorado Springs Campus did not have appropriate policies and procedures in place for identifying and researching changes in HEERF reporting requirements. The federal government updated and provided a new form for HEERF reporting in September 2021 that included a section for institutional information but inadvertently excluded student information from the form. Because the form no longer required the student information, the Colorado Springs campus staff inaccurately assumed that the student information was no longer required to be reported. Why does this problem matter? The University is obligated to adhere to specified requirements as outlined in the DOE Certification and Agreement that is signed and agreed to by the University. By failing to report required information in accordance with federal regulations, the University failed to comply with the requirements of the HEERF program and potentially risks repercussions from the DOE as specified in the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-064 The University of Colorado?s Colorado Springs campus should strengthen its internal controls over and ensure that it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by establishing policies and procedures for identifying and researching changes in HEERF reporting requirements and posting reports to the campus website as required by federal regulations. Response University of Colorado Agree Implementation Date: Implemented Management agrees. After the notification of the missing HEERF report in December 2021, the UCCS Controller proposed a ?cross-check? process to ensure all future reporting is in compliance and reported in a timely manner. This process is used for both the quarterly and annual reporting process. In the quarterly reporting process, the UCCS Controller completes the institutional report and emails the report to the UCCS Financial Aid office Senior Executive Director for verification of the amounts and the data submitted. The Senior Executive Director then enters the student aid portion?s information and provides this to the UCCS Controller for verification of the data. Once verified, the report is uploaded to the UCCS website and a confirmation email is sent to the UCCS Controller as well as the heerfreporting@ed.gov for verification of completion of the website posting. This process has been duplicated with the annual reporting process. Before the annual report is submitted a review will be done to verify the report figures match the CU financials for the calendar year.
Finding 2022-063 Higher Education Emergency Relief Fund Reporting Compliance Finding The CARES Act was signed into law on March 27, 2020, and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the (HEERF Program. CRRSAA was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal COVID-19 ? Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: the Student Aid Portion [ALN 84.425E] and the Institutional Portion [ALN 84.425F]. Since April 2020, the University has been awarded a total of $86.3 million in HEERF funding. From inception through June 30, 2022, the University spent $35.4 million for the HEERF program Student Aid Portion and $48.9 million for the HEERF program Institutional Portion. The University reports that it will spend the remaining amount of funding during Fiscal Year 2023. The University signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate the University?s acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The ED specified that Student Aid Portion and Institutional Portion reports needed to be posted to an institution?s website at specified times. The annual report is to be submitted directly to the federal ED. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the University had adequate internal controls in place over and complied with HEERF Institutional and Student Aid Portion grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the University?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 5 of the 8 HEERF reports submitted by the University during Fiscal Year 2022 to determine whether the reports were posted on the University?s primary website or submitted directly to the ED by the federal due dates and complied with federal regulations. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? For the Student Aid Portion, beginning on May 6, 2020, the ED required institutions to publicly post certain information on their website, including the number of awards distributed to students, the total amount awarded, and the methodologies used by the institution to determine which students receive awards, no later than 30 days after the award date, and to update that information every 45 days thereafter (by posting a new report). ? On August 31, 2020, the ED revised the reporting requirement by decreasing the frequency of reporting after the initial 30-day period from every 45 days thereafter to every calendar quarter. This revision from every 45 days to a calendar quarter was effective for the first calendar quarter report due by October 10, 2020, and covering the period from after the institution?s last report through the end of the calendar quarter on September 30, 2020. ? For the Institutional Portion, a federal form filled out by the institution must be posted on the institution?s website covering aggregate expenditure amounts for each calendar quarter (September 30, December 31, March 31, and June 30) and concluding after an institution has spent the institutional portion of their HEERF Funds. The institution must post their first report by October 30, 2020, the first quarter of 2021 report by July 20, 2021, and post all other reports no later than 10 days after the end of each calendar quarter (October 10, January 10, April 10, and July 10). ? Section 18004(e) of the CARES Act and Section 314(e) of the CRRSAA require an institution receiving funds under HEERF to submit a report to the Secretary of the ED at ?such time in such a manner as the Secretary may require?. ? Federal regulation [2 CFR 200.334] states that ?financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.? The instructions for the Quarterly HEERF Reporting Form notes, ?any changes or updates after the initial posting must be conspicuously noted after initial posting and the date of the change must be noted in the `Date of Report? line.? ? Federal regulation [2 CFR 200.303] states that the University, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The University signed a HEERF Certification and Agreement to accept the funding and acknowledge its responsibilities under the grant; therefore, the University was responsible under the Agreement to ensure that it complied with HEERF reporting and other requirements. What problems did the audit work identify? We determined that 2 out of 5 reports tested (40 percent) did not meet the HEERF grant report posting requirements. Specifically: ? The University did not post the HEERF CRRSAA Student quarterly report for the quarter ending September 30, 2021 on the University?s primary website, as required. ? The University published the HEERF ARP Student quarterly report for the quarter ending March 31, 2022 on May 26, 2022?46 days past the due date of April 10, 2022. No issues were noted on the accuracy of the financial information on this report. Why did these problems occur? The University did not implement adequate internal controls to ensure it complied with the HEERF grant reporting requirements. Specifically, the University did not have appropriate policies and procedures in place to ensure that staff submit the required reports within federally required timeframes. Why do these problems matter? Federal oversight agencies, including ED, depend on accurate reports to measure program results and states? compliance with federal requirements. By failing to report the HEERF spending information in accordance with federal regulations, the University failed to comply with the requirements of the Certification and Agreement. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-063 Metropolitan State University of Denver (University) should strengthen its internal controls over reporting and ensure it complies with the Higher Education Emergency Relief Fund (HEERF) reporting requirements by developing and documenting policies and procedures for identifying and researching the specific reporting requirements and ensuring that staff post to the University?s website the required reports within federally required timeframes. In addition, the University should ensure that all the HEERF reports that are currently required to be posted are on the website. Response Metropolitan State University Agree Implementation Date: December 2022 In December 2022, the Office of Financial Aid strengthened its internal control over the reporting requirements for the Higher Education Emergency Relief Fund (HEERF), by adding the report due dates to the internal operational calendar. Additional level reviews were also added to the submission process before the required reports will be sent to the Department of Education and posted on the financial aid website.
Finding 2022-062 Higher Education Emergency Relief Fund Student Aid Finding The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to higher education institutions, including the University, under the HEERF program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA) was signed into law on December 27, 2020 and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. Since March 11, 2021, the University has been awarded $45.6 million in HEERF grant funds through the American Rescue Plan (ARP), otherwise known as HEERF III. Of this award, the University was provided both 1) Student Aid monies, along with 2) Institutional Aid monies. Student Aid monies must be used to provide financial aid grants to students (including students exclusively enrolled in distance education), which may be used for ?any component of the student?s cost of attendance or for emergency costs that arise due to coronavirus, such as tuition, food, housing, healthcare (including mental health care), or childcare. Institutional Aid monies may be used to defray expenses associated with coronavirus (including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll) and to make additional financial grants to students. During Fiscal Year 2022, the University spent $21.0 million for the Student Aid portion and $20.2 million for the Institutional portion of HEERF III funds. For the Student Aid portion of the HEERF III funding, the University divided the funding into different groups. The University developed a written plan (that applied during Fiscal Year 2022) for each group and a control process for awarding the monies to students. One of the groups of funding was to be awarded to students with unpaid balances in their tuition or auxiliary accounts with past due balances incurred during the 2020-2021 or 2021-2022 academic years. A team of University employees (CARES Team) was tasked with identifying those students, then contacting those students and asking if they would like the University to apply the student?s HEERF award to pay down the student?s account balance or pay it to the student directly. Once the student informed the University of their election, then the University awarded and disbursed the funds. What was the purpose of our audit work and what was performed? The purpose of the audit work was to determine whether the University was in compliance with the HEERF program regulations for awarding and paying the Student Aid portion of the HEERF funding, and whether proper controls were in place over the program during Fiscal Year 2022. Our testing included conducting interviews with management and selecting a sample of 60 disbursements made to students during Fiscal Year 2022 to test controls and compliance. We performed testing on the 60 disbursements to determine whether awards and disbursements were made in accordance with the University?s documented plan. How were the results of the audit work measured? In accordance with HEERF III requirements, the University must prioritize student aid distributions to students with exceptional needs. In addition, the University must have a documented plan to distribute funds to students. Federal regulations [2 CFR 200.303] require any non-federal grant award recipient to establish and maintain effective internal control over the federal award that provides reasonable assurance that the grant award recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. Lastly, student aid application best practices discourage employees from awarding aid to family members. What problem did the audit work identify? Based on interviews with University management, the University identified that a University employee inappropriately provided $700 in HEERF Student Aid funding to the employee?s family member who was a student at the University but was not eligible to receive the funds. Specifically, the CARES Team selected students to receive these funds that met the following criteria: 1) Student was enrolled in the Fall of 2021 or Spring 2022, 2) student had past due balances incurred during the 2020-2021 or 2021-2022 academic years, 3) the student was in good academic standing, and 4) they were participating in a payment plan or in the College Completion Advising program. The student was not selected by the CARES Team as eligible to receive these funds. During our testing of additional 60 student disbursement transactions we found no other exceptions. Why did this problem occur? The University has not established proper segregation of duties to prevent University employees from awarding federal funding to a member of their family. Specifically, the employee had access rights within the University?s financial aid system that granted the employee the ability to both award and disburse federal funds without another employee reviewing or approving. In addition, the University did not have a written policy, as recommended by industry best practices, that prohibits employees from applying aid to family members? accounts. Why does this problem matter? Federal funds that are misapplied or used for unallowable purposes could be subject to repayment from the University to the federal granting agency. Without ensuring adequate segregation of duties within the University?s financial aid system for awarding and disbursing federal funds, the University increases the risk that fraud could occur. In the instance identified, the University recovered the funding from the student. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-062 Metropolitan State University of Denver (University) should improve its internal controls over federal Higher Education Emergency Relief Funds by instituting appropriate segregation of duties over the awarding of federal funds to students. This should include requiring that no one employee can both award then disburse aid to students and developing and implementing a formal written policy that prohibits University employees from awarding financial aid to their family members. Response Metropolitan State University Agree Implementation Date: June 2023 In January 2023, the Executive Director of Financial Aid and Scholarships implemented a code of conduct that addresses and prohibits University personnel from awarding financial aid to their family members or other persons considered conflicts of interest. The Office of Financial Aid and Scholarships will draft policy by June 30, 2023, to address the segregation of duties that prohibits awarding and disbursing federal, state, or institutional funding to students by one employee.
Finding 2022-059 Higher Education Emergency Relief Fund (HEERF) Reporting Compliance The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF I) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund (Assistance Listing No. 84.425). The HEERF program contains two portions: the Student Aid portion (Assistance Listing No. 84.425E) and the Institutional portion, which is made up of the following: HEERF Institutional Aid Portion (Assistance Listing No. 84.425F), HEERF Minority Serving Institutions (Assistance Listing No. 84.425L), HEERF Strengthening Institutions Program (Assistance Listing No. 84.425M), Institutional Resilience and Expanded Postsecondary Opportunity (Assistance Listing No. 84.425P), and HEERF Supplemental Assistance to Institutions of Higher Education program (Assistance Listing No. 84.425S). Amounts provided to students through HEERF are considered to be ?Emergency Financial Aid Grants to Students? under the Program. Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent approximately $97.8 million for the HEERF program Student Aid portion which is used to award Emergency Financial Aid Grants to students and $113.9 million for the HEERF Institutional Portion, which is used to support the colleges. $117.3 of this amount was expended by the System during Fiscal Year 2022. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the ED to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the HEERF program requirements, there are three components to reporting: (1) public reporting on the Student Aid Portion; (2) public reporting on the Institutional Portion, and (3) the annual report, which includes summarized information on the Student Aid and Institutional Portions for the reporting period. The annual report is to be submitted directly to the ED. The ED has specified certain criteria that must be included in each report. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System had adequate internal controls in place over, and complied with, the HEERF Institutional and Student Aid grant reporting requirements for Fiscal Year 2022. As part of our audit work, we reviewed the System?s internal controls over the HEERF grant reporting requirements. In addition, we tested a sample of 25 of the 117 HEERF reports submitted by the System?s campuses during Fiscal Year 2022 to determine whether the reports were posted on each campus? primary website (quarterly reports) or submitted to ED (annual reports) by the federal due dates. Furthermore, for the Student Aid Quarterly Report we requested from each Campus the underlying support for the reports, which consisted of student data detailing how much aid was awarded and the methods the campuses used to determine which students would receive Emergency Financial Aid Grants. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? On May 13, 2021, the ED published in the Federal Register a notice for student aid public reporting under CRRSAA and ARP, which requires that institutions publicly post certain information on their website. The following information must appear in a format and location that is easily accessible to the public: o An acknowledgement that the institution signed and returned to the ED the Certification and Agreement and the assurance that the institution has used the applicable amount of funds designated under the CRRSAA and ARP programs to provide Emergency Financial Aid Grants to Students. o The total amount of funds that the institution will receive or has received from the ED pursuant to the institution's Certification and Agreement for Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total amount of Emergency Financial Aid Grants distributed to students under the CRRSAA and ARP programs as of the date of submission (i.e., as of the initial report and every calendar quarter thereafter). o The estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under the CRRSAA and ARP programs. o The total number of students who have received an Emergency Financial Aid Grant to students under the CRRSAA and ARP programs. o The method(s) used by the institution to determine which students receive Emergency Financial Aid Grants and how much they would receive under the CRRSAA and ARP programs. o Any instructions, directions, or guidance provided by the institution to students concerning the Emergency Financial Aid Grants. ? Federal Uniform Guidance [2 CFR 200.303] requires that recipients of federal awards have internal controls in place to ensure that federal reports are accurate and report complete information. Appropriate supporting documentation is evidence of such internal controls. What problems did the audit work identify? We identified issues with 5 of the 25 Fiscal Year 2022 reports we tested (20 percent). Specifically, Front Range Community College (FRCC), Pueblo Community College (PCC), and Lamar Community College (LCC) could not provide appropriate supporting documentation for one or more of the following data elements in five of the Student Aid Quarterly Reports: student data detailing (a) the total amount of Emergency Financial Aid Grants distributed to students, (b) the total number of students eligible to receive Emergency Financial Aid Grants and/or (c) the total number of students at the institution who have received an Emergency Financial Aid Grant. The specific issues we found the following: ? FRCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended September 30, 2021 as 20,684; based on our review, we determined the supported number was 20,782. ? FRCC reported the total number of students at the institution who have received an Emergency Financial Aid Grant for the quarter ended June 30, 2022 as 20,385 (student portion) and 3,207 (institutional portion); based on our review, we determined the supported numbers were 20,401 and 3,222, respectively. ? LCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarter ended June 30, 2022 as 1,007; based on our review, we determined the supported number was 1,034. In addition, the amount disbursed directly to student emergency financial aid grants to date was reported as 961 and total for all HEERF funds was 1,124; based on our review, we determined the supported numbers were 988 and 1,151, respectively. ? PCC reported the total number of students eligible to receive Emergency Financial Aid Grants for the quarters ending September 30, 2021 and December 31, 2021 as 3,191; based on our review, we determined this amount could not be supported and PCC did not provide a revised count. Why did these problems occur? FRCC, PCC, and LCC campuses did not have procedures in place to ensure that supporting documentation was maintained for its Student Aid Quarterly Reporting. Employee turnover in the FRCC Controller position and FRCC, PCC, and LCC Student Financial Aid Director positions further contributed to FRCC, PCC, and LCC?s inability to locate or recreate the supporting documentation. Why do these problems matter? It is important for FRCC, PCC, and LCC to ensure that they obtain and maintain appropriate documentation to support amounts reported to federal awarding agencies, especially when they are the basis for determining FRCC, PCC, and LCC?s compliance with specific federal program requirements. This issue could lead to inaccurate federal reporting and potential noncompliance, which could result in the federal government requiring FRCC, PCC, and LCC to return funds or a negative impact to the System?s future federal program funding. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-059 Front Range Community College, Lamar Community College, and Pueblo Community College campuses should strengthen their internal controls over federal reporting and ensure they comply with the Higher Education Emergency Relief Fund reporting requirements by reviewing reports for accuracy and developing procedures for ensuring the required maintenance of all related supporting documentation. Response Front Range Community College Agree Implementation Date: September 2022 Moving forward the Director of Financial Aid will engage the Restricted Funds Accountants in a quality assurance review of both dollars spent, type of fund, and student counts before it is submitted for final review and publishing by the Director of Resource Development and Senior Grant Administrator. The most recently submitted information for the quarterly report of September 30, 2022 will be sent to the Restricted Funds Accountants to validate that FRCC has been and will continue to be in compliance for quarterly HEERF reporting. Response Lamar Community College Agree Implementation Date: July 2022 The Financial Aid Director and the Controller will compile their reporting support on the shared drive they utilize for other routine purposes as well, to ensure clear documentation of the numbers reported. The original report containing errors was corrected, validated, and reposted. All past year?s reporting data was made available on the shared drive as of July 2022. Response Pueblo Community College Agree Implementation Date: October 2022 Each quarter Financial aid will obtain and compare Cognos and Banner disbursement reports for accuracy. Once the unduplicated student count is determined it will be sent to the Vice President of Student Success to validate and approve going forward. Financial aid will ensure staff maintain supporting documentation for any institutional expenditures information that was obtained from the fiscal office. Disbursement and expenditure data will be compiled for the Department of Education?s Quarterly Report by the submission deadline and will be submitted as PDF to webmaster for posting on PCC?s website and a copy emailed to a contact at the Department of Education and will archive the submission for future reference.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-056 Community College of Aurora should strengthen their internal controls over suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements by: A. Ensuring staff maintain supporting documentation of suspension and debarment checks. B. Providing training and cross-training to existing employees over suspension and debarment requirements. Response Community College of Aurora A. Agree Implementation Date: October 2022 Beginning in October 2022, the duty was moved from the Principal Investigator or instructional staff previously responsible for this step to the Director of Purchasing to ensure compliance for all grant transactions. B. Agree Implementation Date: October 2022 Training will be provided for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase, to fiscal and grant staff
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-057 Otero College should strengthen their internal controls over procurement and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures. B. Ensuring staff maintain supporting documentation for procurements. C. Providing training and cross-training to existing employees over procurement requirements. Response Otero College A. Agree Implementation Date: August 2022 Otero College has adopted the system offices Sole Source justification form that will be posted to the State procurement site, requires supervisory approval, and has put that into place as of August 2022. B. Agree Implementation Date: August 2022 Otero College will ensure they maintain supporting documentation for procurements. C. Agree Implementation Date: August 2022 Otero College has a new procurement official that has attended various trainings regarding procurement rules.
Findings 2022-056, 2022-057, and 2022-058 Higher Education Emergency Relief Fund (HEERF) Procurement Compliance The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law on March 27, 2020 and appropriated federal funds to provide economic aid to the American people negatively impacted by the COVID-19 pandemic. As part of the CARES Act, funds were given to the System under the Higher Education Emergency Relief Fund (HEERF) Program. The Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSAA), was signed into law on December 27, 2020, and authorized additional funding under the HEERF program (HEERF II). Finally, the American Rescue Plan Act of 2021 (ARP), enacted on March 11, 2021, authorized a third round of funding (HEERF III) in order for higher education institutions to serve students and ensure learning continues during the COVID-19 pandemic. The HEERF Program is one of the subprograms of the federal Education Stabilization Fund [ALN 84.425]. The HEERF program contains two portions: The Student Aid portion [ALN 84.425E] and the Institutional portion, which is made up of the following: ? HEERF Institutional Aid Portion (ALN 84.425F); ? HEERF Minority Serving Institutions (ALN 84.425L); ? HEERF Strengthening Institutions Program (ALN 84.425M); ? Institutional Resilience and Expanded Postsecondary Opportunity (ALN 84.425P); ? HEERF Supplemental Assistance to Institutions of Higher Education program (ALN 84.425S). Since April 2020, the System has been awarded a total of approximately $255.6 million in HEERF funding. From inception through June 30, 2022, the System spent a total of approximately $97.8 million for the HEERF program Student Aid portion and $113.9 million for the HEERF Institutional Portion. During Fiscal Year 2022, the System spent $71.9 million for the Student Aid portion and $45.1 million for the Institutional Portion; of this amount, $28.7 million represented the System?s procurement for goods and services. The System reports that it will spend the remaining amount of funding during Fiscal Year 2023 and beyond. Each of the System?s 13 campuses separately signed an agreement titled the ?Certification and Agreement? with the U.S. Department of Education (ED) to indicate each campus? acceptance of the HEERF funding and the applicable terms and requirements. Under the requirements, each campus is required to follow the State?s procurement policies and procedures. Federal procurement regulations also require that each campus include any clauses required by federal regulations in every HEERF-related purchase order or other contract. In addition, non-federal entities, including the System and its campuses, are prohibited from contracting with or making subawards under ?covered transactions? to parties that are suspended or debarred from doing business with the federal government. ?Covered transactions? include those procurement contracts for goods and services awarded under a grant or cooperative agreement. In order to comply with federal suspension and debarment requirements, the campuses can perform a search in the federal System of Award Management (SAM) website, which tracks the entities that the federal government has determined are ineligible to receive federal funding; collect a certification from the entity; or add a clause or condition to the contract. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the System?s campuses had effective internal controls in place over, and complied with, federal procurement and suspension and debarment requirements for the HEERF grant during Fiscal Year 2022. As part of our audit work, we reviewed the campuses? internal controls over the HEERF grant procurement requirements. In addition, we tested a sample of 60 of the campuses? HEERF-related 435 procurement transactions, totaling $18.8 million, to determine if the campuses were in compliance with federal procurement requirements, and whether the campuses? contractors were suspended, debarred, or otherwise excluded from participating in the contract by the federal government, through verification on the SAM website exclusions listing. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: ? Federal regulation [2 CFR 180.220] states that a contract for goods or services is a covered transaction if awarded as a grant or payment for specified use and if the amount of the contract is expected to equal or exceed $25,000. Also, federal regulation [2 CFR 180.300] requires that when a non-federal entity enters into a covered transaction with another entity, the non-federal entity must verify that the person or entity they intend to do business with is not excluded or disqualified from receiving federal funds. This can be done by: (1) checking the SAM exclusions, (2) collecting a certification from that entity, or (3) adding a clause or condition to the covered transaction with that entity. ? Federal regulation [2 CFR 200.303] states that the System and its campuses, as recipients of federal funds, must establish and maintain effective internal control over their federal awards that provides reasonable assurance that the System?s campuses are managing the federal awards in compliance with federal statutes, regulations, and the award terms and conditions. ? Federal regulation [2 CFR 200.318] states that the System must document procurement procedures. The System and its campuses utilize Colorado Revised Statute Section 24, Government -State, Procurement Code; Articles 101- 112, as their procurement policy. Relevant sections of the policy include: o R-24-103-201-01 Purchasing Thresholds - (b) Small purchases are goods and services purchases costing less than $150,000. Goods and services between $25,000 and $150,000 may be purchased using a documented quote process, described in rule R-24-103-204-01. o R-24-103-201-01 Purchasing Thresholds - (c) Invitation for bids, described in rule R-24-103-202-01, request for proposals, described in rule R-24-103-203, and invitations to negotiate, described in rule R-24-103-208-03, may be used for goods or services estimated to exceed the small purchase threshold of $150,000. o R-24-103-205 Sole Source Procurements -Contracts may be awarded by use of a sole source procurement only if the following conditions are met: (a) A sole source procurement is justified when there is only one good or service that can reasonably meet the need and there is only one vendor who can provide the good or service. A requirement for a particular proprietary item (i.e., a brand name specification) does not justify a sole source procurement if there is more than one potential bidder or offeror for that item; (b) The procurement official or his or her designee shall make a written determination that a procurement is sole source, setting forth the reasons. In cases of reasonable doubt, competition should be solicited. Any request by a using agency that a procurement be restricted to one potential contractor shall be accompanied by an explanation as to why no other contractors will be suitable or acceptable to meet the need. What problems did the audit work identify? We identified at least one issue with 34 of the 60 transactions tested (57 percent), which resulted in a total of $3,254,216 in known federal questioned costs. In total, we identified 43 errors within the 34 transactions tested. Specifically, we identified the following: ? Community College of Aurora (CCA) and Pueblo Community College (PCC) could not provide documentation to support that suspension and debarment verification procedures were performed for nine transactions we reviewed for CCA and for 21 transactions we reviewed for PCC. We confirmed through additional audit work that none of the vendors were suspended or debarred; as a result, we determined that these errors did not result in questioned costs. ? Otero College (OC) did not complete the required Sole Source justification for four transactions. These errors resulted in $1,535,455 of questioned costs. ? PCC did not perform a request for proposals for two transactions which exceeded $150,000 and did not obtain documented quotes for seven transactions which were between $25,000 and $150,000, as required. These errors resulted in questioned costs of $1,718,761. Why did these problems occur? OC and PCC did not have adequate internal controls in place to ensure they complied with HEERF procurement requirements. In addition, CCA and PCC did not have adequate internal controls in place to ensure they complied with HEERF suspension and debarment requirements. Specifically, at OC and PCC, the secondary reviewer did not require staff follow procedures in place for procurement. At PCC the secondary reviewer also did not ensure that staff searched the federal System of Award Management to verify that entities it contracted with were not suspended, debarred, or otherwise excluded from participating in a contract for federal funds. In addition, they did not provide training over grant processes related to state procurement rules, such as training on requirements for staff to maintain appropriate supporting documentation for procurement-related verifications and procurement decisions. Further, CCA and OC experienced staff turnover in key positions, and existing employees could not locate the supporting documentation. Why do these problems matter? It is important for CCA, OC, and PCC to ensure that they obtain and maintain appropriate documentation to support procurement decisions, especially when they are the basis for determining CCA, OC, and PCC?s compliance with specific HEERF program requirements. In addition, CCA and PCC?s failure to perform procedures to ensure an entity is not suspended or debarred could result in the System paying funds to an entity that is disallowed from receiving such funds, thereby exposing the State to increased business risk and potential federal disallowances. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-058 Pueblo Community College should strengthen their internal controls over procurement, suspension and debarment and ensure they comply with the Higher Education Emergency Relief Fund (HEERF) requirements and State procurement policies by: A. Ensuring the secondary reviewer enforces compliance with the Colorado Community College System?s (System) procurement procedures and that staff perform procedures to verify contracted entities are not excluded or disqualified from receiving federal funds. B. Ensuring staff maintain supporting documentation for procurements and suspension and debarment checks. C. Providing training and cross-training to existing employees over procurement, suspension and debarment requirements. Response Pueblo Community College A. Agree Implementation Date: September 2022 Going forward, the Director of Purchasing will perform all Sam.Gov searches. The secondary reviews to ensure compliance for the System's procurement and suspension and debarment procedures will be conducted by the Vice President of Administration and Finance. B. Agree Implementation Date: September 2022 The corresponding documents supporting procurement transactions and suspension and debarment checks will be scanned and filed along with the Purchase order. C. Agree Implementation Date: September 2022 Training will be provided to fiscal and grant staff for identifying when suspension and debarment must be checked for vendors of federal programs, processes and websites to access, and methodology for documenting with the purchase documentation.
Finding 2022-076 Compliance with Federal Subrecipient Monitoring Requirements The Department receives federal grant funds directly from the federal government for the Highway Planning and Construction Program (Program) and then subgrants, or passes through, a portion of the funds to cities and counties and other organizations that are considered to be either a subrecipient or a contractor. A subrecipient is a non-federal entity that expends federal awards received from a pass-through entity to carry out a federal program, but does not include an individual that is a beneficiary receiving direct payments from such a program. A contractor is a dealer, distributor, merchant, or other seller providing goods or services that are required to conduct a federal program; these goods or services may be for an organization?s own use or for the use of beneficiaries of the federal program. The Department executes an Intergovemental Agreement (IGA) between the Department and the subrecipient. Under Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), the Department is responsible for evaluating each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward and for ultimately ensuring the subrecipient is determined eligible. In some instances, in coordination with the Federal Highway Association (FHWA), a Metropolitan Planning Organization (MPO)? rather than the primary recipient, such as the Department?is responsible for performing eligibility determinations. As such, in those instances, the Department does not perform risk-assessments on these contracts and only is responsible for on-going monitoring. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department had effective internal controls in place and complied with subrecipient monitoring activities for the Program during Fiscal Year 2022. As part of our audit work, we reviewed the Department?s internal controls over compliance for subrecipient monitoring requirements for the Program, including the Department?s policies and procedures. We tested a random sample of 25 of the Department?s 92 subrecipients (27 percent) for the Program?for which the Department had an IGA in place during Fiscal Year 2022?to determine whether subrecipient monitoring procedures performed by Department staff during the year were compliant with federal regulations. Our testing included evaluating whether the Department performed risk assessments and determined the appropriate level of subrecipient monitoring for the entities, as required by federal Uniform Guidance. How were the results of the audit work measured? Our audit work was designed to measure the Department?s compliance with the following criteria: ? Federal regulations [2 CFR 200.303] state that the Department, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? ? Federal regulations [2 CFR 200.332(b)] also state that the Department must evaluate each subrecipient?s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward and may include various factors. ? Federal regulations [2 CFR 200.332(d) through (f)] and [2 CFR 200.521] further require the Department to monitor the activities of its subrecipients, as necessary, to ensure that each subaward is used for authorized purposes, the subrecipient complies with the terms and conditions of the subaward, and that the subrecipient achieves performance goals. The Department?s monitoring must include: o Reviewing financial and programmatic reports submitted by the subrecipient o Following-up on and ensuring the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award o Issuing a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity What problems did the audit work identify? We determined that the Department did not comply with subrecipient monitoring requirements for the Highway Planning and Construction Program during Fiscal Year 2022, as noted below: ? The Department did not perform a risk assessment for 6 of the 25 subrecipients (24 percent) we tested, including subrecipients where eligibility was determined by a MPO. ? The Department improperly included one vendor in our population of subrecipients. The nature of services provided by the vendor was personal services, therefore, did not require the execution of an IGA. ? The Department did not provide supporting documentation for reviews of any Fiscal Year 2022 financial and programmatic reports. As a result, we were unable to determine if any reviews were conducted during the fiscal year, as required. Why did these problems occur? While the Department has created a subrecipient monitoring and risk assessment manual, the manual lacks clarity in a variety of areas, including the following: ? For contracts which extend over multiple fiscal years, the policies do not specify the frequency in which subrecipient risk-assessment should be reviewed or updated. ? There are multiple types of subrecipient contracts for which the full risk-assessment process may not be applicable, however, the current policies do not address acceptable exceptions to the policy. ? The Department?s current policies do not include guidance related to the review of financial and programmatic reports, including the extent to which required programmatic and financial reports should be obtained and reviewed. ? The Department?s policies and procedures do not clearly indicate that the Department is not required to complete a risk assessment when an MPO determines eligibility and therefore the nature of monitoring procedures to be performed is not defined. ? Requested audit documentation was not provided timely. Further, the Department did not provide sufficiently-detailed training to staff to ensure they were aware of and conducted required subrecipient monitoring responsibilities. Why do these problems matter? Performing timely and appropriate monitoring of subrecipients provides the Department with a method to ensure its subrecipients are complying with applicable federal grant requirements. By taking appropriate actions based on the results of its subrecipient monitoring activities, the Department can mitigate the risk of providing continuing funding to entities that may not be using funds in accordance with program requirements. Overall, the Department?s failure to comply with federal requirements could result in a loss of funding from the federal government. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-076 The Department of Transportation should strengthen internal controls over and ensure that it complies with federal subrecipient monitoring requirements for the Highway Planning and Construction program by: A. Updating its current subrecipient monitoring and risk assessment policy to clarify the frequency in which a risk assessment is required to be completed or updated, as applicable for contracts that span multiple fiscal years, as well as direction regarding when it is acceptable to forgo performing a risk assessment and updating the policy to address the nature in which subrecipient programmatic and financial reports are reviewed B. Providing training to staff responsible for subrecipient monitoring activities related to the policies updated in Part A of the finding. Response Department of Transportation A. Agree Implementation Date: November 2023 The Department will update the policy to clarify the frequency in which the risk assessment is required to be completed or updated as applicable for contracts that span multiple fiscal years, as well as identifying exceptions, outlining when it is acceptable to forgo risk assessments. The Department will also update the policy to address the nature in which the subrecipient programmatic and financial reports are reviewed. The updates will be completed by November 2023. B. Agree Implementation Date: November 2023 The Department will provide training on the subrecipient monitoring policy manual to outline roles, responsibilities and the frequency of risk assessments that span over multiple fiscal years. The training will also provide guidance on the programmatic and financial information review process.
Finding 2022-077 Cash Management The Department operates on a reimbursement basis with the federal government for a portion of its federal grant programs, expending state dollars for the federal programs prior to requesting reimbursement for the appropriate federal share. The reimbursement process is governed by the Cash Management Improvement Act of 1990 (CMIA) and 31 CFR Part 205 Part B, Rules and Procedures for Efficient Federal-State Funds Transfers (Transfer Rules), which prescribe specific methods and timeframes for drawing down federal funds. The purpose of CMIA and the Transfer Rules is to minimize the time period from when the State makes an expenditure for a federal program and when the federal reimbursement is received, so that neither the State nor the federal government incurs a loss of interest on the funds. This timeframe for requesting reimbursement is referred to as the ?draw pattern.? Under CMIA, the State must enter into a formal agreement, referred to as the ?Treasury-State Agreement,? (Agreement) with the U.S. Department of the Treasury to establish reimbursement schedules for selected federal programs that have been awarded to the State. In Colorado, the Department of Treasury (Treasury), on behalf of all departments in the State, enters into the Agreement with the U.S. Department of the Treasury. For Fiscal Year 2022, Colorado?s CMIA Agreement included 10 programs administered by various state agencies. The Department has one federal program that is included in the Agreement. Specifically, the Department?s Highway Planning and Construction [ALN 20.205] is included in this Agreement. During Fiscal Year 2022, the Department expended $510.0 million in Highway Planning and Construction funds. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to review the Department?s internal controls over its cash draw process and to determine whether the Department was in compliance with CMIA for the Highway Planning and Construction program during Fiscal Year 2022. As part of our audit, we tested the Department?s internal controls and compliance over its cash management process for the Highway Planning and Construction program. We tested a sample of 25 expenditures and the related draws the Department made for the program during Fiscal Year 2022 and calculated the number of days between each sampled expenditure and related federal draw and compared our results to the CMIA requirements in place at the time the draw occurred. Within our sample, draws for nine of the expenditures were performed prior to October 13, when the 4-day draw pattern was in place; draws for 16 expenditures were performed after October 13 on the 5-day pattern. How were the results of the audit work measured? Under CMIA rules, draw patterns should be interest-neutral between the State?s expenditure and receipt of federal funds. We compared the results of our testwork against the regulations within the CMIA for payments clearing the State?s bank that should result in the receipt of the federal reimbursements within specific timeframe as noted below: The Agreement in place at the beginning of Fiscal Year 2022 specified a 4-day draw pattern for Highway Planning and Construction. Therefore, the time between when the Department?s expenditure was made and when federal funds were received should have been 4 days. In October 2021, however, the Department requested the draw pattern be changed from 4 days to 5 days. This request was approved by the U.S. Department of the Treasury on October 13, 2021. What problem did the audit work identify? We determined that the Department did not comply with the approved cash management draw patterns contained in the Agreements for the Highway Planning and Construction program for Fiscal Year 2022. Overall, 8 of the 25 draws (32 percent) were not made in accordance with the applicable Agreement, as follows: ? We noted that 6 of the 16 draws (38 percent) were not performed on the 5-day approved draw pattern in place after October 13, 2021 and instead, were performed on a 4-day draw pattern. ? We also noted that 2 of the 9 draws (22 percent) sampled from the first Agreement were not completed in accordance with the 4-day approved draw pattern in place prior to October 13, 2021 and, instead, were performed on a 5-day draw pattern. Why did this problem occur? The Department did not have appropriate internal controls over its federal grant cash management process during Fiscal Year 2022. Specifically, the Department conducted an analysis on the draw pattern for Highway Planning and Construction in early Fiscal Year 2022 and determined that its draws were occurring within 5 rather than 4 days, so the Department requested and received approval from the U.S. Department of the Treasury to change from a 4 day draw pattern to a 5-day draw pattern; however, the Department did not properly communicate the change in the Agreement for the Highway Planning and Construction?s draw pattern to the primary individuals responsible for preparing and approving the draws. As a result, the billing procedure was not updated to reflect the change in draw pattern, which led to the draws being out of compliance with the approved CMIA draw pattern. Why does this problem matter? The timing of draws for requesting federal funds impacts the interest neutral requirements under the CMIA. By drawing funds early, the Department creates a risk that the State my ultimately owe interest charges to the federal government. Further, the Department?s lack of strong cash management internal controls may result in delays in the identification of expenditures for which reimbursement has not been requested and therefore, funds upon which the State has lost interest. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-077 The Department Transportation (Department) should strengthen its internal controls and processes over and ensure that it complies with federal Cash Management Improvement Act requirements for the federal Highway Planning and Construction Program (Program) by: A. Ensuring that Department personnel responsible for preparing and reviewing the cash draw requests are adequately informed of the draw pattern applicable for the current fiscal year, including any federally-approved changes that occur during the year. B. Establishing procedures that specify draw request dates in relation to Program expenditures that ensure required draw patterns are met. Response Colorado Department of Transportation A. Agree Implementation Date: March 2023 The Department will enhance its internal controls and processes to ensure it complies with the federal Cash Management Improvement Act requirements for the federal Highway Planning and Construction Program (Program) by ensuring personnel responsible for preparing and reviewing the cash draw requests are adequately informed of the draw pattern for the applicable fiscal year in which the draws occur including federally-approved changes during the year. Personnel responsible for the draw will review the approved draw letter from the State Treasury with a secondary verification on the Federal Site, www.fiscal.treasury.gov/cmia/resources-treasury-state-agreements.hmtl for the specified timeframe before conducting the draw. B. Agree Implementation Date: March 2023 The Department will enhance its internal controls and processes to ensure it complies with federal Cash Management Improvement Act requirements for the federal Highway Planning and Construction Program (Program) by establishing and maintaining formal procedures that specify the draw request dates in relation to the program expenditures to ensure required draw patterns are met. The process to implement changes to the cash draw pattern will be added to the draw procedure by March 2023.
Finding 2022-076 Compliance with Federal Subrecipient Monitoring Requirements The Department receives federal grant funds directly from the federal government for the Highway Planning and Construction Program (Program) and then subgrants, or passes through, a portion of the funds to cities and counties and other organizations that are considered to be either a subrecipient or a contractor. A subrecipient is a non-federal entity that expends federal awards received from a pass-through entity to carry out a federal program, but does not include an individual that is a beneficiary receiving direct payments from such a program. A contractor is a dealer, distributor, merchant, or other seller providing goods or services that are required to conduct a federal program; these goods or services may be for an organization?s own use or for the use of beneficiaries of the federal program. The Department executes an Intergovemental Agreement (IGA) between the Department and the subrecipient. Under Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), the Department is responsible for evaluating each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward and for ultimately ensuring the subrecipient is determined eligible. In some instances, in coordination with the Federal Highway Association (FHWA), a Metropolitan Planning Organization (MPO)? rather than the primary recipient, such as the Department?is responsible for performing eligibility determinations. As such, in those instances, the Department does not perform risk-assessments on these contracts and only is responsible for on-going monitoring. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department had effective internal controls in place and complied with subrecipient monitoring activities for the Program during Fiscal Year 2022. As part of our audit work, we reviewed the Department?s internal controls over compliance for subrecipient monitoring requirements for the Program, including the Department?s policies and procedures. We tested a random sample of 25 of the Department?s 92 subrecipients (27 percent) for the Program?for which the Department had an IGA in place during Fiscal Year 2022?to determine whether subrecipient monitoring procedures performed by Department staff during the year were compliant with federal regulations. Our testing included evaluating whether the Department performed risk assessments and determined the appropriate level of subrecipient monitoring for the entities, as required by federal Uniform Guidance. How were the results of the audit work measured? Our audit work was designed to measure the Department?s compliance with the following criteria: ? Federal regulations [2 CFR 200.303] state that the Department, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? ? Federal regulations [2 CFR 200.332(b)] also state that the Department must evaluate each subrecipient?s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward and may include various factors. ? Federal regulations [2 CFR 200.332(d) through (f)] and [2 CFR 200.521] further require the Department to monitor the activities of its subrecipients, as necessary, to ensure that each subaward is used for authorized purposes, the subrecipient complies with the terms and conditions of the subaward, and that the subrecipient achieves performance goals. The Department?s monitoring must include: o Reviewing financial and programmatic reports submitted by the subrecipient o Following-up on and ensuring the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award o Issuing a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity What problems did the audit work identify? We determined that the Department did not comply with subrecipient monitoring requirements for the Highway Planning and Construction Program during Fiscal Year 2022, as noted below: ? The Department did not perform a risk assessment for 6 of the 25 subrecipients (24 percent) we tested, including subrecipients where eligibility was determined by a MPO. ? The Department improperly included one vendor in our population of subrecipients. The nature of services provided by the vendor was personal services, therefore, did not require the execution of an IGA. ? The Department did not provide supporting documentation for reviews of any Fiscal Year 2022 financial and programmatic reports. As a result, we were unable to determine if any reviews were conducted during the fiscal year, as required. Why did these problems occur? While the Department has created a subrecipient monitoring and risk assessment manual, the manual lacks clarity in a variety of areas, including the following: ? For contracts which extend over multiple fiscal years, the policies do not specify the frequency in which subrecipient risk-assessment should be reviewed or updated. ? There are multiple types of subrecipient contracts for which the full risk-assessment process may not be applicable, however, the current policies do not address acceptable exceptions to the policy. ? The Department?s current policies do not include guidance related to the review of financial and programmatic reports, including the extent to which required programmatic and financial reports should be obtained and reviewed. ? The Department?s policies and procedures do not clearly indicate that the Department is not required to complete a risk assessment when an MPO determines eligibility and therefore the nature of monitoring procedures to be performed is not defined. ? Requested audit documentation was not provided timely. Further, the Department did not provide sufficiently-detailed training to staff to ensure they were aware of and conducted required subrecipient monitoring responsibilities. Why do these problems matter? Performing timely and appropriate monitoring of subrecipients provides the Department with a method to ensure its subrecipients are complying with applicable federal grant requirements. By taking appropriate actions based on the results of its subrecipient monitoring activities, the Department can mitigate the risk of providing continuing funding to entities that may not be using funds in accordance with program requirements. Overall, the Department?s failure to comply with federal requirements could result in a loss of funding from the federal government. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-076 The Department of Transportation should strengthen internal controls over and ensure that it complies with federal subrecipient monitoring requirements for the Highway Planning and Construction program by: A. Updating its current subrecipient monitoring and risk assessment policy to clarify the frequency in which a risk assessment is required to be completed or updated, as applicable for contracts that span multiple fiscal years, as well as direction regarding when it is acceptable to forgo performing a risk assessment and updating the policy to address the nature in which subrecipient programmatic and financial reports are reviewed B. Providing training to staff responsible for subrecipient monitoring activities related to the policies updated in Part A of the finding. Response Department of Transportation A. Agree Implementation Date: November 2023 The Department will update the policy to clarify the frequency in which the risk assessment is required to be completed or updated as applicable for contracts that span multiple fiscal years, as well as identifying exceptions, outlining when it is acceptable to forgo risk assessments. The Department will also update the policy to address the nature in which the subrecipient programmatic and financial reports are reviewed. The updates will be completed by November 2023. B. Agree Implementation Date: November 2023 The Department will provide training on the subrecipient monitoring policy manual to outline roles, responsibilities and the frequency of risk assessments that span over multiple fiscal years. The training will also provide guidance on the programmatic and financial information review process.
Finding 2022-077 Cash Management The Department operates on a reimbursement basis with the federal government for a portion of its federal grant programs, expending state dollars for the federal programs prior to requesting reimbursement for the appropriate federal share. The reimbursement process is governed by the Cash Management Improvement Act of 1990 (CMIA) and 31 CFR Part 205 Part B, Rules and Procedures for Efficient Federal-State Funds Transfers (Transfer Rules), which prescribe specific methods and timeframes for drawing down federal funds. The purpose of CMIA and the Transfer Rules is to minimize the time period from when the State makes an expenditure for a federal program and when the federal reimbursement is received, so that neither the State nor the federal government incurs a loss of interest on the funds. This timeframe for requesting reimbursement is referred to as the ?draw pattern.? Under CMIA, the State must enter into a formal agreement, referred to as the ?Treasury-State Agreement,? (Agreement) with the U.S. Department of the Treasury to establish reimbursement schedules for selected federal programs that have been awarded to the State. In Colorado, the Department of Treasury (Treasury), on behalf of all departments in the State, enters into the Agreement with the U.S. Department of the Treasury. For Fiscal Year 2022, Colorado?s CMIA Agreement included 10 programs administered by various state agencies. The Department has one federal program that is included in the Agreement. Specifically, the Department?s Highway Planning and Construction [ALN 20.205] is included in this Agreement. During Fiscal Year 2022, the Department expended $510.0 million in Highway Planning and Construction funds. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to review the Department?s internal controls over its cash draw process and to determine whether the Department was in compliance with CMIA for the Highway Planning and Construction program during Fiscal Year 2022. As part of our audit, we tested the Department?s internal controls and compliance over its cash management process for the Highway Planning and Construction program. We tested a sample of 25 expenditures and the related draws the Department made for the program during Fiscal Year 2022 and calculated the number of days between each sampled expenditure and related federal draw and compared our results to the CMIA requirements in place at the time the draw occurred. Within our sample, draws for nine of the expenditures were performed prior to October 13, when the 4-day draw pattern was in place; draws for 16 expenditures were performed after October 13 on the 5-day pattern. How were the results of the audit work measured? Under CMIA rules, draw patterns should be interest-neutral between the State?s expenditure and receipt of federal funds. We compared the results of our testwork against the regulations within the CMIA for payments clearing the State?s bank that should result in the receipt of the federal reimbursements within specific timeframe as noted below: The Agreement in place at the beginning of Fiscal Year 2022 specified a 4-day draw pattern for Highway Planning and Construction. Therefore, the time between when the Department?s expenditure was made and when federal funds were received should have been 4 days. In October 2021, however, the Department requested the draw pattern be changed from 4 days to 5 days. This request was approved by the U.S. Department of the Treasury on October 13, 2021. What problem did the audit work identify? We determined that the Department did not comply with the approved cash management draw patterns contained in the Agreements for the Highway Planning and Construction program for Fiscal Year 2022. Overall, 8 of the 25 draws (32 percent) were not made in accordance with the applicable Agreement, as follows: ? We noted that 6 of the 16 draws (38 percent) were not performed on the 5-day approved draw pattern in place after October 13, 2021 and instead, were performed on a 4-day draw pattern. ? We also noted that 2 of the 9 draws (22 percent) sampled from the first Agreement were not completed in accordance with the 4-day approved draw pattern in place prior to October 13, 2021 and, instead, were performed on a 5-day draw pattern. Why did this problem occur? The Department did not have appropriate internal controls over its federal grant cash management process during Fiscal Year 2022. Specifically, the Department conducted an analysis on the draw pattern for Highway Planning and Construction in early Fiscal Year 2022 and determined that its draws were occurring within 5 rather than 4 days, so the Department requested and received approval from the U.S. Department of the Treasury to change from a 4 day draw pattern to a 5-day draw pattern; however, the Department did not properly communicate the change in the Agreement for the Highway Planning and Construction?s draw pattern to the primary individuals responsible for preparing and approving the draws. As a result, the billing procedure was not updated to reflect the change in draw pattern, which led to the draws being out of compliance with the approved CMIA draw pattern. Why does this problem matter? The timing of draws for requesting federal funds impacts the interest neutral requirements under the CMIA. By drawing funds early, the Department creates a risk that the State my ultimately owe interest charges to the federal government. Further, the Department?s lack of strong cash management internal controls may result in delays in the identification of expenditures for which reimbursement has not been requested and therefore, funds upon which the State has lost interest. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-077 The Department Transportation (Department) should strengthen its internal controls and processes over and ensure that it complies with federal Cash Management Improvement Act requirements for the federal Highway Planning and Construction Program (Program) by: A. Ensuring that Department personnel responsible for preparing and reviewing the cash draw requests are adequately informed of the draw pattern applicable for the current fiscal year, including any federally-approved changes that occur during the year. B. Establishing procedures that specify draw request dates in relation to Program expenditures that ensure required draw patterns are met. Response Colorado Department of Transportation A. Agree Implementation Date: March 2023 The Department will enhance its internal controls and processes to ensure it complies with the federal Cash Management Improvement Act requirements for the federal Highway Planning and Construction Program (Program) by ensuring personnel responsible for preparing and reviewing the cash draw requests are adequately informed of the draw pattern for the applicable fiscal year in which the draws occur including federally-approved changes during the year. Personnel responsible for the draw will review the approved draw letter from the State Treasury with a secondary verification on the Federal Site, www.fiscal.treasury.gov/cmia/resources-treasury-state-agreements.hmtl for the specified timeframe before conducting the draw. B. Agree Implementation Date: March 2023 The Department will enhance its internal controls and processes to ensure it complies with federal Cash Management Improvement Act requirements for the federal Highway Planning and Construction Program (Program) by establishing and maintaining formal procedures that specify the draw request dates in relation to the program expenditures to ensure required draw patterns are met. The process to implement changes to the cash draw pattern will be added to the draw procedure by March 2023.
The following finding and recommendation relating to an internal control deficiency classified as a Significant Deficiency was communicated to the Department of Transportation (Department) in the previous year and has not been remediated as of June 30, 2022 because the original implementation date provided by the Department was in a subsequent fiscal year. This complete finding and recommendation can be found within the original report and the complete recommendation can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table Finding 2021-068 The following finding and recommendation relating to an internal control deficiency classified as a Significant Deficiency was communicated to the Department in the previous year and has not been remediated as of June 30, 2021, because the original implementation date provided by the Department is in a subsequent fiscal year. This complete finding and recommendation can be found in the original report and Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-075 FORMULA GRANTS FOR RURAL AREAS?INTERNAL CONTROLS AND COMPLIANCE WITH SUBRECIPIENT MONITORING The Department received funding from the Federal Transit Authority (FTA) for the Program during Fiscal Year 2020 and expended approximately $26.8 million under the Program; the expenditures included approximately $16.9 million from the Coronavirus Aid, Relief, and Economic Security Act (CARES Act). The objective of this Program is to initiate, improve, or continue public transportation services in rural areas. FTA provides financial and technical assistance to local public transit systems, including buses, subways, light rail, commuter rail, trolleys, and ferries. FTA also oversees safety measures and helps develop next-generation technology research. Approximately $26.0 million (97 percent) of the Program funds expended by the Department were passed through to subrecipients in order to carry out a portion of the Program. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to determine whether the Department had effective internal controls in place during Fiscal Year 2020 over the Program, and complied with the Program?s subrecipient monitoring activities. As part of our audit work, we reviewed the Department?s internal controls over compliance for the Program?s subrecipient monitoring. In addition, we tested a random sample of five of 45 Program subrecipients for Fiscal Year 2020 to determine whether the subrecipient monitoring procedures the Department performed during the year were compliant with federal requirements. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? Our audit work was designed to measure the results of compliance with the following criteria: ? Federal regulations [2 CFR 200.332(b)] require that the Department evaluate each subrecipient?s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward and may include various factors. Federal regulations [2 CFR 200.332(d)-(f)] also require the Department to monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, complies with the terms and conditions of the subaward, and achieves performance goals. Monitoring must include: ? Reviewing financial and programmatic reports. ? Following up and ensuring the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award. ? Issuing a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity, as required by 2 CFR 200.521. ? Federal regulation [2 CFR 200.303] states that the Department, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The Department?s internal control policies and procedures require the Internal Audit Division to obtain and review single audit certification forms, whereby subrecipients are required to certify whether they are subject to a Single Audit. Internal Audit Division staff are required to review each certification and related Single Audit report, as applicable, and perform follow-up activities related to deficiencies and audit findings. ? Additionally, the Department is required to report the total amount of federal awards expended to the Office of the State Controller (OSC) via the Exhibit K1, Schedule of Federal Assistance. The Exhibit K1 is the document through which state departments report federal expenditure information to the OSC, including separate columns to indicate types of expenditures, for statewide compilation and reporting. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We identified issues related to two of the five (40 percent) Program subrecipients identified by the Department for Fiscal Year 2020 as follows: ? The Department did not take sufficient steps to address one subrecipient?s failure to obtain a 2019 Single Audit. Specifically, the subrecipient received approximately $78,500 in pass-through Program funding from the Department and communicated to the Department in its single audit certification for the year ending December 31, 2019, that it was subject to a Single Audit; however, that audit had not been conducted as of the completion of our Fiscal Year 2020 audit testwork in April 2021. While it appeared that the Department communicated various times with the subrecipient about the missing audit, the Department did not assess possible impacts from the missing audit or take any action to institute alternate monitoring procedures of the subrecipient. ? For the second subrecipient tested, the Department inappropriately considered the entity to be a subrecipient rather than a vendor and incorrectly reported $20,936 in funds paid to the entity as subrecipient expenditures on its Exhibit K1 submitted to the OSC. WHY DID THESE PROBLEMS OCCUR? The Department?s subrecipient policies and procedures are voluminous and performed throughout multiple divisions within the Department. Therefore, the results of monitoring procedures performed are documented in various areas and not contained in one central location. The Department also does not have policies and procedures in place to identify appropriate actions to be taken when issues are identified. In addition, the Department lacks a process for analyzing the types of entities it is contracting with for the Program in order to separately identify the entities as vendors or subrecipients; rather, staff indicated that, during the contracting process, all contract expenditures related to this Program are recorded as subrecipient expenditures, including service-related or vendor contracts. WHY DO THESE PROBLEMS MATTER? Performing timely and appropriate identification and monitoring of subrecipients, including ensuring that they undergo required Single Audits, provides the Department with a method to identify federal grant-related issues and to ensure its compliance with federal subrecipient monitoring requirements. By taking appropriate actions to address the results of its monitoring, the Department can mitigate the risk of providing continuing funding to entities that may not be using funds in accordance with Program requirements. This is particularly important because the Department passes 97 percent of these Program funds to subrecipients. The Department?s failure to comply with federal requirements could result in a loss of funding from the federal government. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-075 The Department of Transportation (Department) should ensure that it improves its internal controls over, and complies with, federal Formula Grants for Rural Areas and Tribal Transit Program requirements for subrecipient monitoring by: A Ensuring that subrecipient monitoring policies and procedures are centralized, condensed, and available to all personnel who are responsible for performing subrecipient monitoring activities. The policies and procedures should clearly list responsibilities for each division within the Department and be inclusive of all monitoring activities performed and contain clear directives for acting on subrecipients? failure to comply with requirements, including providing its single audit report, by assessing possible impacts from the noncompliance and instituting appropriate alternative procedures. B Implementing a process for analyzing its contracted entities during the contracting and awarding process by reviewing the nature and terms of contracts, separately identifying the contracted entities as vendors or subrecipients, and recording the contract expenditures appropriately based on this assessment. RESPONSE DEPARTMENT OF TRANSPORTATION A AGREE. IMPLEMENTATION DATE: JULY 2022. CDOT will work with various divisions to devise a plan that will comply with this finding and the recommendations noted within. This plan shall include identifying a centralized location for all policies and procedures related to subrecipient monitoring. We will look at all policies and procedures to ensure they clearly identify responsibilities and requirements for non-compliance. B AGREE. IMPLEMENTATION DATE: JULY 2022. CDOT will work with various divisions to devise a plan that will comply with this finding and the recommendations noted within. This plan shall include establishing a process by which an analysis of contracted entities will be performed to identify and properly record entities as a vendor or subrecipient.
The following finding and recommendation relating to an internal control deficiency classified as a Significant Deficiency was communicated to the Department of Transportation (Department) in the previous year and has not been remediated as of June 30, 2022 because the original implementation date provided by the Department was in a subsequent fiscal year. This complete finding and recommendation can be found within the original report and the complete recommendation can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table Finding 2021-068 The following finding and recommendation relating to an internal control deficiency classified as a Significant Deficiency was communicated to the Department in the previous year and has not been remediated as of June 30, 2021, because the original implementation date provided by the Department is in a subsequent fiscal year. This complete finding and recommendation can be found in the original report and Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-075 FORMULA GRANTS FOR RURAL AREAS?INTERNAL CONTROLS AND COMPLIANCE WITH SUBRECIPIENT MONITORING The Department received funding from the Federal Transit Authority (FTA) for the Program during Fiscal Year 2020 and expended approximately $26.8 million under the Program; the expenditures included approximately $16.9 million from the Coronavirus Aid, Relief, and Economic Security Act (CARES Act). The objective of this Program is to initiate, improve, or continue public transportation services in rural areas. FTA provides financial and technical assistance to local public transit systems, including buses, subways, light rail, commuter rail, trolleys, and ferries. FTA also oversees safety measures and helps develop next-generation technology research. Approximately $26.0 million (97 percent) of the Program funds expended by the Department were passed through to subrecipients in order to carry out a portion of the Program. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to determine whether the Department had effective internal controls in place during Fiscal Year 2020 over the Program, and complied with the Program?s subrecipient monitoring activities. As part of our audit work, we reviewed the Department?s internal controls over compliance for the Program?s subrecipient monitoring. In addition, we tested a random sample of five of 45 Program subrecipients for Fiscal Year 2020 to determine whether the subrecipient monitoring procedures the Department performed during the year were compliant with federal requirements. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? Our audit work was designed to measure the results of compliance with the following criteria: ? Federal regulations [2 CFR 200.332(b)] require that the Department evaluate each subrecipient?s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward and may include various factors. Federal regulations [2 CFR 200.332(d)-(f)] also require the Department to monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, complies with the terms and conditions of the subaward, and achieves performance goals. Monitoring must include: ? Reviewing financial and programmatic reports. ? Following up and ensuring the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award. ? Issuing a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity, as required by 2 CFR 200.521. ? Federal regulation [2 CFR 200.303] states that the Department, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The Department?s internal control policies and procedures require the Internal Audit Division to obtain and review single audit certification forms, whereby subrecipients are required to certify whether they are subject to a Single Audit. Internal Audit Division staff are required to review each certification and related Single Audit report, as applicable, and perform follow-up activities related to deficiencies and audit findings. ? Additionally, the Department is required to report the total amount of federal awards expended to the Office of the State Controller (OSC) via the Exhibit K1, Schedule of Federal Assistance. The Exhibit K1 is the document through which state departments report federal expenditure information to the OSC, including separate columns to indicate types of expenditures, for statewide compilation and reporting. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We identified issues related to two of the five (40 percent) Program subrecipients identified by the Department for Fiscal Year 2020 as follows: ? The Department did not take sufficient steps to address one subrecipient?s failure to obtain a 2019 Single Audit. Specifically, the subrecipient received approximately $78,500 in pass-through Program funding from the Department and communicated to the Department in its single audit certification for the year ending December 31, 2019, that it was subject to a Single Audit; however, that audit had not been conducted as of the completion of our Fiscal Year 2020 audit testwork in April 2021. While it appeared that the Department communicated various times with the subrecipient about the missing audit, the Department did not assess possible impacts from the missing audit or take any action to institute alternate monitoring procedures of the subrecipient. ? For the second subrecipient tested, the Department inappropriately considered the entity to be a subrecipient rather than a vendor and incorrectly reported $20,936 in funds paid to the entity as subrecipient expenditures on its Exhibit K1 submitted to the OSC. WHY DID THESE PROBLEMS OCCUR? The Department?s subrecipient policies and procedures are voluminous and performed throughout multiple divisions within the Department. Therefore, the results of monitoring procedures performed are documented in various areas and not contained in one central location. The Department also does not have policies and procedures in place to identify appropriate actions to be taken when issues are identified. In addition, the Department lacks a process for analyzing the types of entities it is contracting with for the Program in order to separately identify the entities as vendors or subrecipients; rather, staff indicated that, during the contracting process, all contract expenditures related to this Program are recorded as subrecipient expenditures, including service-related or vendor contracts. WHY DO THESE PROBLEMS MATTER? Performing timely and appropriate identification and monitoring of subrecipients, including ensuring that they undergo required Single Audits, provides the Department with a method to identify federal grant-related issues and to ensure its compliance with federal subrecipient monitoring requirements. By taking appropriate actions to address the results of its monitoring, the Department can mitigate the risk of providing continuing funding to entities that may not be using funds in accordance with Program requirements. This is particularly important because the Department passes 97 percent of these Program funds to subrecipients. The Department?s failure to comply with federal requirements could result in a loss of funding from the federal government. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-075 The Department of Transportation (Department) should ensure that it improves its internal controls over, and complies with, federal Formula Grants for Rural Areas and Tribal Transit Program requirements for subrecipient monitoring by: A Ensuring that subrecipient monitoring policies and procedures are centralized, condensed, and available to all personnel who are responsible for performing subrecipient monitoring activities. The policies and procedures should clearly list responsibilities for each division within the Department and be inclusive of all monitoring activities performed and contain clear directives for acting on subrecipients? failure to comply with requirements, including providing its single audit report, by assessing possible impacts from the noncompliance and instituting appropriate alternative procedures. B Implementing a process for analyzing its contracted entities during the contracting and awarding process by reviewing the nature and terms of contracts, separately identifying the contracted entities as vendors or subrecipients, and recording the contract expenditures appropriately based on this assessment. RESPONSE DEPARTMENT OF TRANSPORTATION A AGREE. IMPLEMENTATION DATE: JULY 2022. CDOT will work with various divisions to devise a plan that will comply with this finding and the recommendations noted within. This plan shall include identifying a centralized location for all policies and procedures related to subrecipient monitoring. We will look at all policies and procedures to ensure they clearly identify responsibilities and requirements for non-compliance. B AGREE. IMPLEMENTATION DATE: JULY 2022. CDOT will work with various divisions to devise a plan that will comply with this finding and the recommendations noted within. This plan shall include establishing a process by which an analysis of contracted entities will be performed to identify and properly record entities as a vendor or subrecipient.
The following finding and recommendation relating to an internal control deficiency classified as a Significant Deficiency was communicated to the Department of Transportation (Department) in the previous year and has not been remediated as of June 30, 2022 because the original implementation date provided by the Department was in a subsequent fiscal year. This complete finding and recommendation can be found within the original report and the complete recommendation can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table Finding 2021-068 The following finding and recommendation relating to an internal control deficiency classified as a Significant Deficiency was communicated to the Department in the previous year and has not been remediated as of June 30, 2021, because the original implementation date provided by the Department is in a subsequent fiscal year. This complete finding and recommendation can be found in the original report and Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-075 FORMULA GRANTS FOR RURAL AREAS?INTERNAL CONTROLS AND COMPLIANCE WITH SUBRECIPIENT MONITORING The Department received funding from the Federal Transit Authority (FTA) for the Program during Fiscal Year 2020 and expended approximately $26.8 million under the Program; the expenditures included approximately $16.9 million from the Coronavirus Aid, Relief, and Economic Security Act (CARES Act). The objective of this Program is to initiate, improve, or continue public transportation services in rural areas. FTA provides financial and technical assistance to local public transit systems, including buses, subways, light rail, commuter rail, trolleys, and ferries. FTA also oversees safety measures and helps develop next-generation technology research. Approximately $26.0 million (97 percent) of the Program funds expended by the Department were passed through to subrecipients in order to carry out a portion of the Program. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to determine whether the Department had effective internal controls in place during Fiscal Year 2020 over the Program, and complied with the Program?s subrecipient monitoring activities. As part of our audit work, we reviewed the Department?s internal controls over compliance for the Program?s subrecipient monitoring. In addition, we tested a random sample of five of 45 Program subrecipients for Fiscal Year 2020 to determine whether the subrecipient monitoring procedures the Department performed during the year were compliant with federal requirements. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? Our audit work was designed to measure the results of compliance with the following criteria: ? Federal regulations [2 CFR 200.332(b)] require that the Department evaluate each subrecipient?s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward and may include various factors. Federal regulations [2 CFR 200.332(d)-(f)] also require the Department to monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, complies with the terms and conditions of the subaward, and achieves performance goals. Monitoring must include: ? Reviewing financial and programmatic reports. ? Following up and ensuring the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award. ? Issuing a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity, as required by 2 CFR 200.521. ? Federal regulation [2 CFR 200.303] states that the Department, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The Department?s internal control policies and procedures require the Internal Audit Division to obtain and review single audit certification forms, whereby subrecipients are required to certify whether they are subject to a Single Audit. Internal Audit Division staff are required to review each certification and related Single Audit report, as applicable, and perform follow-up activities related to deficiencies and audit findings. ? Additionally, the Department is required to report the total amount of federal awards expended to the Office of the State Controller (OSC) via the Exhibit K1, Schedule of Federal Assistance. The Exhibit K1 is the document through which state departments report federal expenditure information to the OSC, including separate columns to indicate types of expenditures, for statewide compilation and reporting. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We identified issues related to two of the five (40 percent) Program subrecipients identified by the Department for Fiscal Year 2020 as follows: ? The Department did not take sufficient steps to address one subrecipient?s failure to obtain a 2019 Single Audit. Specifically, the subrecipient received approximately $78,500 in pass-through Program funding from the Department and communicated to the Department in its single audit certification for the year ending December 31, 2019, that it was subject to a Single Audit; however, that audit had not been conducted as of the completion of our Fiscal Year 2020 audit testwork in April 2021. While it appeared that the Department communicated various times with the subrecipient about the missing audit, the Department did not assess possible impacts from the missing audit or take any action to institute alternate monitoring procedures of the subrecipient. ? For the second subrecipient tested, the Department inappropriately considered the entity to be a subrecipient rather than a vendor and incorrectly reported $20,936 in funds paid to the entity as subrecipient expenditures on its Exhibit K1 submitted to the OSC. WHY DID THESE PROBLEMS OCCUR? The Department?s subrecipient policies and procedures are voluminous and performed throughout multiple divisions within the Department. Therefore, the results of monitoring procedures performed are documented in various areas and not contained in one central location. The Department also does not have policies and procedures in place to identify appropriate actions to be taken when issues are identified. In addition, the Department lacks a process for analyzing the types of entities it is contracting with for the Program in order to separately identify the entities as vendors or subrecipients; rather, staff indicated that, during the contracting process, all contract expenditures related to this Program are recorded as subrecipient expenditures, including service-related or vendor contracts. WHY DO THESE PROBLEMS MATTER? Performing timely and appropriate identification and monitoring of subrecipients, including ensuring that they undergo required Single Audits, provides the Department with a method to identify federal grant-related issues and to ensure its compliance with federal subrecipient monitoring requirements. By taking appropriate actions to address the results of its monitoring, the Department can mitigate the risk of providing continuing funding to entities that may not be using funds in accordance with Program requirements. This is particularly important because the Department passes 97 percent of these Program funds to subrecipients. The Department?s failure to comply with federal requirements could result in a loss of funding from the federal government. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-075 The Department of Transportation (Department) should ensure that it improves its internal controls over, and complies with, federal Formula Grants for Rural Areas and Tribal Transit Program requirements for subrecipient monitoring by: A Ensuring that subrecipient monitoring policies and procedures are centralized, condensed, and available to all personnel who are responsible for performing subrecipient monitoring activities. The policies and procedures should clearly list responsibilities for each division within the Department and be inclusive of all monitoring activities performed and contain clear directives for acting on subrecipients? failure to comply with requirements, including providing its single audit report, by assessing possible impacts from the noncompliance and instituting appropriate alternative procedures. B Implementing a process for analyzing its contracted entities during the contracting and awarding process by reviewing the nature and terms of contracts, separately identifying the contracted entities as vendors or subrecipients, and recording the contract expenditures appropriately based on this assessment. RESPONSE DEPARTMENT OF TRANSPORTATION A AGREE. IMPLEMENTATION DATE: JULY 2022. CDOT will work with various divisions to devise a plan that will comply with this finding and the recommendations noted within. This plan shall include identifying a centralized location for all policies and procedures related to subrecipient monitoring. We will look at all policies and procedures to ensure they clearly identify responsibilities and requirements for non-compliance. B AGREE. IMPLEMENTATION DATE: JULY 2022. CDOT will work with various divisions to devise a plan that will comply with this finding and the recommendations noted within. This plan shall include establishing a process by which an analysis of contracted entities will be performed to identify and properly record entities as a vendor or subrecipient.
The following finding and recommendation relating to an internal control deficiency classified as a Significant Deficiency was communicated to the Department of Transportation (Department) in the previous year and has not been remediated as of June 30, 2022 because the original implementation date provided by the Department was in a subsequent fiscal year. This complete finding and recommendation can be found within the original report and the complete recommendation can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table Finding 2021-068 The following finding and recommendation relating to an internal control deficiency classified as a Significant Deficiency was communicated to the Department in the previous year and has not been remediated as of June 30, 2021, because the original implementation date provided by the Department is in a subsequent fiscal year. This complete finding and recommendation can be found in the original report and Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-075 FORMULA GRANTS FOR RURAL AREAS?INTERNAL CONTROLS AND COMPLIANCE WITH SUBRECIPIENT MONITORING The Department received funding from the Federal Transit Authority (FTA) for the Program during Fiscal Year 2020 and expended approximately $26.8 million under the Program; the expenditures included approximately $16.9 million from the Coronavirus Aid, Relief, and Economic Security Act (CARES Act). The objective of this Program is to initiate, improve, or continue public transportation services in rural areas. FTA provides financial and technical assistance to local public transit systems, including buses, subways, light rail, commuter rail, trolleys, and ferries. FTA also oversees safety measures and helps develop next-generation technology research. Approximately $26.0 million (97 percent) of the Program funds expended by the Department were passed through to subrecipients in order to carry out a portion of the Program. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to determine whether the Department had effective internal controls in place during Fiscal Year 2020 over the Program, and complied with the Program?s subrecipient monitoring activities. As part of our audit work, we reviewed the Department?s internal controls over compliance for the Program?s subrecipient monitoring. In addition, we tested a random sample of five of 45 Program subrecipients for Fiscal Year 2020 to determine whether the subrecipient monitoring procedures the Department performed during the year were compliant with federal requirements. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? Our audit work was designed to measure the results of compliance with the following criteria: ? Federal regulations [2 CFR 200.332(b)] require that the Department evaluate each subrecipient?s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward and may include various factors. Federal regulations [2 CFR 200.332(d)-(f)] also require the Department to monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, complies with the terms and conditions of the subaward, and achieves performance goals. Monitoring must include: ? Reviewing financial and programmatic reports. ? Following up and ensuring the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award. ? Issuing a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity, as required by 2 CFR 200.521. ? Federal regulation [2 CFR 200.303] states that the Department, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The Department?s internal control policies and procedures require the Internal Audit Division to obtain and review single audit certification forms, whereby subrecipients are required to certify whether they are subject to a Single Audit. Internal Audit Division staff are required to review each certification and related Single Audit report, as applicable, and perform follow-up activities related to deficiencies and audit findings. ? Additionally, the Department is required to report the total amount of federal awards expended to the Office of the State Controller (OSC) via the Exhibit K1, Schedule of Federal Assistance. The Exhibit K1 is the document through which state departments report federal expenditure information to the OSC, including separate columns to indicate types of expenditures, for statewide compilation and reporting. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We identified issues related to two of the five (40 percent) Program subrecipients identified by the Department for Fiscal Year 2020 as follows: ? The Department did not take sufficient steps to address one subrecipient?s failure to obtain a 2019 Single Audit. Specifically, the subrecipient received approximately $78,500 in pass-through Program funding from the Department and communicated to the Department in its single audit certification for the year ending December 31, 2019, that it was subject to a Single Audit; however, that audit had not been conducted as of the completion of our Fiscal Year 2020 audit testwork in April 2021. While it appeared that the Department communicated various times with the subrecipient about the missing audit, the Department did not assess possible impacts from the missing audit or take any action to institute alternate monitoring procedures of the subrecipient. ? For the second subrecipient tested, the Department inappropriately considered the entity to be a subrecipient rather than a vendor and incorrectly reported $20,936 in funds paid to the entity as subrecipient expenditures on its Exhibit K1 submitted to the OSC. WHY DID THESE PROBLEMS OCCUR? The Department?s subrecipient policies and procedures are voluminous and performed throughout multiple divisions within the Department. Therefore, the results of monitoring procedures performed are documented in various areas and not contained in one central location. The Department also does not have policies and procedures in place to identify appropriate actions to be taken when issues are identified. In addition, the Department lacks a process for analyzing the types of entities it is contracting with for the Program in order to separately identify the entities as vendors or subrecipients; rather, staff indicated that, during the contracting process, all contract expenditures related to this Program are recorded as subrecipient expenditures, including service-related or vendor contracts. WHY DO THESE PROBLEMS MATTER? Performing timely and appropriate identification and monitoring of subrecipients, including ensuring that they undergo required Single Audits, provides the Department with a method to identify federal grant-related issues and to ensure its compliance with federal subrecipient monitoring requirements. By taking appropriate actions to address the results of its monitoring, the Department can mitigate the risk of providing continuing funding to entities that may not be using funds in accordance with Program requirements. This is particularly important because the Department passes 97 percent of these Program funds to subrecipients. The Department?s failure to comply with federal requirements could result in a loss of funding from the federal government. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-075 The Department of Transportation (Department) should ensure that it improves its internal controls over, and complies with, federal Formula Grants for Rural Areas and Tribal Transit Program requirements for subrecipient monitoring by: A Ensuring that subrecipient monitoring policies and procedures are centralized, condensed, and available to all personnel who are responsible for performing subrecipient monitoring activities. The policies and procedures should clearly list responsibilities for each division within the Department and be inclusive of all monitoring activities performed and contain clear directives for acting on subrecipients? failure to comply with requirements, including providing its single audit report, by assessing possible impacts from the noncompliance and instituting appropriate alternative procedures. B Implementing a process for analyzing its contracted entities during the contracting and awarding process by reviewing the nature and terms of contracts, separately identifying the contracted entities as vendors or subrecipients, and recording the contract expenditures appropriately based on this assessment. RESPONSE DEPARTMENT OF TRANSPORTATION A AGREE. IMPLEMENTATION DATE: JULY 2022. CDOT will work with various divisions to devise a plan that will comply with this finding and the recommendations noted within. This plan shall include identifying a centralized location for all policies and procedures related to subrecipient monitoring. We will look at all policies and procedures to ensure they clearly identify responsibilities and requirements for non-compliance. B AGREE. IMPLEMENTATION DATE: JULY 2022. CDOT will work with various divisions to devise a plan that will comply with this finding and the recommendations noted within. This plan shall include establishing a process by which an analysis of contracted entities will be performed to identify and properly record entities as a vendor or subrecipient.